Overlooked online threats
Security issues you should be aware of
By Serdar Yegulalp | Computerworld US | Published: 12:05, 06 March 2010
There's the danger you know, and then there's the danger you don't know.
Most of us are rightfully wary of downloading and running programs that have no pedigree, or of performing day-to-day operations as an administrative user. But with each passing year, new security threats march in to eclipse the old, many of them not getting their share of attention until it's too late.
Threats go unappreciated for various reasons. Some seem too obscure or unlikely to be valid until they actually materialize in the wild (such as the .pdf exploits I document later on). Others are overshadowed by more widely publicised problems (e.g., the way Firefox's issues take a backseat to Internet Explorer's).
Here I'll be giving a tour of a number of lesser advertised security issues that can bite you when you least expect it, and offering some advice on how to defend yourself.
Apart from Microsoft, Adobe may well be the one software maker whose programs run on every Windows-based PC out there. Nearly everyone has Flash, Acrobat Reader and/or Shockwave, and they are used by malware as delivery mechanisms. (Of course, Adobe's applications run on other operating systems as well, but it's the Windows PCs that are being targeted.) The danger comes when you use outdated versions of those programs, or current versions with unpatched bugs that are exploited as security holes.
One common manifestation, one I've been hit with personally a few times now, comes when the user visits a website with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe's other products, for example, an infected .pdf document, which opens spontaneously upon visiting an ad. (I've been hit with this one many times, too.)
Keep Adobe products updated and don't run your system as Administrator or root if you can possibly help it. That gives malware possible access to your system settings. Not running as an admin for day-to-day work in Windows is good advice anyway, and could easily be appended to any of the other threats listed in this article.
Adobe does have an auto-updater for its products, but its behavior is weirdly spotty; it tends to only report updates for whatever product is currently active. If you run the updater within Acrobat, for instance, you aren't informed about updates to other Adobe products, so a certain amount of manual research is needed to make sure Flash, for instance, is current.
Another possible safety measure: Disable thumbnail previews for Acrobat documents. The thumbnail previews in Explorer generated by Acrobat were part of how one proof-of-concept exploit worked, so turning off that functionality or upgrading to a version known to be safe removes another potential source of attacks.
I would like to say that moderating one's browsing habits or visiting only "known good" sites (via mechanisms like Web of Trust) is a good idea, but I'm not sure anymore. The syndication systems that serve up these types of infected ads now run on all sorts of sites. I've been hit with drive-by malware from sites that I visit regularly and which have good ratings from site review services, so it's no longer a question of simply keeping away from the web's poorly-lit side streets.
Some people take additional steps, such as blocking ads entirely by running a plugin like Adblock Plus, or selectively disabling scripting for sites they're dubious about by using the NoScript plugin.
Firefox add-ons are a potential security hazard, not as bad as IE ActiveX plug-ins, but still a potential threat. Many web-based attacks that target Firefox don't aim for the program executable itself. Rather, they seek to undermine add-ons, files which may not be binaries and so may not be assumed to be at risk, and the support structure for the program.
Most of the danger comes from add-ons that pretend to be legitimate. For example, one add-on pretended to be the Adobe Flash Player, insisted on "updating" itself and dropped malware into the system.
One would think that antivirus programs would be a good first line of defense, but they have a spotty record of detecting things like this. For instance, the overlay.xul attack described above was still being ignored by many prominent antivirus engines (Symantec, Panda, Kaspersky, Trend Micro) even after a month of being in the wild. The SANS researchers who examined this threat ran it through an online virus scanning service and were dismayed at how few applications flagged it as malicious.
One possible workaround is to use a non-installed version of Firefox such as Mozilla Firefox Portable Edition, which can run in any directory or even from a removable drive. If the program becomes infected, it can be kept segregated from the rest of your applications, and is easier to clean up and reset without damaging your user data (another possible workaround is to use a different browser entirely, but that might be more effort than it's worth).
Many people switch to the Macintosh out of a sense that the Mac's a safer platform. By and large, it is, but threats do exist in the wild, whether piggybacked on pirated software or as the result of vulnerabilities in the platform itself. Most dangerous of all, though, is a false sense of security: users can be duped no matter what they're running.
Mac security product creators Intego released a report (PDF) in 2009 that examined Mac malware and kernel vulnerabilities. There's not a lot of Mac malware in the wild, Intego found most of it in pirated copies of commercial applications (iWork '09, Adobe Photoshop) available on peer-to-peer filesharing networks.
The kernel issues are also worth noting (the report notes that one was discovered in April 2009), but more worrisome are vulnerabilities in Safari. The browser has been shown time and again to be a weak link in OS X's security chain. Debates rage on about whether Macs are attacked less because of their minority share or because they are less vulnerable, but that doesn't make any attack on the platform less troublesome.
Most important of all, though, is the user at the keyboard. Mac users are no less vulnerable to social engineering, and no less apt to download pirated software that turns out to be loaded with Trojans, than those using other platforms.
A false sense of security is a bad habit to cultivate, especially if Mac adoption continues to climb. What's crucial is that users not assume that simply changing platforms is by itself a defense mechanism. It can stave off some obvious problems, but it won't eliminate all of them for all time.
To that end, Mac users need to keep apps updated (not too hard by itself), but also stay conscious of their security as a platform-neutral issue. Ripoff artists are loyal to no OS, and a bug in Safari can be just as problematic as a bug in IE. The same goes for Linux as well: A scam run past someone using Firefox in Ubuntu is still a scam by any other name.
Users should also stay informed about threats in the wild that might not seem like any of their concern at first. Malware is not just becoming more aggressive, it's jumping platforms and diversifying across them, targeting the user rather than the platform. Consider the Firefox XUL hijack described earlier: that was an attack that could be staged on multiple editions of Firefox, since the files attacked were not platform specific.
And Mac users should avoid pirated software, for security (as well as ethical) reasons. The threat from such things may be marginal now, but that doesn't mean it'll always be that way.