Version: 2008
Comments on: Hyperlink insecurity

Exploit Prevention Labs co-founder Roger Thompson has a message for Web surfers: Be afraid. Be very afraid.

(6 Comments)
Proper danger classification
by Philips May 31, 2006 5:01 AM PDT
"My analysis revealed that the free Web counter had hidden functions. When someone visited the plasterer's site, the Web counter accessed a Web server in Slovakia, which then grabbed a drive-by download from a server in Colorado, that was then silently installed onto the unsuspecting Web site visitor's computer."

Please, in future, before using passages like "world in grave danger", mention that the problem is M$ Windows & Internet Explorer specific.

Not all of us are using Wind0ze. And more and more Windows users come to their senses and install Firefox or Opera.
Who gave the permission?
by hadaso May 31, 2006 5:01 AM PDT
For software to be installed on your computer, it needs your permission. You might have granted that permission by accepting the terms when you installed your OS or your browser.

Does the Windows Metafile vulnerability allow the installation of a rootkit when the web browser (which browser?) is run without system administrator permissions?
Being "not well-behaved"
by JChiarella June 1, 2006 9:43 AM PDT
Thanks, Hadaso, for your thoughtful comment. It's an insightful question.

First, the WMF exploit specifically targets a vulnerability in Microsoft Internet Explorer. Other browsers, such as Firefox and Opera, are not as vulnerable.

Please keep in mind that exploits are not what we call well-behaved programs. They don't have to play by standard rules. By their very nature, they succeed by blowing up some application (IE in this case) and using it to poke a hole in the OS so that they can do whatever they want.

Hadaso is correct: it is _always_ best to surf the Internet with a lower privilege account. There is little on the downside, except that you may not always be able to easily install software that you _do_ want to install.

In the case of the WMF exploit, being logged in on a lower privilege account probably stops the install because the _common_ payload is just a downloader - but there are others. If the payload were a rootkit, or if the exploit payload involved privilege escalation, anything would be possible, including unwanted installations - even when those privileges aren't expressly allowed by your account.

The best defense, in our estimation, is to never let the exploit into the machine at all, thus keeping computers completely safe from this kind of harm.

Joe Chiarella
Product Manager, Exploit Prevention Labs
with additional insight from Roger Thompson, CTO
Mac and Linux look pretty good.
by May 31, 2006 7:01 AM PDT
"In this age of open-source and free software, ... It typically takes Microsoft weeks or months to issue a patch for each new vulnerability discovery."

Oh, sorry, those were two separate sentences. ;)

Although Mac is hardly free in either sense of the word, it's still built to be more secure than Windows.

And it's a good thing I have Firefox on all my platforms (I'm actually on an MS Windows desktop right now).
What are the software conditions of your hyperlink insecurity?
by jdgill June 2, 2006 7:07 AM PDT
Assuming people are using unpatched versions of Windows and Internet Explorer, and running as Administrator, I can see this as a problem.

When you were doing your testing of how easy it is to be infected, were you running under these conditions? Or were you using a more secure setup like Firefox, Windows fully updated, and a limited user account?

I understand the WMF exploit you mentioned could have bypassed many of these security practices.

Interesting article. A great shot of paranoia keeps everyone in the IT security field going in the morning. Thanks! :-)
In response
by jdgill June 2, 2006 7:13 AM PDT
To my knowledge the WMF exploit bypassed any permissions and security software (anti-virus/anti-malware) and caused code to be executed as a high-level user (administrator). There are methods of embedding exploit code into a "harmless" jpeg image on a website. Viewing this jpeg image under any browser compromised the system without the user's input. No AV warnings, no certificates, no asking of permission to execute.