Worst Browser Threats May Not Be Security Holes How Internet Explorer in XP SP2 Works Differently Brian Livingston
How Internet Explorer in XP SP2 Works Differently
With the release of Service Pack 2 for Windows XP in September 2004, Microsoft made a positive change in the behavior of IE, which is bundled with Windows. "It took them a number of years to get it," Howes says, "but they eventually did get it."
Instead of popping up a dialog box when a Web site tries to install, for example, an ActiveX program, IE with SP2 now displays a much less intrusive alert about the situation. "They put it in the Information Bar to take the dialog boxes out of people's faces," Howes notes, "so they don't feel pressured into making potentially bad decisions."
It's still possible for a user to click IE's Information Bar, find more information about software that a Web site wants to install, and click "OK" to install it. But it's much less likely. This, hopefully, will prevent many copies of spyware and adware from being installed. (Users of Windows XP who haven't installed SP2, as well as users of Windows 2000 and earlier versions, don't enjoy even this much protection against trickery,
unfortunately.)
Adware Publishers Are Using Java Applets
Adware makers are already distributing files on the Internet that launch Java applets on Firefox and other Mozilla-based browsers. According to Howes, these programs include 180search Assistant, istbar, PowerScan, Sidefind, PeopleonPage, and the YourSiteBar.
Other programs, including iSearch/iDownload, present dialog boxes to Firefox users through browser extension methods, according to a PDF statement (page 2, paragraph 3) by Sunbelt Software, an antispyware maker that has consulted with Howes.
It's certainly true that computer owners should be able to install just about any software they want. The problem arises when official-looking dialog boxes are presented to users, who often see no difference between them and other Windows dialog boxes that they must click on every day.
Officials of the Mozilla Foundation, which makes the Firefox browser, did not respond to e-mails seeking comment by press time.
Defending Against Deceptive Dialog Boxes
"The Firefox 'yellow bar' gives little notice of what is actually trying to install itself, and so, in that respect, IE does have some small advantage," according to Christopher Boyd, a spyware researcher associated with VitalSecurity.org. Boyd is a Microsoft "Most Valuable Player" for security, an honor the Redmond company bestows on individuals who aren't employed by the firm but who play an important role in educating end users on Web forums and elsewhere.
At the same time, Boyd says, "until Microsoft untangles IE from the operating system, the number one target for spyware/malware will always be IE. The problem we have now is that, realizing Windows and IE are becoming more hardened (coupled with the raft of security tools people now employ), attackers are simply resorting to cruder methods of attack — namely social engineering and cheap tricks."
Company executives can't expect computer end users to guess correctly when confronted with Windows dialog boxes urging them to click "Yes," Boyd states.
"A security professional who neglects the human aspect of an attack is not a security professional," he says. "Here's something that could get to your PC across almost all browsers, regardless of secure lockdowns. All it took was a simple click of a 'Yes' prompt. And unfortunately, users click 'Yes' to things!"
