Adware Spyware soapbox, part II
While I’m on the adware and spyware soap-box, I wanted to let you know that adware and spyware programmers do have the capability to make sure that their websites are deemed “safe” by Internet Explorer, which then allows their website to run anything they want to on your computer.
To explain:
Internet Explorer has four ‘zones’ of security (there actually may be more than that, but that’s all Microsoft is telling the public about.)
Each of these ‘zones’ is supposed to be set for differing security levels based on what types of traffic each ‘zone’ is supposed to allow or stop.
By default, the highest level of security is on the “Restricted” ‘zone’.
The next lower level is the “Internet” ‘zone’.
Then the security level drops a bit more for the “Local Area Network” ‘zone’.
And finally the least secure (just about any type of program can run here) ‘zone’ is named “Trusted”.
What types of programs can Internet Explorer run? Glad you asked. Here’s a list, but DO NOT try to make sense of what each one does unless you want to spend time learning how to program!!! This list is here ONLY to show you some of the many ways your computer can be controlled from a website via Internet Explorer.
Signed ActiveX controls with binary behavior
Unsigned ActiveX controls with binary behavior
Signed ActiveX controls with script behavior
Unsigned ActiveX controls with script behavior
Signed ActiveX plugins
Unsigned ActiveX plugins
META REFRESH
Installation of desktop items
Launch programs and files in an IFRAME
Active scripting
Java
Javascript
Now, to brighten up the picture a bit more, some adware and spyware programmers can move their chosen websites into Internet Explorer’s “Trusted” ‘zone’ so that all restrictions are off. That means the websites that pay them to write adware and spyware get all that crap loaded onto your computer, keep you pissed off with those annoying little popup windows, give you a slow Internet connection, and generally make Internet surfing hell. Put simply, some adware and spyware can manipulate Internet Explorer to do their own bidding.
For example:
We just repaired a Windows XP Home computer that was on the Internet behind a router. It had 58 virus-infected files, 738 (1/3 of our highest ever) adware, spyware and malware items (“mal-” meaning bad or evil) and the following sites had been moved into the “Trusted” ‘zone’:
Obviously, these are not websites that a user would know to, or want to trust…
And the Internet Explorer “Internet” ‘zone’ had also been set so that unsigned ActiveX controls could be downloaded and installed. What’s the big deal here? ActiveX is a type of programming that lets programmers run their programs on _YOUR_ computer from their chosen website or via an email if the user is using Outlook or Outlook Express - both of which use Internet Explorer (including its weaknesses) to display HTML email. The original intention on this *may have been* fine; however, it allows bad-intentioned programmers to do as they wish on _YOUR_ computer.
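Both changes found on that machine, sites mapped into the Trusted zone and unsigned ActiveX downloads enabled for the Internet zone, live in the per-user registry under Internet Settings (ZoneMap, and Zones\3 with URL action 1004). The following Python script is an added example, not part of the original post: it audits the text of a `reg export` of that key. The sample export, host names and address are constructed, and the export is assumed to be already decoded to a string.

```python
import re

# Constructed sample: decoded text of `reg export` for HKCU\...\Internet Settings.
# Host names and the address are placeholders, not values from the post.
BASE = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    BASE + r"\ZoneMap\Domains\adbar.example]", '"*"=dword:00000002',
    BASE + r"\ZoneMap\Domains\intranet.example\wiki]", '"https"=dword:00000001',
    BASE + r"\ZoneMap\Ranges\Range1]", '"*"=dword:00000002', '":Range"="192.0.2.59"',
    BASE + r"\Zones\3]", '"1004"=dword:00000000',
])

TRUSTED_ZONE = 2           # zone numbers: 1 intranet, 2 trusted, 3 Internet, 4 restricted
UNSIGNED_ACTIVEX = "1004"  # URL action "Download unsigned ActiveX controls"; 0 = enable


def parse_reg(text):
    """Return {key_path: {value_name: int | str}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"(.*?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            current[m[1]] = int(m[2], 16) if m[2] else m[3]
    return keys


def audit(text):
    """Report Trusted-zone mappings and an Internet zone that allows unsigned ActiveX."""
    findings = []
    for path, values in parse_reg(text).items():
        parts = path.partition("\\Internet Settings\\")[2].split("\\")
        if parts[:2] == ["ZoneMap", "Domains"] and len(parts) > 2:
            host = ".".join(reversed(parts[2:]))  # Domains\example.com\www -> www.example.com
            findings += [f"trusted-site {proto}://{host}"
                         for proto, zone in values.items() if zone == TRUSTED_ZONE]
        elif parts[:2] == ["ZoneMap", "Ranges"] and TRUSTED_ZONE in values.values():
            findings.append(f"trusted-range {values.get(':Range', '?')}")
        elif parts == ["Zones", "3"] and values.get(UNSIGNED_ACTIVEX) == 0:
            findings.append("internet-zone unsigned ActiveX download enabled")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```

Any Trusted-zone entry the user did not add themselves, or an Internet zone with action 1004 set to 0, is worth treating as a sign the settings were tampered with.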
Currently, cleaning adware and spyware crap off the Windows computers of Internet Explorer users makes up more than half of our daily work.
I suppose I should be a good little citizen and thank Microsoft for my bread and butter, but if Microsoft were working for me, I would have fired them years ago. To be nice, their Internet Explorer sucks pond water. (Most animals wouldn’t drink pond water if they were dying of thirst.)
Now, my real opinion on this whole mess is that, for reasons of their own, Microsoft is allowing other companies the luxury of breaking and entering your computer via their Internet Explorer. This makes Microsoft a partner in the crime.
Last I checked, breaking and entering was against the law - but somehow lawyers haven’t gotten on that bandwagon yet.
Pity - they should be able to make a killing on it.
5 Comments for "Adware Spyware soapbox, part II"

» Diane Vigil
05/14/05 @ 5:50 am
Hm. Meta Refresh is HTML coding that auto-forwards the browser from one page to another. For instance, say you move a page in a website but don’t want to leave people arriving at the page’s old location stranded or confused; you could put a new page in the original location, and add a meta refresh to it so that it takes them to the new location. Sure, it could be done more elegantly in other ways, but that’s one way to do it.
Like anything, I suppose meta refresh can be put to bad use but that, at least, was the original purpose for meta refresh. What sorts of problems were you seeing with it?
» Dan
05/14/05 @ 2:30 pm
Well, for starters, when you do this Google search for: “meta refresh vulnerability” you end up with about 17,000 results, the first of which (being a proof of concept site) attempts to load a script from a non-restricted site, or you could look at Securiteam’s example of another product’s security problem that then allows Meta Refresh to be used nefariously by the attacker.
Sorry, lack of sleep precludes further ramblings at this moment. (As well as lack of spelling coherance. :)
» Diane Vigil
05/14/05 @ 5:29 pm
Okay. Ramble not. My point was that meta refresh is just an auto-forwarding feature that is put into an HTML page; it is the page itself that does whatever it does. It is likely the loading of the page itself that executes whatever is executed. In that case, I’m sure there are other ways it could be done, but won’t delineate them here.
And, in that case, would other browsers not have the same problems?
» Dan
05/16/05 @ 4:08 pm
I believe you are correct in regards to other browsers being susceptible to Meta Refresh problems as well as Internet Explorer.
However, my purpose in this article was to specifically point out problems with Internet Explorer.
Other browsers have troubles, but if the troubles of the top three Internet browsers (not including Internet Explorer) were to be combined, they would still be less in both number and severity than Internet Explorer’s rather obnoxiously long list.
» Diane Vigil
05/17/05 @ 3:09 am
Okay. I think there may be some missing info here. First, meta refresh is standard HTML redirect coding supported by the W3.org, so it’s not a “susceptibility” in the usual sense that browsers support it any more than they would support any other HTML tag. Secondly, meta refresh is only code to automatically redirect the browser to a specified page after a specified time — which can be zero seconds.
Meta refresh can be used, for example, when a website has been moved to a new domain. You put an HTML page on the old domain — perhaps it says “we’ve moved” — and add meta refresh coding to take visitors seamlessly to the new domain after a few seconds.
So far as I know, meta refresh does not, in and of itself, load anything extra onto a page; the code only says where the user will be redirected and how soon. My guess is that the problem is actually caused by a browser’s accessing of a page containing malicious code. I’d guess that the meta refresh code may be used to mask from the user whatever was on the original page (if it is visible at all) due to the speed of the redirection, but doesn’t cause the problem in and of itself.
Of course, like any other technology, meta refresh (or any other technology that allows auto-redirection such as JavaScript) could be put to devious ends. Unfortunately, we’re a little too far along in the Web tech cycle to retract the meta refresh tag from the official HTML specifications or to recall all browsers that have ever supported it. The real problem, of course, is that some/most/all computers may not, out of the box, block the execution of malicious code. Otherwise, we wouldn’t care what code downloaded.
Thus, your point about the issues with IE being greater than those of the other three major browsers combined is well taken. For myself, I’m finding Opera 8 to be the most user-friendly and *elegant* browser I’ve ever had the pleasure to use.