BENTSEN GROVE COMPUTER CLUB BULLETIN

Month of July 2004

 

 

NO MEETINGS SCHEDULED THROUGH SUMMER MONTHS

SPECIAL INTEREST GROUPS:

If you would like to meet in a small group to discuss one of the following subjects, contact the following people.

 

PHOTOGRAPHY: Bill Wiese, 580-3184

WEB PAGE: Harold Buechly, 581-3180

INVESTMENT CLUB: Corinne Higbee, 585-5664

If you would like to lead a SIG, discuss it with Val.

Our bulletin is also available online by visiting http://www.bgrcc.com/ and clicking on bulletin. You may also select bulletins by subject.

NEED SOME HELP

TRY http://www.bgrcc.com/

Click on HELP

EMERGENCY RESPONSE TEAM

John Abbott: 424-0537

Val Barron: 519-2319

Harold Buechly: 581-3180

Claude Westfall: 580-4042

  

EXTEND AND EXPLOIT: WHY ‘IE’ IS A SECURITY DISASTER By John Abbott

There's only so much you can do with HTML and cascading style sheets (CSS). You can do more with high-level Web languages like PHP, ASP, Perl, and Python, but you still need HTML to display Web programs. A more powerful solution is to create an applet -- a separate program that is downloaded and run through your Web browser upon request. Sun Microsystems created the Java language for this purpose, and Microsoft responded by introducing the ActiveX control subsystem. The difference is, Sun designed Java with security in mind, and Microsoft didn't. Microsoft's idea of ActiveX security is to require that publishers digitally sign their programs and to require that end-users assent to the installation of ActiveX applets. There is no way to know what an ActiveX applet will do until you've run it, at which point it is too late to stop any damage it has done. Digital signatures do nothing to stop malicious code.

No matter how many security patches Microsoft releases, ActiveX can still destroy your system or steal your data. The only way to prevent it from potentially harming you is to disable ActiveX, thereby limiting IE's functionality.

The second disastrous extension that Microsoft added to IE is the Browser Helper Object, a file that loads with Internet Explorer and has unrestricted freedom to download, run, and install programs or applets without your permission or knowledge. The security risk here is obvious and self-explanatory; coincidentally this is one of the tools used in the above-mentioned recent Trojan horse attack.

BHO exploits cannot be detected or stopped by antivirus software. Some kinds of spyware detection programs can detect these kinds of attacks, and some can't. Rather than downloading and installing more software to fix problems in IE, it's best to just use a different browser.
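To see which Browser Helper Objects are registered on a machine, the sketch below reads a registry export and lists each one with the DLL it loads. It is an added example, not part of the original bulletin; it assumes you have exported the standard BHO key and HKEY_CLASSES_ROOT\CLSID with regedit, and the CLSIDs, paths and allow-list in the sample are constructed.

```python
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Browser Helper Objects")

# Constructed sample in .reg export format (CLSIDs and paths are made up).
# A real export from regedit is UTF-16: open it with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Reader\\helper.dll"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\Temp\\xk3.dll"
'''

def parse_reg(text):
    """Return {lower-cased key path: {value name: data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def list_bhos(text, known_good=()):
    """List (CLSID, DLL path, is_known) for every registered BHO."""
    keys = parse_reg(text)
    prefix = BHO_KEY.lower() + "\\"
    known = {p.lower() for p in known_good}
    findings = []
    for path in keys:
        clsid = path[len(prefix):]
        if not path.startswith(prefix) or "\\" in clsid:
            continue
        # The CLSID's InprocServer32 default value (@) names the DLL IE loads.
        server = keys.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid, {})
        dll = server.get("@", "<unresolved>")
        findings.append((clsid, dll, dll.lower() in known))
    return findings

if __name__ == "__main__":
    allow = [r"C:\Program Files\Example Reader\helper.dll"]  # hypothetical allow-list
    for clsid, dll, ok in list_bhos(SAMPLE_EXPORT, allow):
        print("known  " if ok else "REVIEW ", clsid, dll)
```

Any entry marked REVIEW is a helper you did not knowingly install and should be checked before IE is used again.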

As a program, IE simply was not designed to be secure. SecurityTracker.com keeps a list of IE's security alerts -- see for yourself how serious the threats are to Internet Explorer and how often they occur.

http://www.securitytracker.com/archives/target/49.html  

 Compare that list with the list for Mozilla. Which one would you rather use? http://www.securitytracker.com/archives/target/1291.html

Assuming that you WANT to protect yourself, here's how to remove IE:

Before you remove IE you need to download and install another browser. Most of the Internet community supports Mozilla and then Opera. Mozilla can be downloaded (free) at http://www.mozilla.org.  Once you've decided to get rid of IE, you can use the following process, provided you have Internet Explorer version 6 or later installed. Ironically, the easiest way to remove Internet Explorer versions earlier than version 6.0 is to first upgrade to 6.0 -- a process best done through Windows Update. If you're using Windows 95 and want to remove IE, Microsoft has instructions here.

In Windows NT 4.0, 98, 98SE, ME, 2000, and Advanced Server Limited Edition, open up your Control Panel, which is found in the Start Menu under Settings. Then double-click on Add/Remove Programs; a new window will appear with this same title. Select Add/Remove Windows Components from the left-hand icon column and then uncheck the box next to Internet Explorer. Click Next and IE will disappear from your system; click Finish to complete the process. All IE icons will be removed from your quick launch, desktop, and Start menu.

Depending on which operating system you're using and how it has been updated and configured, the option for removing Internet Explorer may alternately be in the Add/Remove Installed Programs section instead of the Add/Remove Windows Components section, but the basic process remains the same.

In Windows XP the process is exactly the same, except you have some further options to limit Internet Explorer. In the same Add or Remove Programs window, Windows XP has an additional option for those with Administrator rights: Set Program Access and Defaults, which is the last icon down on the left-hand icon bar. Click on it and you'll see some different profiles to choose from. Click on Custom; this will list some program defaults and access controls that you can change manually.


The first group in the list is for your Web browser. Uncheck the box labeled "Enable access to this program" next to Internet Explorer. You'll notice there is a button for the system default -- you'll want to click the dot next to your new browser to make it the default if it isn't already set.

Internet Explorer is, unfortunately, built into Windows in all versions after 98 and can't be fully removed. No matter what you do, IE will still be available in a limited capacity for the purpose of running Windows Update, which requires Internet Explorer to run. It will not be generally available to users, however, and since you set your default browser to whatever you installed earlier, IE will never open on its own when you click a link offline. This is the best you can do; Windows security is all about reducing risk, rather than eliminating it. If you start Windows Update, an IE window will open and you can use it for browsing sites other than Windows Update despite the fact that it's been "removed" and "disabled." This is one of the main problems with Windows -- there are always loopholes like this one that compromise your system's security. A more effective long-term answer to such security concerns might be to switch to GNU/Linux.

 

     Just in case you hadn't realized how big computer security has become, here is a list of the alert sites of which I am a member. And each of these has categories of security within them.  Can you imagine having to sit down at a table with each of these groups on a regular basis?  It’s about all I can do to keep up with their email.


By John Abbott


     1ndonesian Security Team
     @Stake - L0pht
     AERAsec
     ALPER Research Labs
     AngryPacket Security
     Arhont Ltd.
     Black Tigerz Research Group
     Blackshell
     Blackwatch Labs
     Blue Panda
     Centaura Technologies
     CERT (Computer Emergency Response Team)
     Cgisecurity.com
     ChinaSL Information Technology
     CIAC (US Dept. of Energy)
     CORE
     Corsaire
     COVERT Labs (Network Associates)
     cqure.net
     Damage Hacking Group
     Databugs Security Team
     Deep Zone
     Defcom Labs
     DHC
     Digital Defense
     Dtors Security Research
     DWC Gr0up
     e-matters
     ECHU.ORG
     eEye Digital Security
     exploitlabs.com
     Eye on Security
     Eye On Security Research Group - India

     FIRST (Forum of Incident Response Security Teams)
     Frame4 Security Systems
     Freedom 0f Knowledge Project
     Foundstone
     Georgi Guninski
     Global InterSec Research
     Global Security Solution IT (GSSIT)
     GOBBLES
     GreyMagic Software
     Guardent
     GulfTech Security Research Team
     Hackerslab
     Hat-Squad Security Team

     iDEFENSE
     Illegal Instruction Labs
     illegalaccess.org
     INetCop Security
     Infohacking
     Information Risk Management plc
     Infowarfare.dk
     Integrigy
     Internet Security Systems (X-Force)
     INTEXXIA
     iSEC Security Research
     iSecureLabs
     IT-Checkpoint Security
     KPMG
     Mordred Security Labs
     NetGuard Security Team
     Netric Security Team
     netVigilance
     Network Intelligence India
     NGSEC
     NGSSoftware
     Nomad Mobile Research Centre
     NovaPPC Security Research Group
     NSFOCUS
     NSSI-Research Labs
     OpenWall
     Phenoelit Group
     Pine Digital Security
     PivX Solutions
    

     Portcullis
     ProCheckUp
     qDefense
     QITEST1
     r0tten dev1ce Crew
     Rapid 7
     RAZOR
     rfp.labs (RainForestPuppy - wiretrip.net)
     RUS-CERT
     RusH Security Team

     S-Quadra Security Research
     S21SEC
     SafeHack
     SCAN Associates
     sec-labs
     SECNAP
     Secunia Research
     Secure Net Service (LAC)
     Secure Reality
     SecureXpert Labs
     Securiteinfo.com
     Security-Corp
     SECURITY.NNOV
     SecurityOffice.net
     Sentinel Chicken Networks
     Sentry Union
     Shadow Penguin Security
     Shell Security
     SNS Research
     SP Research Labs
     STG Security
     Strategic Reconnaissance Team
     SystemSecure.org
     Texonet
     Tripbit Security Research Group
     Trust Factory
     UkR Security Team
     UNDERSEC Security
     USSR (Underground Security Systems Research)
     Vietnamese Security Group
     VIGILANTe
     w00w00
     Westpoint
     Wkit Security AB
     Zone-H
 

 

 

MICROSOFT BASELINE SECURITY ANALYZER V1.2, By Harold Buechly

MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2 will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, IE, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office.

 

Once you download it, install it and run it, you will be given a report of what it finds right, what is wrong, and how to correct it. It is available to anyone, but it is prepared by Microsoft for IT professionals. This procedure was previously listed in Barron's Bytes in the March 24, 2003 Bulletin.

http://my.awesomenet.net/~bentsen/030324b.htm

Download from:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Harold

 

SMART COMPUTING USER GROUP OFFER, By Harold Buechly

By subscribing to Smart Computing or one of their other 4 magazines, your computer club gets credit. When 5 credits are issued we will receive a free subscription to be given away as a door prize. Go to:

https://www.smartcomputing.com/groups/default.asp?guid and click on subscribe on the left side and fill out the form to start your subscription.

You will receive access to a very complete web site offering tips, information and educational material, with many thousands of well-written articles and online access to all 5 magazines.

 

VIRUS / ANTIVIRUS - BATTLE TO CONTROL THE INTERNET, By Harold Buechly

Attacks on our computers are becoming more frequent and more vicious as time goes by. Several years ago viruses were not as damaging as they are becoming now. If we allow any malicious program to run on our computer, we turn control of the computer over entirely to the person who wrote that program. There are many thousands of programs on our computer and hopefully they are all good programs designed to help us accomplish various tasks.

A program is a set of instructions written in a language your operating system understands. It is much like a foreign language to us but quite simple compared to learning to speak French or Spanish. A program is also called software or an application and may be a utility.

A program may create or use a data file on your hard drive. Data files may contain pictures, sounds, words, numbers, settings, preferences or any information that can be processed by a computer.

A malicious programmer may create an entire program, modify a good program found on most computers by adding his own code to it, or replace a good program entirely. A program sitting on your hard disk does no harm unless it is executed. When we click on an icon on our desktop we execute or run a program. When we turn on or start our computer, many programs are started.

We all know the most common way of receiving viruses is by e-mail. We also know that opening an attachment is the most common way of installing a virus on our computer. We can only hope that our antivirus programs can continue to do the marvelous jobs they have been doing.

To protect our computers, we must have several programs running in the background and frequently run several other programs to clean up what gets through. Running these protective programs in the background takes a big chunk of our computer's processor capacity. Not long ago 32 to 64 MB of RAM may have been adequate. Now we need 256 to 512 MB of RAM, and not just because of the protection we need: we are running bigger programs with large chunks of data, and many programs at one time. For a computer to operate quickly and efficiently, all the programs and all the data they are using must be loaded into RAM.

In order for a virus to do its thing it must spread to many computers. If it is active in your computer, its first job is to replicate itself and send itself to those in your address book. It can do this without using your e-mail program because it has its own built in. It may also be capable of going to a web site to collect e-mail addresses and sending messages to them using your return address, or of continuously opening a web site, which is an attack that may shut the site down because of excess traffic. At the same time it creates a lot of traffic on the WWW, which slows us all down.

So far, few viruses have damaged our computers and data but a malicious program is capable of destroying data and programs on our computer.

 

 

Submit Your article; deadline for next bulletin is the last day of each month.

Share your computer experiences with other members. We need articles to publish in the BGRCC Bulletin each month. Simply click here EDITOR AT BGRCC and paste your write-up to submit it.

 

UPDATE YOUR MEMBERSHIP Change your e-mail address, unsubscribe to this bulletin, etc. Use link below.

UPDATE YOUR MEMBERSHIP