DON'T SURF IN THE NUDE
Security on a Shoestring
Security issues in the news - 2006
Sun Java JRE has been updated to version 6.0. As I've pointed out before, older versions of Sun Java contain security vulnerabilities, so updating to the latest version is essential. This is true for other products as well: I've mentioned security updates for Flash and QuickTime on this page. Wouldn't it be great to have a scanner that could check your computer for older programs containing security vulnerabilities? Well, now there is one!

Useful information on Zero-day vulnerabilities active and patched here.

One such Microsoft Word vulnerability is currently being used in targeted Trojan attacks. This seems to be a regular occurrence; the only difference this time is that the exploit emerged two weeks before 'patch Tuesday', with the malware writers gambling that MS wouldn't be able to issue a patch within two weeks, giving them six weeks before MS patches the vulnerability on the following patch Tuesday. ZDNet

New statistics on browser usage suggest many Europeans may use IE at work during the week, but prefer Firefox at home. The Inquirer

3/11/06 The browser wars- re-ignited!

Firefox 2.0 and Internet Explorer 7 are both out. Firefox requires that you download the installation file- it's not coming through automatic updates. IE7 now comes as a MS automatic update. Firefox 2.0 adds anti-phishing and a spell checker, IE7 brings improved security, tabbed browsing and anti-phishing. For me personally, Opera has the nicest appearance, but it's never long before I miss the features of Firefox: Adblock, the page search feature, and now the spell checker- indispensable!

Firefox wallpaper available here.

A good comparative review here.

After installing Firefox 2.0, I had a bit of a poke around. I noticed that the spell checker doesn't work until you right-click inside a web form (for example when posting on a forum), click on Languages and select Add dictionaries. I updated my Adblock list here. This is an excellent minimal list: it doesn't try to block every ad under the sun. I also discovered an add-on (the new name for extensions) to put the mail icon back on the task bar here. Finally, I learnt that Firefox 2.0 doesn't block third-party cookies, but there is an add-on to do that too here.

7/9/06

Firefox has been updated to 1.5.0.6, but if you're using the browser you probably knew that already, since updates come through automatically. Sun's Java, however, is not so good at keeping users up to date with the latest (and secure) version of the product. (It's been updated to Version 5 Update 6.) In fact, users may not be aware that an update is available (automatic update has never worked for me), and even users who do update may leave older versions of the program on their computer, where they can be used by malware for a drive-by download, in which spyware is installed without the user even being required to click 'yes' to a dialogue box. washingtonpost.com

IE7 and Firefox 2 are both due out soon. The IE team has been working on security and standards compliance for the new version of Microsoft's browser. On security, IE is closing the gap with Firefox:

"Microsoft and Mozilla are on a collision course, both racing to complete major updates to their flagship web browsers scheduled for release this fall. Over the past two years, Firefox has zoomed from nowhere to gobble a significant chunk of market share at Internet Explorer's expense. The biggest selling point for Firefox is its generally better record on security issues; so it's no accident that Microsoft has paid significant attention to beefing up security features in Internet Explorer 7." zdnet.com

On standards compliance, IE is making an effort but still falling short of Firefox and Opera. Microsoft's Chris Wilson speaks on standards compliance:

"There were a ton of bugs from IE6 that were causing web developers a lot of pain - and we really wanted to nail those and the most requested features upfront."zdnet.com

Opera's Håkon Wium Lie (the man who proposed the concept of Cascading Style Sheets, which are used in the design of this page, although mishandled by IE, incidentally) is not impressed:

"They're doing a paint job on their Pinto." (A Ford Pinto being a crap car from the 70's, apparently.) zdnet.com

Was it just IE's poor security record that made it the target of so much spyware, or was it the fact that it was such an attractive target due to its dominance? Will Firefox prove equally vulnerable as its market share increases and it is targeted more by spyware writers, or is it inherently more secure? Well, probably a bit of both, judging by the following reports:

"A spam e-mail making its rounds with a file attachment disguised as an "extension" or add-on for the Mozilla Firefox browser is actually a Trojan horse program, which allows attackers to install programs that intercept Web traffic from a victim's computer and monitor what he or she types, such as passwords and other login information."

Password-Stealing Trojan Disguised as Firefox Extension washingtonpost.com

So Firefox can be infected by spyware, but is it actually equally vulnerable to attack? A researcher subjected browsers to a flaw-finding program called a fuzzer, looking for previously unknown vulnerabilities:

"He discovered some issues that Mozilla's Firefox had, but the group fixed them quickly, he said. Opera's browser, at least the most recent version, stood up quite well.

'Opera 8.5 fell apart ten different ways, but 9.0 looks pretty solid,' he said."

IE suffered the 'lion's share' of bugs, and the researcher made the vulnerabilities he found public, prompting one Russian crook to email him to complain that he had revealed a vulnerability he was actively exploiting!

Daily flaws ratchet up disclosure debate SecurityFocus

Maybe IE6 at least was inherently less secure than other browsers, and didn't just get attacked because it was the dominant browser.

Malware writers are increasingly using different methods to attack different browsers. Here is a case where IE is attacked using exploits in the browser, while Firefox and Opera are attacked using social engineering:

The strange case of Dr.Rootkit and Mr.Adware (PDF)

The report also illustrates how malware is becoming more sneaky, finding ways to hide itself and make removal difficult. Fortunately, there are solutions to the rootkit problem. Here are some new arrivals on the anti-rootkit scene:

AVG Anti-Rootkit Beta FreewareFiles.com
Sophos Anti-Rootkit Sophos
How To Remove Rootkits with IceSword CastleCops
GMER gmer.net

Another tactic used by malware writers to make detection of their viruses more difficult is to make frequent modifications to the code so that the AV companies have trouble keeping their definitions up to date. Generic definitions and heuristics can be used to detect new variants, but how effective are they? One testing organisation tried to find out:

"ConsumerReports is currently the subject of concerted criticism. They dared to modify known viruses on a grand scale for an anti-virus software test."

"Experts from McAfee, Sophos and Kaspersky are queuing up to heap ever greater condemnation on this supposed taboo-busting." heise-security.co.uk

Over 100 security professionals have signed a letter against the practice: avien.org

The story is also commented upon here: sunbeltblog

Although it's not unheard of to modify Trojans to test how well an AV detects new variants, this has always been done as part of a test on real viruses:

"We’ve also taken some common steps to disguise one of the Trojans. Again, using well known free software, we’ve done only what a knowledgeable attacker would do."

"We’ve not written any original viruses; we’ve simply placed our test computers in the same situation as that faced by today’s regular computer user."
transceiver.co.uk

However, testing only on "fake" viruses can be criticised on many grounds- see the Sunbelt blog- and it's not my idea of a good AV test.
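To show why modified variants are a problem for signature-based AV, here is an added Python example (not from this page or any AV vendor) that compares an exact-hash signature with a generic wildcard byte-pattern signature over constructed, harmless sample strings standing in for a Trojan and two lightly modified variants.

```python
import hashlib
import re

# Constructed sample standing in for a Trojan executable (harmless text,
# not real malware), plus two constructed variants of the kind a quick
# hex edit or a rebuild with a different server address would produce.
ORIGINAL = b"MZ\x90\x00 TROJAN-X payload: connect 10.0.0.1:8080 and log keys"
VARIANTS = [
    ORIGINAL.replace(b"\x90\x00", b"\x90\x01"),            # one byte changed
    ORIGINAL.replace(b"10.0.0.1:8080", b"10.0.0.2:9090"),  # config changed
]
# Constructed benign file that shares only the generic header bytes.
BENIGN = b"MZ\x90\x00 hello world program"

# Exact signature: a hash of the whole file. Any change at all defeats it.
HASH_SIGNATURES = {hashlib.sha1(ORIGINAL).hexdigest()}

def exact_match(sample: bytes) -> bool:
    """True if the sample's hash is in the signature database."""
    return hashlib.sha1(sample).hexdigest() in HASH_SIGNATURES

# Generic signature: a byte pattern with wildcards over the parts a variant
# is likely to change (padding bytes, the server address and port), while
# keeping the invariant code strings that identify the family.
GENERIC_SIGNATURE = re.compile(
    rb"MZ\x90. TROJAN-X payload: connect [0-9.]+:[0-9]+ and log keys",
    re.DOTALL,
)

def generic_match(sample: bytes) -> bool:
    """True if the family pattern occurs anywhere in the sample."""
    return GENERIC_SIGNATURE.search(sample) is not None

def compare(samples):
    """Return (exact_hits, generic_hits) over a list of samples."""
    exact = sum(exact_match(s) for s in samples)
    generic = sum(generic_match(s) for s in samples)
    return exact, generic

if __name__ == "__main__":
    all_samples = [ORIGINAL] + VARIANTS + [BENIGN]
    # The hash catches only the original; the generic pattern catches all
    # three family members and still ignores the benign file.
    print("exact vs generic hits:", compare(all_samples))  # (1, 3)
```

A variant that rewrites the invariant strings themselves would slip past this generic pattern too, which is where the heuristics the text mentions take over.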

Talking of testing, here are the results of the latest AV and anti-spyware tests:

On-demand comparative August 2006 av-comparatives.org
Spyware Fighters pcworld.com
Anti-Spyware Software Computer Shopper

5/5/06

Firefox has been updated to 1.5.0.3, with two updates that fix security vulnerabilities. Version 1.5 of Firefox has automatic updates: users should install updates when prompted. Users of Firefox 1.0.x need to update to Firefox 1.0.8, which fixes security vulnerabilities. Older versions (1.0.4 and lower) are now vulnerable to auto-installing spyware. SunbeltBLOG. This is in contrast of course to the recent episode of auto-installing spyware on fully patched IE6. SunbeltBLOG.

The latest AV review from Computer Shopper makes interesting reading. Of the free anti-viruses, avast! did poorly, failing to detect several Trojans, while AVG did well, catching a Trojan that Symantec missed. The best at detection were Kaspersky and F-Secure. A free anti-virus program can still be effective, but back it up with an anti-Trojan program like Ewido (recently acquired by AVG). ComputerShopper.

The latest malware threat is the rogue anti-spyware program: a malicious program which often installs using security exploits, pretends to be a Windows notification or a legitimate anti-spyware program, and demands money to remove spyware it alleges to have found. Mark's Sysinternals Blog, SunbeltBLOG, Wiki.castlecops.com.

The most effective removal tool is SmitFraudFix. (Run in safe mode followed by a scan with Ewido.)

26/3/06

"Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to unspecified errors and can be exploited to execute arbitrary code on a user's system when a malicious SWF file is loaded."
Secunia

Check you have the latest version of Flash at macromedia.com.

17/2/2006

Firefox has been updated to version 1.5.0.1: the new update came through the incremental update feature of Firefox 1.5, without the need to reinstall the program as was previously necessary. Malware exploiting a security vulnerability in version 1.5 is 'in the wild', so Firefox users should make sure the update has come through.

A recent study on spyware by the University of Washington has some interesting results. The researchers 'crawled' the web looking for spyware, much like the 'honey monkey' project I mentioned last year. The results will not be especially surprising: 13.4% of executable files on the web were found to be infected with spyware. 5.9% of pages attempted 'drive-by' download attacks. Certain internet zones are more dangerous than others: games download sites and 'crack' sites are two of the worst offenders. The type of spyware also varies from zone to zone: adware on games sites, and Trojan downloaders, often installed by drive-by download, on crack sites.

The frequency of drive-by download attacks was found to be decreasing, possibly because more computer systems have automatic updates, meaning vulnerable computers are rarer. Lawsuits against companies installing software by drive-by download may also have had an effect. Blacklists (such as IE-Spyad) were found to be less than 100% effective at blocking spyware downloads, as spyware was also found on sites which were not on the blacklist, although blacklisted sites did include some which download more malicious forms of spyware such as Trojan downloaders.

The report tested two browsers, IE 6.0 and Firefox 1.0.6, on an XP system with no security patches. They found that IE was vulnerable to drive-by downloads without any user action; Firefox was only vulnerable to drive-by installations where the user clicked 'yes' to a dialogue box. IE was targeted by ActiveX installations, Firefox by Java installations.

A recent report also has some interesting statistics on browser security:

"For at least 38 days in 2005, Internet Explorer was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

By contrast, Firefox users were exposed to potential threats that might take advantage of publicly released exploit code for only 17 days. I could not find any public reports of viruses, spyware or worms using those exploits during the time that the Firefox vulnerabilities were unpatched."

Security Fixes Come Faster With Mozilla washingtonpost.com

Another report again raises the question of ActiveX security:

"New data collected by at least one notable security researcher suggests that as much as 50 percent of all computers powered by Microsoft Windows might contain one or more non-Microsoft components that could allow malicious Web sites to seize control of them.

The components at issue all rely on ActiveX, a Microsoft creation that is deeply woven into the Windows operating system and in Microsoft's Internet Explorer Web browser. ActiveX was designed to allow Web sites to develop interactive, multimedia-rich pages, but such powerful features rarely ever come without security trade-offs."

Research: Buggy, Flawed 'ActiveX' Controls Pervasive washingtonpost.com

Last December I mentioned a site which sets out to portray Firefox in a less than favourable light. Having criticised the site on several internet forums, I now find myself misquoted in the testimonials column to suggest that I support the site. I would like to point out that I do not endorse the site. The best answer to the site remains the excellent parody Firefox Fables.

Firefox Fables

14/1/2006

A security update to fix a previously mentioned security vulnerability in the Apple QuickTime Player is available here. Some people have reported problems with this update. c|net

The Anti-Spyware Coalition have been attempting to define spyware in their Risk Model Description.

Sysinternals has a good story about rogue anti-spyware applications apparently installing spyware via Microsoft IE vulnerabilities (including the recent WMF exploit.) A pop-up from the system tray then informs the user of the spyware infection and suggests the download of an anti-spyware program. This program finds the spyware but will only remove it if you pay for the full version.

Other rogue applications identify legitimate processes as spyware.

This scam highlights the danger of rogue anti-spyware programs, and also the need to apply the latest Windows updates as soon as they come out.

Security news from 2005.
