Beware the click-jacking Captcha of Evil!

Subject: General Tech | July 2, 2013 - 01:29 PM |
Tagged: Malware, IE10, chrome, security

Just in case you weren't already getting tired of captchas, there is a new click-jacking technique which works on both IE9 and 10 in Windows 7 and also on Chrome for Windows 8, so for the time being you might want to avoid any captchas that begin with an 'R'. The new SmartScreen features on Win8 as well as UAC should give you at least some defense, since they require you to allow the executable to run before it can infect your machine, but you can be guaranteed that some less observant users will click straight through without reading the messages which appear. While this type of attack is nothing new, the particular technique mentioned at The Register does have some new tricks.

"A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.

The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, the keyjacking involves disguising a "run executable" dialogue box within a CAPTCHA challenge."

Source: The Register

IE10 is the safest web browser in one way; checkmate!

Subject: Editorial, General Tech | May 16, 2013 - 03:45 PM |
Tagged: web browser, Malware, IE10

If you consider your browser security based solely on whether it will allow you to manually download a malicious executable: IE10 is the best browser ever!

Rod Trent over at Windows IT Pro seemed to believe this when NSS Labs released their report, "Socially Engineered Malware Blocking". In this report, Internet Explorer blocked the user from downloading nearly all known malware (clarification: all known malware within the test). Google Chrome came in second place with a failure rate of a little less than 17%, and the other browsers were quite far behind with approximately a 90% failure rate.

Based on that one metric alone, Rod Trent used a cutesy chess image to proclaim IE the... king... of the hill. Not only that, he suggests Safari, Opera, and Firefox consider "shuttering their doors." After about a decade of Internet Explorer suffering from countless different and unique vectors of exploitation, now is the time to proclaim a victor for attacks which require explicit user action?

Buckle in, readers, it's a rant.

Firstly, this reminds me a little bit of Microsoft Security Essentials. Personally, I use it, because it provides enough protection for me. Unlike its competitors, MSE has next to no false positives because it almost ignores zero-day exploits. The AV package drew criticism from lab tests which test zero-day exploits. Microsoft Security Essentials was ranked second-worst by this metric.

Well, time to shutter your doors Micr... oh wait Rod Trent lauded it as award-winning. Huh...

But while we are on the topic of false positives, how do you weigh those in your grading of a browser? According to the report, and common sense, achieving pure success in this metric is dead simple if you permit your browser to simply block every download, good or bad.

If a 100% false positive acceptance rate is acceptable, it is trivial to protect users from all malicious downloads. With just a few lines of code, Firefox, Safari, and Opera could displace Internet Explorer and Chrome as the leaders of protection against socially engineered malware. However, describing every download as "malicious" would break the internet. Finding a balance between accuracy and safety is the challenge for browsers at the front of protection technology.

-NSS Labs, "Socially Engineered Malware Blocking"

A browser that is capable of blocking malware without blocking legitimate content would certainly be applause-worthy. I guess time will tell whether Internet Explorer 10 is able to walk the balance, or whether it will just be a nuisance like the first implementations of UAC.

OK, Google did actually release exactly one native Windows application at Google I/O: It's called Android Studio, an application that helps developers create apps that run on Android, Google’s answer to Windows. But don’t worry, Microsoft fans: Internet Explorer (IE) flags the Android Studio download as potential malware.

-Paul Thurrott, Windows IT Pro

Ah crap... that was quick.

Now to be fair, Internet Explorer 10 and later have been doing things right. I am glad to see Microsoft support standards and push for an open web after so many years. This feature helps protect users from their own complacency.

Still, be careful when you call checkmate: some places may forfeit your credibility.

IE10; so nasty we know to block it before it even launches?

Subject: General Tech | February 1, 2013 - 01:00 PM |
Tagged: irony, microsoft, IE10, blocker toolkit

It could only have been an unintentional slip that the confirmation that IE10 for Win7 is coming down the pipe was the release of a tool to block its installation. The Internet Explorer 10 Blocker Toolkit will prevent Windows Update from installing IE10 automatically, which would signal a change from Microsoft's usual way of introducing a browser. Remember Beauty of the Web, the site used to distribute new Internet Explorer versions before they arrived as an automatic update? The blocker toolkit is nothing new; most versions of IE which did not come with the OS coexisted with a toolkit to allow sysadmins to prevent updates to the new browser before they could test it fully. We've been waiting about 9 months now for IE10 on Win7, and from what The Register and other sites say, it will be worth upgrading when it arrives ... someday.

"Microsoft has dropped a strong hint that the long-awaited version of Internet Explorer 10 for Windows 7 might actually ship soon – ironically, by releasing a tool that blocks installation of the browser on users' PCs."

Source: The Register

And the mobile IE10 makes three versions

Subject: General Tech, Mobile | November 9, 2012 - 12:51 PM |
Tagged: win8 mobile, win8, IE10

We already know that Windows 8 essentially has two versions of IE10, the one you launch from Metro and the one you launch from the desktop, with the desktop-launched version possessing more features. Today Microsoft detailed (to some extent) what IE10 will be like on Win8-powered phones. They told The Register that the mobile version will not support inline video, multi-track HTML5 audio, drag-and-drop APIs, pinned websites and other features available on the full version. However, thanks to the presence of hardware acceleration for graphics, the majority of the graphical features you want will be supported by the phone OS. Check out more here.

"SOFTWARE HOUSE Microsoft has detailed the differences between its Internet Explorer 10 (IE 10) web browser for Windows 8 and Windows Phone 8 ahead of the release of the mobile operating system (OS) in the US today."

Source: The Inquirer

Internet Explorer 10 Exploitable: Both More & Less Than Hype

Subject: General Tech | September 9, 2012 - 04:19 PM |
Tagged: Malware, IE10, flash

Recent statements from Microsoft show that they are not afraid to wait a little bit before shipping patches with their bundled Flash in Internet Explorer 10. The issue is more contained than is let on by Ars Technica – but also raises a bigger security issue for all of us at all times.

By far the worst enemy for security is complacency.

I often pick on Apple for their security practices. They are perceived as being secure despite their horrendous record of handling security updates – delaying a critical patch for privately disclosed vulnerabilities until after its reveal at Blackhat because Apple could not devote the programmer to the task.

That mentality has been everywhere – from Sony to Microsoft in the Windows XP era to Macromedia & Adobe.

In this case, the issue is that Microsoft has been delaying updates to the built-in copy of Adobe Flash preinstalled with Internet Explorer 10. Once a patch has been released, attackers are able to figure out what the patch fixes and potentially exploit it against those who have yet to update. There are quite a few subtle caveats with this story which need to be discussed before opinions are formed.

First and foremost – Flash support on the Metro-based Internet Explorer 10 is limited to a whitelist. Flash is not exposed to websites which have not been flagged by Microsoft as safe and requiring backwards compatibility with Flash.

Websites become compromised all the time. Should one of the whitelisted websites get attacked, it could be forced to serve a Flash applet to its users. The delay between Adobe and Microsoft patching dates gives the attackers a window to exploit all IE10 users until the whitelisted website notices. Attacks like these have become very commonplace recently.

As an aside – there is quite a bit of confusion over Internet Explorer 10 on the desktop. According to the RTM evaluation, it appears as though the only way to update Flash for Internet Explorer is through Windows Update, even when not using the Metro browser. The whitelist is also in effect for Windows on the desktop, although it seems like users are able to add their own exemptions. It appears that user-set exemptions are unique to the desktop version of IE.

It is disconcerting to see a platform intentionally become complacent about potential security issues. To be fair, it is entirely possible that Google Chrome could have similar issues, as they too handle Adobe Flash integration. Unlike IE10, Google Chrome does allow you to disable the built-in Flash and manage your updates directly from Adobe, although the process is far too complicated for most users.

Source: Ars Technica