In case anyone hadn't already switched to Firefox

[KcMizzou]

Spyware Barely Touches Firefox

By Gregg Keizer
TechWeb.com Thu Feb 9, 2:15 PM ET

Internet Explorer users can be as much as 21 times more likely to end up with a spyware-infected PC than people who go online with Mozilla's Firefox browser, academic researchers from Microsoft's backyard said in a recently published paper.

"We can't say whether Firefox is a safer browser or not," said Henry Levy, one of the two University of Washington professors who, along with a pair of graduate students, created Web crawlers to scour the Internet for spyware in several 2005 forays. "But we can say that users will have a safer experience [surfing] with Firefox."

In May and October, Levy and colleague Steven Gribble sent their crawlers to 45,000 Web sites, cataloged the executable files found, and tested malicious sites' effectiveness by exposing unpatched versions of Internet Explorer and Firefox to "drive-by downloads." That's the term for the hacker practice of using browser vulnerabilities to install software, sometimes surreptitiously, sometimes not.

"We can't say IE is any less safe," explained Levy, "because we choose to use an unpatched version [of each browser.] We were trying to understand the number of [spyware] threats, so if we used unpatched browsers then we would see more threats."

Levy and Gribble, along with graduate students Alexander Moshchuk and Tanya Bragin, set up IE in two configurations -- one where it behaved as if the user had given permission for all downloads, the other as if the user refused all download permission -- to track the number of successful spyware installations.

During Levy's and Gribble's most recent crawl of October 2005, 1.6 percent of the domains infected the first IE configuration, the one mimicking a na�ve user blithely clicking 'Yes;' about a third as many domains (0.6 percent) did drive-by downloads by planting spyware even when the user rejected the installations.

"These numbers may not sound like much," said Gribble, "but consider the number of domains on the Web."

"You definitely want to have all the patches [installed] for Internet Explorer," added Levy.

In the same kind of configurations, Firefox survived relatively unscathed. Only .09 percent of domains infected the Mozilla Corp. browser when it was set, like IE, to act as if the user clicked through security dialogs; no domain managed to infect the Firefox-equipped PC in a drive-by download attack.

Compare those figures, and it seems that IE users who haven't patched their browser are 21 times more likely to have a spyware attack executed -- if not necessarily succeed -- against their machine.

Most of the exploits that leveraged IE vulnerabilities to plant spyware were based on ActiveX and JavaScript, said Gribble. Those two technologies have taken the blame for many of IE problems. In fact, Firefox boosters often point to their browser's lack of support for ActiveX as a big reason why its security claims are legit.

Levy and Gribble didn't set out to verify that, but they did note that the few successful spyware attacks on Firefox were made by Java applets; all, however, required the user's consent to succeed.

Microsoft's made a point to stress that Internet Explorer 7, which just went into open beta for
Windows XP, tightens up ActiveX controls by disabling nearly all those already installed. IE 7 then alerts the user and requires consent before it will run an in-place control.

Good thing, because one of the research's most startling conclusions was the number of spyware-infected sites. One out of every 20 executable files on Web sites is spyware, and 1 in 25 domains contain at least one piece of spyware waiting for victims.

"If these numbers are even close to representative for Web sites frequented by users," the paper concluded, "it is not surprising that spyware continues to be of major concern."

The moral, said Levy, is: "If you browse, you're eventually going to get hit with a spyware attack."

http://news.yahoo.com/s/cmp/20060210/tc_cmp/179102616

[jidar]

Quote:

Originally Posted by phxchief

lol
Like that?
It wasn't exactly off the cuff. I've said variations of that rant a couple of times a year for the last 6 years or so.

[Skip Towne]

Quote:

Originally Posted by htismaqe

I've actually been busy today at work. It's a rare occurrence.

Damn! That's got to be cutting into your Planet time. I'd speak to management about it.

[Otter]

I'm certainly no MS expert but if I understand the core problem of IE vulnerability it’s that IE is so very integrated to within every use of the OS that it needs to have access to things a web browser doesn’t’ need access.

Example: IE is used to browse files, access control panel, access services, regedit ect.

What if MS just fell back, regrouped and in their next OS version installed an app strictly for browsing the internet and left explorer to do its GUI stuff thus severing the whole integrated vulnerability tie?

Too easy? Over simplifying the matter?

Thoughts *cough* hits *cough* on the subject?

[htismaqe]

Quote:

Originally Posted by Skip Towne

Damn! That's got to be cutting into your Planet time. I'd speak to management about it.

I did. They weren't sympathetic.

[htismaqe]

Quote:

Originally Posted by Otter

I'm certainly no MS expert but if I understand the core problem of IE vulnerability it’s that IE is so very integrated to within every use of the OS that it needs to have access to things a web browser doesn’t’ need access.

Example: IE is used to browse files, access control panel, access services, regedit ect.

What if MS just fell back, regrouped and in their next OS version installed an app strictly for browsing the internet and left explorer to do its GUI stuff thus severing the whole integrated vulnerability tie?

Too easy? Over simplifying the matter?

Thoughts *cough* hits *cough* on the subject?

That is indeed the issue.

If IE could be isolated and taken out of Windows with no hooks, I wouldn't be using it.

My experience has been that if I try to use a 3rd-party browser, Windows has issues with it.

Is that good? No. But it's reality.

[kaplin42]

Quote:

Originally Posted by htismaqe

Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.

Exactly!! This is the same arguement that Mac users use when they say Mac's dont get viruses. Thats because Mac's only make up about 10% of the market share, who would waste their time with that?

[Simplex3]

Quote:

Originally Posted by kaplin42

Exactly!! This is the same arguement that Mac users use when they say Mac's dont get viruses. Thats because Mac's only make up about 10% of the market share, who would waste their time with that?

Once again, you've bought the line from MS. There are far more *nix servers in the world. Credit card companies, banks, etc. It would be easier for a hacker to do far more damage by hacking them, but it's not easier. Windows is highly vulnerable, especially in it's default configuration, so instead of going to the source they go to the end user and get the information one person at a time.

[Hammock Parties]

Firefox rules. I recently started using the SessionSaver extension. My god!

[htismaqe]

Quote:

Originally Posted by Simplex3

Once again, you've bought the line from MS. There are far more *nix servers in the world. Credit card companies, banks, etc. It would be easier for a hacker to do far more damage by hacking them, but it's not easier. Windows is highly vulnerable, especially in it's default configuration, so instead of going to the source they go to the end user and get the information one person at a time.

Actually, that line didn't come from M$. It's common knowledge.

90% of the systems I secure are Unix or Linux.

Black Hat Professionals --> Unix

Script kiddies, spyware, and bullshit --> Windows

[htismaqe]

I should note that the one Windows-based target for the real Black Hats, particularly Eastern European organized crime, is botnets -- using virus/trojan malware to produce huge DDoS attacks for extortion.