Slashdot Mirror


GoHip.com ActiveX Wreaks Havoc

This story popped in several times in the last couple days and it's pretty slow today so I figure it'll be good for a laugh. Apparently GoHip (no relationship to Goku or Gohan) had some sneaky ActiveX that a lot of people installed. Kinda a scary security situation right there. Makes me glad I don't have any of that OL- I mean CO- I mean ActiveX on this box.

7 of 244 comments

  1. You think you're safe? by Keelor · · Score: 4
    Just because a person doesn't use ActiveX does most definitely not mean that they are invulnerable to this kind of situation. Any time you install a piece of software on your computer, unless you:

    1) Read through all of the source of the installer, or

    2) Have software that warns you about every change to your system,

    there is a chance that the software is editing some part of your computer that it shouldn't. In short, this isn't just a company abusing ActiveX--this is a company abusing basic software practices.

    Personally, I call software that changes my outgoing e-mail without my consent a virus...

    ~=Keelor

  2. A couple interesting things... by ChristianBaekkelund · · Score: 5
    A couple interesting things here...

    First, in the article, those "fine print software agreements" were discussed...the legal validity of such has been under question for a while now. Due to various legal details, those "click Next to continue installing" agreements are considered by many to be too automatic and do not require enough action on the agreeing party to be legally binding...

    Second, I was amused that GoHip.com considers what they do a Browser Enhancement.

    Third, ActiveX ever since its first incarnation has been a horribly gigantic, gaping security hole. Any even remotely self-respecting, computer security-savvy individual would never dream of having ActiveX enabled on their computer. Unfortunately, the average Joe might not know this...hopefully, they will be educated in time.
    Here's one (of many) places I definitely like Java a whole lot better...

    Fourth, in the end, this really isn't that big of a deal, as it was relatively benign. Hopefully, however, it will educate people as to the dangers of ActiveX, in general. I think David Kroll said it best: "I think it's pretty tacky what they did". Although he and Finjan did get it wrong when they said: "this is the first time a company has used ActiveX to alter personal information on someone's computer." Just see the ActiveX Exploder link mentioned above! I think they'd be more accurate in saying this is the first time it's been done purposefully and on a large scale by a corporation.

    Fifth, this reveals an interesting problem with "signing" such programs with things like Verisign. That signature doesn't really mean as much as most people think that it does, as Verisign said: "Verisign spokesman Gray Chapman confirmed that GoHip is certified by Verisign, but stressed that his company was not in the business of passing judgment on the business practice of its client."

    Sixth, GoHip.com sounds horribly sketchy. No phone numbers, bouncing e-mail addresses...is anyone surprised?...But finally, I have to admit to being horribly amused at the final quote by one of the "infected" GoHip.com visitors: "I compliment GoHip for a fine marketing effort as I certainly know who they are. I hate them, but I know who they are". In the end, capitalism seems to be all that matters again...

  3. Exploits & Corporations - Same holes... by Spoing · · Score: 4
    So, there are more valid reasons to turn off Active-X. Big surprise. The fact that a corporation -- sleazy or not -- does this is no surprise. Staples keeps sending me spam, and they should know better...there's always Office Depot!

    On a practical note, here's what I keep telling the people;

    1. Turn off these everywhere...

        HTML (except the browser)
        Java
        JavaScript
        Active-X
        VBA or macro features
        Anything similar to the above

    2. Cookies - Delete it and recreate a new unreadable cookies file.

    3. Never open any message unless you...

        Know the person sending it
        Expect the message

    4. Move all mail to a Spam/Suspect/Trash folder automatically if the mail doesn't pass these two rules at a minimum...

        It's from a known and trusted person or mailing list
        It's addressed to one of your valid mail addresses; it's not from a mailing list

    5. Remove all personally identifying comments from programs that have net access (Netscape's Mail Identity page, ...)

    6. Don't give out your email address unless it's REALLY NECESSARY.

    7. Use different email addresses for different types of mail; business, personal, ....

    8. If you have to give out an email address for one-time use, tag it; /. asks, use something like slashdot_yanky@hotmail.com or some such (or better yet, get your own domain and mail server...quite handy!)

    The best way to handle this is a firewall with filters. Remember, Procmail For Security and good ipchain rules are your friends!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
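
Rule 4 of the comment above, written as a mail-sorting function. This is an added illustration, not code from the thread: the addresses, list identifier and folder names are constructed, and reading the second rule as "mail that did not arrive via a trusted list must be addressed to one of your own addresses" is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed policy data for the example (assumptions, not from the thread).
TRUSTED_SENDERS = {"alice@example.org"}
TRUSTED_LISTS = {"announce.lists.example.org"}
MY_ADDRESSES = {"me@example.net", "slashdot_me@example.net"}


def list_id(msg):
    """Return the identifier inside <...> of a List-Id header, or ''."""
    raw = str(msg.get("List-Id", ""))
    start, end = raw.rfind("<"), raw.rfind(">")
    ident = raw[start + 1:end] if 0 <= start < end else raw
    return ident.strip().lower()


def classify(raw_message):
    """Return 'Inbox' or 'Suspect' for one RFC 822 message string.

    From and List-Id are unauthenticated headers, so this sorts mail for
    triage; it does not prove who sent a message.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    via_trusted_list = list_id(msg) in TRUSTED_LISTS
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}

    # Rule 1: known and trusted person, or a trusted mailing list.
    if not (sender in TRUSTED_SENDERS or via_trusted_list):
        return "Suspect"
    # Rule 2: direct mail must name one of our own addresses in To/Cc;
    # list traffic is addressed to the list, so it is exempt.
    if not via_trusted_list and not (recipients & MY_ADDRESSES):
        return "Suspect"
    return "Inbox"


# Constructed sample messages.
DIRECT = "From: Alice <alice@example.org>\nTo: me@example.net\n\nhi\n"
BLIND = "From: Alice <alice@example.org>\nTo: other@example.com\n\noffer\n"
LISTED = ("From: Bob <bob@example.com>\nTo: announce@lists.example.org\n"
          "List-Id: Announcements <announce.lists.example.org>\n\nnews\n")
STRANGER = "From: promo@example.com\nTo: me@example.net\n\nbuy now\n"

if __name__ == "__main__":
    for name in ("DIRECT", "BLIND", "LISTED", "STRANGER"):
        print(name, classify(globals()[name]))
```

The BLIND sample shows why the second rule matters: a message claiming a trusted sender but not addressed to you still lands in Suspect.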
  4. why disabling Active-X won't work by Marvin_OScribbley · · Score: 4

    There are just too many sites out there that use this stuff. Sure Javascript, Java, Active-X, etc. all have security issues. But every time I go disabling any of them guess what happens? My wife goes to use the computer and tries to bring up Playsite, or Uproar, Sony Play Station (etc etc), and what happens? Nothing works! Then she gets mad and I have to re-enable all that stuff.

    The only real solution I see for myself personally is to simply have a separate computer for browsing the net. Computers are cheap these days, and how much resources does a computer need to browse the net? Since nothing important is kept on the net browsing computer these security issues don't really matter much to me. And having to reboot periodically isn't a problem either, since all the real work is being done on a more powerful machine elsewhere.

    It makes for a lot less stress too. Heck if I did all the things some people advocate whenever a story like this comes up I'd be a paranoid cave-dwelling hermit! ;-)

    --
    I'm not a journalist, but I play one on slashdot
  5. funny how no one mentions... by AshleyB · · Score: 4

    that GoHip tells you exactly EXACTLY what they are going to do with your computer in its download agreement, but these people are 'too busy' to read it and 'feel they shouldn't have to'!

    I don't see GoHip forcing people to their website and forcing them to download this stuff. Yet another example of personal responsibility taking a vacation within the walls of slashdot.

  6. If you think this is bad, there is already worse.. by EoRaptor · · Score: 5

    While GoHip isn't too great, there is already a company out there called Aureate, who bribe shareware and trial program vendors to install a few files on your system, along with the main program. These files (look for advert.dll) sit around as IE and Netscape plugins, and spy on everything you do, from personal registry information to every url you click on.

    I could post a list of exactly which vendors install this thing, but it's too long. (GetRight and Globalscape Cute** probably being the most common source). If I were you, and using any Windows-based o/s, I'd look for advert.dll. Deleting it only partially solves the problem, but it's better than nothing.

  7. Re:VeriSign by David Price · · Score: 4
    From the PGP FAQ:

    "Bear in mind that your signature on a public key certificate does not vouch for the integrity of that person, but only vouches for the integrity (the ownership) of that person's public key. You aren't risking your credibility by signing the public key of a sociopath, if you were completely confident that the key really belonged to him. Other people would accept that key as belonging to him because you signed it (assuming they trust you), but they wouldn't trust that key's owner. Trusting a key is not the same as trusting the key's owner."

    This lesson is applicable to any public-key problem. VeriSign isn't to blame here - they did exactly what they were supposed to do.