Security Watch

Security Alert Fake-Out

Symantec researchers tell us new "scareware" is circulating that pretends to send infected users a warning from Microsoft Security Essentials. Symantec said that the minute the malicious installer is executed on a computer, a fake MSE window pops up warning the user of an "Unknown Win32/Trojan."

Prompts then give the user the option to "Clean computer" or "Apply actions." Once those buttons are clicked, the malicious code migrates over and the user gets a list of 30 or so security solutions allegedly in the process of scanning the file.

You have been warned.

Scareware Tactics
Microsoft begins the week investigating a "publicly disclosed vulnerability" in ASP.NET that the software giant says affects all versions of the .NET Framework. Redmond released a security advisory late on Friday to that effect.

The exploit, when triggered, can allow a hacker to view sensitive data in the .NET Framework in every supported OS. Specifically, the hack can allow access to "View State" data, which was encrypted by the target server, or allow the attacker to read data from files on the target server, such as web.config.

So far Microsoft says it isn't aware of any attacks. The company said it may release a patch through its regular monthly release cycle or provide an out-of-cycle security update, "depending on customer needs."

HTML5 and Security
Last week I visited San Francisco and grilled Microsoft execs about security for Internet Explorer 9, for which Microsoft released a beta version last week.

At the core of IE9's cool features is the burgeoning Web programming and code standard HTML5.

Microsoft has concurred with Google, Apple and others that as far as the future of Web graphics is concerned, HTML5 is in the top position for developers of Web programs, builders of Web sites and network administrators building Web-borne architecture.

The question remains as to how the new, fancy code stacks up security-wise. Better parsing for Web browsers and strong defenses against cross-site scripting have been named among HTML5's benefits.

But the biggest concern among all security experts is the fact that increased Web functionality can also mean an increased and enhanced attack surface.

HTML5 is going beyond simple data and media tags, and will also support new data formats and tags such as the "<canvas>" and "<video>" tags prominent in search engine optimization functions for multimedia files.

So this means that new generation browsers like IE9, which offer new layered browser sessions and utilize HTML5, will be vulnerable to file formats that are already corrupt and being loaded into the new HTML5-powered browser session.

A subset of this problem is that JavaScript and imaging-related functions, as well as IE9's image parsers, are known to be vulnerable to malicious code.

"Browsers have evolved substantially over time as they went from content delivery mechanism to the new generation of Web technologies which allow your browser to literally be an operating system for Web 2.0 applications," said Rob Juncker, vice president of technology for Shavlik Technologies. "This change in use-case has resulted in an explosion of attack vectors that the browser manufacturers must mitigate and manage."

As Juncker points out, hackers evolve just like browsers do.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
