Today’s Microsoft security patches include one for a potential remote exploit in… Wordpad? Yes, according to Security Bulletin MS04-041, there are two problems in the Word 6 converter that could be used to take control of your system. In addition to fixing those holes, they’ve disabled the converter.

I could understand if this were something like Emacs, which is practically its own operating system, but Wordpad is a bare minimum RTF editor.

What next? Are they going to find a plain-text hole in Notepad? Discover you can crash your system by dividing by 0.0000000000001 in Calculator? I know, looking at a malicious font in Character Map is going to be the next big virus vector.

Various outlets have reported on the recent appearance of evangelical spam—unsolicited bulk email which promotes religious messages instead of advertising products. It’s been pointed out that since CAN-SPAM refers to commercial mail it can’t be used to stop people who bombard you with other types of messages.

I’ve seen 419 scams with religious trappings for months. These are the usual “Help me smuggle $20 million out of my country” ploys with the added twist of “Oh, I’m a missionary” or “I’ll donate it to an orphanage” or “You can trust me, I’m a Christian,” usually tied to a middle-eastern nation where Christians are in the minority (because Nigeria is so passé). Of course the only thing the scammers really worship is the almighty X-MILLION US DOLLARS. It’s a cheap sympathy ploy, nothing more, made obvious by the fact that, well, it’s a scam!

Today I saw a new variation on that tactic: instead of appealing to Christians, this one was appealing to Muslims. It was all about some Muslim convert in Cuba who had been abandoned by his Catholic family and just needed to transfer $12 million out of the country… all sent from a UK-based email account.

On a side note, I’ve found myself wondering lately why so many of these seem to come from European ISP Tiscali, particularly Tiscali UK. (One came through yesterday with 119 copies of the standard footer!) I assume they must provide easy-to-get email accounts, or perhaps connectivity for a lot of Internet cafés. It also suggests that quite a few of these scammers aren’t anywhere near the (mostly) third-world nations where they claim to live.

CAN-SPAM one year later: more spam than ever. Spam has more than doubled from 15 billion messages in 2003 to an estimated 35 billion in 2004. Is anyone really surprised? From the article: “The FTC says the goal of the act was never to cut down on spam but to give recipients control via the opt-out component.” Hmm, that might be part of why groups like Spamhaus were calling it the “You Can Spam” act. (via The War on Spam)

Webroot identifies the Top 10 “Most Unwanted” Spyware programs, using the “P-I Index…. P is for prevalence, I is for insidiousness.” The “winners” include pop-up generators, keystroke loggers, autodialers and the like. (via Aunty Spam’s Net Patrol)

Finally, there are several fixes and work-arounds for the pop-up window spoofing vulnerability I wrote about last week. There’s the all-inclusive method: close all other browser windows. Netcraft reports that Opera has issued a fix (7.54u1) and Safari is safe if pop-up blocking is enabled. I just got an email indicating that KDE has released a fix for Konqueror (expect that to start hitting distributions this week). No word yet on Firefox or IE, and while Microsoft has its monthly patch day tomorrow, I wouldn’t expect this to show up quite that soon.

Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that can let any site plug its code into a pop-up window generated by any other site. That’s not just ads, that includes pop-up help files, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click on a button on the Citibank site and it’ll open a page from Secunia.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: The ability to open a page in a particular frame or window. All you need to know is the name of that window, and you’re set. As long as it hides the toolbars (SOP for pop-up windows of all stripes), the user will never notice. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem in frames. The solution for that was to prevent a page in one window (or tab) from accessing frames in another. But it’s a little more challenging to decide which pages should be allowed to update a top-level window.

In the short term, sites wanting to protect themselves from being hijacked can probably help by randomizing the names of their pop-up windows. In the long term, browsers are going to have to figure out how to separate windows that should have the ability to load new pages from windows that shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)

CNET has posted a write-up of AOL’s new Netscape prototype based on Firefox, as well as a screenshot. It seems to be a combination of Firefox + theme + bundled extensions… plus a mode that embeds Internet Explorer for compatibility.

There are some nice ideas: adapting Firefox’s RSS capabilities to create a headline ticker, for instance, and the Firefox team has been talking about bundling extensions since it was called Phoenix. As for the embedded IE mode… on one hand it provides a convenient solution to the biggest criticism laid on all non-IE browsers: they don’t render pages exactly the way IE does. But it comes at the cost of all the security risks inherent in IE itself. It does remind me of the “View with Gecko” option Konqueror used to have (and probably still does on some systems).

But the clutter… The sheer number of buttons, icons, widgets etc. in that screenshot is staggering. Even after installing the web developer extension I don’t think I have that many buttons on Firefox. 3+ buttons on the tab bar, 3 icons on each tab… I hope that CNET was just enabling every feature they could find to get them all in one screenshot, but if AOL is trying to bill it as “easier” than Firefox (which was created with a simple user interface as a design goal), they’ve got to try another approach.

Update (via WaSP): It seems BetaNews has more information on the dual-engine setup. Apparently they do have security settings to mitigate the IE issues… but then so does IE, and we all know how well that’s worked. Also, another screenshot, which looks even more cluttered than CNET’s. I think this will be a browser that requires you to run it maximized at 2000×1500. (Also of note: Firefox developer Blake Ross’ Open Letter to Netscape and Henrik Gemal’s collection of screenshots.)

Further Update: MozillaZine has posted a more thorough review.

After updating some links, the following dialogue occurred to me:

Sallah: Indy, why does the web… move?
Indiana: Give me the URL.
(The location looks like a Python script)
Indiana: Snakes. Why did it have to be snakes?
Sallah: ASP. Very dangerous. You go first.

(Actually, I have to credit Katie for the Python reference. The first and last lines just popped into my head, though.)

Mozilla developer Ben Goodger writes about losing his inbox to the latest virus… despite not using any vulnerable software. Apparently he’s been getting over 10,000 virus-laced messages every day, and with the four-day weekend they built up to the point that Thunderbird wasn’t able to handle the influx. (Imagine having to filter out 770 megabytes of junk every day, and having that build up over several days.)

Sure, the pre-release Thunderbird still has problems dealing with very large folders, but 770 MB/day? Even Gmail only gives you 1 GB of total storage. I can’t think of any reasonable expectation that any mail client should have to deal with that at today’s level of data richness. Maybe in the future when we’re sending full-motion video on a regular basis, but not when most email is text with maybe some formatting and a couple of small images.

It’s just staggering that, even though the main email worms depend on Microsoft Outlook, Outlook Express, and Internet Explorer to spread themselves and infect new hosts, they can still damage systems that don’t use those programs!
