Re: Spyware becomes increasingly malicious (let's return to reality)

[Curtis Maurand <curtis () maurand com>]

The problem is Active-X, not the OS.  Anything running from the browser 
should be in a sandbox as it is with Java applications, the same is true 
for the email client.  Active-X gives scripts running from the browser 
and the email client access to the entire machine in the name of 
functionality.  In some cases users are prompte to authorize the 
installation of software when they get to a web page.  Even when they 
choose "No," the software continues to install.  Its a security hole big 
enough to drive a tank through.  Mozilla is your friend.

Curtis

--
Curtis Maurand
mailto:curtis () maurand com
http://www.maurand.com


On Thu, 15 Jul 2004, Brett wrote:

> -----
> First of all, even if OS have not any caveats, it will not protect it from
> spyware/adware. if I want to install my 'Cool-Search' into million of
> computers, all I need to do is to write fancy game, and offer it 'free of
> change' in exchange of 'Allow to show you ads once / day'.
> That's all - you will have everything installed explicitly.
> -----
>
> Not necessarily true.  Security/permissions plays a major part in the
> effectiveness of adware and spyware.  A majority of consumer Windows
> OS's run with the default login as an admin user.  When a user chooses
> to install "Cool-Search", their user rights allow for registry changes
> and alterations of system libraries, which cause ads to display when
> using IE.
>
> Can this be prevented by running Windows as a non-privileged user,
> yes.  But people want to install their "Cool-Search" and
> non-privileged users can't install anything.
>
> When using OS's other than Windows, users can install their own
> binaries, but they do not have access to modify the system binaries.
> Then can still browse with the system wide Mozilla/whatever, but their
> actions will not have the ability to alter anything that will allow
> for ads to be served when browsing, or for browsing habits to be sent
> to a third party.
>
> User information is still vulnerable, and the potential is still
> there, but a single user's infection/installation will generally not
> have the same impact on the system.
>
> -b
>
> On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <alex () relcom net> wrote:
> > Ok, let.s return to reality (sorry for moving this thread into the OS
> > related flame).
> >
> > First of all, even if OS have not any caveats, it will not protect it from
> > spyware/adware. if I want to install my 'Cool-Search' into million of
> > computers, all I need to do is to write fancy game, and offer it 'free of
> > change' in exchange of 'Allow to show you ads once / day'.
> > That's all - you will have everything installed explicitly.
> >
> > But 'hidden' installation makes it much more easy for spyware, and is (in
> > general) a very big evil. System must distinguish between 'USER' mode (use
> > applications but do not change system behavior) and 'INSTALL' mode
> > (install/delete/add software, processes and so on). In many cases, system
> > must ask password to do any such action. (If you know MS, you can image
> > which nightmare is to implement it -- I worked with IDS such as Osiris and
> > had a fun, guessing what system decide to change today. But it is not a
> > problem in most other OS).
> >
> > Second, but even worst, problem is absense of ANY system interface showing
> > you, what is starting, stopping and running. It is not any problem to remove
> > spyware, from common point of view - just open 'list of running processes'
> > and 'Startup list' and uncheck everything you do not want to see. Problem -
> > such interface does not exist, is not possible because of complexity (there
> > are milluions ways of starting anything) and can not trace a history of
> > processes (because of, again, extra complexity, unlimited usage of 'classes'
> > and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change
> > history' system could easily revert such changes back so that instead of
> > very complex 'adaware' scaners we will have just 'change history, revert ?'
> > button.
> >
> > Third is more easy for ISP - if we can not fight with bad software, fight
> > whith those who got a profit using it. For SPAM - ok, there is not ANY way
> > to stop sending spam (fort now), but any SPAM advertices someone, and this
> > someone is always 100% identified - so fight (limit, flood by calls,
> > overload by false information, etc) SPAM benefitiants, learn them do not
> > purchase 'We will send your advertice to 10M people over the world'. The
> > same in case of adaware. For spyware, fight those who receive information
> > back - by any way.
> >
> > ----- Original Message -----
> > From: "John Underhill" <stepnwlf () magma ca>
> > To: "Niels Bakker" <niels=nanog () bakker net>; <nanog () merit edu>
> > Sent: Wednesday, July 14, 2004 1:12 PM
> > Subject: Re: Spyware becomes increasingly malicious
> >
> > > Ok.. but has BSD been attacked on the scale that MS code has? I would
> > argue
> > > no, not even close. Do you believe BSD is invulnerable to attack? Hardly..
> > > Unless you want to go back to text based browsers and kernals that fit on
> > a
> > > floppy, it is extermely difficult to eliminate all vulnerabilities in the
> > > code of a sophisticated OS. The more complex the system, the easier it is
> > to
> > > break, and with the level of automation currently expected by most users,
> > > this requires a very complex build.
> > > Could MS be made more secure, of course. Do I think they are actively
> > > working on the problem, yes. If Novell or Mac had risen to the top of the
> > OS
> > > heap, would they be catching all the viruses now? I think they would.
> > > Really, my point was not to argue this, but that there is no justification
> > > for malicious code, that you can't simply pawn it off on MS as being the
> > > real problem. By doing that, you are saying that people creating spyware
> > and
> > > viruses are not culpable for their actions, that they should be allowed to
> > > create havoc and destroy systems, because really they are only leveraging
> > > 'features' built into the operating system.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Niels Bakker" <niels=nanog () bakker net>
> > > To: <nanog () merit edu>
> > > Sent: Wednesday, July 14, 2004 3:31 PM
> > > Subject: Re: Spyware becomes increasingly malicious
> > >
> > >
> > > > > > Sorry, it was a _technical_ question - is MAC OS known as having
> > pests
> > > > > > and ad-ware in the comparable numbers (if any)?
> > > >
> > > > * stepnwlf () magma ca (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> > > > > This is spurious logic. You are suggesting that Mac is a more secure
> > > > > operating system, and I would suggest that it is probably far less
> > > > > secure, because it has not had to withstand years of unearthing
> > > > > vulnerabilities in the code.
> > > >
> > > > It has.  Darwin is based on years of development in BSD code.
> > > >
> > > >
> > > > -- Niels.
> > > >
> > > > --
> > > > Today's subliminal thought is: