September 2006 - Posts

Congratulations West Coast Eagles - AFL Premiers 2006

If you want to see *real* men play football, you can see the game online, for free, here (Broadband required):
http://westcoasteagles.com.au/

No wimpy body armour or helmets for these guys

Interesting tidbit: The West Coast Eagles *lost* to Sydney in the lead up to the Grand Final a few weeks ago in a Preliminary Final and the score was the same, 85 - 84, except this time Sydney had the 85 points.

Posted by sandi with no comments

Running a Mac? You might want to get patched

http://docs.info.apple.com/article.html?artnum=304460

CFNetwork - Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated

Flash Player - Impact: Playing Flash content may lead to arbitrary code execution

ImageIO - Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution

Kernel - Impact: Local users may be able to run arbitrary code with raised privileges

LoginWindow - Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users

LoginWindow - Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled

LoginWindow - Impact: Network accounts may be able to bypass loginwindow service access controls

Preferences - Impact: After removing an account's Admin privileges, the account may still manage WebObjects applications

QuickDraw Manager - Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution

SASL - Impact: Remote attackers may be able to cause an IMAP server denial of service

WebCore - Impact: Viewing a maliciously-crafted web page may lead to arbitrary code execution

WorkGroup Manager - Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt

Posted by sandi with no comments

McAfee Site Advisor in damage control after the release of the 3sharp report

As noted in this blog post, McAfee's SiteAdvisor scored an extremely low 3 out of 200 (putting them in last place) in the 3sharp antiphishing tools test released just the other day.

McAfee are now crying foul.  Shane Keats has posted to my blog, and to the IE blog, disputing the inclusion of McAfee's Site Advisor in the tests because, in his words, McAfee "[doesn't] offer anti-phishing".

McAfee's online response can be found here (unfortunately they don't seem to use RSS, nor do they have unique links for individual blog posts):
http://blog.siteadvisor.com/2006/09/we_dont_do_antiphishing_1.shtml#comments

So, I went to have a look at the SiteAdvisor site to see what it *does* say.  The SiteAdvisor site says that it warns of "fraudulent practices" and has tested "sites representing more than 95% of worldwide Web traffic" and performs "tens of thousands" of tests every day (but phishing sites aren't included??)

"Web sites are tested for excessive pop-ups, fraudulent practices, and browser exploits."
http://www.siteadvisor.com/download/ie_learnmore.html

There is no mention of excluding phishing sites here either:

"SiteAdvisor is a consumer software company dedicated to protecting Internet users from all kinds of Web-based security threats and annoyances including spyware, adware, unwanted software, spam, pop-ups, online fraud and identity theft."
http://www.siteadvisor.com/press/faqs.html#q11

Perhaps McAfee should be more specific about what they consider to be "fraudulent practices", "online fraud" and "identity theft" and add a very clear statement that they do not protect from phishing in the FAQ in addition to the Support Centre URL Shane cites (people will not go to the support site unless they have problems).

Then I read Paul Robichaux's blog. He's also been contacted by Shane Keats and has some interesting points to share:
http://www.robichaux.net/blog/2006/09/mcafee_siteadvisor_sure_looks_like_an_an.php

Of particular concern is this comment:

"On August 3rd, I spoke via phone with both Craig Kenwec of McAfee and Scott Van Sickle of Global Fluency, a PR agency that handles client-security PR for McAfee. Both of them told me that SiteAdvisor incorporates anti-phishing functionality"

Here's the thing, McAfee.  Comments in the Support Centre, which users will not see unless they go looking for support, or in a blog, which your users may not read, are not a sufficient disclaimer.  Not when we take the rest of your site (and your own employee's and PR firm's comments) into consideration.

Why am I being so hard on McAfee about this?  Not because they "lost" or IE7 "won", but because protection of users is my primary concern.  As noted by the Anti-Phishing Working Group, and as I have seen in my own tests, phishing sites may attempt to download keyloggers and other dangerous software, and may attempt to take advantage of known Web browser exploits, to infect systems. 

Phishing sites can be extremely dangerous and if SiteAdvisor is going to disclaim protection from phishing sites and their users will not be protected, then their users deserve, nay they NEED, such a disclaimer to be clearly communicated to them right from the start, and not have the information buried in a support site or a blog.  And they certainly don't deserve to be misled by statements on the SiteAdvisor site like those highlighted above.

SiteAdvisor need to make it very, very clear that they are disclaiming protection against phishing sites.  The reality is that SiteAdvisor users are assuming that they are protected from phishing, and they are not being dissuaded from this misapprehension by the FAQ or the Learn More page, and will not be dissuaded unless and until they visit the SiteAdvisor Support Site and/or the SiteAdvisor blog.

Oh, and McAfee, do me a favour and change your home page.  In my world phishing sites *are* "online scams":

Posted by sandi with 6 comment(s)

Important clarification re the Web View Folder Icon Integer Overflow vulnerability

Despite all the headlines to the contrary, this is not an IE vulnerability, although IE is an exploit vector - it is a vulnerability in the Windows Shell - a subtle but important distinction (it just goes to show - always double-check what is being said, no matter who the source is - sorry Tony)

MS Security Advisory here - patch due by October 10
http://www.microsoft.com/technet/security/advisory/926043.mspx 

Secunia and FRSIRT have released information about a new vulnerability:
http://secunia.com/advisories/22159/
http://www.frsirt.com/english/advisories/2006/2882

Posted by sandi with no comments

Secunia and FRSIRT announce IE vulnerability - Web View Folder Icon Integer Overflow

Note: despite all the headlines to the contrary, this is not an IE vulnerability, although IE is an exploit vector - it is a vulnerability in the Windows Shell.

Edit: MS Security Advisory here - patch due by October 10
http://www.microsoft.com/technet/security/advisory/926043.mspx 

Secunia and FRSIRT have released information about a new IE vulnerability:
http://secunia.com/advisories/22159/
http://www.frsirt.com/english/advisories/2006/2882

My tests indicate that not only does the demonstration page crash Internet Explorer 7 on Windows XP if you allow the ActiveX control to download and run, it also kills FrontPage until you reboot... I must have spent half an hour trying to "fix" FrontPage until it occurred to me that the crash I was seeing, and the exploit, both affected the same functionality - Web Folders.

Note, the demonstration page does not work in IE7 on Vista even with Protected Mode turned off - the "Start Demo" button does not respond.

The error in FrontPage that I experienced after crashing IE7 using the exploit was "Cannot find stsnwi.dll" when trying to publish updates.

My skills are not sufficient to be able to tell you if the IE crash is sufficient to allow an exploit, or if it simply crashes IE.  Somebody way smarter than me will need to study that. If I find out, I'll let you know.

Posted by sandi with 2 comment(s)

Gone Phishing: Evaluating Anti-Phishing tools for Windows

3sharp, a Redmond based technical services company, has been commissioned by Microsoft to undertake a competitive study of various anti-phishing technologies.  The results of that study were released just minutes ago.

The IE team comment on the study:
http://blogs.msdn.com/ie/archive/2006/09/28/774513.aspx 

Before we proceed, I will say, right at the outset, that the only safe antiphishing technology is one that *BLOCKS* access to known phishing sites.  Why?  Because in its July report (released on 11 September 2006), the Anti-Phishing Working Group reported 182 unique websites hosting password stealing trojans, 1850 sites hosting password stealing malicious code (exploits) and a large increase in traffic redirecting, also known as pharming:
http://www.antiphishing.org/reports/apwg_report_july_2006.pdf
In short, it is not enough to simply warn a user that a Web site is a known phishing site yet still display the page.  Just opening a phishing site in your Web browser can be dangerous, even if you have absolutely no intention of entering any information on a page, if that site attempts to infect your system with a trojan, keylogger or other nasty.  Please keep this in mind when deciding which protective technology you wish to use.  I cannot recommend strongly enough that you choose a product that BLOCKS access to known phishing sites.

Unfortunately IE7 allows sites to continue to load while the phishing filter makes its checks, meaning that it is still theoretically possible for a site to infect a PC even when "blocked" by IE, but any hostile activity that requires user interaction is neutralised.  Your security settings would have to be lowered to allow automatic execution of code or ActiveX, or an exploitable vulnerability would have to be used, and we know that IE7 has been immune to virtually all vulnerabilities.

Ok, now to the results....

The products were tested using 100 known phishing URLs (which had to be tested within 48 hours of collection) and 500 known good URLs.

The "winner", with the best overall performance, and a composite accuracy score of 172 out of 200 was Internet Explorer 7 Beta 3 (V7.0.5450.33).

2nd place went to the NetCraft toolbar (V1.6.2) with IE6 with a score of 168 out of 200.

A distant third was Google's Toolbar for Firefox with "Safe Browsing" (V2.0) with Firefox 1.5.0.4 with a score of 106 out of 200.

The remaining products rated:

eBay's toolbar with AccountGuard (V2.3.1) with IE6 - 92 out of 200 (note, eBay restricts itself to eBay and PayPal spoofs and will not detect any other type of phish)

Earthlink's ScamBlocker (V3.1.5) with IE6 - 76 out of 200

GeoTrust's TrustWatch (V3b1) with IE6 - 67 out of 200

Netscape (V8.1) - 56 out of 200

McAfee SiteAdvisor (V1.5.0.0 build 3083) with IE6 - 3 out of 200

Total catch rate for known phish URLs - pay particular attention to the block versus warn percentages

Mistakes made on known "good" URLs

Important tidbits

  • Although GeoTrust did very well with a 99% catch rate, it also had a very high rate of false positives at 32.2%.  Not only that, it does not block access to known phishing sites.
  • When scoring results, a false block on a good site was scored as twice as bad as a false warning.  Allowing a good site had zero value.
  • The known phishing URLs were not taken from any feeds from known third-party data providers or end users to the Microsoft Phishing Filter Service in IE7.
  • Known good URLs were pulled from a feed of randomly selected traffic-weighted URLs provided by Microsoft and were independent of, and confirmed not to be included in, the Microsoft Phishing Filter system (they are not in the Phishing Filter white list).

The full report, and associated Press Release, can be found at the URL below. The report provides comprehensive information about how the products were tested, the rules under which the tests were conducted, how and where the phishing URLs and good URLs were sourced and how scores were calculated, and a full list of the URLs used during testing is also included.
http://www.3sharp.com/projects/antiphishing

Podcast:
http://www.robichaux.net/blog/3sharp_releases_gone_phishing_study_of_a.php

FAQs about "Gone Phishing: Evaluating Anti-Phishing Tools for Windows"
http://www.robichaux.net/blog/2006/09/frequently_asked_questions_about_3sharps.php

Recommendations:

The most important thing to me is that users are safe when browsing the Internet.  That is why I am doing all I can to encourage users to update their copy of Internet Explorer to IE7 Release Candidate 1.  I also strongly recommend that, if you are using IE7, you enable the Phishing Filter.

If, for whatever reason, you are not able to run IE6 then I recommend that you download and install the NetCraft toolbar.

Quick statistics about IE7's phishing filter

  1. The Phishing Filter is a “real time” service that does not require a user to download or regularly update a list of “bad” sites.
  2. Microsoft has been adding up to 17,000 URLs a month to its Phishing Filter service.
  3. From February to Mid Aug 2006 the Phishing Filter helped block over 800,000 instances of people trying to access reported phishing websites using IE7 or MSN/Windows Live Toolbar.  This figure includes almost 500,000 blocks since IE7 Beta 2 was released.
  4. IE7 users are reporting up to 4,500 potential phishing sites per week.

Posted by sandi with 6 comment(s)

Spam as a business

Seen on the Microsoft Switzerland Security Blog:
http://news.bbc.co.uk/1/hi/technology/5371078.stm

"Analysis of the net addresses where the e-mail messages originated showed that more than 100,000 hijacked home computers [my emphasis] spread across 119 nations had been used to despatch the junk mail."

Do you have a home computer? A broadband connection? Then the spammers want your machine, and if you give them the chance, they will use it.  Get thee a firewall and get thee patched (my networks were hammered by employment spam that was being sent via home PCs compromised via the vulnerability patched by MS06-040).

Coincidentally, Trend has released a product called Intercloud, which specifically addresses the mounting threat posed by botnets, the networks of compromised machines that can be remotely controlled by an attacker:
http://www.trendmicro.com/en/about/news/pr/archive/2006/pr092506.htm

Hopefully such technology will, over time, help reduce the damage caused by home based spambots and other zombies.  It's always been a major problem that home based PCs, and their users, do not have an IT department to oversee a system's security and health status.  Now ISPs will hopefully find it easier to detect, and neutralise, such compromised systems.  I can only hope that the ISPs also take steps to educate their users.  Just cutting them off isn't going to fix anything unless the infected users are also taught not only how to clean their system, but how to avoid being infected again in the future.

Posted by sandi with no comments

Patch released for high profile VML vulnerability

A patch for the high profile VML Vulnerability has been released by Microsoft. It resolves not only the public vulnerability but also additional issues discovered through internal investigations.  It is available via Windows Update, Microsoft Update, Autoupdate and WSUS.

It only applies to IE5 and IE6 machines.  IE7 is immune to this vulnerability (and most others).

Security Bulletin here:
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Microsoft Security Response blog:
http://blogs.technet.com/msrc/archive/2006/09/26/459194.aspx

Important notes:

If the workaround “Modify the Access Control List on Vgx.dll to be more restrictive” has been applied to systems, the security updates provided may not install correctly. See the Workarounds for VML Buffer Overrun Vulnerability – CVE-2006-4868 section in this security bulletin for instructions on how to revert this workaround before applying this security update.

You may also wish to review Jesper's comments about reversing mitigations that may have been applied to your system:
http://msinfluentials.com/blogs/jesper/archive/2006/09/26/VML-Patch-Is-Out-_2D00_-Unapply-The-Mitigations.aspx

Posted by sandi with 1 comment(s)

By request: What is the best antispyware application?

Hello Tagshare - tell Wayne he owes me a Chivas Drinks

"What is the best antispyware application?" is an oft asked question.  Unfortunately, gentle reader, the answer is one that you may not like.

In short, there is no magical prophylactic out there that will protect your computer from all spyware, or from the inevitable results of "unsafe hex".  So, as much as I would like this article to say "download and install Product X and you will be safe", that is not going to happen.

I have lost track of the number of times I have been asked to clean an infected PC, and the owner says to me "but I'm running Product X, or Product Y - I thought I was protected".  I've also lost track of the number of times products such as AdAware, Spybot, Trend, and sundry other catch-all antispyware or antivirus products have been installed on a PC yet FAILED to PREVENT or properly CLEAN an infection.

You see, many antivirus and antispyware applications are "reactive".  A threat emerges and they react to it - studying the threat, and then writing and releasing definitions that detect it, leaving a window of opportunity when the threat is undetectable.

The malware world is not what it was back when AdAware, Spybot and the like came into being.  Back then, adware removal was easy.  All you had to do was delete a few files whose names never changed, and perhaps some registry entries.

But then randomly named files appeared, then hidden files, then super hidden files, then the bad guys started installing multiple services that monitored each other, instantly recreating/reinstalling removed malware, then came the rootkits, then writing to AppInit_DLLs, making it well nigh impossible for old style cleaners to get rid of infections.

Nowadays, I do not recommend AdAware *at all*, and only recommend products like Spybot to cut down the noise - that is, to get rid of the easy stuff so that I can concentrate on the big problems.

What we need to do is get past the idea of depending on what is effectively a monitored alarm system, and stop the bad guy *before* he climbs through the open window and trips an alarm.  By the time that alarm has been tripped, a lot of damage may have already been done.

Ok, so as we move away from detection of threats as they appear on our machines, towards preventing the bad guys from being able to raise a threat at all (a subtle, but important distinction), how is this best achieved?  We take a multi-pronged approach.  We look at the operating system; we look at its patch level; we look at the Web browser; we look at user permissions; we look at the Web browser settings.

Ok, let's get to work.

Operating system:
Move away from Windows 95, 98, 2000 and XPSP1.  Upgrade to XPSP2.  Local Machine Zone lockdown (LMZ), Zone Elevation Blocks, and MIME Handling Enforcement all work together to make it that bit harder for the bad guys to get to us via the Internet.

Rather than repeat the content of one of my published articles, I'll send you to its URL for further information:
http://www.microsoft.com/windows/ie/community/columns/improvements.mspx

Security patches:
Download and install those security patches.  Turn on automatic updates and set it to check for updates every day (yes, I know, we have "Patch Tuesday" now, but products such as Windows Defender are not restricted to once a month updates, and we also want to get out-of-band security patches as soon as they are released - and believe me, if it's out of band, you want to install it as soon as possible).

When the MySpace banner ad debacle occurred in July this year, over 1 million PCs were infected via an exploit that had been patched six months earlier!!!  In August, itnews.com.au reported that 50,000 PCs had been detected that had been infected via a specific exploit in just one week after a patch was released.  This is because the bad guys grab those patches, reverse engineer them and work out how to use the vulnerabilities those patches fix to infect as many machines as possible.  You have to patch, or you have to use one of the approved workarounds if you must test a patch before roll-out.

Internet Explorer:
The single most effective thing you can do to protect yourself from spyware on the Internet is to update to Internet Explorer 7.  Of course, if you are in a corporate environment you will need to check your Line of Business applications to ensure that they will continue to work. Read the RELEASE NOTES and make a judgment call based on the software that you run.

To be extra careful, you can search the general Internet Explorer newsgroup for mention of your software to see if others are having problems.

Now, as the following URL will show you, running IE7 will *NOT* protect you if you don't practice safe hex.  That is, if you reduce Internet Explorer's security settings, if you say yes to download prompts, if you believe, and click on, those ridiculous pop-ups and banner ads that trumpet false warnings about infection, or you allow pop-up advertisements (that are also often used to slip malware on to a PC) you will end up getting infected.

Malware in action - August 2006:
http://msmvps.com/blogs/spywaresucks/archive/2006/08/28/110588.aspx

Other Web browsers:
Don't assume that just because you use Firefox, or Opera that you are somehow "safe".  You're not.  Firefox and Opera will not protect you from unsafe behaviour and settings, and they have also been subject to their own exploits.  Search this blog for the word Firefox or the word Opera to find articles that I may have posted about vulnerabilities in those products.

Safety on the Internet:
As the Winfixer example above illustrates, we *must* start practicing "safe hex".  Pop-up advertisements, banner ads, and Web pages are all conduits for infection.   If anything tries to warn you that your PC is infected **and you did not go to that site and request a scan** DON'T BELIEVE IT!  Seriously.  If you really want to be sure, go to a reputable site like Trend or Ewido and conduct your own scan.

Remember, pop-ups and Web pages **cannot** see what is installed on your computer without the assistance of additional software which you must download and install first, so if a pop-up or banner reports that it has detected <whatever> it's lying.

There is a famous Microsoft essay entitled "The 10 Immutable Laws of Security" which can be found here:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Briefly, the 10 laws of security are:

 Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

 Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

 Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

 Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

 Law #5: Weak passwords trump strong security

 Law #6: A computer is only as secure as the administrator is trustworthy

 Law #7: Encrypted data is only as secure as the decryption key

 Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

 Law #9: Absolute anonymity isn't practical, in real life or on the Web

 Law #10: Technology is not a panacea

But I still want to use antivirus and antispyware software - what do you recommend?

Ok, I'll answer your question, but you have to *promise* to keep your system patched, practice safe hex, and not assume that your choice of prophylactic is going to allow you to throw caution to the wind and do whatever you want online without risk of harm.

Forget AdAware and Spybot, ok?  They're not up to the job with the nasty stuff out there like Smitfraud, Vundo and their ilk.

This is what I recommend:

1.  Install IE7 (after reading the release notes and assessing whether it is compatible with essential applications).  Not only does it beef up your Web browser security, it has been immune to virtually every exploit published this year.

2.  You may want to consider Mike Burgess's HOSTS file.  It works by stopping your computer from getting to many known bad sites - that is, your computer will not be allowed to download stuff and *then* be stopped from running it (assuming it is not already too late)  - instead, access to the bad sites will be completely blocked, and the bad stuff won't get anywhere near you.  If a Web page tries to load something from a bad site, whether it be a pop-up, or a banner ad, a dangerous file, or even an entire Web page, IE simply won't get there because the URLs are all mapped to localhost (your local machine).  Mike's HOSTS file can be found here:
http://www.mvps.org/winhelp2002/hosts.htm

IMPORTANT DISCLAIMER:  The HOSTS file will not protect you from previously unknown or extremely new dangerous URLs, but it will do more than just about any product to reduce the risk surface.  It must be updated regularly, and you can subscribe to a mailing list that will alert you to updates.

3.  Windows Defender Beta 2 - but make sure you upgrade to Advanced Membership and turn on real time protection.  Windows Defender is a traditional "detection" product in many ways, but it stands out from the crowd because of SpyNet.  SpyNet is an early warning system about spyware and other undesirable software.  As Windows Defender is used around the world to scan systems, information about new threats that have been discovered is quickly circulated between SpyNet’s advanced members using the SpyNet Community Rating system for unclassified software.  This rating system shows us what other Windows Defender users have been doing when particular software is discovered on their machines, by displaying a bar graph which shows how many people have allowed, removed or blocked a particular program or item - so, you are warned not only about classified software, but also about unclassified software that the SpyNet community does not trust.

Windows Defender can be set to check for updates immediately before every scan.  Make sure you use that setting.

4. Antivirus.  For years I used Vet Antivirus until the product was bought out by Computer Associates and I became concerned at where the product was going, at which time Trend wooed me away.  Again, it must be updated regularly (all my systems are set to check for updates hourly), and I strongly recommend nightly scans (not weekly, as some recommend).

I strongly recommend AGAINST Norton and McAfee products.
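The HOSTS file approach in item 2 above works by exact hostname lookup: a name listed in the file resolves to your own machine, so the browser never reaches the real site. As an added example that is not from the original post or from Mike Burgess's list, this Python script parses a constructed HOSTS excerpt and shows which URLs it would and would not block; every domain name in it is a placeholder, and the "unknown subdomain" and "bare IP address" cases illustrate the limits the disclaimer describes.

```python
"""Model of HOSTS-file blocking (added example, not the blog's own code).

A HOSTS file maps a hostname to an address before DNS is consulted.  Mapping
a bad hostname to 127.0.0.1 or 0.0.0.0 means the browser connects to the
local machine (or nowhere) instead of the real server.  The sample below is
constructed for this example; the domain names are placeholders.
"""
from urllib.parse import urlparse

# Constructed HOSTS excerpt: "<address> <hostname> [hostname ...]", '#' comments.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1       localhost
0.0.0.0         ads.bad-example.test
0.0.0.0         www.bad-example.test   bad-example.test   # two names, one line
127.0.0.1       tracker.example.invalid
"""

# Addresses that mean "go nowhere" when used as a HOSTS target.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# The normal loopback entries are not blocks and must be ignored.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: address} for every mapping in a HOSTS file body."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comment and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                               # malformed line, ignore it
        address, names = parts[0], parts[1:]
        for name in names:                         # one address, many names
            mapping[name.lower().rstrip(".")] = address
    return mapping


def is_blocked(url, hosts):
    """True if the URL's host is mapped to a loopback/null address.

    Only an exact hostname match counts: HOSTS has no wildcards, so an
    unlisted subdomain of a blocked domain is NOT blocked, and a URL that
    uses a bare IP address never consults the HOSTS file at all.
    """
    host = urlparse(url if "//" in url else "//" + url).hostname
    if host is None:
        return False
    host = host.lower().rstrip(".")
    if host in LOCAL_NAMES:
        return False
    return hosts.get(host) in BLOCK_ADDRESSES


def classify(urls, hosts):
    """Map each URL to True (blocked by HOSTS) or False (would be fetched)."""
    return {u: is_blocked(u, hosts) for u in urls}


HOSTS = parse_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    demo_urls = [
        "http://ADS.bad-example.test:8080/banner.js",   # listed, any port/path
        "bad-example.test/index.html",                  # scheme-less URL
        "http://cdn.bad-example.test/",                 # unlisted subdomain
        "http://203.0.113.5/",                          # raw IP, HOSTS unused
        "http://localhost/",                            # loopback, not a block
    ]
    for url, blocked in classify(demo_urls, HOSTS).items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {url}")
```

Case, port and path do not matter because the lookup is on the hostname alone; the two "allowed" cases are exactly what the disclaimer means by new or unknown URLs getting through.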

Posted by sandi with 5 comment(s)

Federal Bureau of Investigation Honors Microsoft for Rapid Response to Mytob/Zotob

On behalf of Robert S. Mueller III, director of the Federal Bureau of Investigation, FBI Cyber Division Assistant Director James E. Finch today presented certificates for “Exceptional Service in the Public Interest” to nine Microsoft employees, including Brad Smith, Microsoft Senior Vice President and General Counsel, for their assistance in the swift resolution of the 2005 Mytob/Zotob computer worm investigation.

http://www.microsoft.com/presspass/press/2006/sep06/09-25FBICertificates.mspx

Posted by sandi with no comments

New Internet Explorer KB articles

BUG: The Setup program does not respond when you deploy a ClickOnce application over the Internet or over an intranet and a user clicks Install or Run on a published page in Internet Explorer 6
When you deploy an application that uses ClickOnce technology over the Internet or over an intranet, a user on a client computer may click Install or Run on a published page. However, the Setup program does not respond. Additionally, the user does not receive an error message. When you try to install the ClickOnce application from the Web server, the Setup program runs as expected.  This problem occurs when you are using Microsoft Internet Explorer 6.
http://support.microsoft.com/default.aspx?scid=kb;en-us;922774


Information about some new Group Policy settings for Internet Explorer Security Zones in Microsoft Windows XP SP2 and in Microsoft Windows Server 2003 SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;922704

Posted by sandi with no comments

Say what? California Attorney General is suing car makers for damages over global warming

For crying out loud:

"In a first-of-its-kind suit, California Attorney General Bill Lockyer is demanding damages from automakers for the impact of global warming."
http://www.overlawyered.com/2006/09/calif_ag_sues_automakers_for_g.html

Posted by sandi with no comments

Important - IE VML Vulnerability - IE7 is immune

Internet Explorer 7 is immune to this vulnerability (just like it has been immune to virtually all the other vulnerabilities that have been announced).  I strongly recommend that you update to the IE7 Release Candidate as soon as possible.

To quote the IE team themselves back in August "...With the exception of a very short list of issues we’re aware of and working on, we think the product is done.... Depending on your feedback, we ***may*** [my emphasis] post another release candidate. We’re still on track to ship the final IE7 release in the 4th calendar quarter." 

Please, don't hold off installing IE7 for these last few months just because IE7 is still "in beta".  Read the RELEASE NOTES and make a judgment call based on the software that you run.

If you have problems, there is this blog, and the support newsgroups available to you.  It should be noted that HP Director software will have problems (but a workaround has been posted to the newsgroups) and Norton software is problematic (frankly, IE7 RC1 will protect you from exploits far better than Norton - if given a choice between the two, I say go for IE7 and move to a different antivirus). 

To be extra careful, you can search the general Internet Explorer newsgroup for mention of your software to see if others are having problems.

Of course there will be situations where you cannot install IE7 because there is an application that you know will break.  But, in circumstances like this, where you will protect your machines not only from the vast majority of exploits, but in all likelihood future vulnerabilities (which is a *major* security benefit) we should assess the situation on a per site basis and make a decision.  Test things out.

Screenshot of results of Zert test page using IE7RC1 on XPSP2:

Internet Explorer 7 on Windows Vista Ultimate (unlike Ed Bott I did not see any ActiveX prompts):

To recap:

A patch is anticipated by October 10, but may be released earlier (see 2nd Security Centre blog entry listed below) 

Information about IE VML vulnerability posted at MS.

http://www.microsoft.com/technet/security/advisory/925568.mspx
http://support.microsoft.com/kb/925568

Jesper has also posted information about how to mitigate the threat as well:

http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx

Microsoft Security Response Centre blog:
http://blogs.technet.com/msrc/archive/2006/09/19/457560.aspx
http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx

Posted by sandi with 3 comment(s)

ActiveNetworks takes a swipe at Microsoft and Internet Explorer - perhaps they should stop allowing Winfixer to be advertised on their site before throwing stones.

"Seriously, how many times must users and businesses be kicked in the face before they buy a clue? Before they realize that they don't have to stay in the abusive Microsoft relationship? The answer seems to be: an unlimited number of times. Take, for example, Internet Explorer. In the latest bad news, the newest zero-day flaw in the Internet Explorer implementation of the Vector Markup Language has opened up a gaping wound in Windows. Through that wound, every kind of garbage imaginable—bots, Trojan down-loaders, spyware, rootkits—are pouring into Windows systems."
http://www.activewin.com/awin/comments.asp?HeadlineIndex=36555

Such commentary is truly ironic, and dare I say hypocritical, coming from a site that has been caught allowing the spread of malware like Winfixer via income earning banner ads more than once.

August 28 2006
http://msmvps.com/blogs/spywaresucks/archive/2006/08/28/110588.aspx

March 6 2006
http://msmvps.com/blogs/spywaresucks/archive/2006/03/06/85583.aspx

Yes, the problem continues to the current day.  I have this suggestion for ActiveNetworks.  If they are going to get on their high horse about Microsoft, then I strongly suggest they clean up their own backyard first and stop allowing crap like Winfixer to be spread via advertisements on their site.

I went here:
http://www.activewin.com/faq/longhorn.shtml

I saw this:

I clicked on the banner and was sent here - the site immediately tried to download Winfixer to my machine:

As you can see, the site also reported that a file called win32res.exe was sending information about my machine.  If you conduct a Google search you will find several discussions about Winfixer making false claims about win32res.exe.  So, I conducted a search for the file:

What do you know... there is no such file on my machine - why am I not surprised:

Posted by sandi with no comments

My first foreign language phishing email

I've just started working with Windows Mail in Vista.  I was particularly interested in seeing the phishing filter in action.

There was the normal paypal phishing, and ebay phishing, and bank phishing, but the two newest phish emails were ones I have not seen before.  They were in Hebrew and *very* simplistic.  No fancy scripting... no complicated URLs, redirects or trickery.  Just a simple embedded graphic, a username and password field (I think) and a submit button.  I wonder what sort of publicity there is in the Hebrew speaking world to warn about such dangers on the Internet.

Posted by sandi with no comments

RSS security in IE7 and attachments - how does it work?

The RSS team have written a new article about RSS in IE7 and how it handles attachments:
http://blogs.msdn.com/rssteam/archive/2006/09/20/763966.aspx

Of particular interest is this comment:

"We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable)... AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. "

Note that the ability to download enclosures is also managed by Internet Explorer's security zone.  If you want to block all enclosures from a site, simply add it to your Restricted Sites Zone.


Posted by sandi with no comments

SPI Dynamics reports on RssReader vulnerability

Citing Secunia:
http://secunia.com/advisories/21994/

"The vulnerabilities are caused due to input validation errors in the processing of Atom and RSS feeds. This can be exploited to inject and execute arbitrary HTML and script code in context of the feed by tricking a user into adding a malicious feed and then viewing the content of it."

Please rest assured that IE7 is not prone to such a vulnerability because:

  • The Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.
  • Just in case the first step misses something, IE's feed view uses a variation on the Restricted Zone to show a feed, meaning that no script in a feed will run, even if it makes it through the previous step.

http://blogs.msdn.com/rssteam/archive/2006/09/09/747111.aspx

Ironically, SPI Dynamics was mentioned in that very post.
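A store-time allow-list sanitizer of the kind the first bullet above describes, written here as an added example; it is not the Windows RSS Platform's or the RSS team's own code, and the tag/attribute allow-lists, the sample feed and the names FeedSanitizer and sanitize_feed are assumptions constructed for the illustration:

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Allow-list: any tag, attribute or URL scheme not listed here is dropped.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # rejects javascript:, data:, vbscript: ...

class FeedSanitizer(HTMLParser):
    """Rebuilds a fragment from allow-listed parts; <script>/<style> bodies are discarded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops on* event handlers, style, etc.
                if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # keeps the tag but drops the unsafe URL
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    handle_startendtag = handle_starttag  # <br/>, <img/>: no closing tag to emit

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize_html(fragment):
    p = FeedSanitizer(); p.feed(fragment); p.close()
    return "".join(p.out)

def sanitize_feed(xml_text):
    # Store-time step: map each RSS <item> title to its cleaned <description>.
    root = ET.fromstring(xml_text)
    return {i.findtext("title", ""): sanitize_html(i.findtext("description", ""))
            for i in root.iter("item")}

# Constructed sample feed carrying the kind of script injection the Secunia advisory describes.
SAMPLE_FEED = """<rss version="2.0"><channel><title>demo</title><item><title>bad</title>
<description><![CDATA[<p onmouseover="alert(1)">Hi <script>alert(1)</script>
<a href="javascript:alert(2)">click</a> <a href="http://example.com/">ok</a></p>]]></description>
</item></channel></rss>"""
```

Sanitizing on store is the first layer only; the post's second layer (rendering the stored content in a zone where script cannot run) is what catches anything this kind of filter misses.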

Posted by sandi with no comments

By far the funniest, and the most sale-destroying, product review I have read in a long time.

"Uh oh, that didn't go quite as planned" says Sprint Person 1 to Sprint Person 2.

Sprint sent Joel Spolsky one of their new phones to review on his blog - an LG Fusic.

Joel doesn't like the phone.

Joel makes it very clear to his gentle readers that he doesn't like the phone, and why.

What is my favorite excerpt?  I can't choose. There's too much to love.  I strongly recommend you go and read his review, and then go buy some shares in the company that manufactures the most popular antacid product for sale in Sprint's home town... they're going to need buckets of the stuff.

For your reading pleasure....
http://www.joelonsoftware.com/items/2006/09/19b.html

Posted by sandi with 1 comment(s)

Information about the IE VML Vulnerability

Information about the IE VML vulnerability has been posted at MS.

http://www.microsoft.com/technet/security/advisory/925568.mspx
http://support.microsoft.com/kb/925568

Jesper has also posted information about how to mitigate the threat:

http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx

Microsoft Security Response Centre blog:
http://blogs.technet.com/msrc/archive/2006/09/19/457560.aspx

Note that there will hopefully be an update released to address the vulnerability on or before 10 October 2006.

Posted by sandi with 1 comment(s)

Signs of life in the Windows Genuine Advantage blog

They've been too quiet over there, without a single post for the entire month of September.

Alex is back now, and being the person that I am, his last paragraph was the one that interested me the most.  He says:

"Another thing that has been keeping me pretty busy is the time I’ve spent supporting some analysis done internally on actual samples of counterfeit Microsoft software that have been obtained from around the world. We’ve been looking at how the software might be different from what was actually released, whether code has been altered or additional code included etc. We’ve seen some pretty interesting results and I should be able to share more info on this research soon."

I, for one, will be *very* interested to hear the results of the research that Alex mentions.

Posted by sandi with no comments