Windows Secrets Newsletter • Issue 171 • 2008-10-16 • Circulation: over 400,000
Table of contents
INTRODUCTION: Yay, Fred's back! Readers give a big thumbs-up
TOP STORY: All browsers are vulnerable to clickjacking
KNOWN ISSUES: Are criticisms of Vista bogus or legitimate?
WACKY WEB WEEK: "Chicken or fish?" may max out your credit card
LANGALIST PLUS: Repair XP's ability to format floppy disks
BEST SOFTWARE: Use a sandbox to improve your PC security
KNOWN ISSUES 2: Put these file locations on your backup radar
PC TUNE-UP: How to take over an IIS server in no time flat
PATCH WATCH: Patch knocks out Net for XP PCs with ZoneAlarm
Yay, Fred's back! Readers give a big thumbs-up
By Brian Livingston
Ever since I announced on Oct. 9 that our editor-at-large, Fred Langa, was coming out of retirement to bring you a new column every week, we've received hundreds of e-mails from readers who're glad to see him back.
We've received only a couple of messages like, "Fred who?"
My favorite comment came from a reader named Sheri, who enjoys our paid content (including Fred's new column) and also was a subscriber to Ian "Gizmo" Richards' newsletter, Support Alert, which merged with Windows Secrets last July:
If you're a free subscriber, we'd like you to try out our paid content. There's no risk. If you don't agree that it's worth what you contributed, you can get a full refund any time in the first four weeks. Please use the following link for details:
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
All browsers are vulnerable to clickjacking
By Stuart J. Johnston
The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.
What's worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.
Clickjacking lets an attacker hijack your mouse clicks through any of several newly described attack scenarios. When you think you're clicking a harmless button (for example, to see the next page of an article) you may actually be clicking a control on a different site, one you're already logged into, and authorizing an action there that you never saw.
The weakness is not a single bug in one product but the way every major browser, including Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari, lets one site's page be layered invisibly over another's. By intercepting clicks on what appear to be legitimate links, criminals can make your browser act on your behalf in any site where you hold a live session.
The problem doesn't stop there. At least some of the flaws that make clickjacking possible also show up in popular browser plug-ins such as Adobe's Flash player and Microsoft's Silverlight.
"If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security," Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.
Disguised links lurk behind clickable buttons
In clickjacking, the attacker's page shows you an ordinary-looking button, then loads the site it actually wants you to act on in a frame that is made fully transparent and stacked on top of that button, positioned so the hidden page's real control sits exactly over the decoy. The button you see is the decoy; the click is delivered to the invisible page above it, and that site carries out the action using the session you already have with it.
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.
They point out that even users who watch their systems like a hawk can be victimized.
"There's really no way to know if what you're looking at is real," Hansen told Windows Secrets.
In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a "new class" of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.
Clickjacking isn't new. In fact, it dates back to at least 2002, Hansen said. What's new is the range of browser vulnerabilities that make clickjacking possible.
Hansen's blog posting describes the scope most clearly:
"Most browsers are going to be vulnerable," Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft's upcoming browser to be patched by the time it's released later this year.
Flash apps may activate webcams and mics
Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player.
For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic.
Clickjacking vulnerabilities don't stop there. The basic attack is built on an iframe, and, unlike cross-site scripting, it needs no flaw in the target site at all: the attacker only has to be able to load the target in a frame on a page under his control.
Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat's complexity.
In fact, in the three weeks since Hansen and Grossman first revealed the discovery of the clickjacking vulnerabilities, Hansen says he's received about half a dozen examples of proof-of-concept code and knows of several more — not counting the half dozen or so that he and Grossman have already found.
To date, there have been no attacks in the wild, although with proof-of-concept code already out, it's just a matter of time. (Contributing editor Mark Edwards also mentions Flash exploits in his column today.)
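To make the layering concrete, here is an added example written for this edit; it is not part of the newsletter and not Hansen and Grossman's proof-of-concept code. It builds the kind of decoy page described under "Disguised links lurk behind clickable buttons" and, on the defending side, checks whether a site's response headers permit it to be framed at all, which is the fix the vendors were still working on when this issue went out. The target URL, decoy label, pixel offsets and header values are made up for the example; the X-Frame-Options header (shipped with IE8 in 2009) and the Content-Security-Policy frame-ancestors directive both post-date this article. It runs under Node.js with no network access.

```javascript
// Added example (not from the newsletter): how a clickjacking page is laid
// out, and how a site can tell whether its own responses permit framing.
// Node.js, offline. Every URL, label and header value below is made up.

// --- Attacker side: the decoy page -----------------------------------------
// The target site (one the victim is logged into) is loaded in an iframe that
// is fully transparent and stacked ABOVE a decoy button. The victim sees the
// decoy; the click lands on whatever the hidden frame shows at that spot.
// offset = where the real button sits inside the framed page (assumed known),
// so the frame is shifted to put that button exactly under the decoy.
function buildDecoyPage(targetUrl, decoyLabel, offset) {
  const { x, y } = offset;
  return [
    '<!doctype html><html><body>',
    '<style>',
    '  #decoy  { position:absolute; left:100px; top:100px; width:120px; height:40px; }',
    '  #target { position:absolute; left:' + (100 - x) + 'px; top:' + (100 - y) + 'px;',
    '            width:800px; height:600px; opacity:0; z-index:2; border:0; }',
    '</style>',
    '<button id="decoy">' + escapeHtml(decoyLabel) + '</button>',
    '<iframe id="target" src="' + escapeHtml(targetUrl) + '"></iframe>',
    '</body></html>',
  ].join('\n');
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// --- Defender side: does a response allow itself to be framed? -------------
// X-Frame-Options (IE8, 2009) and CSP frame-ancestors (later) post-date the
// article; they are the server-side fix. `headers` is a plain object keyed by
// lowercase header name (assumed). Returns 'deny', 'sameorigin', 'any', or an
// array of the origins a frame-ancestors directive allows.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, ''));
      if (sources.length === 1 && sources[0] === 'none') return 'deny';
      if (sources.length === 1 && sources[0] === 'self') return 'sameorigin';
      return sources; // when both headers are present, CSP takes precedence
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  return 'any'; // no header, or an obsolete value (ALLOW-FROM) that current browsers ignore
}

// Classic 2008-era frame-busting script for the framed page. Caveat: it only
// works if script runs inside the frame, and attackers later learned to
// neutralise it (pre-empting the navigation with onbeforeunload, or framing
// the page in a sandboxed iframe), so it is a stopgap, not the fix.
function frameBustingScript() {
  return 'if (top !== self) { top.location = self.location; }';
}
```

The decoy page is returned as a string you can write to a file and open in a browser; raising opacity from 0 to about 0.3 makes the hidden frame visible and shows how the real button lines up under the decoy. Note that the frame-busting script needs JavaScript enabled in the framed page, which is exactly what Hansen's advice to disable scripting turns off, so the header policy is the defense to rely on.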
Can you stay safe in a clickjacking world?
Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe.
While we're all waiting for vendors to patch their products, Alfred Huger, vice president of software development for Symantec Security Response, has some down-to-earth advice. Since most malware attacks occur on adult sites, keep your browsing rated PG-13.
"You're most likely to see [attacks] on porn sites or on sites that offer game-cracking software," Huger adds.
When in doubt, ask yourself whether your mom would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.
Despite the seriousness of this latest round of security threats, SANS Institute's Skoudis says he is optimistic. While the threat of attack may be high for the next three to six months, Skoudis expects more complete protections to become available as early as next spring and no later than next fall.
"This is a very serious finding, but this is not going to be the end of the Web," Skoudis adds.
Are criticisms of Vista bogus or legitimate?
By Dennis O'Reilly
Several readers were dismayed to read about the Vista problems reported by Stuart Johnston in last week's Top Story, some going so far as to call it "Vista bashing."
On the other hand, we heard from just as many readers who are struggling with the same problems as the readers Stuart quoted — plus other Vista glitches of their own.
Reader Victor Sacco left no doubt about where he stands on the issue:
Reader John Douglas offers an explanation for some of these glitches:
Whether someone's Vista Registry has bloated itself up to millions of lines, hundreds of megabytes, or some other measure, the problems Stuart wrote about represent the experiences of many Vista users.
Ferreting out a disk-imaging bargain
One of my favorite things is saving money on what I consider an indispensable PC application. That's why I stood up and took notice when reader John Sullivan wrote to tell us about a great deal he found on Acronis's True Image disk-imaging software:
WACKY WEB WEEK
'Chicken or fish?' may max out your credit card
The following link includes all articles this week: http://WindowsSecrets.com/comp/081016
The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch (2004), the LangaList (2006), and the Support Alert Newsletter (2008).
Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).
Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring.
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets & Support Alert Newsletter, the Windows Secrets Newsletter, Support Alert, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.