Microsoft has released an emergency update to reduce the impact of this threat. It consists of a configuration change for Windows XP, WS2003 and W2K operating systems.
See http://news.com.com/Windows+update+will+be+late%2C+Microsoft+says/2100-1016_3-5265378.html?tag=st_lh for the CNET report, and http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp for the information from Microsoft.
Meanwhile, XP SP2, which protects against Download.Ject, has just been delayed to August according to a CNET report: http://news.com.com/Windows+update+will+be+late%2C+Microsoft+says/2100-1016_3-5265378.html?tag=st_lh
SP2 had been scheduled to ship this month.
With this rush update and configuration advice, do you feel that Microsoft is finally getting the message?
Since there are exploits in the wild which XP SP2 will block, does this affect your decision as to how quickly you will load in the final release?
How to disable the ADODB.Stream object from Internet Explorer
http://support.microsoft.com/default.aspx?kbid=870669
In his initial response to his own article, the Tech Locksmith (TL) asks the question, "do you feel that Microsoft is finally getting the message?"
For me, the answer is no. I have reviewed the links provided by TL and here's what I find: a set of updates to alter my system configuration in some unspecified way that will supposedly protect me against the download.ject malware.
There is no information on what specific configuration items will be altered, nor how these changes will impact system security, or what the overall effect is intended to be.
In effect, Microsoft is saying, "Just trust us to fix the problem that we created. Don't expect to understand, and don't ask any questions."
It is precisely this haphazard, yet arrogant, approach to system design that got us into this trouble in the first place. Security by obscurity is no security at all. I think most users expect better. I certainly do.
Well said. Microsoft is so busy trying to crush competition in every possible software niche that they forgot to secure the OS.
The article reads: "These attacks come from third-party pop-up adware servers that plant a keystroke logger on systems when users visit any of the affected financial sites using Internet Explorer."
Does this mean that the pop up ad was or was NOT clicked on? If you do NOT click, can your system still be compromised?
thanks.
If you're NOT using a pop-up blocker, it is most likely that your system will be compromised once the popup window (carrying the malware BHO) loads. It doesn't matter whether you clicked on the pop-up ad or not.
I'm trying out Mozilla and firefox and am considering changing the company over. The latest Firefox has a built in popup blocker but I had to turn it off. I go to a help site which uses pop ups and firefox must need the exact URL not just the domain because the popup wouldn't come up.
So far I still like IE better, it loads faster and works. Mozilla needs a TSR to open quicker, and firefox doesn't have that option. But I will probably switch if they work well and can be deployed easily.
Switching to Mozilla and FireFox are mostly options for power users rather than for corporate environments. Some people will disagree but I bet they haven't tried to deploy a new browser on three hundred or thirty thousand desktops, train users, and support the software.
It's important to remember that NO browser is completely without vulnerabilities.
I have nothing personal against either browser (or Opera or Navigator for that matter) but remember they too have problems.
In fact, check out
http://www.osvdb.org/displayvuln.php?osvdb_id=7595
which is a recent disclosure relating to Mozilla, FireFox and Thunderbird if you don't believe me.
Check out http://www.mozilla.org/security/shell.html
for a bulletin and fix from the Mozilla team - released within 1 day of the vulnerability being reported.
Compare this to the Internet Explorer vulnerability discussed in the article. It was reported weeks before it was exploited, and still no fix has been forthcoming.
I don't agree that we should continue to use software with a hideous security track record just because it might be difficult to switch.
Large environments have mechanisms in place to deploy software to desktops - deployment of the browser would not be an issue.
As for training, most users make very limited use of a web browser. They use bookmarks, type in URLs, and click links. Most users would not find it difficult to adjust.
The biggest obstacle to switching would be a need to use sites that use IE-only technologies (such as ActiveX).
While Mozilla browsers will probably have security issues in the future, I doubt they will be of the quantity and severity as those that plague IE.
I have to wonder what experience you base your statements on. Pardon me, but did you ever try to switch 10,000 or 20,000 users and machines to another browser?
Ok, some patches are released quickly. It still takes the same amount of work to patch the systems I am responsible for.
Also, how many users have you tried to train in the use of a different program?
Your experience may be different but I've never even been able to get more than a fraction of users to stop opening attachments, and that's with the threat of possible termination in some instances. Judging from the fast spread of most really virulent malware, other security specialists haven't been able to train users in something that simple either.
In my experience training is always a major challenge - companies spend a small fortune just changing from one version of Office to another. In addition, I've never met an administrator for a big network who dismisses the costs involved in merely installing and switching programs the way you do.
For many larger businesses the ActiveX issue isn't minor either.
As for whether Mozilla will have security problems of the same severity as IE, the only way to discover that would be to make Mozilla the default browser for a couple hundred million users and see if hackers turn their attention to it.
Finally, what do you think will happen to the person who convinces management to spend a bundle to switch browsers when something goes wrong with that new browser? Can you say unemployment?
I don't mean to be hypercritical, but my 40 years' experience with software, management, and users in the real business world just doesn't match up with your comments.
Just Mozilla 1.4 has had 4 moderately critical vulnerabilities discovered in the past 12 months, 1/3 of the total number of vulnerabilities for that particular version. That's 1 vulnerability per month on average.
And, BTW:
- Mozilla Fails to Restrict Access to "shell:"
http://secunia.com/advisories/12027/
- Mozilla XPInstall Dialog Box Security Issue
http://secunia.com/advisories/11999/
- Multiple Browsers Frame Injection Vulnerability
http://secunia.com/advisories/11978/
- Mozilla Browser Address Bar Spoofing Weakness
http://secunia.com/advisories/11856/
- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability
http://secunia.com/advisories/11602/
- Mozilla Cross-Site Scripting Vulnerability
http://secunia.com/advisories/10980/
- Certificate Store Corruption
http://secunia.com/advisories/12076/
I appreciate your comments but must respectfully disagree.
Thank you to Mr Tech Locksmith for pointing out that no matter what browser you choose you'll find an issue somewhere down the line. Remember kiddies, if it looks like candy someone will want to steal it.
Thanks for the nice words, I try to keep things in balance here and that means addressing the occasional power user as well as the many small network administrators, but those specialists who have never worked in a massive enterprise environment just don't seem to understand that even a tiny change normally creates a major expense.
I certainly don't think Microsoft has done all it should to harden IE but people who say "just switch to XXX and all will be wonderful" don't seem to have the experiences I have had.
For example, in government offices it may almost require an act of Congress to make a change, and in any large corporation you have to consider whether the particular software is available in all of ten or more languages, or whether the help center in New Delhi can support the browser - just to name a few problems which aren't considered by less experienced security specialists.