All browsers are vulnerable to clickjacking [Newsletter Comp Version]

If your software garbles this newsletter, read this issue at WindowsSecrets.com.

YOUR NEWSLETTER PREFERENCES Change Delivery address: cpedley.kill-that-computer@blogger.com Alternate address: cgpedley@gmail.com Locale: Canada L3B 5N5 Reader number: 35034-18272

Home   Newsletter   Search   Reviews   Polls   Contact     This issue   Library   Upgrade   Preferences   Unsubscribe

Windows Secrets Newsletter • Issue 171 • 2008-10-16 • Circulation: over 400,000 All subscribers can get free PC buying advice We've obtained a license for you to download the best two chapters of How to Be a Geek Goddess: Practical Advice for Using Computers with Smarts and Style. The work is by Christina Tynan-Wood, who's contributed columns for PC World and PC Magazine and written for Popular Science, Family PC, and other magazines. The printed book won't ship until mid-November, but Windows Secrets subscribers can get our exclusive excerpt right now. The PDF download focuses on how to get the best deal when buying a laptop or desktop computer — advice that applies equally to Geek Gods and Geek Goddesses. Everyone likes a bargain. All subscribers: Set your preferences and download your bonus Info on the printed book: United States / Canada / Elsewhere

Table of contents INTRODUCTION: Yay, Fred's back! Readers give a big thumbs-up TOP STORY: All browsers are vulnerable to clickjacking KNOWN ISSUES: Are criticisms of Vista bogus or legitimate? WACKY WEB WEEK: "Chicken or fish?" may max out your credit card LANGALIST PLUS: Repair XP's ability to format floppy disks BEST SOFTWARE: Use a sandbox to improve your PC security KNOWN ISSUES 2: Put these file locations on your backup radar PC TUNE-UP: How to take over an IIS server in no time flat PATCH WATCH: Patch knocks out Net for XP PCs with ZoneAlarm

You're receiving only our free content. Use the following link to upgrade and get our paid content immediately: More info on how to upgrade

ADS   Your PC should be faster... The more you use your computer, the slower it gets. Run the all-new, free PC Pitstop PC Optimize 2.0 scan now, and in just minutes receive a free custom report showing you how to keep your PC running at peak performance. PC Pitstop   Are your computer's drivers up-to-date? Driver Detective provides the most up-to-date drivers specific to your computer! With more than 1 million drivers, Driver Detective saves you endless hours of work and aggravation normally associated with updating drivers. Drivers HeadQuarters See your ad here

INTRODUCTION Yay, Fred's back! Readers give a big thumbs-up By Brian Livingston Ever since I announced on Oct. 9 that our editor-at-large, Fred Langa, was coming out of retirement to bring you a new column every week, we've received hundreds of e-mails from readers who're glad to see him back. We've received only a couple of messages like, "Fred who?" My favorite comment came from a reader named Sheri, who enjoys our paid content (including Fred's new column) and also was a subscriber to Ian "Gizmo" Richards' newsletter, Support Alert, which merged with Windows Secrets last July: "A few years back, I found Gizmo's newsletter. From the first issue, I knew I'd found advice I could trust, so that when I was doing repairs or upgrades for myself or my friends, I wouldn't accidentally do something or install something that would make a computer unusable. Happily, every computer I've worked on has left my home in better shape than when it arrived! ... "One time I wrote Gizmo and told him I got a lot of newsletters, but his was the only one I'd actually pay money to receive. That's still true of Windows Secrets, and I can't thank you all enough for the newsletter and for the opportunity to pay what I could to receive it." Fred's using his new column each week to answer at least three or four questions sent in by readers. He's committed to work through your problems for at least another year or two. (And I think we can keep him busy a lot longer than that!) His column appears in our paid content but, as always, there's no fixed fee to get it — we accept any financial contribution in any amount from anyone. If you're a free subscriber, we'd like you to try out our paid content. There's no risk. If you don't agree that it's worth what you contributed, you can get a full refund any time in the first four weeks. Please use the following link for details: More info All of our writers are working hard to dig up information on Windows that can help you work better and stay safe. It really keeps us going to see the positive responses from so many subscribers. Thanks for your support! Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books. Table of contents

ADS   Save up to 76% on quality inkjet ink We offer the sharpest prices on the Web for quality ink and laser toner. Back-to-school bonus: save an extra 10% by using coupon code PK839X. Free shipping to contiguous USA locations for all orders over $50. Offer expires 11/30/2008 and excludes OEM items. 4InkJets   Convert any audio file with ease Easily convert any music files to MP3, AAC, or WAV formats. 50x conversion speed. SoundTaxi Professional is simple to install and use. Enjoy all your music on your favorite device or computer, without any annoying restrictions. SoundTaxi See your ad here

TOP STORY All browsers are vulnerable to clickjacking By Stuart J. Johnston The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge. What's worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk. Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account. By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links. The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in. "If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security," Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians. Disguised links lurk behind clickable buttons In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link. Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches. They point out that even users who watch their systems like a hawk can be victimized. "There's really no way to know if what you're looking at is real," Hansen told Windows Secrets. In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a "new class" of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said. Clickjacking isn't new. In fact, it dates back to at least 2002, Hansen said. What's new is the range of browser vulnerabilities that make clickjacking possible. Hansen's blog posting describes the scope most clearly: "There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forging] to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them." This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. Disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps. "[Disabling JavaScript] totally cripples the Web experience," Skoudis said. In addition, Hansen states, even browsing with JavaScript disabled will not protect against all possible avenues of attack. "Most browsers are going to be vulnerable," Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft's upcoming browser to be patched by the time it's released later this year. Flash apps may activate webcams and mics Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player. For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Clickjacking vulnerabilities don't stop there; attacks may also be launched via iFrames by using cross-site scripting techniques. Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat's complexity. In fact, in the three weeks since Hansen and Grossman first revealed the discovery of the clickjacking vulnerabilities, Hansen says he's received about half a dozen examples of proof-of-concept code and knows of several more — not counting the half dozen or so that he and Grossman have already found. To date, there have been no attacks in the wild, although with proof-of-concept code already out, it's just a matter of time. (Contributing editor Mark Edwards also mentions Flash exploits in his column today.) Can you stay safe in a clickjacking world? Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe. Adobe: The Flash vendor has issued a patched version that will help keep you safe from Flash-based attacks. See the company's download page. Previously, the company had posted a security advisory containing a workaround. Mozilla Foundation: Install Giorgio Maone's open-source NoScript plug-in to block execution of JavaScript except for sites you approve. NoScript is free, though the vendor requests a donation. The add-on lets Firefox users designate the sites on which scripts are allowed to run and blocks JavaScript on all other sites. Microsoft: To date, the company has taken a noncommittal stance in regard to the clickjacking threat. Microsoft responds to questions by referring users to the company's Security Support page. U.S. Computer Emergency Readiness Team (US-CERT): The agency provides a document that describes how to protect IE, Firefox, Safari, and other browsers from a range of attacks. Even taking all of the above precautions doesn't guarantee that your system is 100% immune to the new threat. You'll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure. While we're all waiting for vendors to patch their products, Alfred Huger, vice president of software development for Symantec Security Response, has some down-to-earth advice. Since most malware attacks occur on adult sites, keep your browsing rated PG-13. "You're most likely to see [attacks] on porn sites or on sites that offer game-cracking software," Huger adds. When in doubt, ask yourself whether your mom would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click. Despite the seriousness of this latest round of security threats, SANS Institute's Skoudis says he is optimistic. While the threat of attack may be high for the next three to six months, Skoudis expects more complete protections to become available as early as next spring and no later than next fall. "This is a very serious finding, but this is not going to be the end of the Web," Skoudis adds. Please tell us how useful this article was to you: Poor Fair Good Great Superb   Stuart Johnston is associate editor of WindowsSecrets.com. He has written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com. Table of contents

ADS   Never waste time with software installs PCmover is the only migration utility that automatically moves installed programs and files to your new PC. It even transfers bookmarks and e-mail settings! Stop wasting time waiting for installs and updates. Let PCmover automate your upgrades. Laplink PCMover   Recover Windows passwords Did you forget your Windows administrator/user password? Want to find your PC's BIOS/CMOS password? Recover e-mail, MSN, IE, and Google Talk passwords with ease. Locate any software product key on your PC. Solve password problems with Password Genius. Spotmau Password Genius   Get your message seen by 400,000 readers Does your company offer a product or service? Now you can place an ad in the Windows Secrets Newsletter and be seen by more than 400,000 active buyers of PC hardware and software. Bid as much or as little as you like to get the ideal ad placement. Windows Secrets Newsletter See your ad here

KNOWN ISSUES Are criticisms of Vista bogus or legitimate? By Dennis O'Reilly Several readers were dismayed to read about the Vista problems reported by Stuart Johnston in last week's Top Story, some going so far as to call it "Vista bashing." On the other hand, we heard from just as many readers who are struggling with the same problems as the readers Stuart quoted — plus other Vista glitches of their own. Reader Victor Sacco left no doubt about where he stands on the issue: "It's simplistic and plain silly to say that Vista x64 is 'junkware,' or [that] 'bugs abound' in Office 2007 when run in Vista x64. And that business about 23 million Registry entries — how was this determined? Is it accurate? What does it mean?" We've heard from many readers who struggle to get Vista 64 to work as advertised, not just Vince Heiker, the subscriber quoted by Stuart. (For the record, the application Vince used to count the lines in his Registry was Registry Easy.) Reader John Douglas offers an explanation for some of these glitches: "Most problems plaguing Vista — both 32- and 64-bit — are caused by poorly written apps and drivers. I strongly suspect that this is caused by the higher demands of the OS, but it's not like the developers haven't had time to get through it. "And likewise, it's not like Microsoft didn't do due diligence in making Vista betas available. Vista is simply an extension of Windows Server 2003 SP1, which was also the foundation of XP x64, which was my favorite OS until Vista 64 was introduced. "Of course, this is not the first time we are using applications that have a different code base than the OS. How many 16-bit apps did we use on 32-bit OSes? And some still are! Also, what applications would benefit significantly from a 64-bit extension? Video and high-resolution photo apps like Photoshop and Premier Pro, or perhaps database apps. ... "Finally, I will agree on one thing: the Registry is overdue for some serious optimizing. I just exported my Vista 64 Registry using Regedit, and the file is 374MB! Good thing I have 8GB of RAM." There's no doubt that many, many people are having problems with Vista almost two years after the product's release. Stuart's story wasn't an editorial: it reported on real problems of real users, and their experiences are far from isolated incidents. Whether someone's Vista Registry has bloated itself up to millions of lines, hundreds of megabytes, or some other measure, the problems Stuart wrote about represent the experiences of many Vista users. Ferreting out a disk-imaging bargain One of my favorite things is saving money on what I consider an indispensable PC application. That's why I stood up and took notice when reader John Sullivan wrote to tell us about a great deal he found on Acronis's True Image disk-imaging software: "While on a tech chat with Acronis one day recently, they told me to go to [this site]. Turns out, on that site they offer to give you — yes, give you — version 8 [of True Image] for free, then tell you that you can upgrade to the current version 11 for only $30 instead of the retail $50 or common street price of $35 to $40. And you don't even have to install it (version 8), just get a free key from them to qualify for the upgrade. Here's their page telling about it." Maybe you could use the money you save to treat your broker to a showing of "Beverly Hills Chihuahua." He or she should have plenty of time to kill. Victor, John D., and John S. will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page. Help people find this article on the Web (explain): Digg Delicious Reddit StumbleUpon Other Permalink The Known Issues column brings you readers' comments on our recent articles. Dennis O'Reilly is technical editor of WindowsSecrets.com. Table of contents

WACKY WEB WEEK 'Chicken or fish?' may max out your credit card By Katy Abby Remember the good old days, when virtually every flight came with a full meal? Airline food may have become a synonym for any dubious cuisine, but it still nurtured us and ensured that we arrived home with a full belly and at least one harrowing mystery-meat anecdote to amuse our friends. Today's airline patrons are lucky if they get so much as a complimentary cup of joe, and the victuals that people everywhere once loved to hate now seem like a downright luxury. But cheer up, folks; the worst is yet to come! Watch this video for a hilarious glimpse into the airlines of the not-so-distant future. Play the video Help people find this article on the Web (explain): Digg Delicious Reddit StumbleUpon Other Permalink Table of contents

PERMALINKS Use these permalinks to share info with friends We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam" and corporate filters start blocking our e-mails.) The following link includes all articles this week: http://WindowsSecrets.com/comp/081016 Free content posted on October 16, 2008: INTRODUCTION By Brian Livingston Yay, Fred's back! Readers give a big thumbs-up   TOP STORY By Stuart Johnston All browsers are vulnerable to clickjacking Bad news links lurk behind clickable buttons Flash apps may activate webcams and mics Can you stay safe in a clickjacking world?   KNOWN ISSUES By Dennis O'Reilly Are criticisms of Vista bogus or legitimate? Ferreting out a disk-imaging bargain   WACKY WEB WEEK By Katy Abby "Chicken or fish?" may max out your credit card   You get all of the following in our paid content: LANGALIST PLUS By Fred Langa Repair XP's ability to format floppy disks Flustered and flummoxed by floppy-format foibles Tame those annoying e-mail read-receipt requests Misplaced backup file clogs hard drive   BEST SOFTWARE By Ian "Gizmo" Richards Use a sandbox to improve your PC security Block access to system files as you browse Why sandboxes are important to your security Using a sandbox for safer browsing security measures aren't enough Security apps see in, malware can't see out Sandboxing isn't just for Web browsers KNOWN ISSUES 2 By Dennis O'Reilly Put these file locations on your backup radar   PC TUNE-UP By Mark Joseph Edwards How to take over an IIS server in no time flat ASP.NET apps present a serious security risk Adobe Flash player can be clickjacked Geode turns Firefox into a powerful mapping tool XP won't die; Windows 7 about to be born   PATCH WATCH By Susan Bradley Patch knocks out Net for XP PCs with ZoneAlarm ZoneAlarm users: postpone this week's XP patch File sharing may be hazardous to your PC Virtual-memory bug could allow real attack A patch for Windows XP Service Pack 3 Must-have patches arrive for Internet Explorer Patch Excel to prevent infection via spreadsheet Windows Internet Printing Services need a patch Windows 2000 gets two special updates Host Integration Server admins only need apply Other patches are interesting but less important   Get our paid content by making any contribution There's no fixed fee! Contribute whatever it's worth to you Readers who make a financial contribution of any amount by October 22, 2008, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.   A portion of your support helps children in developing countries Each month, we send a full year of sponsorship to a different child. Your contributions in October are helping us to sponsor Thabo Mpofu, a 5-year-old boy in Zimbabwe, a landlocked country in southern Africa. Plan USA channels development aid from donors to Thabo and his community. We also sponsor kids through Save the Children and other respected agencies. More info Use the link below to learn more about the benefits of becoming a paid subscriber! More info on how to upgrade Thanks in advance for your support!

Table of contents

YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch (2004), the LangaList (2006), and the Support Alert Newsletter (2008). Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets & Support Alert Newsletter, the Windows Secrets Newsletter, Support Alert, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. YOUR SUBSCRIPTION PREFERENCES (change your preferences): Delivery address: cpedley.kill-that-computer@blogger.com Alternate address: cgpedley@gmail.com Country: Canada ZIP or postal code: L3B 5N5 Reader number: 35034-18272 Bounce count: 0 Your bounce count is the number of times your server has bounced a newsletter back to us since the last time you visited your preferences page. We cannot send newsletters to you after your bounce count reaches 3, due to ISP policies. If your bounce count is higher than 0 or blank, please visit your preferences page. This automatically resets your bounce count to 0. To change your preferences: Please visit your preferences page. To access all past issues: Please visit our past issues page. To upgrade your free subscription to paid: Please visit our upgrade page. To resend a missed newsletter to yourself: If your mail server filtered out a newsletter, you can resend the current week's issue to yourself. To do so, visit your preferences page and use the Resend link. To get subscription help by e-mail (fastest method): Visit our contact page. Subscription help by facsimile: 206-282-6312 (fax). Emergency subscription help by phone: 206-282-2536 (24 hours). HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period.  Privacy policy HOW TO UNSUBSCRIBE: To unsubscribe cpedley.kill-that-computer@blogger.com from the Windows Secrets Newsletter, Use this 2-click Unsubscribe link; or Send a blank e-mail to unsub@WindowsSecrets.net with leave cpedley.kill-that-computer@blogger.com as the Subject line; or Visit our Unsubscribe page. Copyright © 2008 by WindowsSecrets.com LLC. All rights reserved. Table of contents