
Windows Secrets Newsletter • Issue 171 • 2008-10-16 • Circulation: over 400,000


Table of contents 
  • Bonus: All subscribers can get free PC buying advice
  • Introduction: Yay, Fred’s back! Readers give a big thumbs-up
  • Top Story: All browsers are vulnerable to clickjacking
  • Known Issues: Are criticisms of Vista bogus or legitimate?
  • Wacky Web Week: ‘Chicken or fish?’ may max out your credit card
  • LangaList Plus: Repair XP’s ability to format floppy disks
  • Best Software: Use a sandbox to improve your PC security
  • Known Issues: Put these file locations on your backup radar
  • Patch Watch: Patch knocks out Net for XP PCs with ZoneAlarm

 
Bonus

All subscribers can get free PC buying advice

We’ve obtained a license for you to download the best two chapters of How to Be a Geek Goddess: Practical Advice for Using Computers with Smarts and Style. The work is by Christina Tynan-Wood, who’s contributed columns for PC World and PC Magazine and written for Popular Science, Family PC, and other magazines.

The printed book won’t ship until mid-November, but Windows Secrets subscribers can get our exclusive excerpt right now. The PDF download focuses on how to get the best deal when buying a laptop or desktop computer — advice that applies equally to Geek Gods and Geek Goddesses. Everyone likes a bargain.



 
Introduction

Yay, Fred’s back! Readers give a big thumbs-up

By Brian Livingston

Ever since I announced on Oct. 9 that our editor-at-large, Fred Langa, was coming out of retirement to bring you a new column every week, we’ve received hundreds of e-mails from readers who’re glad to see him back.

We’ve received only a couple of messages like, “Fred who?”

My favorite comment came from a reader named Sheri, who enjoys our paid content (including Fred’s new column) and also was a subscriber to Ian “Gizmo” Richards’ newsletter, Support Alert, which merged with Windows Secrets last July:
  • “A few years back, I found Gizmo’s newsletter. From the first issue, I knew I’d found advice I could trust, so that when I was doing repairs or upgrades for myself or my friends, I wouldn’t accidentally do something or install something that would make a computer unusable. Happily, every computer I’ve worked on has left my home in better shape than when it arrived! …

    “One time I wrote Gizmo and told him I got a lot of newsletters, but his was the only one I’d actually pay money to receive. That’s still true of Windows Secrets, and I can’t thank you all enough for the newsletter and for the opportunity to pay what I could to receive it.”
Fred’s using his new column each week to answer at least three or four questions sent in by readers. He’s committed to work through your problems for at least another year or two. (And I think we can keep him busy a lot longer than that!) His column appears in our paid content but, as always, there’s no fixed fee to get it — we accept any financial contribution in any amount from anyone.

All of our writers are working hard to dig up information on Windows that can help you work better and stay safe. It really keeps us going to see the positive responses from so many subscribers. Thanks for your support!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

 
Top Story

All browsers are vulnerable to clickjacking

By Stuart J. Johnston

The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.

What’s worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.

Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you’re clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple’s Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.

The problem doesn’t stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe’s Flash player and Microsoft’s Silverlight streaming-media plug-in.

“If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security,” Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.

Disguised links lurk behind clickable buttons

In clickjacking, surreptitious buttons are “floated” behind the actual buttons that you see on a Web site. When you click the button, you’re not triggering the function that you expected. Instead, the click is routed to the bad guy’s substitute link.

Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.

They point out that even users who watch their systems like a hawk can be victimized.

“There’s really no way to know if what you’re looking at is real,” Hansen told Windows Secrets.

In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a “new class” of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.

Clickjacking isn’t new. In fact, it dates back to at least 2002, Hansen said. What’s new is the range of browser vulnerabilities that make clickjacking possible.

Hansen’s blog posting describes the scope most clearly:

“There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them.”

This doesn’t mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites.

Disabling JavaScript has serious drawbacks, because so much of the Web’s interactivity is driven by JavaScript apps.

“[Disabling JavaScript] totally cripples the Web experience,” Skoudis said.

In addition, Hansen states, even browsing with JavaScript disabled will not protect against all possible avenues of attack.

“Most browsers are going to be vulnerable,” Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft’s upcoming browser to be patched by the time it’s released later this year.
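One way a site can defend its own buttons against the iFrame variant Hansen describes, shown here as an added example that is not code from this article or from any vendor it names: the page checks whether it has been loaded inside another origin’s frame and, if so, blanks itself and tries to replace the framing page. The `fakeWindow` and `fakeDocument` helpers are constructed stand-ins for browser objects so the check can be exercised outside a browser.

```javascript
// Added example, not code from the Windows Secrets article or any vendor it names.
// A site can refuse to have its buttons floated inside another origin's <iframe>,
// the clickjacking variant Hansen describes, by checking how it was loaded.
// The window/document are passed as parameters so the logic can also be run
// against the constructed stand-ins below, outside a browser.

// Classify how the page was loaded.
//   "top"                 - outermost window, nothing is framing us
//   "framed-same-origin"  - framed by a page from our own site (readable, trusted)
//   "framed-cross-origin" - framed by a page we cannot inspect: clickjacking risk
function framingState(win) {
  if (win.top === win.self) {
    return "top";
  }
  try {
    // Browsers throw a SecurityError when a cross-origin parent's location is
    // read; a successful read means the framing page shares our origin.
    void win.top.location.href;
    return "framed-same-origin";
  } catch (err) {
    return "framed-cross-origin";
  }
}

// Frame-busting defence: when framed cross-origin, blank the document so no
// visible control can be targeted by a hidden overlay, then navigate the top
// window to this page (assigning a cross-origin location is permitted).
function protectAgainstFraming(win, doc) {
  const state = framingState(win);
  if (state !== "framed-cross-origin") {
    return { state, hidden: false, escaped: false };
  }
  doc.body.style.display = "none";
  let escaped = false;
  try {
    win.top.location = win.self.location.href;
    escaped = true;
  } catch (err) {
    // Some framing pages block the navigation; the document stays hidden.
  }
  return { state, hidden: true, escaped };
}

// Constructed stand-ins (not real browser objects) for running the check offline.
// A cross-origin parent throws on reading `location` and records assignments.
function fakeWindow({ framed = false, crossOrigin = false,
                      url = "https://bank.example/transfer" } = {}) {
  const win = { location: { href: url } };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, "location", {
    get() {
      if (crossOrigin) throw new Error("SecurityError: cross-origin location read");
      return { href: "https://bank.example/" };
    },
    set(target) { top.navigatedTo = target; },
  });
  win.top = top;
  return win;
}

function fakeDocument() {
  return { body: { style: { display: "block" } } };
}

// In a real page, run the defence as early as possible, from a script in <head>.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  protectAgainstFraming(window, document);
}
```

Script-based frame busting only runs when JavaScript is enabled, so it supplements rather than replaces a server-sent anti-framing header such as X-Frame-Options, which browsers began supporting after this article was written.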

Flash apps may activate webcams and mics

Besides browsers, the bad guys can also exploit Web programs such as Adobe’s Flash player.

For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC’s webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop’s built-in camera and mic.

Clickjacking vulnerabilities don’t stop there; attacks may also be launched via iFrames by using cross-site scripting techniques.

Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat’s complexity.

In fact, in the three weeks since Hansen and Grossman first revealed the discovery of the clickjacking vulnerabilities, Hansen says he’s received about half a dozen examples of proof-of-concept code and knows of several more — not counting the half dozen or so that he and Grossman have already found.

To date, there have been no attacks in the wild, although with proof-of-concept code already out, it’s just a matter of time.

Can you stay safe in a clickjacking world?

Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe.
  • Adobe: The Flash vendor has issued a patched version that will help keep you safe from Flash-based attacks. See the company’s download page. Previously, the company had posted a security advisory containing a workaround.

  • Mozilla Foundation: Install Giorgio Maone’s open-source NoScript plug-in to block execution of JavaScript except for sites you approve. NoScript is free, though the vendor requests a donation. The add-on lets Firefox users designate the sites on which scripts are allowed to run and blocks JavaScript on all other sites.

  • Microsoft: To date, the company has taken a noncommittal stance in regard to the clickjacking threat. Microsoft responds to questions by referring users to the company’s Security Support page.

  • U.S. Computer Emergency Readiness Team (US-CERT): The agency provides a document that describes how to protect IE, Firefox, Safari, and other browsers from a range of attacks.
Even taking all of the above precautions doesn’t guarantee that your system is 100% immune to the new threat. You’ll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.

While we’re all waiting for vendors to patch their products, Alfred Huger, vice president of software development for Symantec Security Response, has some down-to-earth advice. Since most malware attacks occur on adult sites, keep your browsing rated PG-13.

“You’re most likely to see [attacks] on porn sites or on sites that offer game-cracking software,” Huger adds.

When in doubt, ask yourself whether your mom would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.

Despite the seriousness of this latest round of security threats, SANS Institute’s Skoudis says he is optimistic. While the threat of attack may be high for the next three to six months, Skoudis expects more complete protections to become available as early as next spring and no later than next fall.

“This is a very serious finding, but this is not going to be the end of the Web,” Skoudis adds.

Stuart Johnston is associate editor of WindowsSecrets.com. He has written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.

 
Known Issues

Are criticisms of Vista bogus or legitimate?

By Dennis O’Reilly

Several readers were dismayed to read about the Vista problems reported by Stuart Johnston in last week’s Top Story, some going so far as to call it “Vista bashing.”

On the other hand, we heard from just as many readers who are struggling with the same problems as the readers Stuart quoted — plus other Vista glitches of their own.

Reader Victor Sacco left no doubt about where he stands on the issue:
  • “It’s simplistic and plain silly to say that Vista x64 is ‘junkware,’ or [that] ‘bugs abound’ in Office 2007 when run in Vista x64. And that business about 23 million Registry entries — how was this determined? Is it accurate? What does it mean?”
We’ve heard from many readers who struggle to get Vista 64 to work as advertised, not just Vince Heiker, the subscriber quoted by Stuart. (For the record, the application Vince used to count the lines in his Registry was Registry Easy.)

Reader John Douglas offers an explanation for some of these glitches:
  • “Most problems plaguing Vista — both 32- and 64-bit — are caused by poorly written apps and drivers. I strongly suspect that this is caused by the higher demands of the OS, but it’s not like the developers haven’t had time to get through it.

    “And likewise, it’s not like Microsoft didn’t do due diligence in making Vista betas available. Vista is simply an extension of Windows Server 2003 SP1, which was also the foundation of XP x64, which was my favorite OS until Vista 64 was introduced.

    “Of course, this is not the first time we are using applications that have a different code base than the OS. How many 16-bit apps did we use on 32-bit OSes? And some still are! Also, what applications would benefit significantly from a 64-bit extension? Video and high-resolution photo apps like Photoshop and Premier Pro, or perhaps database apps. …

    “Finally, I will agree on one thing: the Registry is overdue for some serious optimizing. I just exported my Vista 64 Registry using Regedit, and the file is 374MB! Good thing I have 8GB of RAM.”
There’s no doubt that many, many people are having problems with Vista almost two years after the product’s release. Stuart’s story wasn’t an editorial: it reported on real problems of real users, and their experiences are far from isolated incidents.

Whether someone’s Vista Registry has bloated itself up to millions of lines, hundreds of megabytes, or some other measure, the problems Stuart wrote about represent the experiences of many Vista users.

Ferreting out a disk-imaging bargain

One of my favorite things is saving money on what I consider an indispensable PC application. That’s why I stood up and took notice when reader John Sullivan wrote to tell us about a great deal he found on Acronis’s True Image disk-imaging software:
  • “While on a tech chat with Acronis one day recently, they told me to go to [this site]. Turns out, on that site they offer to give you — yes, give you — version 8 [of True Image] for free, then tell you that you can upgrade to the current version 11 for only $30 instead of the retail $50 or common street price of $35 to $40. And you don’t even have to install it (version 8), just get a free key from them to qualify for the upgrade. Here’s their page telling about it.”
Maybe you could use the money you save to treat your broker to a showing of “Beverly Hills Chihuahua.” He or she should have plenty of time to kill.

Victor, John D., and John S. will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

 
Wacky Web Week

‘Chicken or fish?’ may max out your credit card

By Katy Abby

Remember the good old days, when virtually every flight came with a full meal? Airline food may have become a synonym for any dubious cuisine, but it still nurtured us and ensured that we arrived home with a full belly and at least one harrowing mystery-meat anecdote to amuse our friends.

Today’s airline patrons are lucky if they get so much as a complimentary cup of joe, and the victuals that people everywhere once loved to hate now seem like a downright luxury. But cheer up, folks; the worst is yet to come! Watch this video for a hilarious glimpse into the airlines of the not-so-distant future.


 
LangaList Plus

Repair XP’s ability to format floppy disks

By Fred Langa

Why do some Windows XP installations lose their ability to format a floppy while others don’t?

There are three likely culprits, but (fortunately) fixing them is usually fast and free: even a worst-case fix costs only about $10!


Flustered and flummoxed by floppy-format foibles

Nathan Erlbaum sets up his PCs almost identically, but some of them mysteriously lose their ability to format ordinary 3.5-inch floppies:
  • “I have four XP machines on my home network. Three are SP2 and one is SP3. On all of the SP2 machines, I cannot format a floppy, but on the machine with SP3, I can.

    “On my main machine, I run AVG Pro, Zone Alarm Pro, and Counter Spy. On all of the other machines, I run the free versions of Zone Alarm and AVG. I searched with Google, and it suggests the resident portion of the antivirus software is doing it, but disabling it didn’t solve the problem. I don’t really need the floppy except for BIOS updates.”

Indeed, the most common cause of this kind of trouble is too-aggressive security software or, sometimes, two or more dueling security tools that step on each other’s toes. You said you tried disabling the security software; I’d suggest going a step further and uninstalling — not just disabling — the security tools one by one.

You see, disabling the top-level portions of a security tool doesn’t always completely shut down the deeply buried, always-on components, which are variously called “active monitoring,” “real-time protection,” “resident protection,” and so on. This type of always-on protection can be a source of subtle, hard-to-track problems, especially if you have more than one security tool running.

Write down any unlock keys or install codes used by the software and then remove your security tools one by one. Reboot after each uninstall to ensure that all active components are removed from memory. Then, after the reboot, try to format a floppy. If you suddenly find you can format normally, the last piece of software you uninstalled was the culprit.

This article is part of our paid content.


 
Best Software

Use a sandbox to improve your PC security

By Ian “Gizmo” Richards

Sandboxes are a relatively new type of security product that can significantly reduce your chance of getting infected when you surf or when you download and install programs.

I’ll explain why sandboxes are so important and show you how to use my favorite sandbox program.


Block access to system files as you browse

A security sandbox is a program that creates an isolated environment on your PC within which other programs can run. It sets up a kind of virtual PC within your real PC. Programs running in that virtual PC are corralled from the rest of the system.

It’s like building a room in the deep interior of your house with no windows or doors. What takes place in that room cannot affect what takes place in the rest of your house. In the same way, what takes place in a security sandbox cannot affect your PC.

Now, this may sound abstract and theoretical, but it has some very practical implications.

First, if you run an infected program within the sandbox, the infection is restricted to the sandbox and cannot get to your real PC.

This article is part of our paid content.


 
Known Issues

Put these file locations on your backup radar

By Dennis O’Reilly

The roster of files in need of backup that Ian “Gizmo” Richards provided in his Oct. 2 column was comprehensive.

But reader Timothy J. McGowan points out some additional file locations to back up.

  • “Firefox 3 and above no longer use bookmarks.html, at least not by default. The file doesn’t get deleted when you upgrade, but once the bookmarks are imported into the new storage file, the old bookmarks.html file is normally ignored.

    “Bookmarks are now stored in your profile folder in a file named places.sqlite. Other sqlite files contain your cookies, permissions, preferences, and more. Rather than just backing up your bookmarks, you should really back up the entire Profiles folder and its subfolders, or you’ll miss a lot.

    “To get Firefox 3 to start using bookmarks.html again (in conjunction with places.sqlite, not instead of it), start Firefox and press Alt+D, or click [in] the address bar. Delete the text that appears there, type about:config, and press Enter. The Filter control will be active; start typing autoexport until you see browser.bookmarks.autoExportHTML appear under Preference Name.

    “Double-click it to change the value from false to true; the entire line of text will become bold. Press Alt+Home or click the Home button to navigate away from this page.

This article is part of our paid content.


 
Patch Watch

Patch knocks out Net for XP PCs with ZoneAlarm

By Susan Bradley

Once again, a Windows security patch is causing users of ZoneAlarm security software on XP systems to lose their Internet connection.

It’s important for users of many different ZoneAlarm products to update their programs before installing this week’s XP patches.


MS08-066 (956803)
ZoneAlarm users: postpone this week’s XP patch

This week, a special heads-up is needed for Windows XP users who have Check Point Software’s ZoneAlarm security products installed on their systems. Microsoft Security Bulletin MS08-066 (patch 956803), which updates the Microsoft Ancillary Function Driver, can throw your Internet connection for a loop.

The ZoneAlarm and Check Point products affected by the patch are:

  • ZoneAlarm Internet Security Suite 6.5.645.000 to 7.0.482.000
  • ZoneAlarm Pro 6.5.645.000 to 7.0.482.000
  • ZoneAlarm Antivirus 6.5.645.000 to 7.0.482.000
  • ZoneAlarm Anti-Spyware 6.5.645.000 to 7.0.482.000
  • ZoneAlarm Basic Firewall 6.5.645.000 to 7.0.482.000
  • Check Point Endpoint Security 6.5.645.000 to 7.0.865.000 (excluding 7.0.843.0007 and 7.0.866.000)

Before you apply the XP patch, visit Check Point’s download page and look for an updated version of your ZoneAlarm software. Don’t update XP until a ZoneAlarm refresh is available.

MS08-063 (957095)
File sharing may be hazardous to your PC

Normally, sharing files on a local or peer-to-peer network is a good thing. But there are times when it’s not such a good idea. Take the case of the Microsoft Server Message Block (SMB) bug described in MS08-063 (957095). This vulnerability allows an attacker to break into the network by sending malicious packets to file-sharing ports.

This article is part of our paid content.

