…and neither will a lot of other things – some of which you might want.
The site in question does not display a pop-up for me. Mind you, I am running NoAds (#82, from you know where…). It does not need to be configured.
Correct — “a lot of other things” like viruses and trojans! This is exactly how some people just stung with Nimda…
There is nothing I want from a site that I cannot trust. I do not want Scripting running from a site I do not know and trust. If I trust it, it ends up in my trusted sites.
…not if you’re protected properly and aren’t running on an IIS server. Even highly complex worms like Nimda can only hurt you if you haven’t patched the security holes. A few posts ago I sent a visual illustration of what Nimda can do.
There’s several things you can do other than disabling the ActiveX utility.
Sorry, but disabling Active Scripting is not the same as disabling ActiveX.
Disabling the Host is not an option for me — I write scripts!
Pop-up Windows are not a Macro vulnerability. Neither is Nimda.
Outlook Security has nothing to do with Pop-ups on a web site.
Pop-up windows are rarely, if ever, triggered by auto-running .exe files.
Security patches from Microsoft do not block Pop-up Windows nor disable script on web sites.
Personal firewalls do not block Pop-up Windows OR script!
_________________________
I fail to see any relevance to this poster’s problem: “Advertisments in separate window “. However, those points are VALID and are good advice, they just have nothing to do with the topic…
…that’s because I wasn’t addressing the poster’s problem, but your suggestion to disable Active X to prevent javascript running.
If you’ve plugged the security holes, an infected web site can’t drop a worm and if you take the other precautions Nimda (which you brought into the discussion) can’t get you via email, or in any other way. (Always assuming you are not opening attachments willy-nilly). In my opinion disabling Active X is not necessary. You could, of course, set it to ‘prompt’ or just disable the potentially dangerous options.
Actually, I would agree about the Scripting Host, but with MoOutlook Security running (which is by no means restricted to Outlook) disabling WSH isn’t necessary either.
Merc – I still have to disagree. Disabling ActiveX does not Disable ANY script — JavaScript, or otherwise. I did not recommend Disabling ActiveX to prevent these pop-up ads — because it will not be successful!
You can only Disable scripting by, eh, disabling scripting. These are two separate things. Just take two seconds and open the Security tab and select “Custom settings”. You will see the ActiveX options come first. THEN, near the end you will see options for Scripting. Microsoft does NOT list them together for one very good reason — they are NOT the same thing!!
Disabling ActiveX will prevent ActiveX controls and plugins from running — such as Shockwave Flash or even Acrobat Reader. Both of these use ActiveX — NOT scripting.
Disabling ActiveX will in NO WAY block scripting. It will NOT prevent most pop-up ads. You must Disable *Active Scripting* to block scripts — and therefore prevent many pop-ups.
There is obviously a problem with terminology here. Let’s start from the top. There are three major divisions of “Active Content” on a web page:
1) ActiveX
2) Scripts
3) Java
These are ALL “Active Content” — but they are NOT all the same!! You cannot block one by disabling the other. Microsoft’s IE user-interface has a Security tab under Tools | Internet options. You will note that on this tab there are several sections. Three of them are ActiveX, Java, and Scripting. They are all separate. They are not the same thing. Have I said it enough times??? ;-]
And before you ask — NO, JavaScript is NOT Java!!! You cannot block JavaScript by Disabling Java. You block JavaScript the same way you block any other script — by Disabling Active Scripting. NOT by Disabling ActiveX.
I appreciate the fact that Active Content, ActiveX, and Active Scripting all have the word “Active” in them — but it does not make them the same.
Hi
“The page in question appears to use one of the most common techniques to display this pop-up window — it uses JavaScript. If you select to Disable Active Scripting in the Tools | Internet Options | Security tab | Internet zone | Custom settings box, this pop-up should not load.”
First : I misquoted you here. Obviously, you did not suggest disabling Active X disables javascript. For that, I apologise.
Second : it does not alter the thrust of my argument. Turning off the Active Scripting options in Security would seem to be somewhat extreme, when they can be set to safe levels.
In spite of your patronising attitude, you clearly appear to know about scripting and the rest. I thought I was aware of how the OS handles the very different Java and javascript but since running XP I’m not so sure.
Merc, it seems like you keep trying to discredit my posts, so I have taken a defensive attitude to your responses. Frankly, I think you are a very helpful poster on this board, but you seem to have singled me out as someone you need to correct — if I am right or wrong. Granted, I am wrong just as much — if not more — than anyone else, and I don’t mind being corrected if it is for the right reason. Let’s get beyond the superficial stuff and move on.
Let’s turn this into a discussion of security options. OK, you may feel disabling Active Scripting is too harsh, but I argue it is not.
Security will always be a personal decision. Some people use home security alarms and others do not. Who is right? I spend that silly $40 a month “monitoring fee” for my house. So far, it has caught no burglars and it has misfired twice. So it has done *nothing* good for me yet — yet it makes my wife feel safer. Is this wrong?
All “Active Content” (ActiveX, Scripting, and Java) can make the Internet far more Interesting and entertaining. It definitely adds ‘value’ to your Internet experience. However, they are a double-edged sword. These fantastic technologies can be used to nefarious ends. It is not the fault of the technology itself, it is just that people will take a convenience, find a loop-hole, and use it for other purposes.
This is like those car “fobs” to which we have all become so accustomed. Do they even sell cars nowadays that don’t have them? You push a button on your key chain and your car unlocks itself — COOL! Until someone created a device that would capture your code as it was transmitted, and now they can unlock your car anytime they want. The fob itself isn’t the problem, and if you use it in your neighborhood in front of your house, you are probably safe. But should you use it in a downtown parking garage? You might want to think twice.
I look at the Internet like the world. Some areas are like my neighborhood and some are like the downtown parking garage. I put the areas that are like my neighborhood in my “Trusted sites” zone, and I let them run ActiveX, Scripting, and Java as they wish. I have *.wopr.com in there along with some other sites I frequent. I allow these technologies to enrich my Internet experience, but in a way that makes me feel safe.
Other sites that I really don’t know about are in my default “Internet zone”. This zone is NOT set up like the MS ‘default’. Instead it is more akin to the settings in the default “Restricted sites” zone. In both of these zones, I have ActiveX and Scripting disabled. I have Java disabled in my Restricted sites, but at “High safety” in my Internet zone. Java at High Safety is limited to a “sandbox”, so it is fairly safe.
Let me take a not-so-quick side step. You are just like everyone else — and that includes ME. Everyone looks at the “Scripting of Java Applets” and says “JavaScript”. Sadly, the terminology that we are forced to use is just confusing. Java is not the same as JavaScript and they are controlled differently — as you have discovered.
JavaScript was created by Netscape many years ago. While the coding may be similar in some aspects, it is not the same as Sun’s Java. Microsoft took the JavaScript technology and created their own “JScript” and took Java and created their “Virtual Machine” which it incorporated into IE. As you probably know, because of the lawsuit with Sun, MS had to pull their JavaVM from IE6.
JavaScript and the related JScript are just other types of scripts — like VisualBasic Script. All of these are run on your Windows computer by the “Windows Scripting Host”. If you remove or otherwise disable WSH, then you will not be able to run script on your computer. This is a security solution that many people have chosen. While it is successful, it may be similar to using those bars over the windows and doors to secure your house. It works, but it may not be attractive. There are some very nice little applets that use WSH, so if you disable it you give up functionality. You also seem to feel that script on web pages may enhance your Internet experience, and if you remove WSH, you completely eliminate these enhancements.
OK, back on track. What is the concern about Scripts and ActiveX? Well, one of the ‘vectors’ of Nimda was that it used JavaScript on websites to secretly download the Nimda virus/worm onto your computer. You would receive no warning or other indicator — the dang thing just installed itself behind your back!
If you had a recently updated virus program, it would catch it. But if you did not, you were vulnerable. The only way to avoid this in the first place was to simply disable Active Scripting in your Internet zone. If you didn’t run script, you could not get infected. It was that simple. This is just one recent and relevant example of the problems of scripts on web pages. There are others, but to me, just one example of a serious vulnerability should be enough.
Additionally, JavaScripting is VERY FREQUENTLY used as the mechanism for those annoying “pop-up” ads. Disable Active Scripting and test this theory. Give it the ‘real test’ — go to some of those lovely adult sites that seem to have pop-ups occurring faster than you can count (eh, not that I ever have!). You will be pleasantly surprised (eh, and not just by the pictures!).
ActiveX is also a very intriguing technology. This is an outgrowth of the old “Object Linking and Embedding” (OLE) from earlier versions of Windows. Many people — including Mr. Leonard in his newsletter — think of this as “scripting”, but it is not script. This involves little programs or applets that may come with IE, or can be downloaded on to your computer. You will note the first two choices on the Security tab | Custom Level box are to allow you to “Download” various ActiveX controls and plugins. Scripts do NOT require you to download ANYTHING. Scripts use the Windows Scripting Host to run — they don’t need anything else.
ActiveX does NOT use the Scripting Host — it is not script no matter who says it is. Disable or remove WSH and ActiveX works fine. Instead ActiveX uses program files — generally *.ocx files — to run. Do a Search for *.ocx files and you will find many. For example, you will find “swflash.ocx”. That is for ShockWave Flash — remove this file and you will no longer see ShockWave Flash programs run on a website. You may also find “pdf.ocx”. This is the ActiveX control for Acrobat Reader — click on the properties of this file and you will even find that its name is “Acrobat Control for ActiveX”. Remove this and you cannot view .pdf files in your browser. Clearly, these are NOT script that are using the Scripting Host. They are relying on the downloading and/or installation of files to run on your computer.
ActiveX is a technology that is a disaster waiting to happen. These programs can be made to do almost anything. Unlike Java, ActiveX CANNOT be run in a “sandbox” — an isolated area of your computer. These programs have full access to your entire computer. If you want to see which ones have been downloaded by IE on to your computer, look in this folder: C:\WINDOWS\Downloaded Program Files. This can also be accessed by clicking Tools | Internet Options | General tab | Temporary Internet Files | Settings | View Objects.
Are there specific examples of problems with ActiveX? Yes, but I will have to refer you to google to look for these (I don’t have time to write all this and dig up links, sorry!). One example that quickly comes to mind is Comet Cursor. If you are not aware of what this does, then look on Google for information on it. It is not something you want on your computer. If you visit some web sites, the ActiveX control for Comet Cursor is secretly installed on your system and it begins transmitting information behind your back. Great, huh?
And what did you have to do to get this ‘infection’? Simply visit a website with ActiveX Enabled. That is it!
Time to run. In summary,
1) Certainly Active Content enhances the Internet Experience.
2) However, these technologies can be used to do things you might find undesirable — install viruses/worms, pop-up annoying ads, and install ‘spyware’ on to your computer.
3) IE does give you the option to control these — but it does NOT come that way ‘out of the box’.
4) There are many ways to control Active Content — using IE’s Security zones is one of them, but there are MANY third-party programs out there to do this.
5) Simply Disabling Active Content — especially ActiveX and Scripting — in the Internet zone is one of the simplest ways — and it is very effective.
6) You can still enjoy a rich Internet experience — simply add the sites you trust to your Trusted sites zone.
Security remains a personal choice. You can choose whatever method you like, but an informed decision is a better decision.
Hi
Sorry for the impression. I had no intention of trying to discredit you – there’s nothing personal in it. On occasion I find I have a different pov from yours. It’s not a matter of correction for reasons, simply for balance.
Sometimes I find myself playing devil’s advocate : defending a position that is not necessarily my own. Naturally, it could be rather annoying to be told in the terms you used in your last post-but-one about the differences between javascript and Java when I have myself explained such differences (in less depth perhaps) on many occasions.
However, like you, I admit that I often make mistakes (misquoting you was a slip I regret, as it made me look stupid) especially as I am often composing replies well after midnight.
Inimical scripting can be guarded against using MoOutlook Security : it prevents scripts with a range of extensions commonly used by crackers from running within OE, Outlook, IE and WinZip. Instead it saves them to a file so you can look at them first.
Nevertheless, I have learnt a great deal from your posts (and not only that you are more familiar with the subject matter than I am) and for that alone I may occasionally present an adversarial attitude. Sort of like poking a rattlesnake to get it to strike, so you can see what you can learn from it.
My main argument regarding security is that I visit hundreds of web sites in a week. I have a suite of security options in place, and my IE options set to medium. I take the necessary precautions with email. There have been many attempts to penetrate my defences – so far with singular lack of success. I have had viruses sent to me as email attachments (who hasn’t?) but have yet to get infected. I don’t think it’s mere luck. Am I being foolhardy?
One question about Active X nasties. By what mechanism are they put on to your computer? Not via cookies, or you would have suggested setting cookies to a safer level. By using a port? My firewall has stealthed these. Downloading an *.ocx file? I only allow those that have been digitally signed.
In your last post was a wealth of condensed and useful information. Mind if I edit it and put it up as a text file for people to download from my site? I’ll even acknowledge it as coming from you if you let me have your name.
Rgds
Merc, I really don’t mind the alternative POV — keep it coming. But if I seem patronizing, it is all tongue-in-cheek. No matter. I love to poke rattlesnakes all the time. ;-]
ActiveX files are downloaded by IE itself — my guess is through the same port you are communicating. It works the same way you download any other file. I suspect you already know this, but IE will use a random port over 1024 (the “ephemeral ports”) — the same way all TCP connections are made. Since you have initiated and established the connection, this is NOT something your firewall will block — you choose to go to that web site. Your firewall sees this as a connection you have permitted.
I have not looked at “MoOutlook Security” — so I have no idea what it does. However, the name seems to imply it is for “Outlook” — not IE. Should it be called MoIE Security? ;-]
I would be very interested in how it prevents scripts from running in IE. If it does, then it is doing nothing more than turning off scripts like I described above. In that case, you should get no pop-up ads as well. However, my guess is that MoOutlook Security ONLY works for files that have been downloaded on to your computer — such as Outlook attachments. If this protects you from Outlook attachments, it UNLIKELY can protect you from scripts embedded in web pages. It will NOT likely do both.
As for not getting infected yet — well, there are plenty of people whose houses never get robbed if they leave the door open. I am not sure I am willing to try that method on my house. Again, it is a personal choice.
ActiveX files are not cookies — they are files that are downloaded. Cookies are just text files that can be read by a specific web site. A program file (such as an ActiveX control) is NOT a text file. It is a file that can perform a large number of functions — including erasing your hard drive. ActiveX controls are program files and can do what any other program file can do.
You must have downloaded files from the Internet before — they are not cookies. They are real, active, functional files. If your Internet zone Security tab shows that you have Enabled the “Download signed ActiveX controls”, then IE will download these files when it wants to or needs to. By not removing that check, you have given IE that privilege.
Do you believe digital signing is that secure? Fine. It is your choice. That only guarantees the control was digitally signed when the creator created it. HOWEVER, the creator is not sitting observing what other people have chosen to use their control for! Also, the signatures can be spoofed and re-used far too easily. Look into this further and you will realize that a signature is not enough. It is too easy to abuse.
I recommend you look further into the security MoOutlook really provides you for script embedded into web pages. I would also recommend you look further into the REAL security behind a signed ActiveX control. Let me know what you find out. Thanks.
Yeah, I reckon they’ve misnamed it.
What it does is stop users (and their systems) executing certain file-types directly or inadvertently. e.g. if you have HTML email enabled, just reading it could cause certain worms to execute (e.g. JS.Offensive) if you have not plugged all the security holes in IE. Since it does this for the HTML embedded script in an email, I should imagine it protects you from infected web pages as well. I don’t think it touches email attachments, unless they have one of those double extenders that includes one of those listed below. Anyway, surely nobody actually opens attachments directly any more? My usual advice is not to get into the habit of sending or receiving them. It’s a good way to get and spread viruses.
It controls the following script files :
– *.vbs
– *.vbe
– *.js
– *.jse
– *.wsf
– *.wsh
– *.hta
– *.shs
– *.reg
“These file types are often used by virus writers to spread viruses.
MoOutlookSecurity prevents these files from being directly executed by the user. Instead of ‘running’ the applications MoOutlookSecurity displays them to the user”.
(example : If you have MoO running and click a *.reg file, it will not modify the registry, but will display in Notepad. To use the .reg as intended, you need to right click and select Merge.)
It will provide “enhanced security” whilst running the following:
Hmmm… first off, I seem to be mentally impaired more than usual. I cannot find MoOutlook on that MobiusWare site. I do not see it under the Professional Products.
However, by your description it works on “certain file-types”. If this is the case, then it unlikely works on embedded scripts in HTML. That means HTML on a web site — AND also scripts embedded in HTML email.
Want easy proof? Make sure THIS SITE (http://www.wopr.com) is in your Internet zone with Active Scripting enabled. Have MoOutlook active — supposedly stopping “scripts” from running — correct?
Now, put your mouse pointer over the QuickStyleFlash: Show Lex’s. Don’t click yet, but instead look at the left end of the status bar (bottom of window). You will note it says “Shortcut to java script: changeSheets(2)”. This is obviously a link to some script — JavaScript to be exact. Now click the Show Lex’s. Then click Show Mine.
OK, that is JavaScript. It is on this HTML web page. If you are relying on MoOutlook to protect you from HTML embedded script, you are putting yourself at risk. From what I can tell, MoOutlook can ONLY protect you from “these files from being directly executed by the user”.
That means the FILES must be on your computer. MoOutlook simply changes the default association of those listed file-types from Open to Edit. This type of security works fine for Email attachments. They are just files that are downloaded on to your computer.
**But it has NO effect on scripts embedded in HTML.** That includes HTML on a web page and in an HTML email.
Now I know, you are going to say that the “Show Lex’s” example required you to click something. That is true. But NOT all script requires you to click anything. Script can be running automatically by viewing a web site or opening an email. Even the “Preview Window” in Outlook makes you vulnerable. That is why some people recommend you disable the Preview Window.
The simplest way to protect yourself against SCRIPT in HTML from running is to Disable Active Scripting in your Internet zone. For HTML Email, make sure your Outlook or OE open into your Restricted sites and make sure you have everything Disabled in your Restricted sites.
____________________________
In a related issue: Microsoft is well aware of the dangers of script embedded in HTML email. So much so, that “HotMail” will not allow script tags in the body of the email. HotMail actually removes or disables the script in the document.
HOWEVER, as always, some users have found a way around this. You can bypass the HotMail filters by inserting JavaScript into the “From” line!! Read more about this here.
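Added example, not part of the thread: the distinction argued above between controlling script *files* by extension and finding script *embedded in HTML*. The extension list is the one quoted for MoOutlook Security; the helper names `caught_by_extension` and `embedded_script` and the sample page are constructed for illustration, and this is not how MoOutlook Security itself is implemented.

```python
import os
from html.parser import HTMLParser

# File types the thread lists as controlled by the extension-based tool.
FILE_TYPES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".shs", ".reg"}

# Constructed sample: an HTML page or HTML e-mail body. Nothing in it is a
# separate script file, so there is no extension for a file-type filter to see.
SAMPLE_HTML = """<html><body onload="init()">
<script type="text/javascript">function changeSheets(n) { /* swap stylesheet */ }</script>
<a href="javascript:changeSheets(2)">Show Lex's</a>
<p>No attachment, no file on disk.</p>
</body></html>"""


def caught_by_extension(filename):
    """True when the last extension is on the controlled list.

    Only the final extension counts, so 'photo.jpg.vbs' is caught.
    """
    return os.path.splitext(filename.lower())[1] in FILE_TYPES


class ScriptFinder(HTMLParser):
    """Collect the places where HTML markup can carry script."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            self.found.append(("script element", tag))
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                # onload, onclick, onmouseover ... run without any download
                self.found.append(("event handler", "%s %s" % (tag, name)))
            elif name in ("href", "src") and value.startswith(("javascript:", "vbscript:")):
                self.found.append(("script URL", "%s %s" % (tag, name)))


def embedded_script(html):
    """Return a list of (kind, location) for script carried inside the markup."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for name in ("photo.jpg.vbs", "settings.reg", "newsletter.htm"):
        print("%-16s extension control applies: %s" % (name, caught_by_extension(name)))
    for kind, where in embedded_script(SAMPLE_HTML):
        print("newsletter.htm   embedded %s at <%s>" % (kind, where))
```

The `.htm` file passes the extension check while the parser still reports three script entry points inside it, which is why the zone setting for Active Scripting, not a file association, decides whether that script runs.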
Hi
From the Freeware page you mention, there should be a left-hand frame in bright blue. One of the clickable options is Downloads. Click this and on the new page MoO is the fifth down. If you could try it out, I would be very interested to know if it does or does not offer protection from unfriendly script. I am beginning to think it won’t, since it specifically refers to file extensions. One of them is .js, but the javascript I use on my web pages never uses it.
I’ve also noticed that my virus scanner (NAV) has ‘script blocking’ enabled, yet it does not turn off animations or pop-up ads – or Lex’s stylesheet. Under Internet, Web Protection the only option, called Netscape Navigator, is greyed out.
I’m now beginning to wonder what exactly HTML embedded scripts we are talking about. I thought the term referred to worms sent to your system in an email page, or via a web page. (I was not talking about email attachments, which are a quite different thing). If this is the case, they must be trying to exploit some hole or other in your security. If you have all the holes blocked, any penetration would have to be via some as yet unknown breach.
Am I correct in asserting that script worms cannot infect a system with correctly patched security, even with Active Content engaged? (Have a field-day with that one).
I can see why you pour scorn on my reliance on digital signatures. I won’t any more. Equally, I can’t see how placing sites in your trusted zone would protect you, should one of them have been nobbled, Nimda-wise. As far as I can see (HTTPS:// apart) if you visited one of your trusted sites which had been innocently infected, your security settings are so low you, too, would have become contaminated.
btw with Active Scripting set to Prompt, trying to preview a post here brings up a dialog box. With it disabled, it displays as normal. I wonder why that might be….
Rgds
No, it was not related to zone settings. I just somehow did not do the right clicks at the right time!!! I was not following directions. DUH!! I see it now and I just downloaded it. I have to go to a lunch meeting, so I will look at it later.
I disagree with your last post. If you switch off Active Content the web page cannot enjoy your computer’s personal information as well!
YES, sites in the Internet zone will be limited — and THAT is OK with me.
If I trust a site enough and I WANT it to run Active Content, then I have to make the conscious decision to add it to my Trusted sites zone. Yes I could then be vulnerable, but I have made the decision to open the door for that web page.
I suspect you would agree that it is unlikely http://www.wopr.com is going to use script against you. So, there is no problem adding this site to your Trusted zone. There are plenty of sites that you will want to trust. For example, if you don’t add *.microsoft.com to your Trusted sites, you cannot use the Windows Update, MSKB, or Search the microsoft web site.
Again, this is OK. I don’t mind trusting them — well, maybe a little! But for other sites that I do not know and do not trust, I don’t want them to be able to run AC without my permission.
Hopefully, this will put an end to this insanely huge thread:
There are several steps you can take to make yourself more secure. Woody has already addressed the issue when speaking at length about Nimda, and anyone will tell you, “Your best defense is to locate a good Virus Protection Package, and Use it AND update it religiously.” It won’t be the last time you’ll hear that either. True, it will not protect you against malicious scripts…
In all honesty, it’s not a matter of how secure you are, but when your security will fail. Nimda was a nasty bug that took a whole lot of people by surprise. While it didn’t require relatively massive amounts of reconfiguration, or restoration of entire drives, it did cause many, many problems. Bearing this in mind, it’s wise to have some method of restoring to some previous state should it be required. While somewhat off the topic of Internet Security, I’ve seen simple program installations literally fry hard drives.
As to whether Boosting options in IE can protect you… I think that with every upgrade of I.E. you’re exposing yourself to potential security holes. (that’s not to say that if you’re using i.E.5.0 with all the patches that you’re safe…) If Mr. CyberCriminal spends enough time on it, he can and will crack anything.
The absolutely bona-fide safest thing to do is to Junk your computer and go knitting.
The Safest REAL Option: Run an Anti-Virus Package, Install Proven Security Patches for all Internet Software, Use Basic Firewall Software, Check daily for AV & Firewall updates. Keep in tune with latest virus warnings. Establish Trusted Site List.
The use of trusted sites is a good feature. It allows you to check your hotmail without prompts, but if there’s a target out there on Mr. CyberCriminal’s Agenda, Hotmail is high on the list… The fact is, if you’re connected, you’re not 100% safe. Simple as that. I always recommend at least Medium Security, it usually keeps Grandma safe, as long as grandma knows if she’s not sure about a prompt, the answer is No. Personally, I use Very Low security, It works for me because I know what to do to restore my system.
That said, the bottom line is, it all depends on the confidence and preference of the user, I can’t think of a single instance where ‘High’ would be necessary. I believe it is far too restrictive, and causes more problems for your average user than solutions. I always recommend Medium, but use Very Low. I also sit behind a firewall, run AV religiously, and update my software with PROVEN patches on a regular basis. That makes me feel the most comfortable.
Simply put, if you have no problem viewing the world at large via monochrome text, you may as well disable everything, for most people however, this isn’t a Real option.
Now whether anyone will read this entire thread to find this out… who knows..
Regards,
End this thread after a post like that? Unlikely!
Well, well, well. Where do I start? Like I always say, security is a personal choice. You have to do whatever makes you feel safe. But you need to make informed decisions. Yes, you can drive your car at 100 mph and have no problems, but that does not make it safe.
Everything in life involves risk. If you get behind the wheel or get on an airplane, you are taking a certain amount of risk. However, you want to do whatever you can to minimize your risks. Where you draw the line and feel ‘enough security is enough’ is your decision. If, to you, that means junking your computer — then so be it!
Yes, the question is *when* your security will fail. EVERY security expert believes a multi-pronged defense is the best way to go — in ANY aspect of security, whether it be your house, your car, or your computer. You need a backup plan. One of the key words is “redundancy” — you want redundant systems in case one system fails. This is a basic principle of security.
“Your best defense is to locate a good Virus Protection Package, and Use it AND update it religiously.”
This is correct, but it is only one system — and it will clearly fail if you rely simply on this. Let’s look at the facts. The majority of the major virus/worm attacks of the past several years (LoveBug, Melissa, Nimda, etc.) were successful for one reason — they were NEW infections and the Anti-Virus companies did not have definitions for them. Any Anti-virus plan that relies solely on pre-defined definitions will fail. The above examples are not trivial — they cost this country MILLIONS of dollars! Yet, each of these could have been stopped by taking simple precautions…
“True, it will not protect you against malicious scripts… ”
Well, “… not protect you from ALL malicious script”. If the script satisfies a previously defined viral definition, it will protect you. The problem remains the NEW scripts that NAV and McAfee (et al) don’t know about yet. And when they hit, they hit fast and spread quick — frequently doing their damage before the definitions can be made and distributed.
“I think that with every upgrade of I.E. you’re exposing yourself to potential security holes.”
How true it is — and in more ways than one. The more do-dads and whats-its that get added to a program, the more ways Mr. CyberCriminal has of defeating your security system. Additionally, IE has a nasty habit of reversing some of your security settings each time you upgrade. It wants you to use the default settings. Nice, huh? So after you upgrade, spend a few minutes looking over what MS has changed for you.
“The Safest REAL Option: Run an Anti-Virus Package, Install Proven Security Patches for all Internet Software, Use Basic Firewall Software, Check daily for AV & Firewall updates. Keep in tune with latest virus warnings. Establish Trusted Site List.”
This list is good but incomplete. Since the VAST majority of major virus attacks were spread via email — and particularly email attachments — a pro-active approach to this vulnerability needs to be added to this list. Perhaps it should say nothing more than “don’t open attachments”, but if you do that, we are destined to relive the past.
People should have learned that lesson with Melissa — they did not. Then maybe with the LoveBug — they did not. As a systems administrator, you simply cannot rely on your employees “doing the right thing”. You will get stung every time. You need a mechanism to protect malicious code from entering your system through email. Microsoft’s heavy-handed Email Security Patch is one method, but many of us believe this is simply too aggressive and too restrictive.
There are better options. First, make sure your Email client is opening mail into a fully Disabled Restricted sites zone (that is the NEW MS default, but this was NOT the case in the past). Get SOME type of protection from Email attachments. Frankly, MerC’s MoOutlook program looks pretty good — and it is free. Also, Jason Levine’s Script Sentry (http://www.jasons-toolbox.com) is a similar solution and similarly free. Lastly, some — but NOT all — firewalls come with an additional Email attachment screening function. For example, ZoneAlarm’s “MailSafe” is quite effective. If everyone used ONE of these techniques, many of the major virus attacks would have NEVER started in the first place…
“The use of trusted sites is a good feature… Personally, I use Very Low security”
But this is where I lose you. If you are setting your INTERNET zone settings on “very low” security, then I really have a difficult time seeing what the purpose of the Trusted site zone is. If both your Trusted sites and your Internet zone are set at low security, then there is no rationale to spending your time dividing sites into certain zones.
The benefit of using the Trusted sites zone comes about if you make your Internet zone more restricted. If both zones are equally secure, then what is the point? As for using anything set to ‘prompt’, well, that just drives me crazy after awhile. I only use the ‘prompt’ setting if I am testing a site out to see what it is trying to do. Otherwise, I find the ‘prompt’ setting too annoying for general use. Again, this is a personal choice.
“I can’t think of a single instance where ‘High’ would be necessary. I believe it is far too restrictive, and causes more problems for your average user than solutions.”
Well, let’s see. High can prevent malicious script from running from a web site — scripts that even your Anti-virus program and your firewall cannot stop. High can prevent annoying pop-ups and pop-unders from overpopulating your screen. High can prevent unwanted ActiveX controls from being downloaded behind your back and run without your knowledge. I guess those *might* be considered insignificant — it depends on your viewpoint. As for “problems” — in my book, the security you gain is certainly worth any minor inconveniences.
“Simply put, if you have no problem viewing the world at large via monochrome text, you may as well disable everything, for most people however, this isn’t a Real option.”
This is the funniest thing you said. Either you were trying to be completely facetious, or you have never written anything in HTML before. Given your moderator status, I must assume the former. However, making such a statement could be misleading to the other members of this forum.
*Disabling everything on the security tab does NOT lead to monochrome text.*
I realize you were joking or speaking off the cuff, but someone is bound to believe that. Active Content is NOT responsible for making the colors, the fonts, the tables, or many of the other interesting aspects of a given web page. Those are controlled by HTML itself or by the use of Cascading Style Sheets. Users who choose to restrict their Internet zone for security reasons will *not* see a monochrome, monospace Internet!
I contend that it IS a REAL option for MANY of us who are security-minded. I have used it for years. Furthermore, using a Trusted sites zone with a similarly secure Internet zone is completely illogical.
SECURE your Internet zone and USE your Trusted sites zone to allow the sites you trust to run all the do-dads and whats-its you like! You CAN be secure — even more secure than MOST every other user — and still enjoy the benefits of the Internet. The choice is personal, but KNOW your options before you decide.
Just my humble opinion. Use it if you wish.
I think you’ve pretty much re-iterated my points. The simple fact is that it’s all a matter of personal preference. Ian is right, there is a lot to digest here. The first thing I want to point out to whoever is reading this epic on security is that one should do what one is comfortable in doing. You can always seek further advice in the lounge, just be careful what you ask for!
> Let’s look at the facts. The majority of the major virus/worm attacks of the past several years (LoveBug, Melissa, Nimda, etc.) were successful for one reason — they were NEW infections and the Anti-Virus companies did not have definitions for them.

True, but I think you’ve misread my recommendations… the key here is USE and Update Religiously. I still get hit daily with Sircam, Melissa, et al. Using an AV package entails the research required to ensure you’re on top of the game. New bugs will ALWAYS floor you, frankly, it doesn’t matter what you do. If code is malicious enough, it will bite your system.
> One of the key words is “redundancy”

Hence my ‘Real’ recommendation: The Safest REAL Option: Run an Anti-Virus Package, Install Proven Security Patches for all Internet Software, Use Basic Firewall Software, Check daily for AV & Firewall updates. Keep in tune with latest virus warnings. Establish Trusted Site List. I will admit that I left out e-mail, but then that’s an entirely different discussion.
That said, I feel I should define my ‘Very Low’ security settings. All active Scripting, Enabled, however, programs cannot be started on their own, I get prompted for that. My system is not an open door to the world, but compared to some, it is ‘Very Low.’ Works well for me that way.
It’s all a matter of preference.
> People should have learned that lesson with Melissa — they did not. Then maybe with the LoveBug — they did not. As a systems administrator, you simply cannot rely on your employees “doing the right thing”.

Having spent a good many years behind the scenes in IT, I can relate with that point. The fact is, they will more often than not, do the ‘Wrong Thing.’ As a systems administrator, you have a duty to setup your systems using the most secure means possible, while maintaining the efficiency of your peers.
> Either you were trying to be completely facetious, or you have never written anything in HTML before. Given your moderator status, I must assume the former. However, making such a statement could be misleading to the other members of this forum.

You’re misreading here again. Surely you can identify constraints in the presentation of most ‘new’ internet pages with specific items disabled in your options… (that is, IF they load at all…) True, I’m not overly versed in the composition of HTML pages, but I don’t think I’m too far off the mark when I state it’s a hairy business. Web Authors are tasked not only with making their content appear the same on multiple platforms, but also protecting their own masterpieces from invasion… Again, Another discussion entirely.
I don’t find it time effective to manipulate my settings every time I want to view a JavaScripted page, nor do I find the prompts helpful at all, on the contrary, I believe settings are as buried as they are for a reason, and should only be accessed as absolutely needed. For me, it’s paramount to have a method of recovery. That averts any concern for internet security. While I recognize that a bug could possibly fry my hardware, all I need to be comfortable is an adequate backup. I’ll never lose more than a few hours work, that’s what works for me.
Finally, if anyone has any further questions on security, please feel free to post in another thread, as apparent here, it’s one hot topic, but mostly dependent on personal preferences. Your key, always have a way to recover everything, that makes you redundant, not only with regard to Internet Security, but just about everything. (Consequentially, we can offer help on this too, just ask!)
Warmest Regards,
Thread Split
Posted by dale.lacey on Oct. 11th, 2001
> I guess the only outstanding question I have is, how can you get one of these ads popping up from a site that doesn’t host ads (like http://www.cooper.com)? I don’t understand what the mechanism could be.
>
> Thanks again for all the help
>
> Dale

rmucker’s original reply:
The mechanism is usually through Active Scripting. Occasionally through ActiveX. There are many reasons for disliking pop-up ads. There are the obvious annoying obstacles they create, but in IE6 they also create a new “first-party” site that the user has not authorized.
The page in question appears to use one of the most common techniques to display this pop-up window — it uses JavaScript. If you select to Disable Active Scripting in the Tools | Internet Options | Security tab | Internet zone | Custom settings box, this pop-up should not load.
Edited by DrkRealm: Split Thread
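
The zone setup argued for in this thread (a restricted Internet zone, with Trusted sites carrying the exceptions) and the Disable Active Scripting setting from the reply above can be checked from a registry export of the IE zone keys, which also helps after an upgrade has changed settings. The following is an added example, not code from any poster; the export text is constructed, and the action IDs and policy values are the ones Microsoft documents for IE security zones.

```python
import re

# URL action IDs for IE security zones; policy values: 0=Enable, 1=Prompt, 3=Disable.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
}

# Constructed sample in `reg export` format (zone 2 = Trusted sites, 3 = Internet).
# A real export is usually UTF-16 and must be decoded before parsing.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000000
'''

def parse_zones(text):
    """Return {zone_id: {action_id: policy}} from .reg export text."""
    zones, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = re.match(r"\[.*\\Internet Settings\\Zones\\(\d+)\]$", line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # some other registry key; ignore its values
        elif current is not None:
            val = re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line)
            if val:
                current[val.group(1).upper()] = int(val.group(2), 16)
    return zones

def audit(text):
    """Flag Internet-zone actions that are enabled or no stricter than Trusted sites."""
    zones = parse_zones(text)
    internet, trusted = zones.get("3", {}), zones.get("2", {})
    findings = []
    for action, name in ACTIONS.items():
        policy = internet.get(action)
        if policy is None:
            findings.append((action, name, "missing from export"))
        elif policy == 0:
            findings.append((action, name, "Enable in Internet zone"))
        elif action in trusted and policy <= trusted[action]:
            findings.append((action, name, "no stricter than Trusted sites"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```
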