This Week in Security
There sure was a lot going on in the past couple of days in the world of cyber security. Let’s see, we have a fix for the fix and a new free phishing protection service from a major online player, all while another online giant gets criticized for its client software. So, read on and get the lowdown on what’s going on this week in the world of security.
Microsoft Fixes a Flawed Update
I know it’s hard to believe, but Microsoft dropped the ball again. This time, it’s with one of their scheduled monthly updates. The August 8, 2006 scheduled update from Microsoft covered a number of different flaws, several of which were highly rated security holes. Upon downloading the updates, however, many users were exposed to an entirely new flaw in Internet Explorer 6 SP1. The flaw was a buffer overflow, which crashed IE when it attempted to view certain Web sites that use HTTP 1.1 compression. The discovery of this bug in the IE patch also exposed the fact that the flaw could be exploited by cyber attackers in an effort to gain control of unsuspecting end users’ PCs.
This flawed patch only affects Internet Explorer 6 Service Pack 1, which can affect XP users that have not updated to Service Pack 2, as well as Windows 2000 users with Service Pack 4. Microsoft did come out with a fix last Thursday (August 24th) that completely fixes the patch and should allow all affected users to secure their browsers. Here is the link to the update.
Yahoo! Sign-in Seal
Phishing scams, as you all know, are a really big topic in the world of online security. These types of threats incorporate a number of different online attack techniques to fool end users into giving up sensitive personal information. With an increase in scam attackers, online businesses, such as banking institutions, have started combating them with Sign-in Seals. Sign-in Seals are basically ways to verify the Web sites and users who visit them to ensure they are who they say they are.
Yahoo! wants to get on board as well and has released (in beta for now) their own version of a Sign-in Seal that I believe may set the standard for others. Yahoo! approaches this arena of security in a different way by actually matching up configured information with users’ PCs, not simply login information (login name and password). This method allows Yahoo! to verify any Web page’s legitimacy before posting any of the user’s information on the site.
Although the Sign-in Seal isn’t officially out and only a few randomly selected Yahoo! subscribers get to use it for now, representatives from Yahoo! say they will roll out the service in the next couple of weeks. Don’t worry guys, I’ll let you know when it comes out.
Anti Spyware Group Calls AOL “Badware”
An anti spyware group called stopbadware.org, comprised of many reputable entities in the world of computer security, has called AOL’s free client software 9.0 “badware.”
So, what exactly is “badware” and how does AOL fit into all this, you ask? Well, I will tell you!
Badware is another general term used to encompass spyware, malware and other unwanted applications. In the case of AOL, it’s more about the software and services installed alongside their client software that are unknown or not fully explained to the end user. This statement from stopbadware.org should help shed some light on things.
“In our preliminary findings, we find that AOL 9.0 (free version) is currently badware because it installs additional software without telling the user; it forces the user to take certain actions; it adds various components to Internet Explorer and the taskbar without disclosure; it may automatically update without the user’s consent and it fails to uninstall completely.”
Some of the software they are referring to, which is installed with AOL’s 9.0 free version without being made completely clear to the user, is listed below:
- You’ve Got Pictures Screensaver
- Pure Networks Port Magic
- Viewpoint Media
- Adds Favorites to the Internet Explorer List
- AOL Deskbar to the Windows Taskbar, which includes icons for AOL Instant Messenger and AOL Mail
- Real Player
AOL has responded by saying that it has always been a leader in securing their customers and doesn’t warrant the “badware” title it has been given. AOL has shown they are serious about getting this straight and have already come out with a fix for the uninstall issue that has been pointed out to them. In addition, representatives state that all of these other concerns will be addressed with the introduction of their new version of the product due out in a few months or at the very least, update patches like our friend Microsoft. Let’s hope so!
Well, that’s it for what’s been buzzing around the world of cyber security this week. Isn’t it fun trying to stay on top of all the online threats?! : ) Until next week, stay safe out there.
~ Chad Stelnicki