October 2006 - Posts

Time for a rant; how many sites are pointing out that many web browsers are vulnerable to the window injection vulnerability?

Edit: fix title. 

Come on guys - are people really so determined to find bad news about IE7 that they are willing to let important information about a vulnerability go unmentioned in their reports?

Despite the Secunia Window Injection Vulnerability Test URL being http://secunia.com/multiple_browsers_window_injection_vulnerability_test/, and the test itself mentioning multiple Web browsers being affected, many news sites and blogs only mention IE7 in their reports.

Now, assuming that all of the Web sites below actually looked at the vulnerability test page, and read its content, as distinct from only reading the Secunia report specific to IE7, I have to ask why so few sites are mentioning that multiple Web browsers are vulnerable?  Are they leaving it to their readers to discover it for themselves?  Does it make for better press, or grab more hits, or cause more of a stir, if they only mention IE7?

I've completed a quick survey of news sites that have reported on the window injection vulnerability to see who, at the time of writing, mentions that many Web browsers are affected - so far, things are not looking good - yes, I know several of the sites are quite obscure, but they're the ones that have come up in News, Web and Blog searches.

Edit: The Microsoft Security Response Team responds:
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

Auscert, thankfully, points out that many browsers are affected:
http://www.auscert.org.au/render.html?it=4602

eweek - nope:
http://www.eweek.com/article2/0,1895,2047195,00.asp 

(quote from a spokesperson at MS in the eweek article - "[Secunia] describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window. In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision." Not only that, the bad sites have to get past the phishing filter and all the other difficulties described in my blog entry.)

the register - nope:
http://www.theregister.co.uk/2006/10/30/ie_firefox_vulns/ 

bink.nu - nope:
http://bink.nu/Article8673.bink 

itnews.com.au - nope
http://www.itnews.com.au/newsstory.aspx?CIaNID=41462

itnews.com.au again - nope, but they do mention that FF2 seems to be immune
http://www.itnews.com.au/newsstory.aspx?CIaNID=41458

neowin? - YES!!!
http://www.neowin.net/forum/index.php?showtopic=507807

betanews - YES!!
http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840

securiteam - nope:
http://blogs.securiteam.com/index.php/archives/706 

cbc.ca - nope:
http://www.cbc.ca/technology/story/2006/10/30/tech-ie7injection-061030.html 

bitsofnews - nope:
http://www.bitsofnews.com/index2.php?option=com_content&task=view&id=4277&pop=1&page=0&Itemid=44

blogsforfirefox - nope:
http://blogsforfirefox.blogspot.com/2006/10/thesecurity-score-ie7-3-ff2-0.html

faill.com - nope:
http://www.faill.com/story.php?id=255

tipsdr.com - nope:
http://www.tipsdr.com/?p=555

fergdawg:
http://fergdawg.blogspot.com/2006/10/old-window-injection-flaw-reappears-in.html

networksecurity.fi - nope:
http://networksecurity.typepad.com/networksecurity/2006/10/ie_7_window_inj.html

vnunet.com - nope:
http://www.vnunet.com/vnunet/news/2167585/ie-bug-opens-exposes-users

Even Harry makes no mention.
http://msmvps.com/blogs/harrywaldron/archive/2006/10/30/Internet-Explorer-7-Window-Injection-Vulnerability.aspx

Posted by sandi with 2 comment(s)

Firefox 2 bitten by old bug

It's been around since June 2006, and some said it was fixed in Firefox 1.5.0.7, but it's back...
http://www.securityfocus.com/bid/19488

Further information:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4253

Posted by sandi with no comments

Moderately critical IE7, Firefox, Mozilla, Opera, Safari and Konqueror vulnerability at Secunia

Jeez, I tell you, this was one *irritating*, in your face, damned obvious to anybody paying a modicum of attention that something weird is going on, vulnerability to check out ... listed as 'moderately critical'.

The test works - but only once - you have to refresh the page to get it to work multiple times.

Internet Explorer 7 Window Injection Vulnerability
http://secunia.com/advisories/22628/

To be fair, the vulnerability affects many Web browsers and operating systems.

Web browsers: Internet Explorer, Mozilla, Firefox, Opera, Safari, Konqueror (it looks like FF2 may be immune)

Operating Systems: Windows, Linux variants, UNIX variants, Mac OS

The vulnerability is that a website can inject content into another site's window if the target name of the window is known.  So first of all you have to have the hostile site open, then the hostile site has to convince you to go to a second site, then the hostile site has to know what you are going to click on so that it can inject content.

If the hostile site is closed after the other site is opened, the exploit does not work.

Let's be realistic here. For a vulnerability to be truly successful it has to be able to easily fool the user.  The fact of the existence of a vulnerability or weakness does not mean it can realistically be exploited... weird or unusual behaviour is going to grab the user's attention.

Imagine, if you will, that you go to a fake Bank Web site - assuming the page isn't blocked by the phishing filter in the first place - then it has to convince you to click on a link that leads to a legitimate Web site... then the owners of the hostile site have to hope that your computer doesn't go nuts from the hundreds of popups per minute that are being generated.  The constant clicking from the blizzard of 2 to 3 pop-ups per second is a dead giveaway that something is wrong to anybody using IE7 with its default settings.

Auscert says "This is of particular concern for accessing secure sites which routinely open a new window for user logon with no location bar, since the attacker can overwrite the real logon window with a fake logon window."    It should be noted that IE7 displays an addressbar on all windows, even user logon windows which normally do not display an addressbar, unless the user chooses to turn that option off via Security settings.

Edit: The Microsoft Security Response Team responds:
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

So, to summarise... if the user has not turned off the addressbar for popups, or does not see that the address is wrong, if the user does not close the hostile Web site, if the user has turned off the IE sound cue that a pop-up has been blocked or the system does not have a sound card or speakers, if the user has turned off the info-bar, or the user has disabled the pop-up blocker, then the chances of success go up marginally - but the site still has to get around the phishing filter.  And it has to get around the problem of convincing users to trust a site if hundreds of pop-ups within a couple of minutes is not normal behaviour for the site being spoofed.

Posted by sandi with 4 comment(s)

Australian spammer fined $5.5 million

Not too shabby for 12 months of misbehaviour...

 http://australianit.news.com.au/articles/0,7204,20669063%5E15306%5E%5Enbv%5E,00.html

"A PERTH-based company has been fined $5.5 million for sending millions of unsolicited emails, with a judge labelling the spam annoying, costly to combat, and a threat to the internet.

It is the first time an Australian company has been fined under the federal Government's spam laws, introduced in April 2004."

Orders and Reasons for Judgment - last updated 13 April 2006
http://www.austlii.edu.au/au/cases/cth/federal_ct/2006/410.html

Orders and Reasons for decision - last updated 30 October 2006
http://www.austlii.edu.au/au/cases/cth/federal_ct/2006/1399.html


Posted by sandi with no comments

File this under "yes, we know it's bad and it's happening but you're going to have to do the monitoring for us..."

http://www.itnews.com.au/newsstory.aspx?CIaNID=41386

"Internet addresses that appeal to identity thieves eager to rip off consumers are being posted by major domain resellers, a security company charged on Friday.

Finnish-based F-Secure has identified more than 30 registered domain names for resale on Sedo that would be of interest only to the legitimate holder of the trademark or to phishers, criminals who try to dupe consumers into divulging personal information by enticing them to fake websites. Among the domains: citi-bank.com, bankofameriuca.com, americanexpresscredicard.com, mastercarding.com, and visacardcredit.com.

"Why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer?" wrote Mikko Hypponen, F-Secure's chief research officer, in an alert on the company's site.

...

Sedo said that while it has a process in place to pull domain sales that violated trademarks, it was the trademark holder's responsibility to file a request. "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales.""

Posted by sandi with no comments

Oops... problems with Firefox 2 installer

"There's a problem with the installer where it doesn't shut down Firefox completely and so files don't get updated. Uninstall Firefox 2.0, delete the application folder (on Windows, C:\Program Files\Mozilla Firefox), and reinstall. If they're still not there, read this. "
http://forums.mozillazine.org/viewtopic.php?t=477283&sid=67b0fefb7b6b605b6a30891039c1b277

"Some Windows users are reporting that their bookmarks are missing after upgrading to Firefox 2. This problem is apparently related to the installer not properly exiting all Firefox processes (bug 357922). In this case, the bookmarks are not lost. To restore the "missing" bookmarks and fix other problems that may be related to the upgrade: Uninstall Firefox, delete the Firefox program folder (usually "C:\Program Files\Mozilla Firefox") and reinstall Firefox 2. The bookmarks will be back to normal (you may need to reinstall some added plugins). "
http://kb.mozillazine.org/Lost_bookmarks


Posted by sandi with no comments

Uninstalling the problematic Adobe Flash player

Adobe call the fact that you can't remove Flash Player via Add/Remove Programs an enhancement.  "An enhancement on what planet?" says I.

Considering the fact that I am seeing so many reports about flash9.ocx causing crashes in IE7, and so many reports about Web sites not being able to detect the presence of Flash, leading to erroneous "you need to install Flash" errors, lots of people are going to need the uninstaller that Adobe has released ...

Anyway, here it is:
http://www.adobe.com/go/tn_14157


Posted by sandi with 11 comment(s)

Installation of IE7 never finishes or is *really* slow

The installation of Windows Internet Explorer 7 never finishes
http://support.microsoft.com/kb/926716

Posted by sandi with no comments

New Internet Explorer KB articles

FIX: In Internet Explorer 6, the OnChange event in a field does not occur when you change the "ß" character to "ss" characters, or when you change "ss" characters to the "ß" character
http://support.microsoft.com/default.aspx?scid=kb;en-us;925683

FIX: It takes a longer time to load an HTML page that contains many non-ASCII characters in Internet Explorer 6
http://support.microsoft.com/default.aspx?scid=kb;en-us;908676

Posted by sandi with no comments

MS report on the risk of counterfeit software finally released

Back on September 19 I mentioned that Alex of the Windows Genuine Advantage blog had been way too quiet, but that he had promised a report on the dangers of using non-genuine (counterfeit or cracked) software.

Well, Alex has blogged to let us know that the report has finally been released.  It makes interesting reading.

This particular comment caught my eye:

"the findings of the research suggest that those who are inclined to sell counterfeit software may also be increasingly tampering with or adding unwanted software to their product that provide more opportunities for them to make money. One possible explanation for this observation might be that with increased awareness of security issues, more people than ever before are installing anti-spyware and antivirus products, and turning on firewalls making it harder for spyware and other malware to be effective. The IDC study has compelling evidence that shows the planting of malicious software when the operating system is first installed or the use of a recognizable and trusted software title as a Trojan is becoming increasingly prevalent"

The full report is available for viewing here (PDF format):
http://download.microsoft.com/download/7/6/9/769E42E0-68C4-4826-838B-0F801DB2EFC2/IDC%20White%20Paper%20on%20Risks%20of%20Pirated%20Software.pdf

Summary here:
http://www.microsoft.com/athome/security/update/wga_idc/default.mspx

This ties in with another pet peeve of mine, downloading system files from third party sites.  We had an issue for a while with a few people offering IE7 beta uninstaller files for download to people who had accidentally, or knowingly, deleted their copies, leaving them unable to remove the IE7 beta.  There is one site in particular that was updated only days ago to add RC1 to their "uninstall build".  I have to ask myself why they are doing this.  The installer for IE7 RC1 and IE7 Gold, if the uninstall files are missing, will adapt.  We don't need to go out and find replacement IE7 beta uninstall directories anymore.  Can you really trust a download from somebody who has missed that essential little point?

Posted by sandi with no comments

New Internet Explorer KB article

FIX: The AutoComplete feature does not work after you click a JavaScript hyperlink on a Web page in Internet Explorer 6

http://support.microsoft.com/default.aspx?scid=kb;en-us;924301

Posted by sandi with no comments

Myspace.com have some very basic problems...

http://news.netcraft.com/

"Netcraft has discovered that the social networking site, MySpace, appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form is designed to submit the victim's username and password to a remote server hosted in France.

Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting (XSS) or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form."

PCWorld have reported that the fraudulent site has been shut down BUT how many users were affected before this occurred?  So far there has been no word on how many users' accounts may have been compromised. 

It remains to be seen why Myspace allowed a user account like "login_home_index_html" to be registered when they have a database of user names that are not permitted.

I block myspace.com whenever possible on networks in which I have a say about such things because of incidents like the one featured today, and one million PCs being infected via a banner ad, and because the myspace login is unencrypted.

Posted by sandi with 5 comment(s)

Spamhaus v e360insight - again

Thanks to my reader 'attorneyfish' (aka David) who pinged me to let me know about some new articles about Spamhaus.  The first article, on a blog that I read regularly, is:
http://internetandclassactionlaw.blogspot.com/2006/10/spamhaus-email-lawsuit-gets.html

which points here:
http://www.lawbulletin.com/news/gettoctext.cfm?TOCUID=22147706&SessionID=w016734702829

It makes for interesting reading.  This issue has never been simply e360insight v Spamhaus - its implications, as I have said from the start, have always had the potential to be far reaching, affecting not only Spamhaus, who thought they could sit back in the UK and thumb their noses at the US, but also all other spam reporting services, especially USA based ones.  Questions like... What is spam? Do listing services have to check the accuracy of spam reports? Do they have to check for opt-out/opt-in? Or can they just take a report and run with it?

You can find all my other articles on Spamhaus via a search of this Blog.

Posted by sandi with no comments

New Internet Explorer KB articles

When a Web page that hosts Flash advertisements in an iframe object refreshes itself dynamically, Internet Explorer may stop responding

http://support.microsoft.com/default.aspx?scid=kb;en-us;924928

You receive a security warning in Internet Explorer 7 when you visit a Web page that is hosted on a secure Web site:
http://support.microsoft.com/kb/925014

How to use Reset Internet Explorer Settings:
http://support.microsoft.com/kb/923737

IE7 offered for installation after running a manual scan at Microsoft Update

I haven't seen IE7 offered via "automatic update" on any of my non-WSUS managed machines yet, but IE7 was offered on a machine on which I conducted a manual scan via Microsoft Update.

This may explain the reports in the support newsgroups that IE7 was being offered via "automatic updates" within days of IE7 being released (when all information was that IE7 was not available via AU yet).  Automatic Updates (the automatic scan) is not the same as going to the Microsoft/Windows Update sites and running a manual scan.

Posted by sandi with no comments

Sometimes the time stamps applied to IE's RSS Feeds are incorrect

No, we can not blame the Neowin and Bink snafu on this....

Check out this screenshot which indicates that one of my blog posts had gone live 3 hours earlier...

Now, check out this screen shot, which seems to indicate that the Secunia article I am talking about had been published just two hours earlier, *after* my article went live:

I am not sure why this happened, but the most likely cause that occurs to me is that the time reflects when I turned on my laptop and downloaded the articles, as distinct from when the articles hit the aggregators.  The hour or so discrepancy as far as the Secunia entry is concerned could be explained by the Secunia feed being unavailable for a while.  That being said, I'm open to suggestions as to what else may have caused the glitch.

Posted by sandi with 2 comment(s)

It must be a slow news day, or a server glitch, or deja vu...

My RSS feeds alerted me today to the fact that a new article had gone live on bink.nu reporting that Scott Richter has agreed to pay Microsoft UK$7 million - but... that news sure does look familiar.
http://bink.nu/Article8625.bink

Edit: Hm, the above URL won't load ATM - did Bink.nu delete the article? 8624 is still there...

Huh? Neowin have reported on the same article:
http://www.neowin.net/index.php?act=view&id=35818

I'm sure I've read this somewhere before... ages ago... yep, according to Wikipedia all this happened in August 2005:
http://en.wikipedia.org/wiki/Scott_Richter

And bink.nu have already reported on it once before - on 9 August 2005:
http://bink.nu/Article4669.bink

As have Neowin - again on 9 August 2005:
http://www.neowin.net/index.php?act=view&sub=c_reply&id=29863&cid=389805

The article being cited by bink.nu and Neowin is dated 11 August 2005:
http://www.guardian.co.uk/international/story/0,3604,1546744,00.html#article_continue

Hmm, two different news sites, both reporting on an article from back in 2005... I can't blame that on a server glitch.. Bink went live first so we'll blame him.  Maybe this is why the term "gestetner sites" was invented.  Hands up how many of you are old enough to remember using a mimeograph?  Yes, I remember using one, way back when I was in High School - I suppose that makes me officially old.


Posted by sandi with no comments

Internet Explorer 7 Popup Address Bar Spoofing Weakness reported by Secunia

http://secunia.com/advisories/22542/

"The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions."

"Somewhat spoofed" is a fairly good description. 

I've not had a chance to have a comprehensive look at this, but note after a quick once over that the spoof only seems to work while the addressbar is highlighted.  As soon as you click anywhere in the screen the real address appears.  Not only that, the addressbar itself is highlighted, which is unusual during normal Web browsing.

Edit: It has been noted that Secunia's proof of concept does not work if IE7 is set to open pop-ups in a new tab, and that the proof of concept only works in the exact, specific sized window that Secunia used when they displayed the result of the 'weakness'.

Richard G. Harper, MVP comments:

"You could get it to work with a different size window but you'd have to re-calculate the invisible/spacer characters to make it work, and then it would be tied to THAT size window and no other.

There's no way to make it scalable - no way to make it so that it would properly obscure in a randomly-sized window, or a re-sized window. You can't even make it work in a maximized window since there's no hiding-space available there. A maximized window makes it very plain what the trick is."

I've emphasised the above text in bold and underline because it is very important.  Imagine, if you will, that you've gone to a fake site and have just clicked in a form field to enter data... your address bar, which has been highlighted, blinks and suddenly displays a different address - people are going to notice that.  They're also going to notice that what they think is their bank's Web site is only appearing in a little window, that can't be resized... I'm sure the vast majority of people will see all of the above as just too weird.

One thing that also occurs to me, which I haven't played with, is to wonder what effect different screen resolutions will have.
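The weakness described by Secunia and Richard Harper above comes down to a long run of invisible or spacer characters appended to the URL so that the address bar shows only the part the attacker wants seen. That padding is also what makes such URLs easy to spot on the server or proxy side. The following is an added example, not code from the post, Secunia or SANS: a check that decodes a URL, finds the longest run of spacer characters, and reports the real host together with whatever text follows the padding. The character list, the threshold of 8 and the function name `inspectUrl` are assumptions of this example; the sample URLs are constructed. It runs under Node.js.

```javascript
// Added example (not from the original post): flag URLs padded with runs of
// spacer/invisible characters, the pattern behind the address-bar weakness.

// Characters that render as blank space or not at all. Assumed list for the
// example; a production filter would extend it.
const SPACER_CHARS = new Set([
  ' ', '\t', '\u00a0',
  '\u2000', '\u2001', '\u2002', '\u2003', '\u2004', '\u2005', '\u2006',
  '\u2007', '\u2008', '\u2009', '\u200a', '\u200b', '\u2028', '\u202f',
  '\u205f', '\u3000', '\ufeff',
]);

// Percent-decode, but keep the raw string if the encoding is malformed
// (a lone %A0, for instance, is not valid UTF-8 and makes decodeURIComponent throw).
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Inspect one URL. Returns the host the browser would actually connect to,
// the longest run of spacer characters, whether that run exceeds minRun,
// and the text after the run (what a padded address bar would push into view).
function inspectUrl(rawUrl, minRun = 8) {
  const chars = Array.from(safeDecode(rawUrl));
  let best = { start: -1, length: 0 };
  let start = -1;
  // One pass; the extra iteration at chars.length closes a run at the end.
  for (let i = 0; i <= chars.length; i++) {
    const isSpacer = i < chars.length && SPACER_CHARS.has(chars[i]);
    if (isSpacer) {
      if (start < 0) start = i;
    } else if (start >= 0) {
      const length = i - start;
      if (length > best.length) best = { start, length };
      start = -1;
    }
  }
  let host = null;
  try { host = new URL(rawUrl).host; } catch (e) { /* relative or malformed URL */ }
  const padded = best.length >= minRun;
  return {
    host,
    longestRun: best.length,
    padded,
    afterRun: padded ? chars.slice(best.start + best.length).join('') : '',
  };
}

// Constructed sample input: one padded URL (spaces and non-breaking spaces
// alternating, 40 spacer characters in total) and one ordinary search URL.
const SAMPLE_URLS = [
  'http://evil.example/?' + '%20%C2%A0'.repeat(20) + 'bank.example/login',
  'https://bank.example/search?q=window%20injection',
];

// Run the check over the samples and return the results for review.
function reviewSamples() {
  return SAMPLE_URLS.map((u) => ({ url: u, ...inspectUrl(u) }));
}

for (const r of reviewSamples()) {
  console.log(r.padded ? 'PADDED' : 'ok', r.host, 'run=' + r.longestRun,
    r.afterRun ? 'shows: ' + r.afterRun : '');
}
```

On the padded sample the report shows `evil.example` as the host while the visible tail is `bank.example/login`, which is the mismatch a user is expected to catch by eye; the ordinary search URL, with a single encoded space, is not flagged.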

A special note to those who are yelling that the sky is falling and that IE7 should be blocked because of the above "weakness"

Wake up to yourselves.  IE7 has been immune to virtually every *real* exploit that has been released - exploits that are actually being used in the wild to compromise systems, and are therefore a real danger to Web surfers.  Any security advisor who recommended that IE7 be blocked on the basis of this address bar weakness, or the other reported IE7 vulnerability (which is not being exploited, and has not been exploited, despite being public since April and which says something in and of itself) would not last very long on any security team in which I had a say.

Professionals are meant to balance risk against reward, and not base their decisions on a pre-existing bias, whether it be their own bias or another's.

The Microsoft Security Response team have also blogged about this 'weakness':
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx

SANS have seen fit to bump the description up from a "weakness" to a "vulnerability" for who knows what reason.
http://www.incidents.org/diary.php?storyid=1804

SANS's idea of "to work quite well" and my idea of "to work quite well" do not correlate.

As much as I dislike the fact that SANS have seen fit to call this *weakness* a *vulnerability*, to their credit they have said:

"We received a lot of reports from our readers suggesting that Firefox and some other browsers are vulnerable to this exploit as well.

In case of this vulnerability, it is not easy to say if a browser is vulnerable or not – we're not talking about exploiting a remote execution so it either works or it doesn't work. In this case, an attacker is actually trying to make the user believe that he's on a different site, and that can be, unfortunately, done using this vulnerability **on almost all browsers**."

You will note from the Opera and Firefox screenshots on the SANS site that Firefox does not show an addressbar at all.  Opera displays a small section of text.

When we compare the behaviour of IE7 to Firefox and Opera (see SANS screenshots) it can be said that IE7 is actually *safer* than Firefox and Opera.  Why?  Because:

1)  The addressbar is *highlighted* in IE7 when the window first opens - unusual in itself.

2)  The addressbar highlighting *turns off* (the addressbar flashes) and the address that is displayed changes as soon as you click anywhere on the page being displayed.  A visitor will instinctively look at the addressbar as soon as that happens to see what just changed - a visual cue that both Firefox and Opera lack.

3)  If the size of the pop-up window is changed in IE7, the weakness is immediately exposed.

Exploit window as it originally appears:


Exploit window after clicking anywhere on the page - note how the entire URL is displayed.

Posted by sandi with 4 comment(s)

New Internet Explorer KB article

FIX: CPU utilization increases to 100 percent on a Windows XP-based computer when you search for content in a Web page in Internet Explorer 6

http://support.microsoft.com/default.aspx?scid=kb;en-us;918310

Posted by sandi with no comments

Did you see? The IE Team sent the Mozilla team a cake...

...to congratulate them on the release of Firefox 2:
http://fredericiana.com/2006/10/24/from-redmond-with-love/

Blake Ross was also gracious in congratulating the IE team on the release of IE7 (no mention of a cake though).

Ok, so he did mention the cake in his FF2 announcement.

Tony has blogged as well:
http://www.tonychor.com/archive/000496.html

I love his comment "Sometimes, a cigar is just a cigar. We just wanted to give the FF team a pat on the back. There's no personal animosity between the teams (I like the FF team members I've met so far)."

It's a pity that some Firefox fans can't be as gracious as the IE and Firefox teams.  The behaviour of some of the Firefox fanboys in the Internet Explorer support newsgroups since the release of IE7 has been less than complimentary to them, and their communities as a whole.  We always experience a sharp increase in the number of Firefox fans and IE detractors flaming users and generally causing trouble whenever a major build of IE is released.  We hardly see a sign of them otherwise.

I'll admit that I don't spend a lot of time in the Mozilla forums, but I hope that the ill will and misbehaviour of some of the Firefox supporters will not have been replicated in the Mozilla forums. To be honest, I'll be surprised if the IE newsgroup community responds in kind.

Posted by sandi with no comments