Saturday, August 21, 2004

Followup from yesterday: the drag/drop IE problem 

I found the sample attack and took a look. It's kind of scary.

All you see on the screen is some red lines and a little Pac-Man(tm)-like figure (and some pointless vulgarity). As far as you can tell by looking, all you do to infect yourself is move a picture from one place on the screen to another. The attack uses some features that only exist in Internet Explorer ("IE") which allow it to disguise a program as a picture and disguise a folder on your computer as a blank space.

This can happen even on XP Service Pack 2, the version with all the security improvements.

Microsoft isn't very worried. They say it's a minor problem because it requires so much work by the user before a computer can be infected. At least one independent firm rates it "highly critical". I think it's grounds for worry because it's hard for a street-smart user to avoid. An attack could be disguised as an ad. You've seen the ads that say "click the monkey to win a prize"? An ad that said "Drag the monkey to the barrel and win a prize" could trick a lot of people, and it's less work for the user than some highly successful attacks have required.

The independent firm (Secunia) recommends turning off JavaScript (Tools/Internet Options/Security/Internet/Custom/Scripting/Active Scripting/Disable; I am not making that up, and if you do it a lot of web sites won't work right), or switching to another browser. Switching is painless and actually fun. There's even help about how to do it.
