Security flaw in Mozilla browsers

http://www.eweek.com/article2/0%2C1759%2C1621438%2C00.asp

Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes.

In short, Mozilla hands off the unknown command to the OS to take care of. This causes the OS to run the program, with no warning.

http://www.mozillazine.org/talkback.html?article=4960 has information about new releases of Firefox, Thunderbird, and Mozilla that fix this problem by disabling calls to the shell: scheme. If you don’t want to upgrade, you can manually turn off shell: calls.

  1. Type about:config in the URL bar.
  2. Right-click and select New -> Boolean.
  3. Enter the preference name network.protocol-handler.external.shell in the box.
  4. If it already exists, the Value box will have the current value. Type false to add/edit the value.

If you’re not comfortable doing that manually, the MozillaZine link above has an XPI installer to change the default preference for you. Once you’ve installed the XPI, you can use about:config and filter for network.protocol-handler.external.shell to make sure the value is properly set to false.

Frames vuln in many browsers

The IE vulnerability I mentioned is actually present in many browsers, including Mozilla and Opera. http://secunia.com/advisories/11978/ has details. Since Windows Update will only work with IE, my demo won’t work on these other browsers. Use the Secunia demo or this new one I made up. It’s the first site I found on Google searching for frames.htm – http://www.isp.state.il.us/sor/frames.htm. Click that to open it in a new window. Once that’s open, come back here and inject invisibill.net into the other window. Good fun!

I just wanted to post this update so that people didn’t think I was purposely trying to hide the fact that other browsers have this bug also…

New vulnerability found in IE 5.01-6.0

Well, it’s newly discovered, but it’s a six-year-old bug… http://secunia.com/advisories/11966/ Basically, IE doesn’t check which window a frame is in, so window #1 can open a page inside a frame in window #2. This has been verified on a fully patched WinXP/IE6.

Here’s an example. www.windowsupdate.com will open in a new window. Once that’s loaded, come back here and inject invisibill.net into Windows Update. Switch back to the Windows Update window, and tell me what you see.

Now imagine if I had used a fake updates page linked to spambots and keyloggers instead of my obviously-not-WindowsUpdate page… It seems like no matter how many major IE bugs get fixed, there’s always another one coming up…

Internet Explorer Too Risky

Business Week Online – Internet Explorer Is Just Too Risky

In late June, network security experts saw one of their worst fears realized. Attackers exploited a pair of known but unpatched flaws in Microsoft’s Web server software and Internet Explorer browser to compromise seemingly safe Web sites. People who browsed there on Windows computers got infected with malicious code without downloading anything.

I’ve been growing increasingly concerned about IE’s endless security problems, and this episode has convinced me that the program is simply too dangerous for routine use.

eWeek – Internet Explorer Is Too Dangerous to Keep Using

In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.

Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.

Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that’s all there is to it and continue to use IE. But as for me, I’m done with it.

Use whatever browser you wish. You know my feelings on the subject by now.

Stop and think about what every security professional already knows. Once an unknown program is installed on a system, the only true way to be totally safe is to wipe the whole system and start over. It sounds extreme, but you don’t know what the program can do. There are ways to limit what a program can do, but on most home PCs these measures aren’t in place (because it also makes it harder to use legitimately). Perhaps it rewrote system files, so that now anything you type is sent to the author. Even if you don’t do any financial stuff online, it could log the account numbers you type into your spreadsheet or financial program. “But my firewall will stop it!” If it could get into your system files, I guarantee it could modify your firewall’s files as well. In general, your overlapping security systems (you do have at least one firewall and anti-virus, right?) should detect problems before they do damage, but it’s not always possible. If one of these malicious programs wanted to be really devastating, it could rewrite itself after doing its dirty deeds – when the final version was analyzed, it would appear to be harmless (or at least less harmful), hiding the true damage.

http://webstandards.org/buzz/archive/2004_06.html#a000366

There is no question in my mind that the consumer has far more power than we poor schmucks fighting for Web standards. With coverage like this, we can help facilitate a more important revolution: Get people to use well-built software and let the losers dig their own graves.

Get people to use well-built software and let the losers dig their own graves. That about sums it up for me.

Messing with DNS

I’m working on getting rid of my old hosting stuff, so I’ve been monkeying with my DNS settings. If stuff stops working, that’s why, and I’ll most likely fix it relatively soon. Hopefully everything goes smoothly though…

IE warning bar added

Another site update. I swiped some code from Ben Goodger and added a warning banner at the top for people using IE. It doesn’t interfere with the site’s operation, but it will show up.

Why? Because I’m sick of IE. It’s a simple fact that many of the cool features of CSS are going unused simply because IE has very limited and buggy support for even CSS1. Check out css/edge. His menu popups are pure HTML and CSS. Most of it is CSS1, with just a bit of CSS2 for the hover stuff (which IE does support). That menu CSS could probably replace half of the Java/JavaScript/Flash on the internet. Less code with better fallback. In some cases CSS even looks better. Unfortunately, many of these features go unused right now, simply because IE doesn’t support them or handles them incorrectly.

If you continue to support a browser with a horrible security record, poor support for open standards, and poor implementation of many of the standards it does follow, that’s your choice. However, the fact that many users choose to use this poor browser means that websites I visit are developed using the “lowest common denominator”. I get to view pathetic websites because the authors need to support this product that so many people use. It does affect me. Therefore, you have to put up with this from me if you choose to use IE.

Site updates

Ok, I did some updating today. I was looking at my template, and noticed that it used tables for layout. Tables are designed for holding tabular data, not for layout. So I changed it to CSS. The only real difference is that the gray sidebar doesn’t extend all the way down to the bottom now, only enough to contain all the links in that box. After that, the main content area spreads wider, so it’ll make my page a little shorter (height-wise), and there will be less wasted space if you’re reading stuff toward the bottom of the page. I changed all my links that open in new windows too. I’ve decided that if people want to stay at my site, they will. External links are now using rel="external", the XHTML standard. I don’t know of any browsers that currently support this, but the more pages that use it, the faster browsers will have to add support for it. So if you want to open something in a new window, you’ll have to do so manually for now.

I also added a Firefox logo to the corner. By no means am I saying that you have to use Firefox to view my stuff. However, IE has utterly awful support of large chunks of even CSS1, despite claiming to fully support it. And that’s not even getting into IE’s security issues. Opera seems to be halfway between IE and Mozilla. It chooses IE’s non-standard route sometimes, in order to go with usability. It’s nice now, but it’s still providing a means for people not to use the standards, which are designed around usability. It’s also closed-source adware. If you have two programs that do the same thing, but one is free and one isn’t, which one would you pick? I just can’t justify spending $40 when there is equivalent (or better, depending on your preferences) software available for free.

I chose the Take back the web logo for a reason. I use Firefox and encourage standards-compliance because it leads to a nice uniform experience. Authors don’t have to code for 10 different browsers. It shows up properly everywhere, whether the user is on a PC or Mac or phone or PDA or some sort of handicapped-access device. A standards-compliant browser runs into some issues when proprietary (usually Win/IE-specific code) is encountered. Many people see it as a problem with Firefox when a site doesn’t work, since it does work in IE. However, if you looked at it with more than just two browsers, you’d most likely see that it works in IE, but nothing else. Often not even Mac/IE, just Win/IE. People say that Firefox should accommodate IE code to gain a userbase. However, supporting IE’s code gives MS (the sole ruler over their MSHTML “standard”) more power, and less incentive for authors to use standard code. Because of Microsoft’s standard methods, it is simply impossible for any outside party to mimic IE’s behavior exactly. No matter how much time was spent trying to copy IE, it would never work exactly the same. Also note that Microsoft is a contributing member of the W3C. They help create these rules that they (and many webmasters) ignore. If IE doesn’t support standard code, it’s due to bad programming by MS. That fact inspires even more confidence in using Microsoft’s “standard” for HTML, right? Depending on what your website does and where you’re located, using IE-only code may even be in violation of accessibility laws, if you need some good monetary incentive to update things.

If you’re interested in making your site standards-compliant, check out W3C’s Validator. It will look at your pages and tell you what’s wrong. The errors aren’t always the easiest to decipher, but it will tell you if it’s correct or not. MozillaZine’s Web Development / Evangelism Forum can also provide help on figuring out errors, or converting code. Note that these are just supporters of Mozilla’s goals who want to see a standardized web, so they may not have every answer or be able to help you instantly. But the collective knowledge there is pretty impressive.

And another IE security bug…

http://secunia.com/advisories/11830/

Similar to older bugs, this one involves a URL that begins with a trusted site name, then some funny characters, then the real site name. The real site is then handled under the trusted site’s permissions. It does require the real site’s DNS to accept wildcards and invalid “Host:” header values.

Solution:
Set the security level for all zones to “High” in Internet Explorer. This will impair functionality on many web sites.

Don’t follow links from untrusted sources, but input URLs manually in the address bar.

Use another browser.

Don’t think I could say it much better myself. Either disable all the fancy stuff that people use IE for (leaving you with a browser that supports even fewer features than IE-alternatives), or switch to a different browser.

CSS + PHP Progress Bar

Ok, did it again. =) http://pctech.invisibill.net/testbar.php uses PHP server side includes to pull the percentage from a text file on the server. As you can see, http://pctech.invisibill.net/barprogress.txt simply contains “80”. The <? include("barprogress.txt") ?> tells PHP to open up the text file and insert its contents there. Instead of hard-coding the percentage in the progress bar code, I’m telling it to insert whatever number is in the text file.

This means that you can edit or upload a new barprogress.txt file to change the progress bar. You don’t even have to get into the code. It could be handled similarly to uploading a new image representing the current progress, or you could edit the text file on the server if you needed to. Even if you uploaded a new copy of the file for every change, the upload would still be smaller than sending a whole image every time.
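
Note that include() parses barprogress.txt as PHP, so anyone able to edit or upload that file can run code on the server, and whatever the file contains lands unchecked in the style attribute. The following is an added example, not the site's original code: it reads the file as data and accepts only a whole number from 0 to 100. The function names read_progress and render_bar and the temporary sample files are assumptions made for the illustration.

```php
<?php
// Added example: treat the progress file as data, never as PHP source.

/**
 * Return the percentage stored in $path as an int in 0..100, or $fallback
 * if the file is missing, unreadable, or anything other than a plain number.
 */
function read_progress(string $path, int $fallback = 0): int
{
    // Read at most 16 bytes: a percentage never needs more.
    $raw = @file_get_contents($path, false, null, 0, 16);
    if ($raw === false) {
        return $fallback;
    }
    $raw = trim($raw);
    // Accept one to three ASCII digits only, so markup, signs, units
    // and PHP tags are all rejected.
    if (!preg_match('/^[0-9]{1,3}$/D', $raw)) {
        return $fallback;
    }
    return min(100, (int) $raw);
}

/** Render the two-box bar from the CSS post using the validated number. */
function render_bar(int $pct): string
{
    return '<div style="width:400px;">' . "\n"
        . '  <div style="text-align:center; float:left; width:' . $pct
        . '%; color:white; background:green;">' . $pct . '%</div>' . "\n"
        . '  <div style="text-align:center; background:red;">&nbsp;</div>' . "\n"
        . '</div>' . "\n";
}

// Constructed sample inputs: one normal file, one carrying PHP code.
$good = tempnam(sys_get_temp_dir(), 'bar');
$bad  = tempnam(sys_get_temp_dir(), 'bar');
file_put_contents($good, "80\n");
file_put_contents($bad, '<?php echo "executed"; ?>');

echo render_bar(read_progress($good));
echo render_bar(read_progress($bad));   // content is rejected, never run

unlink($good);
unlink($bad);
```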

CSS Progress Bar

A user on a board I frequent wanted to make a progress bar on their website. You know, to show how pregnant you are, or how close you are to a donation total, stuff like that. My first thought was to use CSS boxes to make a fixed-width box containing two other boxes. The first box would have a width of whatever percentage you have completed. The second box would expand to fit the rest of the space. Others suggested just making an image for each percentage that needed to be shown, and just copying each one to currentprogress.gif or something.

Mine was a decent idea, but I wasn’t really familiar with CSS enough to just spit out the code for it. Someone else used the same basic idea and did it with tables. The row had a background color of red, with a green first column and a blank second column. I’m all for standards and getting people away from using tables for layout stuff, so I looked up some CSS stuff and figured it out.

<div style="width:400px;">
  <div style="text-align:center; float:left; width:90%; color:white; background:green;">90%</div>
  <div style="text-align:center; background:red;">&nbsp;</div>
</div>

Here’s what that looks like:

90%
 

It’s just a small bit of code, and you simply change the first “90%” to change the width of the “completed” bar, and the second “90%” to change the caption. If you don’t want a caption, just replace it with a non-breaking space like the second box has (the box needs to contain something, or it won’t be displayed). If you want, you can change the text alignment to right and the caption will show next to the green/red intersection. Here’s a page showing that. Also, I believe it should show up as just “90%” on browsers that don’t support CSS. It’s not automatic as if it were linked to a database, and it may or may not be more work than simply uploading a new copy of an image. Depending on your host, you may be able to edit the page from a shell and not have to bother with uploading anything. It may or may not be easier for you, but this is just one more thing to show off the abilities of CSS.