Posts Tagged ‘Internet Explorer’

Unpatched security hole in Internet Explorer

Tuesday, July 1st, 2008

A security problem in Internet Explorer is being reported. Ryan Naraine writes:

Another day, another gaping hole affecting fully patched versions of Microsoft’s Internet Explorer browser.

According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.

The code, published here by ‘sirdarckat’, shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target’s keystrokes. This occurs because Internet Explorer fails to properly restrict access to a document’s frames, allowing an attacker to modify the contents of frames in a different domain.

No patch yet, but if I understand correctly the exploit uses JavaScript, so disabling scripting should protect you. In general, I recommend using Firefox with the NoScript extension.
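As an added illustration (not code from this post or from the report it quotes), the snippet below models the same-origin rule a browser is supposed to apply before script in one page may rewrite the document inside a frame, the rule the quoted report says Internet Explorer failed to enforce. The frame model, the helper names and the sample URLs are constructed for this example; it runs under Node.js.

```javascript
// Added example: a model of the same-origin gate that must sit in front of
// any cross-frame document access. Everything here is constructed for
// illustration and is not a browser's real implementation.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin = (scheme, host, port). The default port is filled in so that
// http://example.com and http://example.com:80 compare as the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Minimal model of an embedded frame: the URL it was loaded from and the
// text of the document it currently holds.
function makeFrame(url, body) {
  return { url, body };
}

// Guarded equivalent of script at callerUrl writing into a frame's document.
// A caller from any other origin is refused and the frame is left untouched.
function writeFrameDocument(callerUrl, frame, newBody) {
  if (!sameOrigin(callerUrl, frame.url)) {
    throw new Error(`SecurityError: ${originOf(callerUrl)} may not modify ` +
                    `a frame loaded from ${originOf(frame.url)}`);
  }
  frame.body = newBody;
  return frame.body;
}

// Demo with constructed sites: a shop page rewrites its own login frame,
// a page from an unrelated site is refused the same write.
function demo() {
  const frame = makeFrame('https://shop.example/login', '<form>login</form>');
  writeFrameDocument('https://shop.example/cart', frame, '<form>login v2</form>');
  try {
    writeFrameDocument('https://other.example/', frame, '<form>changed</form>');
    return 'cross-origin write allowed: the same-origin policy is broken';
  } catch (e) {
    return `${e.message}; frame body still: ${frame.body}`;
  }
}

console.log(demo());
```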

A lot of browsers unpatched

Tuesday, July 1st, 2008

Ars Technica reports on a study showing that as many as 40% of surfers are not using an up-to-date browser:

A recent collaborative study between Google, the Swiss Federal Institute of Technology, and IBM offers new insight into how many people surfing the web are doing so safely. According to the report, a clear majority of users (some 59 percent) are using the latest version of their preferred Internet browser—but that still leaves 40.1 percent who aren’t. That’s a troublingly high number for anyone working in IT security, given that virtually all (89.4 percent) of the vulnerabilities reported in 2007 were remote exploits. Not all of these exploits specifically targeted the web browser, but it’s become the target of choice for an increasingly large percentage of all attacks. Proper browser security is therefore of paramount concern.

Maybe you think that because you are up to date, it’s just tough luck if these other people are careless and get infected. That’s their problem. But it’s actually our problem as well. Who do you think is sending out all that spam in your mailbox or all those Trojans that might manage to slip through your defenses? The bulk of malware is sent by botnets containing the infected computers of these careless people. Everybody is affected. What can be done? The study group suggests:

The group of researchers include several of their own suggestions for improving browser security. Firefox and Opera are both credited for including an auto-update feature, but the team notes that “Firefox’s auto-update was found to be way more effective than Opera’s manual update download reminder strategy.” How effective? Way more effective. Auto-updates are, however, a Very Good Thing, and the group recommends the feature be included in all browsers. On the corporate side of things, the study recommends that businesses adopt URL Filters, or filters designed to prevent company employees from even touching websites carrying payloads of malicious content.

An interesting finding of the study is that a lot of people are still using Internet Explorer 6. How much that compromises security isn’t clear.

ActiveX biggest source of browser bugs

Tuesday, April 15th, 2008

Readers of this blog will not be surprised to hear that ActiveX problems account for the large majority of security holes in Internet Explorer plug-ins. Greg Keizer writes about a new Symantec report:

ActiveX controls accounted for an overwhelming majority of all browser plug-in vulnerabilities in the second half of 2007, Symantec Corp. said this week in its semiannual Web security report.

Microsoft Corp.’s technology, which is used to create add-ins for Internet Explorer, accounted for 79% of the 239 plug-in bugs discovered between July and December of 2007, Symantec said. The plug-in with the next-highest number of flaws was Apple Inc.’s QuickTime, which had just 8% of the six-month total.

Note the statistics for the Firefox browser:

Only one vulnerability in a plug-in for Mozilla Corp.’s Firefox browser was detected in the same period, meaning Firefox’s extensions — the moniker Mozilla Corp. uses for plug-ins — accounted for only 0.4% of all flaws found.