At the end of a post on SSL/TLS and just how much security a “secure” site really gives you, Eric Lawrence of IEBlog posted an interesting thought:

The so-called “browser wars” have fundamentally changed. It’s no longer Microsoft vs. Mozilla vs. Opera et al. Now it’s the “good guys” vs. the “bad guys.” The “bad guys” are the phishers, malware distributors, and other miscellaneous crooks looking for a quick score at the expense of the browsing public.

We’re all in this together.

I’m not sure I agree entirely. It’s more like a second war has started, one in which former enemies are (or at least should be) allies. I do still think competition is necessary, as evidenced by Microsoft’s sudden reversal on updating IE once Firefox became popular—but more cooperation on security may be something MS/Moz/Opera/Apple should consider.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is don’t let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

Time to emphasize the fact that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)

AKA stuff I wanted to write about earlier this week but need to just slam out while it’s still topical.

  • Judge slams SCO’s lack of evidence against IBM. Also Groklaw’s take. After all the wild claims they’ve made without providing evidence, it’s nice to see even the judge is getting sick of it.
  • Coke may try out coffee cola – Yeah, it’s a month old, but it’s news to me. (Incidentally, I hate CNN’s practice of deleting stories from their website. That’s where I read about this earlier this week, and I had to go hunting for an article that was still up.) [Note: I’ve had to track down a third copy of the article.]
  • MP3tunes.com shuns DRM – former MP3.com founder starts a new legal download service, and sticks with unencumbered MP3s instead of messing around with ultimately-flawed digital rights management. I’m reminded of Cory Doctorow’s famous talk on why DRM is bad for everyone.
  • Beware the unexpected attack vector – Your enemy may not come at you from the direction you expect. Set up sentries around the beach, they’ll get you through the ocean. Set up a firewall, they’ll get you through web browsers. It’s mainly about computer/network security, but it has an interesting story explaining why there’s only one major newspaper in Los Angeles.
  • CSS Zen Garden parody: Geocities 1996 – I’ve been meaning to post a link to this for over a month. It’s fully valid code, and manages to bring back the worst of 1990s web design.

Something that could help with the ever-shrinking window between turning on a new (Windows) computer and getting hacked by some automatic probe is to just make downloading security updates part of the setup process. I installed two Linux distributions this weekend, Mandrake 10.1 and SuSE 9.2, and both did this.

What I liked about the SuSE installer was the way the option was worded. The setup utility asks you if you want to “test your Internet connection.” It tests the connection by downloading the latest release notes and checking for updates! (Unfortunately, it somehow chose an old mirror of the SuSE site—not the one I used during the installation—and the process failed.)

Today’s Microsoft security patches include one for a potential remote exploit in… Wordpad? Yes, according to Security Bulletin MS04-041, there are two problems in the Word 6 converter that could be used to take control of your system. In addition to fixing those holes, they’ve disabled the converter.

I could understand if this were something like Emacs, which is practically its own operating system, but Wordpad is a bare minimum RTF editor.

What next? Are they going to find a plain-text hole in Notepad? Discover you can crash your system by dividing by 0.0000000000001 in Calculator? I know, looking at a malicious font in Character Map is going to be the next big virus vector.