Security Watch

At 15, IE a Scrappy Teen

Plus: Security Essentials 2 beta releases this week; XP SP2 security trick; Facebook scams growing.

As of this week, Internet Explorer has been in existence 15 years. IE still leads its younger browser siblings from other mothers and fathers -- Mozilla Firefox and Google Chrome. As the big brother of Web surfing applications, IE is saddled with the requisite teen growing pains as the cloud world looms and Web-borne threats grow.

But the campy metaphors end there. The simple truth is, security will be key for IE's continued dominance, with IE 9's beta set for mid-September. Strangely, though, Microsoft has been conspicuously mum on the browser's security features.

To be sure, a function to thwart cross-site scripting and browser session sandboxing are both on the security wish lists of threat researchers and technical security specialists alike. Memory randomization, as stated by NSS Labs' Rick Moy, will make it harder for attackers to identify and repeat exploits against vulnerable code.

But perhaps the biggest and most pervasive challenge will be figuring out what to do about the "drive-by install," or the ability of malicious Web pages to upload and trigger bad code on a PC or Mac during an IE session, requiring nothing more than a user viewing said malicious Web page.

These security issues, whether or not heeded by Microsoft, won't go away. Perhaps with an actual live-Web release not coming until April 2011, there's some time for Microsoft to implement and test some of these functions, or at least listen to trusted security gadflies and take what they say under advisement.

Redmond Pushes Back Antimalware Engine Release
Microsoft said it's releasing the Security Essentials antimalware engine on Thursday. It comes with updated versions of its free antivirus software Microsoft Security Essentials 1.0 and Forefront Client Security.

The original beta development milestone for MSE 2.0 was first offered via Microsoft Connect on June 20, 2010.

Don't Try This at Home Update to XP SP3
F-Secure has figured out a way for savvy administrators still working in Windows XP SP2 to install the recent out-of-band patch for the LNK vulnerability -- and it doesn't require upgrading to XP SP3. F-Secure researchers said all it takes is editing a key in the Windows registry.

"It turns out that an SP2 system will think it's SP3 if you edit this key: HKLM\System\CurrentControlSet\Control\Windows, and edit the DWORD value CSDVersion from 200 to 300 (and reboot)," the researchers wrote.

Apparently the edit tricks the OS and can easily make XP SP2 seem like XP SP3.

"We also tested an LNK exploit, and it did not infect the system after the patch," the researchers said.

Even with this quirky discovery, it's important to remember that Redmond has discontinued supporting XP SP2, and if this were to catch on, any subsequent fix might rejigger the registry configurations to prevent such shortcuts, thereby destabilizing a tweaked XP SP2 OS.

F-Secure, while lauding its own technical tricks, tends to agree, and said to err on the side of caution if considering this quick fix.

"We do NOT recommend that anybody use this tweak in a production network of any kind," the researchers warned. "Hacking the registry and applying updates is likely a very quick way to destabilize your system. You really should update to Service Pack 3 if at all possible.... If you want to experiment, do so at your own risk."

Saving Face
Incidents of phishing have recently spiked on Facebook. The phisher can now catch you on IM or on your wall using a message that lures you in with audio and video links, spoofed Facebook homepages and fake messages from friends. The fake messages are less obvious now, though, and tend to incite curiosity, playing on such pop culture allusions as "Are you a wolf or a vampire?" Some of these links are stupid but others, depending on what day you log on and how intense your multi-tasking is, can easily slip past your consciousness.

When you couple those scams with another one making its way around Facebook -- the "dislike" button application installation -- you have a recipe for disaster.

Facebook continues to grow, so such attacks will continue. Thus, given the recent concerns over privacy on Facebook, the question remains as to whether Facebook needs to adopt formal security standards tailored to a social networking environment.

A survey by anti-malware security shop ESET showed 56 percent of poll participants said that they would support some government intervention in social networking sites, and 66 percent of Americans ages 25 to 34 would "like the government to at least issue guidelines for safer use of social networking sites."

Apropos, the U.S. Senate is debating a bill that would provide the President with what's been dubbed an "Internet kill switch," granting him the authority to disconnect the U.S.'s Internet in the event of a threat to our cyber security.

While that's a bit drastic, compliance standards for social networking sites such as Facebook might curb at least some of the more pedestrian attacks and prevent the spread of more malevolent computer viruses.

It's only a matter of time before mischief evolves to maliciousness. Stay tuned.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
