Security Basics mailing list archives
Re: XML based software interfaces and browser hijaking
From: Adam Jones <ajones1 () gmail com>
Date: Wed, 6 Oct 2004 09:16:26 -0500
I think the problem lies more in the way that XML is used than in the XML itself. The problem you encountered was an IE problem experienced through the use of IE in an XML implementation. If it were possible to redirect the AV software's interface to another browser that did not have some of the security issues or ubiquity of Internet Explorer you probably would have been able to use the software's interface without a problem. I guess my short answer is that since this trend of using XML generally seems to require software that has a strong track record of insecurity, we will continue to see problems with XML interfaces. If, however, someone gets smart and uses a seperate web engine (gecko perhaps) to implement their interfaces it would solve a lot of these problems. (and create a few more with the loss of activex as a medium for distributing content, but I think the extra security and product usability is worth the effort) On Mon, 04 Oct 2004 08:52:40 -0800, Carey Myers <cmlist170 () hotmail com> wrote:
Recently I have spent a significant amount of time restoring a few computers of friends/family that have had the following problems: One or more of any number of downloader trojans were installed, presumably from using an unpatched browser to access a malicious site. Their browsers were severely hijacked. Neither machine was current on virus definitions. Neither machine could be updated for virus definitions or scanned because the AV software was using an XML interface with a modified Internet Explorer browser window, which was immediately redirected to the hijacked browser web page. The same went for any "scan my computer" function I tried. Only by installing an alternate browser and doing a scan from online (importing AV defs from another PC was not possible as there was no PC available) was I able to identify and remove the virus. Internestingly, corporate editions of the same brand of AV product still use a standard window-based interface. To extrapolate further, any software product with an XML interface would become unusable, making the impact of browser hijacks deeper and more damaging. I was just wondering if this XML trend seems as potentially dangerous to others as it does myself. With current virus definitions, the AV product would have prevented the infectious components from being written to hard disk. But with computers shipping with 3-month trial subscriptions to AV software, it is very easy for AV to become outdated. I don't want this to break down into "Users should take care of their computers or get off the net" debates, I just want to see what others think about XML interfaces for software (especially AV) products and the consequences of this shift in the consumer market. Is XML interfacing a potential security liability? Should AV vendors protect their user interfaces better? CM _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar – get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
Current thread:
- XML based software interfaces and browser hijaking Carey Myers (Oct 04)
- Re: XML based software interfaces and browser hijaking Adam Jones (Oct 07)