Have the Recent Virus Horrors Brought the Browser Wars Back?

Computer security experts warned of another raft of new Internet threats circulating on the Web that can steal sensitive financial information, passwords and account information of Internet users.

The United States government's Internet defence experts, along with other computer specialists, have taken the highly unusual step of urging users to consider a switch away from Microsoft's widely used Internet Explorer (IE) because of the new security problems.

This highly rare - and for Microsoft, embarrassing, warning comes because of a security hole that has allowed hackers to secretly install software on many websites that use Microsoft's Web server programs. When visited using Internet Explorer, this in turn, downloads spyware programs to personal computers, including one that steals credit card numbers and other forms of financial information.

Unfortunately many people don't worry too much about viruses, but last week's attacks has snapped many of them awake. 'This is a wake-up call for us to advise users to switch to an alternative browser,' said a spokesperson for the SANS Internet Storm Centre in the US, which tracks immediate threats on the Internet. With Internet Explorer, you're playing Russian roulette and hoping the sites you visit aren't compromised they went on to say.

How does this particular “nasty” get spread?

The bug exclusively targets users of the Microsoft Internet Explorer browser. Hackers have apparently infiltrated advertiser servers and effectively "poisoned" certain pop-up ads to install a program that reads keystrokes that you type in and then relays them to a website operated by hackers located in Europe.

The particularly evil part of at least one of these schemes is that it has a list of about 50 banks, and if it detects that your browser is going to that bank, it looks for login passwords, and intercepts that information before it gets encrypted.

This latest threat is a variant of “spyware” which installs programs on the computers of those browsing the Internet and has also been known to sometimes hijack browsers. Many Experts are now saying the only way users can protect themselves from these bugs is by installing and using a Web browser that is not made by Microsoft.

What exactly does this bug or virus do?

Somewhat unusually, software on computers that pick up the bug will record the keystrokes of users who visit infected Web sites.

The attack causes users to pick up keylogging software merely by visiting infected Web sites. This attack targets users of financial services sites or banks. Another infects computers via pop up advertising alone.

Where banks and online commerce sites use encrypted connections between a user's computer and the company's computer, this new strain of software records a user's keystrokes from outside the encrypted connection on a user's computer. In other words, seasoned Internet users who look for the padlock in the bottom corner of IE when they make transactions could still be vulnerable to theft if their computer is infected with this program.

Why is this particular outbreak different to others?

Whilst Internet administrators sterilised one infection by shutting down the Russian server that hosted the spyware it was not before one commentator zeroed in on why the attack was so scary. "This time," he wrote, "the flaws affect every user of Internet Explorer." That's about 95 percent of all Net users. No matter how well they had protected themselves against viruses, spyware, and everything else in the past, they were still vulnerable to yet another flaw in Microsoft's browser.

Is everybody – that is all Internet users affected?

None of the most prominent alternative browsers, Opera, Mozilla or Netscape, is vulnerable to the flaw. Nor are computers running Linux or the Macintosh operating systems.

It only targets users of IE and can be picked up from pop-up ads that secretly download software capable of capturing users' keystrokes or visiting infected sites.

These recent attacks highlight new risks to transmission of sensitive financial information on the Internet. And whilst the websites involved in the stolen data have been shut down for now, and thus removing the immediate threat, it certainly doesn't mean the perpetrators of these particular techniques can’t put it in place somewhere else.

So, just who are the people producing these types of illegal systems?

It is thought organised crime syndicates are producing these types of malware. The bug apparently tries to send the stolen information to a Web site based in Estonia.

This particular clever assault is thought to have been carried out by Russian criminals who managed to infiltrate a number of corporate Web servers and then used them to infect computers that visited those sites.

Getting back to these people that make the alternative browsers – do they know their stuff?

Firefox, for instance, is built and distributed free by the Mozilla Organization, a small non-profit corporation spun off last year from the famous but now fading remains of the once ubiquitous Netscape. Microsoft all but wiped out Netscape in the Browser Wars of the late 1990s, some would say because Microsoft pushed the boundaries of business ethics.

Six years later, there is a resurgence of Mozilla and it’s staging a comeback. The latest version of Firefox has a very professional look, online help, and a tool that automatically imports your bookmarks, history, site passwords, and other settings from Explorer. Meanwhile, all-conquering Internet Explorer has been stuck in the mud for the past year, as Microsoft stopped delivering new versions. The company now rolls out only an occasional fix as part of its Windows updates.

So has this major security hole in Microsoft's Internet Explorer become little more than a golden marketing opportunity for alternative browsers such as Mozilla and Opera?

As of last Sunday, at least 130 Web sites were still attempting to infect visitors, according to Internet security firm Websense, which discovered that more than 200 of its customers attempted to download the Trojan horse from the malicious Russian site in the past week.

Non-Microsoft browsers, such as the Opera browser and the Mozilla and Firefox browsers simply don't have many of the vulnerable technologies and tend to focus more on just providing Internet browsing features alone, to a large extent keeping the project separate from the operating system.

Such a focus differs from Microsoft, which has chosen to tightly integrate IE into the operating system, in part to sidestep antitrust issues.

Firefox and others eschews well-known infection paths. You can configure it to automatically download most files when you click on them, but not .exe files, which are runnable programs. Exe files could be viruses or stealth installers.

Are these new browsers very different, are they easier or harder to use?

Once you're set up, it may take a day or two to get used to the new interface and feature differences between Explorer and say, Firefox. Your favourite sites may also look a little different for a start.

But there are also some great advantages. Firefox also adds a productivity features that Explorer has never gotten around to, namely tabbed browsing. You can open several Web pages in the same window and flip through them as tabs. It's hard to explain why tabbed browsing is such an improvement until you've tried it. Tabbed browsing is an order of magnitude more efficient and organised than popping up a whole new window for each link.

Will these new browsers make your computer hack proof? Well, no software can be guaranteed to be 100 percent safe. But for now, there's safety in numbers – or more precisely - the lack of them, that is. Internet Explorer is used by 95 percent of the world. Other browsers account for less than 5 percent at most. Which browser do you think the Russian hackers are busily trying to break into again?

A few sites may not display properly, but they're pretty rare. More common are those that foolishly turn non-Explorer browsers away by claiming they're "unsupported." Some useful ActiveX-powered sites such as Windows Update won’t load at all, but that's Ok. You can always launch Internet Explorer for those when you need to.

Can this type of vulnerability be cured in the future?

The Mozilla Foundation, along with Opera, Apple, Sun Microsystems, and Macromedia, announced plans to extend the Netscape Plugin Application Interface (NPAPI) in order to furnish an open source, scriptable, and secure plug-in model, thus standardizing plug-in functionality. Opera, Apple, and Mozilla all produce browsers, while Sun and Macromedia control the software employed to make many of today's plug-ins.

They are said to want to keep clear of the danger of one reigning browser with its own specs and having them embraced as legitimate standards because they are popular. A dominant browser is the major source of concerns over security.

Microsoft's Internet Explorer (IE) has suffered from many security shortfalls, including the recent critical security hole enabling hackers to install spyware onto Web servers that has gone unpatched for several weeks.

Late breaking news?

Microsoft has released a work-around the Internet Explorer vulnerability that left Windows users open to attacks and allowed an install of a malicious program on victims' computers. Microsoft plugged the hole by turning off the ability for the ActiveX component to write to the operating system. They have published the work-around on their Web site and advised customers to use the Windows update service to download the patch.

While Microsoft intends the change to become a standard configuration for Windows, they are still working on a more comprehensive solution.

Arthur Hissey
Computer Research & Technology
www.crt.net.au