  1. #1
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    ...and neither will a lot of other things - some of which you might want.

    The site in question does not display a pop-up for me. Mind you, I am running NoAds (#82, from you know where...). It does not need to be configured.

  2. #2
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Correct -- "a lot of other things" like viruses and trojans! This is exactly how some people just got stung with Nimda...

    There is nothing I want from a site that I cannot trust. I do not want Scripting running from a site I do not know and trust. If I trust it, it ends up in my trusted sites.

  3. #3
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    ...not if you're protected properly and aren't running on an IIS server. Even highly complex worms like Nimda can only hurt you if you haven't patched the security holes. A few posts ago I sent a visual illustration of what Nimda can do.
    There's several things you can do other than disabling the ActiveX utility.

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Sorry, but disabling Active Scripting is not the same as disabling ActiveX.

    Disabling the Host is not an option for me -- I write scripts!

    Pop-up Windows are not a Macro vulnerability. Neither is Nimda.

    Outlook Security has nothing to do with Pop-ups on a web site.

    Pop-up windows are rarely, if ever, triggered by auto-running .exe files.

    Security patches from Microsoft do not block Pop-up Windows nor disable script on web sites.

    Personal firewalls do not block Pop-up Windows OR script!
    _________________________

    I fail to see any relevance to this poster's problem: "Advertisments in separate window ". However, those points are VALID and are good advice, they just have nothing to do with the topic...

  5. #5
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    ...that's because I wasn't addressing the poster's problem, but your suggestion to disable Active X to prevent javascript running.
    If you've plugged the security holes, an infected web site can't drop a worm and if you take the other precautions Nimda (which you brought into the discussion) can't get you via email, or in any other way. (Always assuming you are not opening attachments willy-nilly). In my opinion disabling Active X is not necessary. You could, of course, set it to 'prompt' or just disable the potentially dangerous options.

    Actually, I would agree about the Scripting Host, but with MoOutlook Security running (which is by no means restricted to Outlook) disabling WSH isn't necessary either.

  6. #6
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Merc - I still have to disagree. Disabling ActiveX does not Disable ANY script -- JavaScript, or otherwise. I did not recommend Disabling ActiveX to prevent these pop-up ads -- because it will not be successful!

    You can only Disable scripting by, eh, disabling scripting. These are two separate things. Just take two seconds and open the Security tab and select "Custom settings". You will see the ActiveX options come first. THEN, near the end you will see options for Scripting. Microsoft does NOT list them together for one very good reason -- they are NOT the same thing!!

    Disabling ActiveX will prevent ActiveX controls and plugins from running -- such as Shockwave Flash or even Acrobat Reader. Both of these use ActiveX -- NOT scripting.

    Disabling ActiveX will in NO WAY block scripting. It will NOT prevent most pop-up ads. You must Disable *Active Scripting* to block scripts -- and therefore prevent many pop-ups.

    There is obviously a problem with terminology here. Let's start from the top. There are three major divisions of "Active Content" on a web page:

    1) ActiveX
    2) Scripts
    3) Java

    These are ALL "Active Content" -- but they are NOT all the same!! You cannot block one by disabling the other. Microsoft's IE user-interface has a Security tab under Tools | Internet options. You will note that on this tab there are several sections. Three of them are ActiveX, Java, and Scripting. They are all separate. They are not the same thing. Have I said it enough times??? ;-]

    And before you ask -- NO, JavaScript is NOT Java!!! You cannot block JavaScript by Disabling Java. You block JavaScript the same way you block any other script -- by Disabling Active Scripting. NOT by Disabling ActiveX.

    I appreciate the fact that Active Content, ActiveX, and Active Scripting all have the word "Active" in them -- but it does not make them the same.

  7. #7
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Hi

    "The page in question appears to use one of the most common techniques to display this pop-up window -- it uses JavaScript. If you select to Disable Active Scripting in the Tools | Internet Options | Security tab | Internet zone | Custom settings box, this pop-up should not load."
    First : I misquoted you here. Obviously, you did not suggest disabling Active X disables javascript. For that, I apologise.

    Second : it does not alter the thrust of my argument. Turning off the Active Scripting options in Security would seem to be somewhat extreme, when they can be set to safe levels.

    In spite of your patronising attitude, you clearly appear to know about scripting and the rest. I thought I was aware of how the OS handles the very different Java and javascript but since running XP I'm not so sure.

  8. #8
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Merc, sorry to be a PITA, however, it seems like you keep trying to discredit my posts, so I have taken a defensive attitude to your responses. Frankly, I think you are a very helpful poster on this board, but you seem to have singled me out as someone you need to correct -- if I am right or wrong. Granted, I am wrong just as much -- if not more -- than anyone else, and I don't mind being corrected if it is for the right reason. Let's get beyond the superficial stuff and move on.

    Let's turn this into a discussion of security options. OK, you may feel disabling Active Scripting is too harsh, but I argue it is not.

    Security will always be a personal decision. Some people use home security alarms and others do not. Who is right? I spend that silly $40 a month "monitoring fee" for my house. So far, it has caught no burglars and it has misfired twice. So it has done *nothing* good for me yet -- yet it makes my wife feel safer. Is this wrong?

    All "Active Content" (ActiveX, Scripting, and Java) can make the Internet far more Interesting and entertaining. It definitely adds 'value' to your Internet experience. However, they are a double-edged sword. These fantastic technologies can be used to nefarious ends. It is not the fault of the technology itself, it is just that people will take a convenience, find a loop-hole, and use it for other purposes.

    This is like those car "fobs" to which we have all become so accustomed. Do they even sell cars nowadays that don't have them? You push a button on your key chain and your car unlocks itself -- COOL! Until someone created a device that would capture your code as it was transmitted, and now they can unlock your car anytime they want. The fob itself isn't the problem, and if you use it in your neighborhood in front of your house, you are probably safe. But should you use it in a downtown parking garage? You might want to think twice.

    I look at the Internet like the world. Some areas are like my neighborhood and some are like the downtown parking garage. I put the areas that are like my neighborhood in my "Trusted sites" zone, and I let them run ActiveX, Scripting, and Java as they wish. I have *.wopr.com in there along with some other sites I frequent. I allow these technologies to enrich my Internet experience, but in a way that makes me feel safe.

    Other sites that I really don't know about are in my default "Internet zone". This zone is NOT set up like the MS 'default'. Instead it is more akin to the settings in the default "Restricted sites" zone. In both of these zones, I have ActiveX and Scripting disabled. I have Java disabled in my Restricted sites, but at "High safety" in my Internet zone. Java at High Safety is limited to a "sandbox", so it is fairly safe.

    Let me take a not-so-quick side step. You are just like everyone else -- and that includes ME. Everyone looks at the "Scripting of Java Applets" and says "JavaScript". Sadly, the terminology that we are forced to use is just confusing. Java is not the same as JavaScript and they are controlled differently -- as you have discovered.

    JavaScript was created by Netscape many years ago. While the coding may be similar in some aspects, it is not the same as Sun's Java. Microsoft took the JavaScript technology and created their own "JScript" and took Java and created their "Virtual Machine" which it incorporated into IE. As you probably know, because of the lawsuit with Sun, MS had to pull their JavaVM from IE6.

    JavaScript and the related JScript are just other types of scripts -- like VisualBasic Script. All of these are run on your Windows computer by the "Windows Scripting Host". If you remove or otherwise disable WSH, then you will not be able to run script on your computer. This is a security solution that many people have chosen. While it is successful, it may be similar to using those bars over the windows and doors to secure your house. It works, but it may not be attractive. There are some very nice little applets that use WSH, so if you disable it you give up functionality. You also seem to feel that script on web pages may enhance your Internet experience, and if you remove WSH, you completely eliminate these enhancements.

    OK, back on track. What is the concern about Scripts and ActiveX? Well, one of the 'vectors' of Nimda was that it used JavaScript on websites to secretly download the Nimda virus/worm onto your computer. You would receive no warning or other indicator -- the dang thing just installed itself behind your back!

    If you had a recently updated virus program, it would catch it. But if you did not, you were vulnerable. The only way to avoid this in the first place was to simply disable Active Scripting in your Internet zone. If you didn't run script, you could not get infected. It was that simple. This is just one recent and relevant example of the problems of scripts on web pages. There are others, but to me, just one example of a serious vulnerability should be enough.

    Additionally, JavaScripting is VERY FREQUENTLY used as the mechanism for those annoying "pop-up" ads. Disable Active Scripting and test this theory. Give it the 'real test' -- go to some of those lovely adult sites that seem to have pop-ups occurring faster than you can count (eh, not that I ever have!). You will be pleasantly surprised (eh, and not just by the pictures!).

    ActiveX is also a very intriguing technology. This is an outgrowth of the old "Object Linking and Embedding" (OLE) from earlier versions of Windows. Many people -- including Mr. Leonard in his newsletter -- think of this as "scripting", but it is not script. This involves little programs or applets that may come with IE, or can be downloaded on to your computer. You will note the first two choices on the Security tab | Custom Level box are to allow you to "Download" various ActiveX controls and plugins. Scripts do NOT require you to download ANYTHING. Scripts use the Windows Scripting Host to run -- they don't need anything else.

    ActiveX does NOT use the Scripting Host -- it is not script no matter who says it is. Disable or remove WSH and ActiveX works fine. Instead ActiveX uses program files -- generally *.ocx files -- to run. Do a Search for *.ocx files and you will find many. For example, you will find "swflash.ocx". That is for ShockWave Flash -- remove this file and you will no longer see ShockWave Flash programs run on a website. You may also find "pdf.ocx". This is the ActiveX control for Acrobat Reader -- click on the properties of this file and you will even find that its name is "Acrobat Control for ActiveX". Remove this and you cannot view .pdf files in your browser. Clearly, these are NOT script that are using the Scripting Host. They are relying on the downloading and/or installation of files to run on your computer.

    ActiveX is a technology that is a disaster waiting to happen. These programs can be made to do almost anything. Unlike Java, ActiveX CANNOT be run in a "sandbox" -- an isolated area of your computer. These programs have full access to your entire computer. If you want to see which ones have been downloaded by IE on to your computer, look in this folder: C:\WINDOWS\Downloaded Program Files. This can also be accessed by clicking Tools | Internet Options | General tab | Temporary Internet Files | Settings | View Objects.

    Are there specific examples of problems with ActiveX? Yes, but I will have to refer you to google to look for these (I don't have time to write all this and dig up links, sorry!). One example that quickly comes to mind is Comet Cursor. If you are not aware of what this does, then look on Google for information on it. It is not something you want on your computer. If you visit some web sites, the ActiveX control for Comet Cursor is secretly installed on your system and it begins transmitting information behind your back. Great, huh?

    And what did you have to do to get this 'infection'? Simply visit a website with ActiveX Enabled. That is it!

    Time to run. In summary,

    1) Certainly Active Content enhances the Internet Experience.
    2) However, these technologies can be used to do things you might find undesirable -- install viruses/worms, pop-up annoying ads, and install 'spyware' on to your computer.
    3) IE does give you the option to control these -- but it does NOT come that way 'out of the box'.
    4) There are many ways to control Active Content -- using IE's Security zones is one of them, but there are MANY third-party programs out there to do this.
    5) Simply Disabling Active Content -- especially ActiveX and Scripting -- in the Internet zone is one of the simplest ways -- and it is very effective.
    6) You can still enjoy a rich Internet experience -- simply add the sites you trust to your Trusted sites zone.

    Security remains a personal choice. You can choose whatever method you like, but an informed decision is a better decision.
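The zone setup described in the post above can be checked from a registry export, since Internet Explorer stores each zone's settings as separate numbered values. This is an added example, not part of the original thread: the two exports are constructed samples, and the function names are hypothetical; the value names and data are Microsoft's documented URL action codes.

```python
import re

# Documented URL action codes stored as value names under
# ...\Internet Settings\Zones\<n> (zone 3 is the Internet zone).
ACTIONS = {
    "1001": ("ActiveX", "Download signed ActiveX controls"),
    "1004": ("ActiveX", "Download unsigned ActiveX controls"),
    "1200": ("ActiveX", "Run ActiveX controls and plug-ins"),
    "1400": ("Scripting", "Active scripting"),
    "1402": ("Scripting", "Scripting of Java applets"),
    "1C00": ("Java", "Java permissions"),
}
STATES = {0: "Enable", 1: "Prompt", 3: "Disable"}
JAVA_LEVELS = {0x00000: "Disable Java", 0x10000: "High safety",
               0x20000: "Medium safety", 0x30000: "Low safety",
               0x800000: "Custom"}

VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample: the Internet zone as the post describes it
# (ActiveX and scripting disabled, Java at High safety).
ZONE_AS_DESCRIBED = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000003
"1C00"=dword:00010000
"""

# Constructed sample: ActiveX disabled but Active scripting left enabled.
ZONE_ACTIVEX_ONLY = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000000
"1C00"=dword:00010000
"""


def parse_zone(reg_text):
    """Return {action code: integer value} for every dword line in the export."""
    settings = {}
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line.strip())
        if match:
            settings[match.group(1).upper()] = int(match.group(2), 16)
    return settings


def report(reg_text):
    """Group the known settings by category: ActiveX, Scripting, Java."""
    grouped = {}
    for code, value in parse_zone(reg_text).items():
        if code not in ACTIONS:
            continue
        category, label = ACTIONS[code]
        table = JAVA_LEVELS if code == "1C00" else STATES
        grouped.setdefault(category, {})[label] = table.get(
            value, "unknown (0x%X)" % value)
    return grouped


def scripting_disabled(reg_text):
    """Only value 1400 decides whether page script runs in this zone."""
    return parse_zone(reg_text).get("1400") == 3


if __name__ == "__main__":
    for name, text in (("as described", ZONE_AS_DESCRIBED),
                       ("ActiveX off only", ZONE_ACTIVEX_ONLY)):
        print(name, "-> scripting disabled:", scripting_disabled(text))
        for category, values in sorted(report(text).items()):
            for label, state in values.items():
                print("   %-9s %-36s %s" % (category, label, state))
```
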

  9. #9
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Hi
    Sorry for the impression. I had no intention of trying to discredit you - there's nothing personal in it. On occasion I find I have a different pov from yours. It's not a matter of correction for reasons, simply for balance.
    Sometimes I find myself playing devil's advocate : defending a position that is not necessarily my own. Naturally, it could be rather annoying to be told in the terms you used in your last post-but-one about the differences between javascript and Java when I have myself explained such differences (in less depth perhaps) on many occasions.
    However, like you, I admit that I often make mistakes (misquoting you was a slip I regret, as it made me look stupid) especially as I am often composing replies well after midnight.
    Inimical scripting can be guarded against using MoOutlook Security : it prevents scripts with a range of extensions commonly used by crackers from running within OE, Outlook, IE and WinZip. Instead it saves them to a file so you can look at them first.
    Nevertheless, I have learnt a great deal from your posts (and not only that you are more familiar with the subject matter than I am) and for that alone I may occasionally present an adversarial attitude. Sort of like poking a rattlesnake to get it to strike, so you can see what you can learn from it.
    My main argument regarding security is that I visit hundreds of web sites in a week. I have a suite of security options in place, and my IE options set to medium. I take the necessary precautions with email. There have been many attempts to penetrate my defences - so far with singular lack of success. I have had viruses sent to me as email attachments (who hasn't?) but have yet to get infected. I don't think it's mere luck. Am I being foolhardy?
    One question about Active X nasties. By what mechanism are they put on to your computer? Not via cookies, or you would have suggested setting cookies to a safer level. By using a port? My firewall has stealthed these. Downloading an *.ocx file? I only allow those that have been digitally signed.

    In your last post was a wealth of condensed and useful information. Mind if I edit it and put it up as a text file for people to download from my site? I'll even acknowledge it as coming from you if you let me have your name.

    Rgds

  10. #10
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Merc, I really don't mind the alternative POV -- keep it coming. But if I seem patronizing, it is all tongue-in-cheek. No matter. I love to poke rattlesnakes all the time. ;-]

    ActiveX files are downloaded by IE itself -- my guess is through the same port you are communicating. It works the same way you download any other file. I suspect you already know this, but IE will use a random port over 1024 (the "ephemeral ports") -- the same way all TCP connections are made. Since you have initiated and established the connection, this is NOT something your firewall will block -- you choose to go to that web site. Your firewall sees this as a connection you have permitted.

    I have not looked at "MoOutlook Security" -- so I have no idea what it does. However, the name seems to imply it is for "Outlook" -- not IE. Should it be called MoIE Security? ;-]

    I would be very interested in how it prevents scripts from running in IE. If it does, then it is doing nothing more than turning off scripts like I described above. In that case, you should get no pop-up ads as well. However, my guess is that MoOutlook Security ONLY works for files that have been downloaded on to your computer -- such as Outlook attachments. If this protects you from Outlook attachments, it UNLIKELY can protect you from scripts embedded in web pages. It will NOT likely do both.

    As for not getting infected yet -- well, there are plenty of people whose houses never get robbed if they leave the door open. I am not sure I am willing to try that method on my house. Again, it is a personal choice.

    ActiveX files are not cookies -- they are files that are downloaded. Cookies are just text files that can be read by a specific web site. A program file (such as an ActiveX control) is NOT a text file. It is a file that can perform a large number of functions -- including erasing your hard drive. ActiveX controls are program files and can do what any other program file can do.

    You must have downloaded files from the Internet before -- they are not cookies. They are real, active, functional files. If your Internet zone Security tab shows that you have Enabled the "Download signed ActiveX controls", then IE will download these files when it wants to or needs to. By not removing that check, you have given IE that privilege.

    Do you believe digital signing is that secure? Fine. It is your choice. That only guarantees the control was digitally signed when the creator created it. HOWEVER, the creator is not sitting observing what other people have chosen to use their control for! Also, the signatures can be spoofed and re-used far too easily. Look into this further and you will realize that a signature is not enough. It is too easy to abuse.

    I recommend you look further into the security MoOutlook really provides you for script embedded into web pages. I would also recommend you look further into the REAL security behind a signed ActiveX control. Let me know what you find out. Thanks.

  11. #11
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Hi : re MoOutlook Security (http://www.mobiusware.com/)

    Yeah, I reckon they've misnamed it.
    What it does is stop users (and their systems) executing certain file-types directly or inadvertently. e.g. if you have HTML email enabled, just reading it could cause certain worms to execute (e.g. JS.Offensive) if you have not plugged all the security holes in IE. Since it does this for the HTML embedded script in an email, I should imagine it protects you from infected web pages as well. I don't think it touches email attachments, unless they have one of those double extenders that includes one of those listed below. Anyway, surely nobody actually opens attachments directly any more? My usual advice is not to get into the habit of sending or receiving them. It's a good way to get and spread viruses.

    It controls the following script files :

    - *.vbs
    - *.vbe
    - *.js
    - *.jse
    - *.wsf
    - *.wsh
    - *.hta
    - *.shs
    - *.reg

    "These file types are often used by virus writers to spread viruses.
    MoOutlookSecurity prevents these files from being directly executed by the user. Instead of 'running' the applications MoOutlookSecurity displays them to the user".


    (example : If you have MoO running and click a *.reg file, it will not modify the registry, but will display in Notepad. To use the .reg as intended, you need to right click and select Merge.)

    It will provide "enhanced security" whilst running the following:

  12. #12
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Hmmm... first off, I seem to be mentally impaired more than usual. I cannot find MoOutlook on that MobiusWare site. I do not see it under the Professional Products.

    However, by your description it works on "certain file-types". If this is the case, then it unlikely works on embedded scripts in HTML. That means HTML on a web site -- AND also scripts embedded in HTML email.

    Want easy proof? Make sure THIS SITE (www.wopr.com) is in your Internet zone with Active Scripting enabled. Have MoOutlook active -- supposedly stopping "scripts" from running -- correct?

    Now, put your mouse pointer over the QuickStyleFlash: Show Lex's. Don't click yet, but instead look at the left end of the status bar (bottom of window). You will note it says "Shortcut to java script: changeSheets(2)". This is obviously a link to some script -- JavaScript to be exact. Now click the Show Lex's. Then click Show Mine.

    OK, that is JavaScript. It is on this HTML web page. If you are relying on MoOutlook to protect you from HTML embedded script, you are putting yourself at risk. From what I can tell, MoOutlook can ONLY protect you from "these files from being directly executed by the user".

    That means the FILES must be on your computer. MoOutlook simply changes the default association of those listed file-types from Open to Edit. This type of security works fine for Email attachments. They are just files that are downloaded on to your computer.

    **But it has NO effect on scripts embedded in HTML.** That includes HTML on a web page and in an HTML email.

    Now I know, you are going to say that the "Show Lex's" example required you to click something. That is true. But NOT all script requires you to click anything. Script can be running automatically by viewing a web site or opening an email. Even the "Preview Window" in Outlook makes you vulnerable. That is why some people recommend you disable the Preview Window.

    The simplest way to protect yourself against SCRIPT in HTML from running is to Disable Active Scripting in your Internet zone. For HTML Email, make sure your Outlook or OE open into your Restricted sites and make sure you have everything Disabled in your Restricted sites.
    ____________________________

    In a related issue: Microsoft is well aware of the dangers of script embedded in HTML email. So much so, that "HotMail" will not allow script tags in the body of the email. HotMail actually removes or disables the script in the document.

    HOWEVER, as always, some users have found a way around this. You can bypass the HotMail filters by inserting JavaScript into the "From" line!! Read more about this here: http://www.newsbytes.com/news/01/169934.html.
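The distinction argued in the post above (a control keyed on file extensions versus script embedded in HTML) can be seen by inventorying one page's active content. This is an added example, not part of the original thread: the HTML is a constructed sample with a placeholder CLSID, the function names are hypothetical, and the extension list is the one quoted earlier in the thread.

```python
from html.parser import HTMLParser
import os

# Extensions the thread lists as handled by the file-association tool.
LISTED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".shs", ".reg"}

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<script>function changeSheets(n) { /* swap stylesheet */ }</script>
<script src="/js/menu.js"></script>
</head><body onload="changeSheets(1)">
<a href="javascript:changeSheets(2)">Show Lex's</a>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="/controls/placeholder.cab"></object>
<applet code="Ticker.class" width="100" height="20"></applet>
</body></html>"""


class ActiveContentInventory(HTMLParser):
    """Collect (category, kind, file_ref) for active content in one document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "script":
            src = a.get("src", "")
            kind = "external script" if src else "inline script"
            self.items.append(("Scripting", kind, src or None))
        elif tag == "applet":
            self.items.append(("Java", "applet", a.get("code") or None))
        elif tag == "object":
            classid = a.get("classid", "").lower()
            if classid.startswith("clsid:"):
                self.items.append(("ActiveX", "control", a.get("codebase") or None))
            elif classid.startswith("java:"):
                self.items.append(("Java", "applet via object", None))
        # Script can also live in attributes, with no file behind it at all.
        for name, value in a.items():
            if name.startswith("on"):
                self.items.append(("Scripting", "event handler " + name, None))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.items.append(("Scripting", "javascript: URL", None))


def inventory(html):
    parser = ActiveContentInventory()
    parser.feed(html)
    parser.close()
    return parser.items


def names_listed_file(item):
    """True only if the item points at a file with a listed extension.

    Even then the browser's script engine loads it; the shell's
    Open/Edit file association is never consulted.
    """
    ref = item[2]
    if not ref:
        return False
    path = ref.split("?", 1)[0].split("#", 1)[0]
    return os.path.splitext(path)[1].lower() in LISTED_EXTS


def summarize(html):
    """Return ({category: [kinds]}, scripting items with no listed file)."""
    items = inventory(html)
    by_category = {}
    for category, kind, _ref in items:
        by_category.setdefault(category, []).append(kind)
    fileless = [i for i in items if i[0] == "Scripting" and not names_listed_file(i)]
    return by_category, fileless


if __name__ == "__main__":
    categories, fileless = summarize(SAMPLE)
    for category in sorted(categories):
        print(category, categories[category])
    print("script items an extension list never sees:", [k for _, k, _ in fileless])
```
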

  13. #13
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Hi
    From the Freeware page you mention, there should be a left-hand frame in bright blue. One of the clickable options is Downloads. Click this and on the new page MoO is the fifth down. If you could try it out, I would be very interested to know if it does or does not offer protection from unfriendly script. I am beginning to think it won't, since it specifically refers to file extensions. One of them is .js, but the javascript I use on my web pages never uses it.

    I've also noticed that my virus scanner (NAV) has 'script blocking' enabled, yet it does not turn off animations or pop-up ads - or Lex's stylesheet. Under Internet, Web Protection the only option, called Netscape Navigator, is greyed out.

    I'm now beginning to wonder what exactly HTML embedded scripts we are talking about. I thought the term referred to worms sent to your system in an email page, or via a web page. (I was not talking about email attachments, which are a quite different thing). If this is the case, they must be trying to exploit some hole or other in your security. If you have all the holes blocked, any penetration would have to be via some as yet unknown breach.

    Am I correct in asserting that script worms cannot infect a system with correctly patched security, even with Active Content engaged? (Have a field-day with that one).

    I can see why you pour scorn on my reliance on digital signatures. I won't any more. Equally, I can't see how placing sites in your trusted zone would protect you, should one of them have been nobbled, Nimda-wise. As far as I can see (HTTPS:// apart) if you visited one of your trusted sites which had been innocently infected, your security settings are so low you, too, would have become contaminated.

    btw with Active Scripting set to Prompt, trying to preview a post here brings up a dialog box. With it disabled, it displays as normal. I wonder why that might be....



    Rgds

  14. #14
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    Ah... I'll bet I don't see the Programs under Freeware because the site is in my Internet zone -- which as you can tell is fairly disabled!!

    Let me add it to my Trusted sites and see what I get...

  15. #15
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Advertisments in separate window (5.5)

    ...I think you've just stated the nub of the argument for and against.

    a. if you have AC switched off, you can't enjoy that web page as it was intended.

    b. if you switch it on by adding it to your trusted site zone, you risk being attacked.

    Rgds
