Another IE Bug Provides
Another bug discovered in Microsoft’s Internet Explorer Web
browser may help trick Internet users into divulging sensitive information
and executing malicious code.
The latest problem allows a specially crafted URL, or link, in an e-mail
message to load a browser window that appears to be displaying any address
the attacker wants — a window that would appear to be displaying a
proper web site, but would in fact display content from another source.
The IE problem makes it easier for scammers to trick Internet users into
divulging personal details through “phishing scams,” where e-mails
purporting to come from the victim’s Internet banking provider or another
such site encourage them to re-enter details like usernames and passwords.
This also has the potential to run executable content on a local PC.
“Phishing” is a term used to describe the action of assuming the
identity of a legitimate web site, using e-mail or web page views to convince
consumers to share their user names, passwords and personal financial information
for the purpose of using it to commit fraud. It could be creatively described
as “fishing for consumers’ identity and financial information.” While
these e-mail hoax or phishing scams (and the fake web pages that they sometimes
refer you to) are not new, they are definitely on the rise.
Because of the creativity in ever-changing content, presentation and approaches,
a great many users can potentially fall victim. Paypal and eBay users are
among the targets, according to growing trends in Identity Theft crime reports.
While it’s possible for users to mitigate those vulnerabilities by
disabling the browser’s “active scripting,” which allows
the browser to run scripts and ActiveX code, turning off the feature will
limit the browser’s functionality.
Contributing Issues to Vulnerability
- Many computers’ default configurations are insecure, or new
security vulnerabilities have been discovered since the time the computer
was built and configured by the manufacturer or set up by the user.
- Attackers know the common broadband and dial-up IP address ranges,
and scan them regularly.
- Numerous worms are already circulating on the Internet, continuously
scanning for new computers to exploit.
As a result, the average time-to-exploitation on some networks for an unprotected
computer is measured in minutes! This is especially true in the address ranges
used by cable modem, DSL, and dial-up providers.
Steps to Protect Your New Computer
- Download and install software patches as soon as possible after connecting
a new computer to the Internet. However, since the background intruder
scanning activity is so pervasive, it may not even be possible to complete
the download and installation of software patches before the vulnerabilities
they are designed to fix are exploited. If possible, connect the new computer
behind a network (hardware-based) firewall or firewall router.
- Install a network hardware firewall or firewall router between the
computers on your Local Area Network (LAN) and your broadband device
(cable/DSL modem). By blocking inbound access to the computers on
the LAN from the Internet at large (and still allow the other LAN computers’ outbound
access), a hardware-based firewall can often provide enough protection
to complete the downloading and installation of necessary software
A software firewall is sufficient for computers using a dialup connection.
If your operating system doesn’t include a built-in software firewall,
you can install a third-party firewall application. There are many such applications
available at little or no cost. But since the issue you’re trying
to address is the short lifespan of an unprotected computer on the
open Internet, any third-party firewall application must be installed
from media (CD-ROM, DVD-ROM, or floppy disc) before connecting the
PC to a network rather than downloaded directly to the unprotected
computer. Otherwise, the computer can be exploited before the download
and installation of the firewall software is complete.
- Disable all nonessential services, such as file and print sharing.
Most operating systems are not configured with file and print sharing
enabled by default, so this shouldn’t be an issue for most users.
After all relevant patches have been installed, file sharing can be
re-enabled if needed.
- Continue to download and install software patches regularly
as needed. Once the computer has been protected from initial attack
through the use of either a hardware or software-based firewall
and file and print sharing is disabled, it should be relatively
safe to connect to the network in order to download and install
any software patches necessary. It’s important
not to skip this step since otherwise the computer could be exposed to exploitation
if the firewall were disabled or file & print sharing turned back
- Always download software patches from known, trusted sites
(i.e., the software vendors’ own sites), to minimize the possibility
of an intruder gaining access through the use of Trojan horse software.
Go to windowsupdate.microsoft.com to install all Windows Critical Updates.
- Install and use antivirus software. While an up-to-date
antivirus software package can’t protect against all malicious code, it’s
still the best first-line of defense against malicious code attacks.
Most antivirus packages support automatic updates of virus definitions.
- Use caution when opening e-mail attachments or when using
peer-to-peer file sharing, instant messaging, or chatrooms. Use
plain text e-mail.
- Don’t enable file sharing on network interfaces exposed directly
to the Internet. In fact, don’t enable any feature if you don’t
- Create and use an account with only ‘user’ privileges instead
of ‘administrator’ for everyday tasks. Normally you would only
need to use administrator level access when installing new software, changing
system configurations, and the like. Many vulnerability exploits like viruses
or Trojan horses are executed with the privileges of the user that runs them — making
it far more risky to be logged in as an administrator all the time.
Also make sure that there are no accounts with weak or missing passwords.
A weak password would be one that is easily guessed, or is the same
as the account name.
Flaws Found in RealNetworks’ Media Players
RealNetworks Inc. also recently released a security
update to plug a series of vulnerabilities in its media
players that could open a user’s machine
to malicious code. Three flaws affecting different versions of its media
player could allow attackers to create corrupt music or video files that,
when played, take control of a victim’s PC. The flaws can affect RealNetworks’ RealOne
Player, RealOne Player version 2, RealPlayer 8, RealPlayer 10 Beta, and the
company’s RealOne Enterprise products. When people play or stream corrupted
media files in a vulnerable version of RealPlayer, the attacker’s
code will run, compromising the PC.
The specific exploits are:
the URL opened by a SMIL file or other file.
- To modify RMP files to allow an attacker to download and execute
arbitrary code on a user’s machine.
- To modify media files to create “Buffer Overrun” errors.
These vulnerabilities could affect a large portion of the
350 million unique registered users of the media player software.
The specially-modified media file can be one of five types: RealAudio
(RAM) file, RealAudio Plugin (RPM) file, RealPix (RP) file, RealText
(RT) file or synchronized multimedia integration language (SMIL)
file. Security vulnerabilities that can be exploited through
playing a media file have been rare. Last May, a flaw in the
way that Microsoft’s
Windows Media Player handled “skins,” or
interface colors and motifs, led the software company
to release a patch for their application as well.
RealNetworks has posted instructions for people
to update their RealPlayer software at www.service.real.com/help/faq/security/040123_player/EN.
A third version of the Mydoom virus was found,
but it only threatens computers already infected
by the first Mydoom. The new virus doesn’t
spread via e-mail, it attacks machines already
infected with Mydoom, via the backdoor left by the original worm. Virus
researchers with Network Associates Inc. believe some 50,000 to 100,000 computers
are still infected by the original Mydoom, and will
likely be found and infected by the new Mydoom.
The new worm focuses on attacking Microsoft.com and unlike its predecessors, the denial of service
attack is not set to expire.
Two other dangerous software flaws that could become attractive
targets for hackers have been discovered in widely used
computer-security software made by Check Point Software Technologies
Ltd. If hackers create programs to exploit the flaws that security
experts found in Check Point’s firewall and
virtual-private network software, they could wreak havoc on the corporate
networks they’re designed to protect.
There’s no end in sight.