Another IE Bug Provides Phishing Tool

Another bug discovered in Microsoft’s Internet Explorer Web browser may help trick Internet users into divulging sensitive information and executing malicious code.

The latest problem allows a specially crafted URL, or link, in an e-mail message to load a browser window that appears to be displaying any address the attacker wants — a window that would appear to be displaying a proper web site, but would in fact display content from another source.
The IE problem makes it easier for scammers to trick Internet users into divulging personal details through “phishing scams,” where e-mails purporting to come from the victim’s Internet banking provider or another such site encourage them to re-enter details like usernames and passwords. This also has the potential to run executable content on a local PC.
“Phishing” is a term used to describe the action of assuming the identity of a legitimate web site, using e-mail or web page views to convince consumers to share their user names, passwords and personal financial information for the purpose of using it to commit fraud. It could be creatively described as “fishing for consumers’ identity and financial information.” While these e-mail hoax or phishing scams (and the fake web pages that they sometimes refer you to) are not new, they are definitely on the rise.
Because of the creativity in ever-changing content, presentation and approaches, a great many users can potentially fall victim. PayPal and eBay users are among the targets, according to growing trends in identity theft crime reports.
While it’s possible for users to mitigate those vulnerabilities by disabling the browser’s “active scripting,” which allows the browser to run scripts and ActiveX code, turning off the feature will limit the browser’s functionality.
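
The spoof described above works because what the user sees (the address or link text) and where the content really comes from are different things. The following checker, added here as an illustration and not part of the original article, applies that idea to the links in an HTML e-mail before the user ever clicks: it flags a link when the visible text names one host but the href goes elsewhere, when the href carries a `user@` prefix that pushes the real host out of view, or when the destination is a bare IP address. The sample message and the `203.0.113.5` address are constructed for the example.

```python
"""Flag links in an HTML e-mail whose visible text suggests a different
site than the one the href actually points to (phishing heuristic)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host a URL really resolves to ('' if none)."""
    if "://" not in url:
        url = "http://" + url          # bare 'www.site/path' in link text
    return (urlsplit(url).hostname or "").lower()


def check_link(href, text):
    """Return reasons this link looks deceptive; [] means no finding."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    if parts.username is not None:
        # 'user@host' syntax: the part before '@' is not the destination
        reasons.append("userinfo before @ hides real host %r" % parts.hostname)
    if parts.hostname and parts.hostname.replace(".", "").isdigit():
        reasons.append("destination is a bare IP address")
    # Only compare when the visible text itself looks like an address
    shown = host_of(text) if ("." in text and " " not in text) else ""
    if shown and shown != host_of(href):
        reasons.append("text shows %r but href goes to %r" % (shown, host_of(href)))
    return reasons


def suspicious_links(html):
    """All links in the message that trigger at least one heuristic."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(h, t, r) for h, t in parser.links for r in [check_link(h, t)] if r]


# Constructed sample: one deceptive link, one legitimate link.
SAMPLE_MAIL = """<p>Please <a href="http://www.bank.example@203.0.113.5/login">
www.bank.example/login</a> to re-enter your details.</p>
<p>Contact <a href="https://www.bank.example/help">support</a>.</p>"""
```

Running `suspicious_links(SAMPLE_MAIL)` reports only the first link, with all three reasons; the legitimate support link produces no finding.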
Contributing Issues to Vulnerability

  1. Many computers’ default configurations are insecure, or new security vulnerabilities have been discovered since the time the computer was built and configured by the manufacturer or set up by the user.
  2. Attackers know the common broadband and dial-up IP address ranges, and scan them regularly.
  3. Numerous worms are already circulating on the Internet, continuously scanning for new computers to exploit.

As a result, the average time-to-exploitation on some networks for an unprotected computer is measured in minutes! This is especially true in the address ranges used by cable modem, DSL, and dial-up providers.
Steps to Protect Your New Computer

  1. Download and install software patches as soon as possible after connecting a new computer to the Internet. However, since the background intruder scanning activity is so pervasive, it may not even be possible to complete the download and installation of software patches before the vulnerabilities they are designed to fix are exploited. If possible, connect the new computer behind a network (hardware-based) firewall or firewall router.
  2. Install a network hardware firewall or firewall router between the computers on your Local Area Network (LAN) and your broadband device (cable/DSL modem). By blocking inbound access to the computers on the LAN from the Internet at large (while still allowing the LAN computers’ outbound access), a hardware-based firewall can often provide enough protection to complete the downloading and installation of necessary software patches.
    A software firewall is sufficient for computers using a dialup connection. If your operating system doesn’t include a built-in software firewall, you can install a third-party firewall application. There are many such applications available at little or no cost. But since the issue you’re trying to address is the short lifespan of an unprotected computer on the open Internet, any third-party firewall application must be installed from media (CD-ROM, DVD-ROM, or floppy disc) before connecting the PC to a network rather than downloaded directly to the unprotected computer. Otherwise, the computer can be exploited before the download and installation of the firewall software is complete.
  3. Disable all nonessential services, such as file and print sharing. Most operating systems are not configured with file and print sharing enabled by default, so this shouldn’t be an issue for most users. After all relevant patches have been installed, file sharing can be re-enabled if needed.
  4. Continue to download and install software patches regularly as needed. Once the computer has been protected from initial attack through the use of either a hardware- or software-based firewall and file and print sharing is disabled, it should be relatively safe to connect to the network in order to download and install any software patches necessary. It’s important not to skip this step, since otherwise the computer could be exposed to exploitation if the firewall were disabled or file and print sharing turned back on later.
  5. Always download software patches from known, trusted sites (i.e., the software vendors’ own sites), to minimize the possibility of an intruder gaining access through the use of Trojan horse software. Go to windowsupdate.microsoft.com to install all Windows Critical Updates.
  6. Install and use antivirus software. While an up-to-date antivirus software package can’t protect against all malicious code, it’s still the best first line of defense against malicious code attacks. Most antivirus packages support automatic updates of virus definitions.
  7. Use caution when opening e-mail attachments or when using peer-to-peer file sharing, instant messaging, or chatrooms. Use plain text e-mail.
  8. Don’t enable file sharing on network interfaces exposed directly to the Internet. In fact, don’t enable any feature if you don’t need it.
  9. Create and use an account with only ‘user’ privileges instead of ‘administrator’ for everyday tasks. Normally you would only need to use administrator level access when installing new software, changing system configurations, and the like. Many vulnerability exploits like viruses or Trojan horses are executed with the privileges of the user that runs them — making it far more risky to be logged in as an administrator all the time. Also make sure that there are no accounts with weak or missing passwords. A weak password would be one that is easily guessed, or is the same as the account name.
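
Step 9 gives a concrete rule for what counts as a weak password: missing, easily guessed, or the same as the account name. The check below, added as an illustration rather than taken from the article, applies that rule when an account is created or a password is changed, and goes slightly beyond it by also catching the account name embedded in the password, common defaults with digits appended, and very short passwords. The list of easily guessed words and the eight-character minimum are my assumptions, not the article's.

```python
"""Weak-password check based on the article's step 9, applied at the
time an account is set up (passwords are only available in clear then)."""

# Constructed list of commonly guessed defaults; extend from local policy.
EASILY_GUESSED = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}
MIN_LENGTH = 8  # assumption: local policy, not from the article


def _normalise(s):
    """Lower-case and drop non-alphanumerics so 'Admin-1' equals 'admin1'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def weak_password_reasons(account, password):
    """Return the reasons a password is weak for this account ([] = passed)."""
    if not password:
        return ["missing password"]              # article: missing password
    reasons = []
    norm_pw, norm_acct = _normalise(password), _normalise(account)
    if password.lower() == account.lower():
        reasons.append("same as account name")   # article: same as account name
    elif norm_acct and norm_acct in norm_pw:
        reasons.append("contains account name")  # beyond the article's rule
    # Easily guessed: a common default, with or without trailing digits
    if norm_pw in EASILY_GUESSED or norm_pw.rstrip("0123456789") in EASILY_GUESSED:
        reasons.append("easily guessed common default")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons


def audit_accounts(candidates):
    """candidates: {account: proposed password}; returns only the weak ones."""
    return {name: r for name, pw in candidates.items()
            for r in [weak_password_reasons(name, pw)] if r}
```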

Flaws Found in RealNetworks’ Media Players
RealNetworks Inc. also recently released a security update to plug a series of vulnerabilities in its media players that could open a user’s machine to malicious code. Three flaws affecting different versions of its media player could allow attackers to create corrupt music or video files that, when played, take control of a victim’s PC. The flaws can affect RealNetworks’ RealOne Player, RealOne Player version 2, RealPlayer 8, RealPlayer 10 Beta, and the company’s RealOne Enterprise products. When people play or stream corrupted media files in a vulnerable version of RealPlayer, the attacker’s code will run, compromising the PC.
The specific exploits are:

  1. To run remote JavaScript from the domain of the URL opened by a SMIL file or other file.
  2. To modify RMP files to allow an attacker to download and execute arbitrary code on a user’s machine.
  3. To modify media files to create “Buffer Overrun” errors.

These vulnerabilities could affect a large portion of the 350 million unique registered users of the media player software. The specially-modified media file can be one of five types: RealAudio (RAM) file, RealAudio Plugin (RPM) file, RealPix (RP) file, RealText (RT) file or synchronized multimedia integration language (SMIL) file. Security vulnerabilities that can be exploited through playing a media file have been rare. Last May, a flaw in the way that Microsoft’s Windows Media Player handled “skins,” or interface colors and motifs, led the software company to release a patch for their application as well. RealNetworks has posted instructions for people to update their RealPlayer software at www.service.real.com/help/faq/security/040123_player/EN.

Another Mydoom

A third version of the Mydoom virus was found, but it only threatens computers already infected by the first Mydoom. The new virus doesn’t spread via e-mail; it attacks machines already infected with Mydoom via the backdoor left by the original worm. Virus researchers with Network Associates Inc. believe some 50,000 to 100,000 computers are still infected by the original Mydoom, and will likely be found and infected by the new Mydoom.

The new worm focuses on attacking Microsoft.com and, unlike its predecessors, its denial-of-service attack is not set to expire.
Two other dangerous software flaws that could become attractive targets for hackers have been discovered in widely used computer-security software made by Check Point Software Technologies Ltd. If hackers create programs to exploit the flaws that security experts found in Check Point’s firewall and virtual-private network software, they could wreak havoc on the corporate networks they’re designed to protect.

There’s no end in sight.