Security Corner:

Internet Explorer

Aug 24 2009   2:18AM GMT

I Use LastPass



Posted by: Ken Harthun
Browsers, Firefox, Internet Explorer, Security, Password, Security management, password manager

OMG! I just opened that box that Pandora gave me. I have often said that I don’t like password managers because I don’t consider them secure. That goes double for the password managers built into the browsers. I don’t like anything to reside directly on my system, so that leaves a remote location. These days, “remote location” equates to “The Cloud.”

That’s why I use LastPass and have been using it for more than a year now. All of my passwords are stored online, encrypted, and I only have to remember one master password to unlock the vault. I don’t have to carry anything with me on a thumb drive or install any programs on someone else’s computer in order to access my stuff when I’m not using my own PC.

Don’t take my word for it, check out this list of features. And then decide for yourself.

Oh, by the way, you can generate very secure passwords with LastPass and you don’t have to worry about remembering them, because LastPass will do it for you. Firefox and IE add-ons make things even easier. When you come to a new site you need to set up an account with, LastPass offers to generate a password for you. Then, when you log in, LastPass offers to save all information for the site. If you do that and then come back to the site later, LastPass will give you the option to either auto-fill the information or perform an auto login.

Highly recommended if you don’t want to do your own password management. You can still use all of the methods I’ve proposed for generating secure passwords, but you’ll never have to worry about remembering them.  Use my methods to generate the most secure password you can for your LastPass master password and encode it so you can write it down securely, but use LastPass for all your password management needs.

May 31 2009   6:56PM GMT

Search for Screensavers at Your Own Risk



Posted by: Ken Harthun
Microsoft Windows, Browsers, Firefox, Internet Explorer, Security, Malware, Microsoft, Opinion, Secure Computing

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,” that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on ZDNet.com.

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, makes for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.


Feb 14 2009   3:54PM GMT

There is no "Super Secure" Browser



Posted by: Ken Harthun
Microsoft Windows, Browsers, Firefox, Internet Explorer, Opera, Malware, Vulnerabilities, Secure Computing, Zero-day vulnerability

Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.

Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.

Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]

You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”


Dec 21 2008   11:19PM GMT

No More Security Updates for Firefox 2



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Vulnerabilities, Phishing, Firefox, Opinion, Anti-malware

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
[Screenshot: Attack Site Blocked]

So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!


Dec 16 2008   9:21PM GMT

Microsoft Announces Out-of-band Patch for Zero-day Flaw



Posted by: Ken Harthun
Security, Microsoft Windows, Internet Explorer, Critical update, Security bulletin, Zero-day exploit, Zero-day vulnerability

Microsoft issued today “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:

Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008

Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.

I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.


Dec 12 2008   9:44PM GMT

Internet Explorer Targeted by Zero-day Attack



Posted by: Ken Harthun
Security, Internet Explorer, Vulnerabilities, Malware, Firefox, Opinion, Remote Code Execution, Critical update, Security bulletin, Zero-day exploit, Zero-day vulnerability

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

“The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products immediately perform an update. Furthermore, Symantec recommends blocking the following hosts which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

• Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.


Oct 30 2008   3:13PM GMT

Clickjacking Attacks Are Occurring in the Wild



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Malware, Firefox, Clickjacking

Less than a month after the clickjacking exploit came to light, sporadic reports of users falling victim to the attack are beginning to surface. Dennis O’Reilly’s column in Windows Secrets Newsletter, Issue 172, contains this report from a reader:

Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.

When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.

Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he received a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.


Oct 27 2008   9:29PM GMT

Software for Secure Computing: Firefox & NoScript



Posted by: Ken Harthun
Security, Microsoft Windows, Browsers, Internet Explorer, Firefox, Secure Computing, Clickjacking

Everyone agrees that it just isn’t safe out there on the Wild, Wild, Web and while Microsoft has made huge strides in securing Internet Explorer, the fact that IE continues to use ActiveX scripting technology makes it the least secure browser. I often recommend that people not use IE unless they have to and if they have to, to run it in a sandbox or virtual machine. An application sandbox such as Sandboxie protects your system from malicious scripts by allowing them to run only in the protected area.

There’s a much better approach, however: switch to Firefox and take advantage of the free Firefox add-on, NoScript. NoScript takes a “default deny” approach and prevents all scripts on a site from running unless you explicitly permit them.  NoScript is also effective against the latest clickjacking attacks. My article, “How to Protect Yourself from Clickjacking,” over at Dave’s Computer Tips describes the configuration options for both IE and Firefox with NoScript installed.

Switch to Firefox, install NoScript, and enjoy secure computing.


Sep 28 2008   4:39PM GMT

Clickjacking: The Latest Criminal Tactic



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Vulnerabilities, Cybercrime, Phishing, Firefox, Clickjacking

According to US-CERT’s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:

Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

According to a ZDNet blog posting, “Firefox + NoScript vs Clickjacking,” the Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe” [options]

Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”

For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to ensure maximum protection against this and other security risks.

I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.
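The iframe-based clickjacking that the “Forbid iframe” advice addresses only works if the target page can be loaded inside another site’s frame. As an added example (not from the original post, and going beyond its browser-side settings to the site-side counterpart), this JavaScript classifies a response by its X-Frame-Options and CSP frame-ancestors headers; the paths, partner host and sample responses are constructed, and a single CSP policy per response is assumed.

```javascript
// Added example: does a response's headers let a third-party origin frame it?
// Semantics follow X-Frame-Options and CSP frame-ancestors; samples are constructed.

// Return the frame-ancestors source list from one CSP policy string, or null.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers: plain object of response headers. Returns one of
// "blocked", "same-origin", "allowlist" or "frameable".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When both are sent, frame-ancestors is enforced and X-Frame-Options ignored.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    const s = sources.map((x) => x.toLowerCase());
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return "blocked";
    if (s.some((x) => x === "*" || x === "http:" || x === "https:")) return "frameable";
    if (s.every((x) => x === "'self'")) return "same-origin";
    return "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "blocked";
  if (xfo === "sameorigin") return "same-origin";
  // ALLOW-FROM is obsolete and ignored by current browsers; a missing or
  // unrecognised value gives no protection either.
  return "frameable";
}

// Constructed sample responses (hypothetical paths and partner host).
const SAMPLES = [
  { path: "/login", headers: { "X-Frame-Options": "DENY" } },
  { path: "/account", headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" } },
  { path: "/widget", headers: { "Content-Security-Policy": "frame-ancestors https://partner.example" } },
  { path: "/transfer", headers: { "Content-Type": "text/html" } },
  { path: "/legacy", headers: { "X-Frame-Options": "ALLOW-FROM https://partner.example" } },
];

// Paths that any site could load in an iframe.
function frameablePaths(samples) {
  return samples
    .filter((r) => framingPolicy(r.headers) === "frameable")
    .map((r) => r.path);
}

console.log(frameablePaths(SAMPLES));
```
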


Aug 8 2008   3:44AM GMT

Software for Secure Computing: Secure Browsers



Posted by: Ken Harthun
Security, Microsoft Windows, Browsers, Internet Explorer, Firefox, Secure Computing

Two of the biggest mistakes Microsoft ever made were tying Internet Explorer into the Windows OS and ActiveX. Exploits took advantage of both and some of the nastiest malware ever written entered millions of PCs through these vectors. I’ll be the first to acknowledge that IE7 has enhanced security and MS has taken some of the hooks out of the OS, but the old adage, “Once burned, twice shy” is my operating basis. Yes, you can configure IE to be relatively secure, but it’s more work than the average user is willing to do. Why not just use a browser that’s relatively secure to begin with?

Some things still (unfortunately) require IE, so you’ll have to use it sometimes; but, for everyday use, I don’t recommend it.  Firefox 3 and Opera 9.5 are both inherently more secure than IE. Take your pick. Either way, you’ll be more secure on the Web.