Dropping Internet Explorer

March 8, 2008 – 3:24 PM

Last week, InfoWorld columnist Oliver Rist recommended that you stop using Microsoft Internet Explorer as your browser. He had good reason: the latest vulnerability reports point out significant security holes in IE that aren’t going to be easily overcome.

According to Rist (who is sitting behind me while I write this, just to make sure I don’t misquote him), the biggest problem is Microsoft’s continued use of ActiveX, but that’s by no means the only problem. In fact, it looks as if IE can’t be successfully patched, and what’s needed is a whole new version.

But what are you going to do if you don’t use IE? For most people, IE is the default browser; they don’t have another choice that’s easy to implement. Does that mean you should just grit your teeth and hope for the best? Not necessarily.

There are other browsers out there without IE’s security holes, most notably Mozilla. Getting Mozilla isn’t a problem — just download it from the Web site. The real problem is making sure that moving to Mozilla doesn’t introduce a new set of problems.

My own experience with Mozilla indicates that it works at least as well as IE and appears to be somewhat faster. I’ve already moved to Mozilla as my default browser because of the security issues with IE. As it happens, I’m also finding that I like it better than IE.

Unfortunately, the only way to know for sure whether Mozilla will work with the applications that require a browser is to test it. Install it on a few machines and see if anything breaks.

Testing Mozilla might be the first step on the path to IE separation, but the journey isn’t over yet. Many companies that run Web sites are lazy and code their sites only for IE because it’s the dominant browser, and the shortcuts they take can keep other browsers from working properly.

The only way to know for sure whether these shortcuts will short-circuit a non-IE browser is to try the potential replacement browsers against the Web sites you absolutely depend on. If they work, you won’t need to worry as much about adopting them, although you’ll still have to install the new browser on every machine, and that’s not the world’s easiest task in a large enterprise.

But there’s another task you have to worry about. What are you using for your own Web server? Internet Information Server has its own set of vulnerabilities, after all. And what about the code running on your Web site? Have you avoided the programming practices that lock your visitors into IE, such as depending on ActiveX? After all, a lot of companies are now using machines that don’t run Windows (and therefore can’t run IE), and a growing number are trying to avoid IE even when they do run Windows because of the security issues. You don’t want to discourage them from visiting your site, do you? I didn’t think so.

Unfortunately, you can’t drop IE from your Windows machines completely; you still need it for Windows Update. But you can use it sparingly, and until Microsoft issues a new release, that would be a good idea.

http://www.infoworld.com/article/04/07/16/29secadvise_1.html

Worm sleeps to avoid detection

March 8, 2008 – 3:23 PM

The latest mass-mailing worm, Atak, hides by going to sleep when it suspects that it is being run under antivirus analysis tools.

Atak was first discovered Monday. Although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.

Graham Cluley, senior technology consultant for antivirus company Sophos, said authors of malicious software generally try to make the job of antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.

“Atak tries to tell when someone is stepping through the code to analyze whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for (antivirus) companies to write the detections,” Cluley said.

Mikko Hypponen, director of antivirus research at Finnish company F-Secure, said that although it is common practice for virus writers to protect their malware, this worm is exceptional.

“It is standard for worms to have layers of encryption–or armoring–to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down,” Hypponen said.

Atak is not thought to be a serious threat. But because it was only recently detected and carries built-in anti-analysis protection, the worm’s full functionality has not yet been analyzed. It is known, however, that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.

Hypponen said there is a possibility that Atak will try to seek out and destroy “rival” worms.

“We haven’t been able to figure out if Atak tries to disable some of these viruses,” he said. “The message implies it does contain some code that attacks other viruses.”
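The check Hypponen describes (ask the system whether an analyst is attached, and go quiet if so) is easy to illustrate. The block below is an added example written for this page; it is not code from the Atak sample or from either researcher. Atak is a Windows worm and would use the Windows equivalents (such as the IsDebuggerPresent API or the BeingDebugged flag in the PEB); this example uses the Linux mechanism, the TracerPid field of /proc/self/status, so that it runs stand-alone on a Linux box. The two status-file samples are constructed, not real captures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the value of the "TracerPid:" field in /proc/<pid>/status text:
 * 0 when no debugger or tracer is attached, the tracer's pid when one is,
 * -1 when the field is absent. The key is only matched at line start, so
 * the unrelated "Pid:" line never matches. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t klen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, klen) == 0)
            return strtol(line + klen, NULL, 10);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read this process's own status file (Linux-specific; -1 elsewhere). */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* The decision the worm makes: a positive TracerPid means someone is
 * stepping through the process, so stay dormant. */
int analysis_suspected(void)
{
    return current_tracer_pid() > 0;
}

/* Constructed samples of /proc/<pid>/status output (not real captures):
 * one process stopped under a tracer with pid 4100, one running freely. */
const char SAMPLE_TRACED[] =
    "Name:\tsample\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t4100\nTracerPid:\t4100\nUid:\t1000\t1000\t1000\t1000\n";
const char SAMPLE_FREE[] =
    "Name:\tsample\nState:\tR (running)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    if (analysis_suspected()) {
        /* Atak-style behaviour: exit quietly and do nothing incriminating. */
        return 0;
    }
    printf("no tracer attached (TracerPid=%ld); payload would run here\n",
           current_tracer_pid());
    printf("sample traced -> %ld, sample free -> %ld\n",
           tracer_pid_from_status(SAMPLE_TRACED),
           tracer_pid_from_status(SAMPLE_FREE));
    return 0;
}
```

Run it plainly and it reports no tracer; run it under `gdb` or `strace` and it exits without printing anything, which is the behaviour the article calls "going to sleep". The check is cheap to defeat once you have found it: patch the branch in the binary, run the sample under a hypervisor-based tracer that the guest kernel does not report, or feed it a faked status file, which is why researchers describe such armoring as a nuisance rather than a real obstacle.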

http://news.com.com/Worm+sleeps+to+avoid+detection/2100-7349_3-5267258.html

Web Sites Still Infected

March 8, 2008 – 3:23 PM

More than 100 Web servers running Microsoft’s Internet Information Services software are still infected with malicious code that was part of a widespread Internet attack, known as Scob, or Download.ject, that began two weeks ago, a security researcher says.

Dan Hubbard, director of security and technology research at Websense Inc., a maker of employee Internet management and content protection software, says he spotted the 100-plus sites when the firm conducted its routine scan of roughly 24 million Web sites for malicious code and Web-based attacks.

The Scob attack first surfaced the week of June 21, when security researchers began warning that thousands of hacked Web sites were infected with malicious software and that those servers placed Web surfers at risk of attack.

It’s widely thought that Russian hackers were behind the attack, which took advantage of unpatched Web servers running Microsoft IIS version 5.0 as well as several vulnerabilities in Internet Explorer. One of the Internet Explorer vulnerabilities the hackers exploited had no patch available at the time of the attack.


There is no anti-spyware silver bullet

March 8, 2008 – 3:22 PM

The spyware threat to enterprise security will increase over the next few years without an enterprise-class tool to prevent it, consulting firm META Group warns.

Spyware mixes legitimate and malicious behaviour, which makes it difficult for traditional antivirus software to identify and clean up, leaving only a handful of consumer and emerging corporate products to combat the problem. And relying on those is pretty risky too.

The Spyware Warrior online forum claims that many of the anti-spyware tools on offer are actually malware or spyware themselves.

Some of these products simply do not provide proven, reliable anti-spyware protection. Others use deceptive sales tactics and false positives to scare up sales from confused users. A few are associated with known distributors of spyware and adware.

For instance, eAcceleration/Veloz Stop-Sign is accused of carrying “deceptive advertising” for sites related to CoolWebSearch, one of the most notorious browser hijackers around. NoSpyX promises a free scanner but then demands a purchase. Others are known to have stolen signature databases from other anti-spyware vendors.

At the moment, META Group says, there is still no “silver bullet” enterprise-class tool to protect against spyware, so the IT world must address the problem through a combination of policies, procedures, and products until more complete enterprise-class solutions become available.

META Group believes antivirus vendors are in the best position to provide extended threat protection once they add clean-up tools and a more complete signature database of spyware threats.

http://www.theregister.co.uk/2004/06/30/anti_spyware_silver_bulllet/

Password Stealing Browser Hijacker Discovered

March 8, 2008 – 3:21 PM

The Internet Storm Center has announced a very scary discovery: a browser hijacker, installed as a Browser Helper Object (BHO), that monitors what are supposed to be secure, encrypted browsing sessions and steals passwords. Because a BHO runs inside the Internet Explorer process, it sees form data before it is encrypted for the wire, so HTTPS offers no protection against it. The stolen passwords are forwarded to a web-based script at www.refestltd.com. It appears that this site has now been taken down.

The hijacker is loaded from a web page as if it were a .gif image file. The file is not really an image; it is a compressed trojan dropper that installs a .dll file as a BHO. How the trojan gets executed is unknown. The most likely explanation is that the page calling the file exploits some flaw in Microsoft Internet Explorer.

If any more information is discovered about this new hijacker I’ll be sure to mention it here.

http://www.spywareinfo.net/june30,2004#scary