New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"
Cue the "Gee I'm glad I use FireFox on Linux" posts.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Why is anyone still running Internet Explorer when there are so many better alternatives?
Intrigued, I went to those scumware vendors and saw that they are, in fact, dishing out scumware. So, in the interests of justice:
whois refestltd.com
Domain name: reflestltd.com
Registrant: Jay Seaton (6PPPG) jay@tremjade.com
United States
(913)6814254
Not that I condone using that information for any nefarious purposes...
All's true that is mistrusted
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
I'm simply stunned...where I work security is #1 and availability is #2. Judging by their output...it must be very different working at MS.
Blar.
Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious than all of these complicated 'security' or 'encryption' methods.
Help Brendan pay off his student loans
SF has an article regarding this.
Gates Defends Microsoft Patch Efforts
Free XBox, PS2
I imagine spybot's BHO inoculation should block this. Anyone know? I use firefox on windows myself, but not for any other reason than that it's just a better browser. ff on linux is actually kind of painful to look at and sluggish to use still.
I've finally had it: until slashdot gets article moderation, I am not coming back.
I wonder why the author of the code chose to only look for a certain number of SSL-enabled URLs. Why not just write the code to look for any URL or redirection that's prefaced by "https://"?
Just another good reason to switch to Firefox.
For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?
This is about your internet banking passwords, people! Your hard earned money is at stake here!
"Oooh, does that mean we get to kick some puffy white mad zionist butt?"
"laziness"
To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
This is why I do all my online banking using Gopher.
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
All's true that is mistrusted
Who says they haven't? Or more appropriately, who says they won't do so and fix it in some way?
Help Brendan pay off his student loans
This isn't Malware, this is advertising for Apple. THIS is why I buy Macintoshes.
What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?
By reading this you acknowledge that you have read it.
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Stuff like the google search bar? Does that count?
Sehr geehrter Toilettenbenutzer!
You know you really have something going for you when a single application in your product line helps define its own genre of exploits:
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...
The Army reading list
If my answers frighten you, stop asking scary questions.
From the article:
It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Download my free songs!
I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
netscape.
When there's no competition, M$ can get away with this crap. Let's face it, even with this 99% of people won't switch from IE, solely because they don't even realize they have a choice anymore. If there was actual competition in the industry (aside from nerds who run firefox), then this crap would NOT be allowed by M$, because it would mean certain death for any share of the browser market they held.
(Score: -1, Redundant)
sulli
RTFJ.
Not to discuss about IE, what about banks using different password entry schemes?
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
Marcelo Vanzin
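The scrambled keypad described in the comment above, modelled from the bank's side as an added example (not part of the original comment and not any bank's code). The function names, the four-digit PIN and the sample layouts are assumptions made for illustration.

```python
import random


def new_layout(rng):
    """Shuffle 0-9 and cut the result into five two-digit buttons.

    Both the pairing of digits and the position of each pair change
    on every login, as the comment describes.
    """
    digits = list(range(10))
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]


def buttons_for(pin, layout):
    """Customer side: for each PIN digit, press the button that shows it."""
    return [next(i for i, pair in enumerate(layout) if int(d) in pair)
            for d in pin]


def verify(pin, layout, presses):
    """Bank side: the bank knows the PIN and the layout it issued for
    this login, so it only checks that each pressed button contains the
    expected digit. The digits themselves never leave the client."""
    if len(presses) != len(pin):
        return False
    return all(0 <= p < len(layout) and int(d) in layout[p]
               for d, p in zip(pin, presses))


def replay_acceptance_rate(pin, logins, rng):
    """Record the button positions from one login and submit the same
    positions against freshly issued layouts; return the share accepted.
    A fixed number pad would accept the recording every time."""
    recorded = buttons_for(pin, new_layout(rng))
    accepted = sum(verify(pin, new_layout(rng), recorded)
                   for _ in range(logins))
    return accepted / logins


if __name__ == "__main__":
    pin = "3190"                      # constructed sample PIN
    rng = random.SystemRandom()       # layouts should come from a CSPRNG
    layout = new_layout(rng)
    presses = buttons_for(pin, layout)
    print("buttons shown :", [sorted(b) for b in layout])
    print("positions sent:", presses)
    print("accepted      :", verify(pin, layout, presses))
    print("replay rate   :", replay_acceptance_rate(pin, 5000, rng))
```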
Come on Bill, let's see you put your money (it's not like you don't have enough of that) where your mouth is.
Your 48 hours starts now.
I gots ta ding a ding dang my dang a long ling long
When will us Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)
Problem? What problem? It is still a "secure" connection.
It is not a problem until the media gets ahold of it and lets the public know that there is a problem.
Think of the number of "SECURE SITES" (banks) which only work with IE.
"Gee I'm glad I use Firefox on Windows"
FWIW the 0.9.1 upgrade may help convert a few more Invariably Exploited (IE) users.
The phrase "Invariably Exploited (IE)" is patent pending, though infractions won't be dealt with until SCO's lawyers have a bit more time on their hands
mailto:EatSpamAndDie@princeweb.com
Is switching browsers enough? After that business last week about the IIS + IE sucker punch, I very much distrust anything running on Windows, for fear that the entire system is so easily compromised. If every key stroke is logged, every file is scanned, any DLL can be replaced, you really need to adopt an "X Files" kind of mentality, or you aren't paranoid enough. (they ARE out to get you, where they = black hats; you = people with anything valuable on a computer)
:-)
I *do* use Windows -- as a home entertainment center. At this point, there is no way I would consider putting anything like bank account numbers or SSNs on a Windows box. I have no illusions about the perfection of Linux, but there is something to be said about a diversity of platforms. I've never loaded BSD myself, but maybe it's time to start diversifying my software portfolio (OTOH - I can hardly wait to try to find *those* drivers).
My opinion of businesses considering using (requiring?!?) Windows for any kind of accounting or personal information just sunk another notch lower today.
-- END RANT --
Yow! I'm supposed to have a plan?
"Oooh switch to firefox" is the most ignorant and misguided response to this. Does soccer mom really care about a firefox? Nope.
This activity needs to be ILLEGAL...and that's the only way to stop it. They're wiretapping without consent.
Oh, and before the pro-firefox people jump all over me...allow me to show you my browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.8.
...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password is the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (ie, a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
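The one-time password sheet described in the comment above, sketched from the bank's side as an added example (not part of the original comment and not any bank's code). The class name, sheet size, code length, reorder threshold and lockout count are assumptions.

```python
import hashlib
import hmac
import secrets


class OneTimeSheet:
    """Server-side state for one customer's printed sheet of one-time codes."""

    def __init__(self, size=50, digits=6, reorder_below=10, max_failures=3):
        self.reorder_below = reorder_below
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.next_index = 0
        self._key = secrets.token_bytes(32)
        # Draw distinct codes so an already-used code can never match a later slot.
        codes = set()
        while len(codes) < size:
            codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
        # `printed` is what gets mailed to the customer; it is kept on the
        # object here only so the example can play the customer's part.
        self.printed = list(codes)
        self._digests = [self._digest(c) for c in self.printed]

    def _digest(self, code):
        # The bank stores keyed digests, not the codes themselves.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def remaining(self):
        return len(self._digests) - self.next_index

    def needs_new_sheet(self):
        """True when it is time to mail the customer a fresh sheet."""
        return self.remaining() < self.reorder_below

    def authorize(self, code):
        """Accept `code` only if it is the next unused entry on the sheet."""
        if self.locked or self.remaining() == 0:
            return False
        expected = self._digests[self.next_index]
        if not hmac.compare_digest(self._digest(code), expected):
            self.failures += 1
            # Short codes are guessable, so repeated misses lock the sheet.
            self.locked = self.failures >= self.max_failures
            return False
        self.failures = 0
        self.next_index += 1   # the code is spent as soon as it is accepted
        return True


if __name__ == "__main__":
    sheet = OneTimeSheet(size=12)
    code = sheet.printed[0]
    print("first use :", sheet.authorize(code))   # accepted
    print("second use:", sheet.authorize(code))   # rejected: already spent
    print("remaining :", sheet.remaining())
```

A code that was observed while the customer typed it is already spent by the time the bank has accepted it, which is the property the static username and password lack.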
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Easy, automatic testing for Perl.
Just download the zip file, and extract it - you should be able to run it in place from a directory!
Also complain to your company security team about having to use an insecure browser.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I'm not a religious person... but I will now attempt to pray...
God, it's me, Anonymous Coward, I beg you, have the l33t hax0rs of the world unite to develop exploits and hacks against Linux and Firefox so that open source zealots can no longer scream about how secure their software is. Any competent person or deity (ie you) knows that there are potential exploits in both, but most have not been found because most do not look as hard as is done with Windows.
If you do this for me... I promise to sell my soul to your minions in Redmond and banish any Linux or Open Source related product from my home from now until eternity.
Amen
Are they even paying attention? At first it was .exe worms in email, then it was network-layer exploits, and then it was spyware, and now in the past week it seems that IE is totally unsafe for any purpose whatsoever.
What's amazing me is why Microsoft isn't *running* to provide patches, for at least XP and 2K, to mitigate this. They're offering non-solutions like disabling Active X and Javascript. Sure, fixing the problem may mean some serious breakage for some in-house software someplace, but does anyone care that Spyware+Malware+IE is rendering their operating systems junk?
Are they even paying attention? Is XP SP2 a magic fix? Is it just too badly broken to even BE fixed?
According to the "complete findings" linked from the article, the phone number belongs to a school in Kansas.
I have no problem with online banking et al, but I was talking to my accountant yesterday and he said he will never put a credit card number or transfer money using the internet. He is an older gentleman and I wasn't about to go on about how SSL and other tech keeps this stuff safe, but it makes you think. Why would I put my information so easily available out there? I will continue to use the internet for online banking and such because I feel I take the necessary precautions to keep myself safe. Makes you wonder will there ever be a time when you will be safe on the internet? I would say no. What are your thoughts?
My well being does not depend on my slashdot score.
What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?
"Derp de derp."
How ironic... this gets posted just as I finished reading Steven J. Vaughan-Nichols' article on dumping IE after seeing a link to it on NewsForge.
And the phone number's bososity is both noted at the end of the complete write up linked to at the end of the article, and something which Google would tell you, if you thought to look.
//Information does not want to be free; it wants to breed.
Microsoft's software doesn't have any problems, it's always at the fault of the user.
*rolls eyes*
... you are preaching to the choir here? I mean, there are at least a few Mozilla/Firefox/Thunderbird stories on here a week! We all know what it is! Rather than preach your comments about switching here, instead, preach to your parents and friends that still might use IE. Send them news stories for them to read. Unfortunately, it takes a real experience for them to have a change of heart. Don't let that happen!
Hmmm.
Funny, CIAC issued a warning about BHO's in early 2002.
The reason why people still use IE - EVEN when an alternative is shown - is because it's familiar, and because: - "my favourite websites don't work!" - "It's slow!" - "What is this crap." Coming from people like my sister. I even tried the IE icon trick but she insisted that I put IE back on. However, articles like this - where your bank password will be stolen if you use IE - well here we go, this is something that I could convince my mom with, as well as my sister.
"How many time does it have to be said? DON'T USE IE. Period. End of story. Fin."
Has anybody ever used the term 'end of story' and it has really been the end of story?
Here, I'll un-end it: There are still sites that IE renders properly that Opera/Firefox do not. Not enough? Okay: Alt-browsers aren't that widely known yet. Not enough? Okay: The IE rendering engine is stupidly used all over the place, so the app still needs to be secured. Still not enough? Fine: Not everybody thinks alt browsers are so hot.
Don't use the phrase 'end of story', end of story.
"Derp de derp."
And how many times does it have to be said. "If everyone switched to Mozilla today, this same exploit would be available for it tomorrow."
You should keep your mouth shut about Mozilla/firefox. Its 5% market share is the ONLY safety mechanism it has. Keep it secret, keep it safe.
It seems that some people have been studying...
It looks like hunting season has been opened...
IE users, do yourself a favor and start listening to all the bright people on here telling you to use Firefox or Opera...
I use Phoenix/Firebird/Firefox since 0.4 and am happy since.
This is a huge opportunity for Mozilla if they really mobilize and take advantage of it before I.E.'s team and Dave Massy get going on their "renewed effort on Internet Explorer."
I'm not a windows user, but tons of my friends and family are. I worry more and more that they will fall victim to IE-based exploits. This recent issue is finally causing me to act.
Can someone point me to an easy-to-read article that explains the problems with IE, what alternatives like Firefox exist, and how to switch? I want to send it to everyone I know, urging them to switch away from IE.
_______
2B1ASK1
... on http://www.refestltd.com/. Also, Infoworld, "the Globe and Mail" (?).
Now, given that the website only claims "as mentioned in" those publications, there may not be much the publishers can do. "Mentioned" covers a wide range of possibilities, from "recommended", to "stay away from this at all costs".
Anyone care to tip off PCWORLD, etc?
The real "Libtards" are the Libertarians!
"The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis."
Does another exploit change the .gif name to .exe or attempt to unzip the .gif file? If not, why does IE allow .gif's to be installed?!
I'll consider it as soon as they come out with a formal release (ie: v1.0+). It's still in beta, from what I can tell (v0.9). I don't run beta software on any of my business machines.
Microsoft has reviewed the problem and their recommendation is that you continue to buy more Microsoft products.
A feeling of having made the same mistake before: Deja Foobar
Gates says MS is getting faster fixing security holes.
I finally got my money back (only after a threatening, certified letter stipulating hard deadlines and escalations), but some crook (my guess is from the dealership) got off scot-free. Thanks to the FBI and so-called anti-terrorism. I feel safe.
So apparently these password thingies are working out too well... how about a new option....just say the password we want outloud, then everytime we want to login, our dead relatives will relay the message to John Edward, who is conveniently stationed at our bank! He will then call us with any information that we require! (of course a service charge of $9.99 will apply)
Unfortunately this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorance is a public service campaign like the anti-drug campaigns.
[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]
Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like google or CNN.
What surprises me the most is that the AVERAGE user does not really rely on any IE specific functionality? Sure, corporate users may have specialized apps that require IE because of plug-ins and ActiveX and what-not, but not most users, and not even most business users. So why do they not switch to something like one of the Mozilla flavors? Do they not know they are there? Do they think they don't work with Windows (only that Linux thingy), that it lacks functionality they need?
I switched my wife to Firefox, it even sort of LOOKS like IE...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Unlike the domain name, that will not be fraudulent:
host www.refestltd.com
66.226.64.11
whois 66.226.64.0
Abacus America Inc.
ABAC
5276 Eastgate Mall
San Diego
CA
support@aplus.net
All's true that is mistrusted
These are some of the things molecules do...... given 4 billion years -Carl Sagan
After last week's CERT advisory, there should only be a handful of them left.
Not saying that something similar couldn't be done for Firefox or Opera of course ... it stands to reason that if something can be "plugged into" an application, like these BHOs, and that they can do stuff with the page content, or intercept form data before any transport stage, that this was bound to happen at one stage or another.
... it happens on IE, and thus IE's entire design is flawed. Quite how any corporate institution can continue to use IE instead of wiping it from all hard drives for security reasons is beyond me.
But
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
Our ability to think and reason was not the product of evolution
I'd like you to prove that.
Our ability to think and reason could easily be a product of evolution. Just because you can see the possibility doesn't mean that it doesn't exist. Making such a blanket statement does not show your intelligence or knowledge, it shows your ignorance.
One only has to compare the security woes of Microsoft or Linux with the rock-solid experience of OpenBSD for an example.
Are you saying that these operating systems haven't evolved in an iterative process? Riiiiight... "Release early, release often"
"I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser."
The debug build of Safari would let you spoof the user agent. A site requires MSIE? (click) Oh look! I'm MSIE now.
Looks like there's an extension for Mozilla that does the same.
Might help. Of course I then set it back to the regular Safari/Firefox/non-MSIE user agent ID so that any webmasters gathering stats will see that there are folks who (gasp) actually don't use IE.
New and credible eh? Well crafted but a troll nonetheless.
There is no interface to just blatantly let software attach itself to firefox, you can install plugins, but a page has to call a certain type of plugin for it to be used.
Javascript nor Java would cause any type of vulnerability, since the bank pages would not be running either. Applets have very little power to begin with, so you'd have to download and run a java program for it to even think about keylogging and sending.
So no, not all browsers are weak and just not targeted, IE is just an incredibly insecure POS. I worked for 9 months at a university tech-help center where the VAST majority of our time (we're talking 90% of a multimillion tech help budget) was spent on cleaning spyware from IE. I answered a hundred or so calls on a shift, every few weeks I'd get a call from a mac user....almost always because exchange wasn't configured right on their mac. And yes, I run FireFox on FreeBSD....
No, I just meant the whois query was for the correct domain but when I was typing the response here I accidentally added an "l". That info is the whois query for refestltd.com.
All's true that is mistrusted
Oh, it's the big 'e' on my computer.
To get around the "teaching others to use a new browser", I just loaded Firefox, added a luna skin to make it look like IE, and then used firesomething to change the name to "internet explorer". They barely know the difference!
But for those that are unfortunate enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets windows users see what BHO's are loaded at any particular time, so I would assume that this malware would show up here as well. It's a quick way that someone can find out just what is running in the background.
http://www.definitivesolutions.com/bhodemon.htm
BHODemon 1.0
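The kind of inventory the comment above describes can also be taken from the registry, where Internet Explorer reads its list of BHOs. The following is an added example, not part of the original comment and unrelated to BHODemon's own code: it parses the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s` and by `reg query` on each class's `InprocServer32` key, and separates reviewed entries from unreviewed ones. The sample output, CLSIDs, DLL paths and the reviewed list are constructed, and the four-space column layout of current `reg.exe` output is assumed.

```python
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_[A-Z_]+)(?:\s{4}(.*))?$")

# Constructed sample: output of `reg query "<BHO_KEY>" /s`.
SAMPLE_BHO = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}
    (Default)    REG_SZ    Example PDF helper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}
"""

# Constructed sample: output of `reg query "HKCR\CLSID\<clsid>\InprocServer32"`
# run once per CLSID found above and concatenated.
SAMPLE_CLSID = r"""
HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\ExampleVendor\pdfhelper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\System32\example_unreviewed.dll
    ThreadingModel    REG_SZ    Apartment
"""

# Constructed allowlist: CLSIDs an administrator has already looked at.
REVIEWED = {"{11111111-1111-1111-1111-111111111111}"}


def parse_reg_query(text):
    """Turn `reg query ... /s` output into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group(1)] = (match.group(3) or "").strip()
    return keys


def bho_inventory(bho_text, clsid_text, reviewed):
    """List each registered BHO with the DLL it loads and its review status."""
    classes = {k.upper(): v for k, v in parse_reg_query(clsid_text).items()}
    reviewed = {c.upper() for c in reviewed}
    prefix = BHO_KEY.upper() + "\\"
    report = []
    for key, values in parse_reg_query(bho_text).items():
        clsid = key.rsplit("\\", 1)[-1].upper()
        if not key.upper().startswith(prefix) or not GUID.match(clsid):
            continue  # the parent key itself, or something that is not a BHO entry
        server_key = "\\".join([CLSID_ROOT, clsid, "InprocServer32"]).upper()
        dll = classes.get(server_key, {}).get("(Default)", "<no InprocServer32 found>")
        report.append({"clsid": clsid,
                       "name": values.get("(Default)", ""),
                       "dll": dll,
                       "reviewed": clsid in reviewed})
    return report


def unreviewed(report):
    """Entries that still need a human to decide whether they belong there."""
    return [entry for entry in report if not entry["reviewed"]]


if __name__ == "__main__":
    for entry in bho_inventory(SAMPLE_BHO, SAMPLE_CLSID, REVIEWED):
        flag = "ok    " if entry["reviewed"] else "REVIEW"
        print(flag, entry["clsid"], entry["dll"])
```

An entry missing from the reviewed list is only a prompt to look at the DLL; the listing does not by itself say whether a BHO is malicious.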
That's funny considering I can't use my bank's Internet system it says it requires IE for security purposes.
- go to http://www.mozilla.org/products/firefox
- download the windows installer
- run aforementioned installer
- Realise that installer automatically imports IE favourites
- Select the Internet Explorer icon, press "Del" key
- When asked if you are sure,say yes (with extreme prejudice)
it's really that simple, for added effect you could try replacing the firefox icon with the explorer one (right click|properties|change icon|browse to iexplore.exe|select the icon from the ones that come up), that's what I did as I was used to clicking on a blue e. After a while I weaned myself off.
I am NaN
I worked for the Canadian govt for a while and they use a product called secureID. It basically generates a new number every 40 seconds this number forms the last half of your password. If banks forced customers to use one of these then your passwords would be a lot more secure and almost all of these security problems would be a lot less of a problem.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Sure, it's interesting. But any tool can be used for practically any purpose, good or bad. Whether it be FOSS or proprietary software, in this case.
The fact remains, we won't ever be able to control what purposes tools will be used for, unless of course we're willing to give up more basic freedoms. Think RIAA for example.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
There's a good explanation of BHO and how malware authors tend to exploit it here.
Maybe this is the kick of the pants that M$ will get now that financial institutions are targeted with an exploit from a badly-designed browser model.
Which is nice.
Wearing pants should always be optional.
Somewhat Ironic, considering Most banks -- at least here in the UK will send an error, or physically stop you from using their system in the interests of security :)
Is there, somewhere, a good, complete list of recent (say for all of 2004) IE exploits to show the PHB?
Thanks
"Would it kill you to put down the toilet seat?" -- Maya Angelou
There are many programmers who would love to do that... If they could get the source.
Don't you know the proper way for citizens to solve their problems today?
1. Incorporate yourself
2. Make a $1000 contribution to the Corporate Party (DNC or RNC, doesn't matter which)
3. Sue them for $10000, and get your pol friends to bring in the FBI
4. PROFIT!!!
"The Justice Department's spending on cybercrime would leap from the $157 million allocated by Congress for the 2003 fiscal year to $265 million. The agency's Internet Crimes Against Children program, which investigates child pornography and "enticement" cases, would receive a $2 million increase, to reach $14.5 million."
Even if the Justice Department "only" had $157M in 2003, you'd think there would be a bit more to show for it. But this is the US government we're talking about. There are doubtless a good number of motivated and competent people in the US government who are diligently working to combat cybercrime.
The problem is that US government agencies are notoriously slow to adapt to change. Having worked in one before, I can attest to how frustrating it can be to try and get even simple, obvious tasks completed when groupthink prevails. It must be incredibly frustrating for the folks working in those departments who are trying to go after cybercriminals.
Read the EFF's Fair Use FAQ
...that's why I said 'patches'. These would need to be small, running processes that protected various elements of the known holes. A temporary fix until the large, slow, but effective MS machine got around to closing them.
Is there a skin that acts exactly like IE? I'm looking to swap my family computers over and would like an IE interface. I've tried education to the family and it just hasn't worked really well. Tabs? What do they care? Adblocking? Who's got the time? They're just ads. Every feature I introduce doesn't really sell them. So basically, they would like to stick with Internet Explorer. However, clearly, I can't let them with all this crap flying around these days. That being said, I just want a way to make Firefox look like IE so I can do a swap. Anyone?
Disagreeing with me does not mean you get to mod me troll.
obviously, the bhodemon is a very useful little tool, but why does the icon for the little executable look like someone took the napster cat, doused him with kerosene, and flicked a match in his direction?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Unless, of course, I've lost all my marbles...
Dream as if you'll live forever.
Live as if you'll die tomorrow.
~Anonymous~
Okay folks, now is the time to DEMAND your online banking providers to switch to a one-time pad system for passwords.
Many banks in the EU have already done this. Why are banks like BANK OF AMERICA and others still using simple passwords?
My passwords are just little black dots when I type them.
------ How can making people laugh lead to bad karma?
That's assuming the file was named xxx.gif.exe, but the article doesn't say that. Obviously there was a payload inside of it, obviously Microsoft blocks executables (generally) from being run. I'm just trying to figure out how the gif file (assuming that it doesn't have the .exe extension) could get executed if you're using reasonable security.
It is a compressed Exe-File with a .gif ending. The user didn't run as admin and the Windows XP policy was in place so the file couldn't install. Through this it came to the admin's attention. I guess Firefox wouldn't have been a more difficult target.
As soon as a trojan gets executed on your machine you can just hope you didn't do it with root-powers and that the trojan won't find a way to raise its privileges.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
Many people work at big (or small) companies that use Windows on desktops and have opted to not install any other browser than IE. Corporate users don't have a choice. The laziness is not only of home users, but also of PHBs.
... cost. The silly device and the licensing and support (those things go out of sync) cost a bundle. They figure that the cost outweighs the benefit, I guess.
A two-factor authentication would be the way to go, for sure. Someone else in this posting thread mentioned that his Finnish bank gives me a one-time use list of passwords (known as a strikelist).
Which is nice.
Wearing pants should always be optional.
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" phase, but I see fewer Firefox and Mozilla fixes than there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
I DO use FF. But how do I really know it's any more secure than IE? Or Some Other Browser(TM)? I don't. Seems to me we have come to the point where the computer just can not be trusted. (If you say some other OS is safer, you may be right today, but wrong tomorrow.)
Is it possible to have a truly secure box that is used for
and doing online transactions? How many banks allow their employees or customers to use their ATM network for all of these purposes? What's needed is a more robust model: Specialized hardware and software, maybe something similar to VPN. I don't think a generic PC will ever be secure enough, regardless of OS. It's time to think of new solutions for security problems.
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
So apparently I'm the frist one to RTFA, because I would think someone would have commented on this by now. This bug sends your passwords to a script at , and refestltd.com appears to be in the business of (or at least it points to someone who is in the business of) selling anti-spyware software. Coincidence? Conspiracy? Joe-job? Bueller? Bueller?
Media that can be recorded and distributed can be recorded and distributed.
-kfg
A lot of developers seem to have chosen the alternative of working on Mozilla, or Linux, or a variety of other projects. Really, isn't MS big enough to fix their own problems? What's their cash reserve up to now - $50 billion? And after something like 2 years of a new focus on security the holes get bigger & the exploits arrive more quickly? And you want a bunch of volunteers - that don't have access to the source code they're trying to fix - to create temporary solutions until Microsoft gets around to it? Are you fucking kidding me?
The whole Microsoft direction seems to be as friendly as possible to hostile code. That's a case for a negligence class action.
Who is going to do that with IE? It's getting to that point now isn't it?!
How are we going to migrate a whole bundle of non-technical users off IE anyway? Firefox payload super-virus perhaps?
Ah, okay. The CHM exploit is what this whole shebang has been all about...
As much as I'd hate to agree with you...
Shouldn't it be possible for someone to create a browser helper object that closes all the doors, shuts the windows, throws the deadbolt, and covers all the other security holes.
Or along those same lines, shouldn't it be possible to create an ActiveX drive-by that downloads and installs Firefox, and edits all the IE shortcuts to point to firefox.exe instead.
Bank One works fine with Firefox and it is a modern nationwide bank. Not that I am saying their service or anything else is better, but they are not bad.
Just switch. The ones that adapt and survive, the rest, thankfully, will disappear.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
They've been getting away with inferior (and dangerous) products long before they gained monopoly over the browser domain. Using their existing OS monopoly to force vendors to not package Netscape or Opera they effectively nulled out the competition. Customers knew they had a choice then exactly as much as they do now: hardly at all.
Microsoft doesn't have to listen to customers any less now than they ever have. The only thing they listen to is the ka-ching of the cash drawers whenever another customer buys a machine bundled with Windows.
><));>
I once saw a door with a keypad where the numbers were LEDs under funny plastic. Every time you entered the numbers would be rearranged but your pin was the same. The numbers were pretty much only readable from directly in front of it. An on-looker could not get your pin (as easy). An interesting additional security measure.
There are still sites that IE renders properly that Opera/Firefox do not.
What is your definition of "properly"? Firefox is far more standards compliant than IE. It's true that some sites look better in IE, but that's because they are coded around IE's deficiencies.
The IE rendering engine is stupidly used all over the place, so the app still needs to be secured.
s/ly used all over the place//
What the hell!?!? Microsoft promised me that Windows was more secure than Linux1?!?
-=-=-=-
And yes, a bug in Explorer counts as a bug in Windows, after all they're the ones that were so insistent on building the web browser directly into the OS.
Freudian slip?
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Obligatory 'install the patch' link here...
I wouldn't have realized, because like you say, I don't use them. I don't use firefox because it's got a lot of features. I use it because it works, it renders pages correctly, and it doesn't hose my system.
What have extra features got to do with it? Unless "working right" is an "extra feature" in your world...
While this naively may seem like a good idea, it has enormous potential to blow up in your face.
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever you need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) forming political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
We'll just add the following Javascript into websites:
// Redirect Windows users running IE 5.5 or later to IE_BAD.htm
var userAgent = navigator.userAgent;
var MSIEIndex = userAgent.indexOf("MSIE");
if (userAgent.indexOf("Win") != -1 &&
    MSIEIndex != -1 &&
    parseFloat(userAgent.substring(MSIEIndex + 5, MSIEIndex + 8)) >= 5.5) {
  window.location.replace("IE_BAD.htm");
}
and let those still using IE suffer.
---
IMHO, of course.
May the SOURCE be with you.
Also, the FBI did specifically confirm that due to the multiple states involved, it would normally be their case, but that due to their new focus they could not handle it. So it's their word against yours that "'anti-terrorism' has nothing to do with it."
I have such little respect for the FBI now, that I will never lease or finance again, to ensure that the transaction stays within the same state and I retain access to redress.
I'm sure a huge percentage of people out there won't/can't/too-lazy-to download any of the alternatives. It's nice so long as they don't affect other people when malware like this hits. But there've been cases where software has been used to effect a DoS.
Nothing to do but keep informing people as we meet them.
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
What's wrong with taking a 4x4 shopping? I have successfully migrated my various family members in far-flung states to Firefox, people who call IE "the Internet." Either install it during a visit, or, if need be, talk them through it over the phone. If they don't want extra features, they don't have to use them. Once they're comfortable, though, casually suggest they try, say, tabs. Then eventually they're installing their own extensions! If they're not part of the solution, you know, they're part of our problem. So you have to do a little free tech support. Big deal. Consider the opportunity here to create a user base for open source software in the general public. This is a beautiful opportunity to wow them with better software. Don't squander it.
grammar-lesson free since 1999. (rescinded - 2005)
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Read the EFF's Fair Use FAQ
There's a risk associated with accepting credit cards, but most merchants choose to accept that risk to increase their customer base.
Similarly banks put themselves at risk by providing online banking, but that risk must be sufficiently small compared to the number of customers they'd lose if they didn't provide that service.
I know there's a risk in using my credit card online, but the financial and time cost of credit card fraud (in my personal case) is far lower than the financial and time savings I've made through buying online.
Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
Here in Switzerland, the online banking system is the same with "scratch-list" or a list of one-time passwords that are used one by one for each access to the online banking service. Recently, UBS and some other banks have an even better solution. Instead of a paper list that somebody may secretly take a copy of, they give the customers some type of smartcard and a special small calculator-like device to read it. Each time you access the bank's website to do some banking transactions, you enter your user and password, then a number is displayed on the screen. You enter this number in the card-reader holding the smartcard you have, and it returns back a hash value that you enter in the webpage. Now, each user has a unique smartcard and the number that the webpage generates is random so there is practically no way to predict the needed hash value to access the banking record unless you can physically access the smartcard. And needless to say the smartcard has itself a user selectable password that can be changed using the card-reader to protect it against theft. This way, even a bank employee can't steal your password and/or scratch-list!
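The challenge-response login described in the comment above, sketched as an added example (not from the original thread and not any bank's actual scheme). It assumes HMAC-SHA256 with a per-card secret, an 8-digit challenge and an 8-digit truncated response; the class and method names are hypothetical. The point it shows: a response captured in the browser is useless later, because every challenge is random and consumed on first use.

```python
import hashlib
import hmac
import secrets


class CardReader:
    """Stands in for the customer's smartcard plus handheld reader (assumed design)."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret  # in a real card this never leaves the chip

    def respond(self, challenge: str) -> str:
        digest = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        # Truncate to 8 decimal digits so a person can type the value in.
        return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues random challenges and checks the typed response."""

    def __init__(self):
        self._card_secrets = {}  # user -> per-card secret
        self._pending = {}       # user -> outstanding challenge

    def enroll(self, user: str) -> CardReader:
        secret = secrets.token_bytes(32)
        self._card_secrets[user] = secret
        return CardReader(secret)

    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = challenge  # replaces any earlier challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() makes the challenge single-use: right or wrong, it is gone.
        challenge = self._pending.pop(user, None)
        secret = self._card_secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = CardReader(secret).respond(challenge)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    bank = Bank()
    reader = bank.enroll("alice")          # constructed user name
    challenge = bank.issue_challenge("alice")
    response = reader.respond(challenge)
    print("first use accepted:", bank.verify("alice", response))
    print("replay accepted:   ", bank.verify("alice", response))
```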
However, I'm just trying to offer an alternative to complicating people's lives even more than they already are. If we can handle it we should.
If someone exploited the fact that Americans drive on the right, would you want all Americans to start driving on the left...or fix the exploit? Just because you don't know how the road is made, doesn't mean you can't make the car drive properly on it.
IE is a very robust, useful program...a fact that many people miss.
I could also get petty and go this direction:
Linux is supported and patched by a community. Volunteers for the most part. Imagine what could happen if we turned that power towards something everyone ALREADY uses like Windows/IE. Come at me with the 'source code' argument if you want, but what I'm proposing is a simple quick fix system while we wait for MS to get moving.
If you are willing to do it for Linux...but not Windows...wouldn't that make you elitist?
Just a thought
I sent a mail to all the company when last Friday's attack hit the media. I told people to be careful with IE and if they wanted a browser that didn't have that problem download Firefox (provided a link).
The company's CTO mailed me back and told me:
"Despite we give users admin right in the [w2k and XP based workstation] machines, you cannot install software without first checking out with the IT department. This is more important when we are talking about basic OS components, specially to those doing web development because it could lead to different rendering results."
My answer was: "I never told them to install anything in the office PC, I assume some might have a PC at home."
What I like is the part where he thinks a browser is a basic OS component.
"What is your definition of "properly"?"
It works? It's broken on other browsers?
" Firefox is far more standards compliant than IE."
Firefox may be more W3C compliant. No argument there. However, IE is the de-facto standard. Firefox is not standards compliant with IE, and frankly, that's what's keeping the IE shortcut on my taskbar despite having Opera and Firefox ready to go.
"s/ly used all over the place//"
Sorry if I'm being dense, but I don't understand that comment.
"Derp de derp."
I really must stop watching Comedy Central.
I don't want knowledge. I want certainty. - Law, David Bowie
Tear everything down and start again. If you can get someone to properly document your kernel, so that your own employees will have a chance of understanding it, go that deep.
Go as far as you need to to actually secure your OS and supporting suite. People aren't going to put up with this crap forever.
Windows had the potential to be a good system when you originally bought DOS, until you started piling "functionality" onto it.
Do you see what I did there?
So does this mean BHO really stands for "Butt-Hole Objects"? (Apologies to Mac 7100 owners and the late Carl Sagan)
Will finally consider officially supporting browsers other than IE ;-)
Umm...
Dude I use Moz 1.6 to go to Fleet's site all the time, works great.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.
You must have missed the part where the poster pointed out that lesser jurisdictional law enforcement agencies weren't allowed to handle the problem because it crossed state lines - The poster DID try those first, and they passed the buck upward to the FBI. So by saying the poster shouldn't bother the FBI over this, you are simultaneously telling the poster there exists NO law enforcement agency that can be used, so just suck it up and take the $1000 hit.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
The report says that the malware contacts http://www.refestltd.com/cgi-bin/yes.pl and if you go to http://www.refestltd.com/, it points you to download a spyware scanner.
Here is a sample of an email I sent recently:
With the almost daily announcements from Microsoft about security vulnerabilities in Internet Explorer web browser, I now use the Mozilla.org web browser. Unfortunately, the BANK-NAME web site requires Internet Explorer. I very much enjoy BANK-NAME's online services, but do not feel secure using software that has a negligible security record. I will be doing all my banking and account access directly at my branch office until I am able to access my online account with a more secure browser. Thank you much for your time.
Sincerely,
my-name
itadakimasu
"s/ly used all over the place//"
Sorry if I'm being dense, but I don't understand that comment.
That's VI's substitution command, changing your sentence:
The IE rendering engine is stupidly used all over the place, so the app still needs to be secured.
To the more accurate (in my opinion):
The IE rendering engine is stupid, so the app still needs to be secured.
Just a joke.
With IE security holes and exploits being announced almost daily, it might make you wonder why people would continue to use a piece of crap like IE. I wondered the same thing until recently when I had the following conversation with a friend, who is not exactly "computer savvy".
Friend: [asks me a bunch of questions about IE and Outlook Express]
Me: "I really don't know. I never use those programs"
Friend: "Oh. [looking very surprised] I thought you *HAD* to use them."
Similar issue here the other day with my wife's Mac (safari and mozilla both).
Not sure I can use the brackets, but you'll get the idea here anyway.
input type="text" " name="foobar"
(Note the extra ")
Safari/Mozilla (rightly?) barfed on that portion of the form, and wouldn't submit a value for foobar. I *suspect* IE works just fine with it, as the company hasn't yet replied to us about it not working for them. We're demanding a refund because they can't/won't fix the problem after 5 business days.
creation science book
Our ability to think and reason was not the product of evolution, argues a new and credible scientific theory called intelligent design, but was deliberately chosen for us. Perhaps this is a thought that should again be applied to the creation of software.
You're right. Fire everyone at MS, and wait for a deity to come up with a better OS!
Don't you wish your girlfriend was a geek like me?
If you can't get that program when sp2 comes out for xp it adds management for plugins to ie. You can disable them but not turn them off. M$ got it half right I guess.
This was my first thought too. However it's the wrong people you have doing the mobilising. *We* need to mobilise. I'm mailing out to all my friends and family to make sure they know about this threat to their assets. All they need to know is "Your IE bookmarks appear under Imported Bookmarks". Mozilla market share through the roof, standards win, open source wins...
Sig pending!
"The IE rendering engine is stupid, so the app still needs to be secured. Just a joke."
Ah.
Heh.
Stupid? Eh I dunno. One thing that is VERY nice about making web pages for IE is that it is very error tolerant. One thing I really despised about Netscape was that it wasn't too difficult to accidentally mess up a tag in such a way that the page wouldn't scroll. Serious, it'd draw the page, but it wouldn't draw the scrollbar. GRR.
"Derp de derp."
penalize them for failure to reveal risk.
Actually, there have been scams like that, for some time. There was even a great online documentation of one such device that someone found attached to an ATM.
Amazingly these crimes aren't being tracked down by the FBI either.
Right now if you're not threatening national security by using DeCSS or Kazaa then you're off the FBI's radar, they have bigger payoffs... er lobbyists... er... I mean problems to take care of.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I won't link to the Mozillazine Forum thread on this issue (since they are having bandwidth problems), but you could just search for my username there (Jimmy_C) for the original thread. Rest assured that this is backed up. The latest Mozilla FireFox builds have a feature where only extensions from white-listed urls can be installed. The UI for this feature works almost exactly the same as for popup-blocking.
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
Damn it, I was just browsing something before going home and thought it was HBO stealing my bank account number.
There is a spark in every single flame bait point.
I won't link to the Mozillazine Forum thread on this issue (since they are having bandwidth problems), but you could just search for my username there (Jimmy_C) for the original thread. Rest assured that this is backed up.
The latest Mozilla Firefox builds have a feature where only extensions from white-listed urls can be installed. The UI for this feature works nearly the same as for popup-blocking. The only default white-listed site will be hosted by Mozilla.org. In addition to the no-silent-install policy and the built-in delay before the accept button is activated, this new feature should help prevent these types of attacks against Firefox from being practical.
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
Don't mod him down because he's a creationist. Mod him down because he's an idiot.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Sorry; I pressed the "enter" key by accident. Since I'm online with a slow connection (dialup), there is often a large delay before a submitted form page is displayed. One did not display for me and I didn't realize that I already submitted this. Why, oh why, doesn't /. have a mandatory preview before comment submission like any sane forum? :-&
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
I'm sick of this argument. There are plenty of ways to add stuff to your Honda; and if you don't know how to work on cars you pay someone lots and lots of money to add them. You're right, BHO are an awful idea, but the poor design of one piece of software does not mean computers aren't meant for regular people. All a "regular" person has to do is use mozilla. It's not like knowing how to build a differential, it's like knowing what grade of oil to put in your car. If you don't know, ask somebody who does.
Not that it isn't also the companies' fault. They go out of their way to tell people that they can turn their brains off when they plop down in front of a monitor (just like TV), and you can't do that. But there is a happy medium between deep internal knowledge and dangerous ignorance, and most end users are way on the dangerous ignorance end.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Did you RTFA?
This is a .gif file. Even those who are smart enough to disable Microsoft's filetype hiding (because, obviously, users are too stupid to deal with file extensions) would think that this is a quite safe, viewable file. But Microsoft, in their infinite wisdom, ignores the extension and determines what type of file it is by examining the file structure directly (exe) and goes ahead and executes it. Designed this way, e-mail filters that deliberately exclude executables (to prevent this very kind of attack) are fooled into passing this right along.
Don't you see a number of design problems with this approach? Don't you have to wonder whether Microsoft actually wants trojans and spyware when you see this? And if they do want trojans and spyware, what kinds of holes do you think they will design into .NET Longhorn?
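For the case raised in the comment above (an executable delivered under a .gif name slipping past an extension-based mail filter), here is an added example of a filter-side check that compares the claimed extension with the file's leading bytes. It is not from the original thread; the signature table, verdict names and sample bytes are assumptions constructed for illustration, and the table is deliberately short.

```python
import os

# (leading "magic" bytes, content type). A short illustrative table, not exhaustive.
SIGNATURES = [
    (b"MZ", "executable"),            # DOS/PE header; still present on packed EXEs
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

EXTENSION_TYPES = {
    ".exe": "executable", ".scr": "executable", ".pif": "executable",
    ".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
}

# Constructed sample inputs (not real files).
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def sniff(data: bytes) -> str:
    """Return the content type suggested by the first bytes of the file."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(filename: str) -> str:
    """Return the type the file name claims, judged by its final extension."""
    # Windows ignores trailing dots and spaces, so "a.exe. " is really "a.exe".
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]   # last extension only: x.gif.exe -> .exe
    return EXTENSION_TYPES.get(ext, "unknown")


def classify_attachment(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    claimed, actual = claimed_type(filename), sniff(data)
    if actual == "executable":
        return "block", f"content is executable, name claims {claimed}"
    if claimed == "executable":
        return "block", "executable extension"
    if claimed != "unknown" and actual != claimed:
        return "quarantine", f"name claims {claimed}, content is {actual}"
    return "allow", "name and content agree, or type is not tracked"


if __name__ == "__main__":
    for name, data in [("holiday.gif", SAMPLE_PE), ("holiday.gif", SAMPLE_GIF),
                       ("holiday.gif.exe", SAMPLE_GIF), ("photo.gif", SAMPLE_PNG)]:
        print(name, classify_attachment(name, data))
```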
Using open source software without developing open source software would make me a greedy, self centered prick - not elitist.
I happen to agree with the argument that diversity is beneficial. That's true at the OS level, the browser level, the hardware level, the router level, the food crop level, etc. Competition is good. It's good for the consumer in terms of lower prices & added features. Monoculture/homogeneity is a negative. Isn't it great to live in a world where if I don't like something, say MS products for example, I can pick a different one! What a concept! If I don't like Bud, I can drink Miller. Or brew my own. If I don't want to drive a Trabant, I can buy a Jeep. Or ride a motorcycle. Or walk. What a horrid world it would indeed be if I didn't like the Trabant, but my only choice was to either fix it myself or not use it.
Happy Mozilla/Netscape user. Since before there even was an IE.
I think it was this line that got to the Mod:
But what do I know, my brain is already half-washed. Can somebody get me some friggin bleach so I can finish the job?
is why the heck the site that COLLECTS the stolen usernames and passwords is still online!?
It's in the advisory: http://www.refestltd.com/cgi-bin/yes.pl
That's the Perl script that the browser object reports to. It's still nice and responsive. Isn't there some fraud dept of the FBI that should have shut this down already? Or are we all just chatting about this and doing nothing, and no one has even notified the ISP?
And interestingly enough, the home page purports to sell a spyware scanner. Nice.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Uh like the kind of person he is talking about ever uses the update feature anyway and there is always the Auto Update for those who don't.
1) This is a trojan. While IE could be improved to help prevent this, this type of trojan can be used with any browser (albeit with a bit more social engineering effort would be required with most other browsers).
2) Yes, XP SP2 is a magic fix. I've seen the dialog screens for BHO's and the like. They're ridiculously obvious. Furthermore, I believe that MS is _finally_ sandboxing this stuff (I remember reading it somewhere, but I can't verify). Finally, SP2's super aggressive firewall would detect that an unauthorized application was trying to send data via port 80 (or any port, for that matter) and warn the user. SP2 isn't bullet proof, but MS has put a LOT of resources into it to help minimize its embarrassing history. From what I've seen it looks promising, and hopefully my firewall will stop reporting so much NIMDA etc. traffic.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
>Don't mod him down because he's a creationist. Mod him down because he's an idiot.
Now I have to mod you down for being redundant.
Doh!
Belief is the currency of delusion.
Tear everything down and start again.
Look at Windows 2003. They don't have the same usability req's as XP, so it's easier to secure. And it IS secure. It's not bulletproof, it's not OpenBSD, but how many serious exploits have made it into the wild, especially when compared to competing OS's? Windows XP SP2 looks to be a huge improvement - we'll just have to see. Either way, it seems they have a handle on it, without having to tear everything down and start again.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Here's the real and true account of my attempt to put Firefox on a friend's machine when I did a clean reinstall (at her request):
I: Okay, now, this is Firefox---
She: WHAT HAPPENED TO MY INTERNET EXPLORER?!
I: This is better. Here, let me show you---
She: PUT IT BACK PUT IT BACK!!
I: Really, it does everything IE does; if you'll just look at it---
She: YOU KILLED IT! AAAAHHH!!
I ended up leaving IE as her default browser. True frickin' story. People fear change.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
No, it is an issue because windows update is non-standards compliant crap and needs ActiveX. Try and validate this windows update. Yes this is the "latest and greatest" version of windows update that you use with WinXP SP2. It still sucks and is non-standards compliant. It would be much easier for MS to have just had a small executable GUI app that replaces all of that windows update junk. Think how much they spend on server resources for windows update vs. having a simple windows GUI app check the local PC against the most current updates and then just download as needed.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
something as simple as the OS prompting for an account password (ala just about any flavor of *nix comes to mind), would do wonders for windows pathetic security...i looked around all the new features that are said to be included with win xp sp2...this wasn't among them....
why is it that the second that i have logged in, anyone could sit down at my system and if i happen to not have a password on the screen saver or have the system set to automatically log me out after x minutes of activity, ANYONE could install ANYTHING on my system...and just extend that a brief moment to any perpetrator online installing malware and any other executable trojan to turn a windows box into a spam zombie....
i just don't buy that MS is serious about security...this is a pretty easy solution that shouldn't take months of ripping apart the OS for implementation....
i don't get it...?
PS - i'm not trolling, i'm serious...this seems like a pretty simplistic fix that wouldn't take a rocket scientist to figure out...
- bliSS
the only difference between a rut and a grave, are the dimensions
As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.
If this is another case of sloppy programming by M$, everyone that loses money can sue. A class action suit for negligence, starting price 10 Billion. We will of course demand actual reimbursement of damages besides that fine, and we are always willing to negotiate.......UP.
Break the bank, problem solved.
Professional Politicians are not the solution, they ARE the problem.
not on the list and let me tell you our managers are shitting pink twinkies these days and for the first time in a LOOONG time actually listening to techs vs sales people. We'll see how far it actually goes $$$ wise but if your corp's browser allows for 3rd party or IE installs without prompt and enable any script to run...*shudder*
errr....umm...*whooosh* *whoosh* Is this thing on ?
For those of you who don't take the time to read the analysis of the trojan, here's what is said:
The HTML here attempts to exploit a known flaw in Internet Explorer to load and execute a .chm file. At the same time, it appears to have executed a script on www.mymaydayinc.com called photos.php. At this point, the packet captures provided by the victim end, but it is possible to make some intelligent guesses as to what happened next.
The victim of the attack found a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.
The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. (Hypothesis: the .chm exploit, shown above is likely used to rename and execute this file.)
So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn registers itself as a Browser Helper Object (BHO). BHO's are typically used for things like Browser Toolbars (like the one Google provides).
Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
News about Microsoft products based exploits will pretty soon cause the users of these products to become "immune" to this information. It can be compared to watching bad news on your local news channel. Every day someone is killed, robbed, raped; and they feed you this information to the point where you can become somewhat "immune" to this terrible news. Eventually the next time you watch the news you're like "well, what's new? next!".
Car bomb killed 20, American beheaded, IE BHO exploit, blah, blah, blah...."what's new? NEXT!" The more you hear about it, sad to say, the less important it can become.
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
on these turkeys:
http://www.refestltd.com/cgi-bin/yes.pl
where the data gets shipped after it's hijacked, according to the analysis summary
nada, then I tried google just on the domain. No entries, no pages containing the term, no nuthin.
anyone else get any better results
well, I will admit I didn't look at the PDF, maybe it's answered there.............
In Windows XP there is such an app that checks your computer against the updates available on Windows Update. It's called "Automatic Update", and it's on by default and recommended to be on when you install.
-]Phreak Out[-
Really, most of those people who won't switch are just plain afraid to do it. They get their machines broken and stuffed with malware while doing nothing wrong! No matter what they did last week to make it better, this week there's something else that will break their machines. They barely can run what they have now, so they get scared to start from scratch with a brand new learning (and potential expense in their minds) experience. These things -das komputarz- are sold all over as "easy to use". All you are supposed to have to know is click here, fill in the blank, click again, get online, open browser, go surfing. Really, see the ads for computers all over. NEVER do they claim it's hard and you will need to jump through hoops daily. People know that kindergarteners 'can use computers' now, so in their minds any normal adult can just get one, turn it on and use it.
So, they do that, they buy one, get online, 15 minutes later they get borked. They surf for a week, they got 293 weirdo scripts, cookies, warez, whatevers crawling all over their machines and the thing barely moves. They haul it to the local shop where the helpful windows computer expert trusted computar guy charges them 50$ to run a few cheap programs against it, it gets cleaned up. They drop another 50$ on an antivirus program at his recommendations. Next week it's broken again, back to the shop. 50$ to fix it, another 50$ to get a "firewall". Back home. Next week they get borked again, then they say "FxxK IT! Enough!" they won't care after that point, and no way do they want to start fresh all over with something new that is pushed the same exact way they got borked in the first place, with the recommendation of "go ahead, drive it, it's easy, a kid can do it, it's the same as you had before, just different".
Uh huh, that's gonna make them want to switch. Yep. Sure it is.
That's my theory anyway
There's little to no long term money in making windows or explorer secure or functional. What would they sell from then on if they actually released a product like that? They'd sell it ONCE, that's it. You wouldn't have a need to upgrade. You wouldn't need mr. fixit and even more expensive mr. consultant. And now MICROSOFT is going to sell antivir because their crap is so lame and PEOPLE WILL BUY IT!
There's a cubic metric boatload of megatons of money in making MSOS and browser (and server and email client and etc) *almost* secure and *almost* functional, for microsoft themselves down to the thousands of helpful windows/computer experts at the local whitebox stores and in the consulting yellow pages.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
If every end-user is an idiot,
ok, i'll raise my hand. imma end user of debian sid and i roof for a living. i think i have 12 college hours that'll never be used for anything remotely constructive. i need a calculator for doin my guzintus. i am an idiot.
if you were a NASCAR driver, would you want your race car built by UAW wage slaves or a bunch of rednecks that enjoy building race cars? no offense meant to the UAW or rednecks or linux geeks. it's a piss poor beer powered analogy, but this idiot is happy he has a choice. i like the fact that the linux how-tos don't talk down to me. i may be an idiot, but i know how to read. actually, for an idiot, troubleshooting debian is a lot easier than cleaning up all that shattered glass when ms windows shatters.
suppose there was a sig and nobody read it
Serenity now, insanity later.
I am about over Microsoft not doing anything about this security hole. The whole "We are going to let the Anti-virus" Stance just doesn't sit well with me. I still like Windows XP and will have to continue to use it so long as I have to for Work but I am not forced in any way to use IE and have switched to Firefox. I will continue using it until Microsoft gets off their butts and deals with this problem.
Very well put. I have to (sadly) agree. Most non-geeks are simply overwhelmed by what is supposed to be easy but is truly annoying and difficult.
But I'm starting to notice that normal folks are starting to realize that Microsoft can't be trusted. The avalanche of security problems, etc., are starting to slowly blunt the notion that "Microsoft makes it, so it must be good."
Much of the problem is that the computer industry is rife with overpromising and underdelivering products. In the US at least, they can make all kinds of vague marketing claims, so people think that they're stupid if their Windows computer isn't running glitch-free.
But now people are starting to talk amongst themselves. I've noticed a lot more of my relatives and friends no longer look at me like I'm a freak when I tell them that I don't have malware or constant security problems with my Macs. They usually still don't have enough wherewithal to break away from Windows, but their perception of Windows as the gold standard seems to be eroding.
Perhaps as Linux continues to advance, OS X continues to advance, and Longhorn continues to languish while Windows users suffer, a few more cracks in the wall will appear and the Windows desktop hegemony. I think malware and virus-riddled email may actually be the straw that breaks the camel's back.
Read the EFF's Fair Use FAQ
HijackThis! - lets you see & delete all BHO's, browser hijacks, host file entries, etc. Some caution is required tho, as it does NOT differentiate between the good & the bad, it's up to you to decide what to kill & what to keep. (Lamers can submit the list it generates to some forum to be told what is good or bad, but i've never used this service myself.) This prog is quick & clean, but again, can be dangerous if used carelessly.
Two quick stories... About six months ago I declared to my dear wife that I was switching the PC to Linux full time... I set up a profile for her in KDE complete with a win2k theme.. widgets icons everything and pointed her to Mozilla... She logged in ONCE on her own.
Usually when she takes over my PC, the first thing she does is logout of Linux and reboot into Windows bitching the whole time about how complicated Linux is.
I have both Opera and Mozilla installed in both partitions and I suggested she use Mozilla, explaining that it's "the newest version of Netscape"... no good..She spends most of her time on the Win98 box (HER PC) and only uses IE.
My Brother-in-law has managed to infect his computer with so much malware that at this point whenever he clicks on a download link in IE, it takes him instead to one of those generated on the fly search pages..
When I was over there last month, I installed and ran spybot search and destroy and ran a system scan in Norton and installed Mozilla... and suggested he use it.
Two days ago he called me to tell me he couldn't look at any pictures in his Hotmail inbox. He said he was getting the fake searchengine site again instead.
"Oh, I didn't think that would happen in Mozilla," I said.
"I'm not using Mozilla."
"Okay.. try this... open Mozilla"
"Okay"
"Now type in wwwdothotmaildotcom in the address bar."
"Okay. Now what?"
"Log in." I said."Can you look at the attachments now?"
"Ya."
Now that said...I bet that right after I got off the phone he closed Mozilla and opened up another session of IE. Hey, what can you do?
-- Cheers!
sorry, just realised that i didn't answer your question at all. well, i have no idea about definitivesolutions.com, never heard of them before, but i do use and trust hijackthis.
Try "BHO Cop", kinda old but Source Code is included.
http://www.pcmag.com/article2/0,4149,270,00.asp
HTH
L053R
Which virtual machine are you trying to install? I just browsed to this simple Java applet example and it worked out-of-the-box. Note that I installed Java2 SDK 1.4.something a long time ago, before installing Firefox 0.9 (from scratch) using the Windows installer. In fact, I installed all my plug-ins before using Firefox 0.9. What are you referring to? Is it possible that your unfortunate situation is just a special case or an anomaly?
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
5. Profit!!!
emt 377 emt 4
Is there anyone here that is still using IE?
I'd been using Firefox for ages without dramas. I switched to Linux in the end because I wanted something that:
Not to sound like I'm preaching to the converted here but a very large portion of the issues I experienced were directly related to IE bugs. Bugs experienced despite: latest patches, up to date anti virus software, decent firewall, solid security practises (and I work in ITsec too btw).
Funnily enough, the above is all Microsoft tells you that you need to do when using their products to remain "safe"...*chuckle*
Sysadmins should be forcing all their users to switch to Firefox and see just how long before Microsoft finally pull their heads out of their asses and get the job done properly.
I'm typing away in a form,
the website had a meta refresh to install software,
the prompt pops up just as i'm hitting enter and BAM, i got fucked
"people who really honestly like IE and dislike FireFox... I don't see why, I'd think that from the layman's view they'd be identical"..... /heresy:
/heresy
I use ffox, Opera & IE, and keep returning to IE.
Why?
1. On Win (which I must still use sometimes), ffox is the slowest of the 3 (especially re-draw), even though I'm always on the latest release.
2. I can't get the other browsers to do the simplest, stupidest things I can do in IE, e.g.: drag/drop shortcuts between address-bar & folders, or File=>Send=>Shortcut To Desktop, or drag a link from a page to the address-bar (a sure-fire "use the same window, dammit").
I dunno, maybe I just didn't RTFM.
3. I make genuinely productive use of toolbars (e.g. Google) unavailable on other browsers.
4. I don't grok the excitement of tabbed windows. I much prefer being able to position pages independently in separate windows. And if one of those windows crashes or hangs, I don't lose the others (or their back-traces).
As for security, I do quite well with the combo of common sense, frequent AV updates, SpyBot, AdAware, WebWasher, and very aggressive/paranoid firewall settings. (I love Agnitum Outpost, which lets me control cookies, ActiveX, JavaScript, etc. -- each *separately* -- on a per-domain basis.)
The easier solution is to make a browser that does not allow plugins to be installed without root user consent. For my clients, that means a phone call to me because they forgot their root password. Problem solved.
Friends don't help friends install M$ junk.
The only bank account that could actually be hacked with a PIN was my citibank.com account in the US.
I have two bank accounts now:
- One of them uses HBCI with a smart card: essentially my EC-card with an added encryption device. The encryption is done *externally* and authorized using a PIN on the external card reader.
- the other one is a little backwards: a PIN/TAN combination. All these people could eventually find out with the static PIN is the negative amount of money in my bank account. I hope they will pity me and transfer some money into my account.
Maybe I am overlooking something here. But maybe your average bank just doesn't care about your account security.
I hate to gloat but there is nothing like getting hurt for a wake up call!
Hallowed are the Ori
All was well for about five minutes, when I realized I had lost my Google Toolbar(!!!)
So, yes, I can confirm Google Toolbar is a BHO.
I went right back and rechecked the box - life isn't worth living without Google. :-)
IEButton
Includes Unicode DLL build + source
I switched to Firefox on Friday. Finally I was sick of the security holes in IE.
By Saturday I had come across three bugs:
1. Opening a pdf file froze Firefox temporarily. I quit it normally and it wouldn't open because it thought the user profile was still in use. Even worse, it had somehow killed Acrobat Reader so I couldn't read pdf files on my own computer. When I clicked on the same pdf link in IE, IE froze and soon computer (Win XP) hard crashed. Restarted and it soon hard crashed again. Restarted again.
2. The photography forums at www.fredmiranda.com don't work properly. When I control click to open a thread in a new tab, it opens it both in a new tab and in the current tab.
3. Sun's iPlanet Messaging Server for accessing IMAP email doesn't work properly. Even with popup blocking turned off, Firefox still for some reason blocks the Compose and Reply popup email composition dialog boxes. Perhaps there is another popup blocking setting that I don't know about. For now, I still have to use IE.
The first problem is a serious fault with Firefox/Mozilla. The second and third problems have to do with Firefox but may also be due to poor webpage design. Regardless, the switch to Firefox has not been transparent, even for someone not afraid of computers. And I still need to keep IE around. In my book, Firefox has a ways to go. (Still, love the tabs and the google search dialog. Reminds me of Apple's Safari.)
I wonder if MS even COULD make any of their Windows flavors - new or old - secure. To begin with, it seems that in order to do that they would have to set up a permissions system on the registry which is accessed by most programs and also disallow installing of any file containing executable code in any location, unless the user is an administrator. However, if they did this, much, if not most already installed software may no longer run. That would be a quick way for MS to ensure the loss of many users and thus big $$$ loss.
I got a program once on a CD for my Mac, which was obviously a quick and dirty PC port. This program would not even start up if it was run under an ordinary user account on my OSX Mac. It always wanted to have admin priv. which I did not give. I have no idea to what forbidden part of my system it wanted access. I have NEVER been able to install *any* software on my Mac without supplying an admin password unless I installed it into my own private applications folder. If the software STILL asks for an admin password even though I tried to install it into my OWN home folder, then I did not install it at all.
Sometimes I do wish to surf to unknown places and I set up a special restricted account for just that. Then, if something nasty DID get through the normal protections, it could not access any other parts of my computer and transmit personal info. since that account contains nothing I care about. The worst that could happen is for the malware to hose that account.
Most of my browsing is now done with Safari, but I still use the old MSIE occasionally and I did get to some site once where a request for an admin password came up unexpectedly -- which I did not give it.
The bottom line is that the OS should disallow any installation or running of code from an unauthorized location unless the user is asked for permission and has the ability to give such permissions.
All theory is gray
"When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE."
:(
So if I write protect this section of the registry so no user can write to it then IE will never load the BHOs? I'm starting to think that read-only for the entire "\Software\Microsoft\Internet Explorer" might be a good idea.
FYI: I work at an internet gaming cafe, I don't think I've ever seen so much spyware
I've experiments to run, there is research to be done on the people who are still alive.
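The registry lookup quoted in the comment above is the same list that BHO viewers such as HijackThis walk. As an added example (not from this thread or the SANS analysis), the Python below parses the text of a `reg export` dump and flags registered helper objects whose DLL is missing or sits outside a trusted directory. The sample export, CLSIDs, DLL paths and the trusted-directory list are constructed assumptions, and the export is assumed to include the `HKEY_CLASSES_ROOT\CLSID` entries.

```python
import re
import ntpath  # Windows path rules, importable on any OS

# Key under which Internet Explorer lists Browser Helper Object CLSIDs.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
TRUSTED_DIRS = ("C:\\Program Files\\",)  # assumption: set per site policy

# Constructed sample export (not from a real machine). regedit writes
# UTF-16 files; decode them to str before calling the functions below.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44444444-4444-4444-4444-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\helper.dll"

[HKEY_CLASSES_ROOT\CLSID\{44444444-4444-4444-4444-444444444444}\InprocServer32]
@="C:\\Program Files\\..\\WINDOWS\\Temp\\update.dll"
'''

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.fullmatch(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = m.group(1)
            name = "@" if name == "@" else _unescape(name[1:-1])
            current[name] = _unescape(m.group(2))
    return keys


def list_bhos(text):
    """Return [(clsid, dll_path_or_None)] for every registered BHO in the export."""
    # Registry key names are case-insensitive, so compare upper-cased paths.
    keys = {k.upper(): v for k, v in parse_reg(text).items()}
    prefix = BHO_KEY.upper() + "\\"
    found = []
    for path in keys:
        clsid = path[len(prefix):]
        if not path.startswith(prefix) or "\\" in clsid:
            continue  # not a direct child of the BHO key
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".upper(), {})
        found.append((clsid, server.get("@")))
    return found


def triage(text, trusted_dirs=TRUSTED_DIRS):
    """Return [(clsid, dll, reason)] for BHOs that deserve a closer look."""
    trusted = tuple(d.lower() for d in trusted_dirs)
    findings = []
    for clsid, dll in list_bhos(text):
        if dll is None:
            findings.append((clsid, None, "no InprocServer32 path in export"))
        # normpath collapses "..", so a path cannot borrow a trusted prefix.
        elif not ntpath.normpath(dll).lower().startswith(trusted):
            findings.append((clsid, dll, "DLL outside trusted directories"))
    return findings


if __name__ == "__main__":
    for clsid, dll, reason in triage(SAMPLE_EXPORT):
        print(f"{clsid}  {dll or '-'}  ({reason})")
```

Only plain string values are read; a path stored as an expandable string appears in an export as hex data and is reported as having no path, which errs on the side of review.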
That's a great system. Defeats any keylogger, plus the bank can deploy it to selected users if they are worried of scaring clients away with the RSA acronym. A bank in Greece uses one-time transaction validation codes (you get a list of one-time "PINs" from the bank and go for a refill when you use them up) but this is better still.
Furthermore, IE makes it very easy for a user to be duped into allowing a plugin to be installed.
:)
Yeah all you need to do is tell people that Internet Explorer will popup a security window and that they should ignore it and click the "Yes I want to install untrusted software" button!! sort of like this
Not that I've thought about whether the comment was right or not, I should point out that I don't think the suggestion was that it examines the entire structure, just reads the beginning of the file, all executables starting with the same bit pattern, most likely.
The firewall is what was changed to on by default for SP2, the auto downloader is set to on by default for XP already. Yes it asks you if you want to use it, but it's still on when that happens.
-]Phreak Out[-
. . . someone said about IE vs. Linux.
Let's pause a moment to regain our bearings.
The article was about an IE vulnerability.
Someone responded by questioning the virtues of IE and recommending other browsers (for his/her parents), but still WITHIN the context of Win.
I prefer *n*x variants (over Win) as much as the next person; but, in the context of this article, Linux is irrelevant, because there *is* no IE on Linux.
As I said before, there are times when I have no choice but to use Win; and, at those times, IE best fits my needs. When another Win-based browser can do the things I mentioned, I'll switch gleefully.
In Germany and Austria, online banking requires a TAN (Transaction Authorization Number) for any operation that changes the account.
The TANs come on a one-time-pad kind of sheet and you can use each number once before they become invalid. Therefore, if somebody is scanning my TANs (along with other things), they can do exactly nothing with it.
The sheet of TANs is generated on some bank server and sent to me via postal mail.
Admittedly, I wouldn't want anyone browsing my bank account. But the damage they can do with that is limited (changing passwords and so on requires a TAN too).
Yet another sheep without a clue.
On previous installations of various Linux distros, the first step I've taken is to download the various patches and updates. Same procedure with Windows.
Linux isn't a magic silver bullet that will solve all of your security problems.
"permissions embedded in the file system" is always overcome by people using the magic chmod 777 fix. "Real users" is useless if all the important personal data is stored by the user using the web browser.
I'm typing this using Firefox 0.9 under XP. I don't particularly like Windows, but there are other people who need to use this machine. For the many millions of people using Windows, using software other than IE/OE is a great choice.
What a great idea, let's ignore posts from now on however interesting they may be and moderate people based entirely on the contents of their signatures. Could produce some 'interesting' results...
There was a recent /. story about how the new SP2 will break some XP programs. Apparently it's NOT possible for Microsoft to introduce security without breaking stuff! And I'm sure SP2 will STILL be far less secure than Linux.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
I contacted my bank yesterday about the inability to access my account with Firefox. Their reply astounds me:
"[My bank] will make enhancements to [the Online Service], in 2004, which will allow for
compatibility with the Mozilla (Netscape) web browser as well as other web
browsers.
The Hardware/Software Requirements Section of our web site at
[Bank's FAQ Online] lists the browsers currently
supported at [my bank]. Using a browser listed on the web site will ensure that
you have the highest level of stability and security in accessing your
account information in [their online service]."
a browser listed on the web site will ensure that
you have the highest level of stability and security
. . . not so much when the only browser suggested is IE 5.5 or later. What a load of crap.
I used to write off all these Microsoft problems as "well, they have 95% of the market, so that's why they get targeted for these things."
But this latest problem made me reconsider! I switched to Firefox (and Thunderbird!) yesterday, and don't miss IE and Outlook one bit.
Thanks, /., for encouraging me!
Best Buy can have you arrested
We're doing our own internal time-tracking applications (as mainly an exercise to keep us busy as more work comes down the pipe.)
I decided to fire up the RC2 version of the web app under Firefox.
Worked without a hitch.
Granted we're not using anything really complex... (we're using some 3rd party data grids built off the MS grids, that's it)
But still.
Worked fine in Firefox.
If people actually bothered to TEST their applications, they may find that they work in alternate browsers. Or at least, they could hack around any incompatibilities.
I followed your suggestion and am recruiting the family. All I had to do is explain the new BHO trojan and they were eager to have an alternative.
With Windoze, nothing, and I've heard stories of people getting virused up before they have finished Windoze update. Of course, with Windoze you get owned even if your computer is on the Redmond campus.
With reasonable distros, you download a nice recent net install from a server you trust and check it with an MD5 sum. You then get all the packages you want. This compares favorably with the average Windoze user installing from their two year old CD, which itself was mass produced with year old code and stored in a warehouse for months before they ever got it.
The other thing that prevents mass ownership of Linux computers through net install attacks is the cluelessness and pathetic numbers of people who would actually do such a thing. M$ is desperate for bad news about free software, but all he can do about it is pay liars, like yourself.
Suck away.
Friends don't help friends install M$ junk.
Is really expensive...
Windows Update
Office Update
hang on...
give me a sec...
I'll come up with somethin....
nope.
That's it.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.