I Debug, Therefore I Exist

New Internet Explorer Exploit

It was reported on the 11th of February on Heise-Online that a new exploit was found for Windows users running any version of Internet Explorer.

As usual, the nature of the exploit is related to Microsoft trying to soften web standards, in order to make the web a “friendlier” place for everyone. I wish someone would explain to Microsoft that the job of a web browser is to take a bunch of semantic code and render it. It’s not supposed to think on behalf of the user or the developer. I suspect the decision (way back when) to add this “feature” was made by non-tech-literate managers, to whom an image is an image (“Who cares about formats! I don’t want to see web pages break or act funny… just make it work the way I want it to”). Ultimately, poor decisions coming from a company as predominant in the lives of most people as Microsoft is – a company that knew that releasing a web browser by default on its operating system would amount to an instant grab of 80-90% of the browser market (although, fortunately, this is no longer the case) – cause more headaches for everyone in the long run.

At the end of the day, this makes life more difficult for:

  • developers, who have to apply fixes in their increasingly hacked code and feel constantly paranoid
  • users, who end up having more of their systems compromised by clever black hats (that’s what the rest of you would call ‘hackers’, although this is a false use of the term)
  • and Microsoft, which ends up having to layer patch on top of patch – not only to fix the original problem, but to fix the mess it created (meaning an endless supply of patches, which users will eventually ignore, because they see them so often that they become apathetic).

Ok, well, rant aside… this new exploit has to do with images. If you are using Internet Explorer (and if you are, you should really consider downloading Firefox or some other alternative instead), this exploit allows hackers to inject JavaScript into images, which is then run on your system in your browser.

This may seem harmless to you, but consider this: if a malicious coder uploads a profile image to some forum or some other site which does not filter the image (i.e. run it through ImageMagick or some other image processor), then they can embed JavaScript into the image. When you load the page, Internet Explorer loads in all the elements on the page (HTML, CSS, JavaScript, Flash, etc.), and when IE loads in one of these nasty images, it runs the code in it instead. Still wondering why this is bad? Because it allows these malicious users to control your browser in some unexpected ways, such as giving them the ability to steal your cookies. And if you are still wondering why that is a bad thing: it gives those malicious users the ability to log in to your account, view your personal information, change it, steal it, pretend to be you or even lock you out of your own account.

I hope you realize by now how bad this exploit can be.
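For site owners, here is one way an upload handler could screen avatars before storing them, so that a file with a valid image header but markup near the start never reaches a sniffing browser. This is an added example, not code from the original post; the token list, the 256-byte window and the function names are assumptions for illustration.

```python
import re

# Leading magic bytes of the formats an avatar upload would accept.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Assumption: a content-sniffing browser inspects only the start of the
# file for HTML-like tokens. Window size and token list are illustrative.
SNIFF_WINDOW = 256
MARKUP = re.compile(
    rb"<\s*(?:!--|html|head|body|title|script|iframe|plaintext|table|a\s+href)",
    re.IGNORECASE,
)


def detect_format(data: bytes):
    """Return 'gif', 'png' or 'jpeg' from the magic bytes, else None."""
    for fmt, magics in SIGNATURES.items():
        if data.startswith(magics):
            return fmt
    return None


def check_upload(data: bytes):
    """Return (accepted, detail) for an uploaded avatar."""
    fmt = detect_format(data)
    if fmt is None:
        return (False, "no recognised image signature")
    hit = MARKUP.search(data[:SNIFF_WINDOW])
    if hit:
        # Valid header but markup where a sniffer would look: reject,
        # or re-encode through an image processor before storing.
        return (False, "markup token at offset %d" % hit.start())
    return (True, fmt)


def serving_headers(fmt: str):
    """Headers for serving a stored upload. nosniff is honoured by IE 8+;
    IE 6 and 7 ignore it, so check_upload() is still required."""
    return {"Content-Type": "image/" + fmt,
            "X-Content-Type-Options": "nosniff"}


# Constructed sample inputs (not real captured files).
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 24
TAINTED_GIF = b"GIF89a" + b"<SCRIPT>alert(1)</SCRIPT>"
```

A token placed beyond the scanned window passes this check, which is why re-encoding every upload through an image processor is the stronger filter.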

I tested this exploit on Microsoft Internet Explorer 6 & 7, Mozilla Firefox 3.0, Opera 9.6 and Google Chrome. I can confirm that this exploit affects only Internet Explorer 6 & 7. None of the others had this problem. I haven’t tested IE 8, but I would be surprised if it were any different until Microsoft decides to patch it (if they ever do).

As always, if you want to stay secure:

  1. Don’t use Internet Explorer. Install Firefox instead.
  2. Install NoScript. It may make your internet surfing a bit more painful at times, but the security benefits are well worth the annoyance it can cause. Remember, you always have to compromise between ease-of-use and security. You can’t have your cake and eat it too.
  3. If you absolutely have to run any version of Windows, instead of the more secure alternatives (Apple Mac OS X, Ubuntu or other flavors of Linux), make sure you update your system as soon as you are notified of something. Don’t think you just need to keep your operating system up-to-date. You need to make sure your other software is up-to-date as well.
  4. Make sure you run your computer behind a router (NAT router, specifically. Good home routers are quite cheap these days. Even those under $50 would be sufficient). This protects you against remote execution vulnerabilities, such as the recent Conficker, because your computer will be hidden behind a router, which does not provide any direct route for people to access your computer unless it somehow expects it. This largely shields you from malicious people scanning the internet for vulnerable computers. If your computer is connected directly to your internet modem, you are asking for trouble.
  5. Maintain a “Trust No One” frame of mind, while connected to the internet. Don’t trust anyone or any site unless you can establish a reasonable degree of trust.
  6. Some of you will say, “What about a firewall or anti-virus?” If you are a Windows user, the unfortunate reality is that an anti-virus application is absolutely necessary, so give AVG or ClamWin a go. They are both free (although AVG is only free for personal use). I recommend you install both. And, as for firewalls: it can’t hurt to have a firewall installed, but, ultimately, if you follow steps 1-5 above, it will be highly unlikely you will ever need one, unless you run a big network with lots of computers and users. If you are maintaining your own home network with few computers, then there isn’t too much benefit.

Well, I hope you got something out of this security alert.

If you have any questions, just leave a comment. Good luck.

Filed under: Security

Dino*Run: Escape Extinction

I have to say, I’m usually not a big fan of flash games, but this one, I have to say, impressed me a great deal.

You are a dinosaur in a retro, pixelated setting, trying to escape doom from above. You run through the wilderness trying to avoid obstacles that would slow you down, devouring snacks on the way and climbing over other dinosaurs to reach your goal.

That’s as much as I will say about it, because I don’t want to spoil the surprise. I only want to say this: your heart will be pounding quite a few times. And that’s no small feat for a Flash game.

The music is also very retro and everything in the game is actually very visually appealing – especially if you like the style of Another World and Flashback. The environment has a lot of vivid detail and, while the controls aren’t perfect, it feels authentic to the retro-style of the game.

In any event, I’m sure after you give it a go, you’ll agree that it’s one of the finer mini games out there (lots of unlockable goodies!) and you’ll keep coming back for another run.

Go play it!
http://www.pixeljam.com/dinorun/

Filed under: Uncategorized

Miss the old Mac rounded corners? Displaperture is for you

I have to admit, while I didn’t use to be a Mac user and spent a good deal of time criticizing it in the way a Windows user usually does, I always had a deep, hidden admiration for the UI. ‘Course, now I’m out of the closet (since getting a MacBook a year ago), so now I can admit things freely.

One thing that kind of disappointed me when I first booted OS X on my fresh new MacBook was the missing rounded corners. I don’t know why, but it gives the UI a slightly more polished and friendly touch. The square borders make it feel just that – square. So I was quite pleased to find Displaperture. Amusingly enough, it even lets you adjust just how far into your screen the border goes.

So, if you miss a bit of curve, check it out:

http://www.manytricks.com/displaperture/

Filed under: Uncategorized

Introductory Note

I hate starting a blog and then getting stuck on what to say in your very first post. That’s really the reason why I haven’t started one yet. Really, I much prefer to just get right into the swing of things and pretend this blog has always existed. So, I’m going to avoid all that, other than to say, ‘Hey dear visitor, thanks for visiting my blog. Sorry there isn’t much content yet, but there will be soon.’ 😉

– i debug

Filed under: Uncategorized
