Wednesday, July 29, 2009

Why you should switch to Firefox

Executive summary: If you're using Internet Explorer v7 or earlier as your web browser, you should seriously consider switching to Firefox. Even if you're using the new v8 of IE, you're still not going to have as much protection from malware as with FF and the NoScript plugin.


I have been using Firefox as my primary browser for several years, and generally try to avoid Internet Explorer as much as possible. (Sometimes, though, it's not possible - my previous employer only supported IE for all of its Oracle infrastructure.) IE, being the most popular browser in the world - primarily because it is essentially built-in to Microsoft Windows - has been the primary target of cybercriminals for quite a while. Also, I like the fact that Firefox's user community has developed any number of (occasionally) useful plugins for it.

One (free) Firefox plugin that I run religiously on all of my systems is NoScript. Although there's a little bit of a hassle factor involved with using it, I feel a lot more "protected" from malicious web sites with it turned on. With its default settings, it will initially block all JavaScript, Java, Flash, etc. content and require you to specifically allow that content to be downloaded and displayed. You have the option of temporarily allowing content from a specific site, or adding the site to a "white list" of sites that will always be allowed through. (It protects against several other potential exploits, such as cross-site scripting.)

What prompted me to finally write something about Firefox and NoScript (this has been on my to-do list for a while) is the zero-day Adobe exploit that I posted about earlier today. NoScript can protect you from the exploit described in that post.

Finally: At the top I mentioned IE v8, which was released recently. I was hoping that Microsoft would take some steps to improve IE's resistance to malware, and I think they've made some good progress, but I found an article that seems to indicate that IE still has a ways to go. So although I'll continue to evaluate IE v8 on my Vista install as an intellectual exercise, I'll be keeping Firefox (and NoScript) as my favored "surfboard" for the indefinite future.

Urgent: Majority of Windows systems vulerable to Flash/Acrobat zero-day exploit

Firstly - you may be hearing the term "zero day exploit" more often these days in discussions about security issues. It basically means that the exploit under discussion is already being taken advantage of by the crooks.

Anyway, here's all of the details about the Flash/Acrobat Reader weakness. What is a little different about this one is that more than a few "legitimate" web sites have become infected with malicious Flash content, and so it's quite possible to be exposed to Eeeevil Stuff even if you're not snooping around the darker corners (and tubes) of the Internet. (Flash is used everywhere these days - e.g. YouTube basically runs on it.) Also, unlike some earlier exploits, disabling Javascript in Acrobat (which you should do - it's turned on by default when Acrobat Reader is installed) does not provide protection against this malware.

What seems almost criminal about this is that Adobe has apparently known about this defect for seven months. However, the exploit that actually takes advantage of it is apparently much more recent. I guess they decided to wait until really bad stuff happened before actually fixing their software...

Tuesday, July 21, 2009

A Pathetic Example of a Hacker...

First: the good news - this guy is probably wearing a bright orange jumper at the moment. The bad news - the accused was a security guard at a Texas hospital, and in his idle moments, he figured out how to break into some of the hospital computers - including the system that controls the hospital's heating and air conditioning systems. It doesn't seem that killing anyone was his real goal, but it gets hot down there and if he had wanted to turn off the AC on a hot day, he could've, causing all kinds of problems for the hospital. Fortunately his ego got the better of him and he posted Youtube videos of his adventures and other clues which led to his sudden wardrobe adjustment.

The whole story is here, which has a link to his last couple posts (prior to getting arrested!) on a hacker forum that he was a member of. (The best part about that thread is where someone labeled him a Massive Chunk of Fail after he was caught - that made me cackle.)

While we're on the topic of computers and health care - did you hear about the MRI machines that were infected with the Conficker worm a while back? Of course, that only happened because the machines had an internet connection. Doh!

Friday, July 10, 2009

New "zero day" Microsoft IE exploit

This has been in the news quite a bit over the last few days, but the nature of it prompts me to briefly post about it: there is a vulnerability in Internet Explorer versions 6 and 7 that can cause your Windows XP or Server 2003 system to be "hacked" just by visiting a site that is serving up the exploit - you don't even have to click on anything. The Microsoft Security Advisory about it is a pretty technical read, so check out this link first for information that is actually readable 8^) . There is a link there that will use MS's relatively new "Fix It" technology to download a ".msi" installer file that will install a workaround. I just tried this and it is pretty easy to do!

Here is yet another example of why it might be smart to use a browser other than Internet Explorer - most casual (and some not-so-casual) Windows users have it as their default, and sometimes only browser. I have been using Firefox for several years - it's not perfect, and as it becomes more popular it's getting its own share of attention from the crooks, but it's still not as prevalent as IE by about two-thirds. Other alternatives are Opera and Google Chrome (neither of which I've used much).

If you insist in using IE, at least update to the latest version, IE 8 (read about it here). You might already have it, as MS has made it a critical update for most or all Windows versions - which I'm not sure I agree with. I suppose (and hope) that their motivation might be that it has enough significant security updates so as to make it "critical" for most IE users.