
July 04, 2004

Not My IE No More

Internet Explorer is proven unsafe, making alternates like Firefox and Opera safer than MyIE2

The appearance of proof-of-concept virus strains as live infectors that cause data loss and losses in productivity appears to be the trend for 2004. New infectors written in JavaScript and embedded within HTML pages are the new propagation medium. All browsers support scripting, which is commonly used for menus, link handling and image transitions. But it's the way Internet Explorer (IE) handles scripted requests that puts users most at risk. What makes IE more dangerous than alternates like Firefox and Opera is that it allows remote scripts to execute files on a local computer with nearly the same privileges as the logged-in user. When that user's account has administrative capabilities, the real damage begins.

About 10 days ago, the first reports appeared of a strange Trojan that was being auto-downloaded and then installed on computers worldwide. The users didn't need to visit a specific web site. A security breach at several popular web sites running Windows Internet Information Services (IIS) allowed a remote attacker to upload a Trojan that downloaded a JavaScript-powered exploit onto any visitor's computer that used IE to access the compromised site!

The Scob Trojan (JS_JECT.A, JS.Scob.Trojan, JS.Toofeer) affects Windows 95, 98, ME, NT, 2000, XP (excluding XP SP-2) and 2003. When run, the JavaScript-powered infector loads MD.HTM, then replaces this file's content with SHELLSCRIPT_LOADER.JS, which in turn creates an IFRAME "myiframe" that downloads SHELLSCRIPT.JS. This last script file exploits IE's ADODB.Stream vulnerability, which allows download and execution of binary executables. In this instance, Scob downloads MSITS.EXE from an infected Web site, renames it as WMPLAYER.EXE and installs it to the \Program Files\Windows Media Player folder, overwriting the existing file.

As of writing, the download.ject attack contained various Trojans, including keystroke loggers, proxy servers and back doors for full access to infected systems. Although Microsoft has released a patch and the Russian web site that first propagated the Trojan has been taken off-line by its ISP, it's just a matter of time before Scob, like other proofs-of-concept that mutated, changes its colors too!

To check if you've (accidentally) downloaded the malicious code, check your computer for KK32.DLL and SURF.DAT. If found, use one of the many on-line cleaners available to clean your computer. You should also download and install the update for Windows 2000, XP and 2003. Users of other Microsoft Windows versions will need to manually disable IE's ADODB.Stream object. You can manually add a registry key as follows:
  1. Click Start, and then click Run.
  2. In the Open box, type Regedit, and then click OK.
  3. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
  4. Right-click ActiveX Compatibility, point to New, and then click Key.
  5. Type the following name for the key: {00000566-0000-0010-8000-00AA006D2EA4}
  6. Right-click the new key, point to New, and then click DWORD Value.
  7. Name the value Compatibility Flags.
  8. In the right pane, right-click Compatibility Flags, and then click Modify.
  9. In the Edit DWORD Value dialog box, make sure that the Hexadecimal option is selected, type 400 in the Value data box, and then click OK.
  10. Close Registry Editor.
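
The file check and the registry steps above, scripted in PowerShell as an added example that is not part of the original post. It assumes a Windows system with PowerShell 3.0 or later and an elevated prompt; the function names are illustrative, and because the post does not say where KK32.DLL and SURF.DAT are placed, the whole system drive is searched.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'  # key name from step 5
$Parent  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KeyPath = "$Parent\$Clsid"
$Name    = 'Compatibility Flags'                     # value name from step 7
$KillBit = 0x400                                     # hex 400 from step 9

function Get-CompatFlags {
    # Current DWORD value, or $null if the key or the value is missing.
    $p = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Test-KillBit {
    # True only when the value exists and has the 0x400 bit set.
    $flags = Get-CompatFlags
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null    # steps 4-5: create the key
    }
    $flags = Get-CompatFlags
    # Keep any flags already present and add 0x400 (steps 6-9).
    $value = if ($null -ne $flags) { $flags -bor $KillBit } else { $KillBit }
    New-ItemProperty -LiteralPath $KeyPath -Name $Name -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Find-IndicatorFiles {
    # The post names the two files but not their location: search the drive.
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File `
        -Include 'KK32.DLL', 'SURF.DAT' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$hits = @(Find-IndicatorFiles)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else {
    Write-Output 'KK32.DLL / SURF.DAT not found.'
}

if (-not (Test-KillBit)) { Set-KillBit }
if (Test-KillBit) { Write-Output "Kill bit 0x400 is set on $Clsid." } else {
    Write-Error 'Kill bit could not be set; is the prompt elevated?'
}
```
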
This key is recognized by IE, which then blocks the component from running; the error dialog "ActiveX component can't create object: 'ADODB.Stream'" is displayed for each instance. However, if you'd rather not fiddle with the Windows registry, patches to resolve download.ject are available for Windows NT/2000/XP/2003, for Windows 9x/ME and for Windows 64-Bit Editions.

The key problem with Internet Explorer is that its development has stagnated for the past 3+ years. And while Microsoft periodically issues updates to resolve specific vulnerabilities, IE's technology platform is quite obsolete and lacks features like tabbed windows and mouse gestures, feature enhancements included in the free MyIE2, or in the shareware GreenBrowser or NetCaptor (which started it all).

I'm now beginning to use the free Firefox browser because it does everything IE can, and more too! Firefox is also safer to use since it's not accorded the system-level access privileges IE gets. Plus, with the beginnings of a W3C standards-compliant Internet, sites that work only with IE and no other browser have declined considerably. Even Microsoft sites like MSN, Hotmail and MSDN work at 98% or better with non-IE browsers, as does Google's GMail Beta, which I can access using Firefox 0.9.1.

Of course, after the download.ject exploit alert, Firefox downloads increased exponentially! But I don't think this free browser will be able to sustain its high propagation rate if IE development shifts back into high gear. As it is, Microsoft has a possible contender in MSN Explorer, included with Windows XP. Unfortunately, this browser needs an MSN Network (or Passport) user ID to connect. The Longhorn web browser Beta leaked a few months ago showed promise but was too buggy to use.

Of course, the key to IE's insecurity is that it has a 95% market share. When the current 2-3% market share held by alternate browsers increases to 25-30% or more, be prepared for security issues and other vulnerabilities. As it is, Firefox is plagued by buggy extensions that often cause the browser to crash before it even loads!

Outlook Express may be a neat (and free) email client, but it's insecure because it too depends on the IE engine to render HTML. It's also equally vulnerable to scripted content. And while you can restrict, or completely disable, access to scripting, ActiveX controls, and more, this so cripples browsing and reading email messages that it's better to switch to an alternate that doesn't even support the technology. Which is why I now use Firefox for browsing and Thunderbird for email. Both installed versions are the MOOX-optimized versions for Windows. I have also installed the free Spoofstick extension in Firefox to reassure me I'm browsing the real site.

That's it for now. Stay Safe!