In-Depth

Briefs

A new Internet Explorer security flaw; heading off phishing attacks

• By Mathew Schwartz
• 07/07/2004

Internet Explorer Security Flaw—Time for a New Browser?

CERT warned of a vulnerability in Microsoft’s Internet Explorer (IE) 6 browser, which “does not adequately validate the security context of a frame that has been redirected by a Web server.” An attacker could hide an attack script—written in JavaScript—in a Web page or HTML e-mail that, if viewed, would trick the browser into giving the script local privileges.

In essence, the script redirects an embedded frame (IFRAME) after a timeout to an error page, considered “local” by security settings, where the script then executes. The script would then be able to arbitrarily run programs, code, or delete information from the PC, at a permission level identical to the user’s.

Secunia rates the problem as “extremely critical.”

The problem can affect any program hosting the WebBrowser ActiveX control or which uses Internet Explorer’s HTML rendering engine, known as MSHTML.

Exploit code is already available, and there already have been reports of related attacks. Two are named Scob and Download.Ject.

No fix is yet available. CERT recommends several workarounds, including disabling ActiveX and active scripting. In addition, a currently available Outlook e-mail security update will limit e-mails to the restricted zone, at least fending off the threat of HTML e-mail-borne attacks.

Best-practices security rules still apply, such as not following any unsolicited links found in e-mail, instant messages, or other forums. Up-to-date antivirus software signatures will also help block at least some attacks.

CERT says organizations might also opt for a different Web browser altogether. “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites.” That approach may, of course, reduce the functionality of other applications, and it may be in vain; some programs rely upon MSHTML anyway.

More information:
http://www.microsoft.com/security/incident/download_ject.mspx

----

Heading off Phishing Attacks

Phishing: the problem is growing. Within the past year, 57 million consumers have received a phishing e-mail, says research firm Gartner Group. Almost 2 million checking accounts have been attacked, leading to an estimated $2.4 billion in fraud.

Blame consumers’ lax security concerns, information overload, or social engineering. Whatever the problem, phishing attacks—fake e-mails and Web sites masquerading as the real deal to steal customers’ credit card and other information—continue to snare people. Unfortunately, businesses often foot much of the bill for fraudulent transactions.

To date, the customers of some companies—PayPal and several consumer-oriented financial services firms—have been especially targeted in multiple, large-scale phishing attacks. Many of those companies have responded by educating customers about the problem, plus information they should or shouldn’t disclose, and in which venues. For example, many companies remind users to double-check they have both a secure HTTP session, and that the URL in their browser matches the company’s actual URL.

Beyond customer education, messaging security vendor Sigaba offers some further tips for tackling the problem.

First, it says, “don’t require users to do anything differently.” Rather, give them tools for verifying the identity of the sender, it recommends, through secure messaging or tools that can verify that the sender is who the message says it is. For instant-messaging-based customer service, it recommends companies use only secure IM—possibly via an applet in an e-mail or on the Web site—to guarantee the company’s identity.

Consulting firm EDS also recommends that companies factor their response to phishing into their disaster recovery plan. That plan should include a healthy communication attitude. “It is the key to recovery,” the company says, and so it recommends companies have “a de facto process in place where businesses can quickly notify stakeholders that a breach has occurred, complete with any recommended next steps to limit exposure on their part.” Timeliness can also maximize evidence collection, since customers can share e-mails they’ve received—before they’re deleted—which can aid companies in prosecuting phishers.

For more tips from EDS on how organizations can tackle identity theft: http://www.eds.com/services_offerings/security/ov_8_identity.pdf

Related articles:

Combating Apathy with Free Security Check
http://info.101com.com/default.asp?id=6032

E-mail Fraud and Phishing Attacks Jump
http://info.101com.com/default.asp?id=5418