Category: Web

Update: Patch for part of the problem:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en

On line news sources have picked up ISC’s warning of a new threat to IE users which could allow hackers to steal on line banking passwords.  The code exploits a combination of a hole in unpatched IIS web servers to install malicious pop ups and a hole in IE to install a program via that pop up. The installed program watches for connections to a specific set of banking sites and logs the username and password (yet another reason everyone should get a pop up blocker, I’m so glad XP SP2 comes with pop up blocking as part of its greatly enhanced security).

Unfortunately the articles don’t do anything to help users understand what they should do to protect themselves from this attack or even if there is anything they can do. The reason for this lack of info is there is little users can do to defend against this exploit, even for advanced users. This is very scary to users of any level.

So… what should users do?  Here are my suggestions (yeah, these are my suggestions, my employer hasn’t approved them etc.)

Users of Windows XP can protect themselves by upgrading to Windows XP service pack 2, RC2 (RC2 means “release candidate 2”, i.e. it’s not the final version). Early adopters may rejoice and the braver among you may jump on board. I’ve been running SP2 for a while now and my personal opinion is: RC2 is great, but just in case you should back up your stuff and choose the install option which allows you to remove it if you have second thoughts later on. Unfortunately SP2 RC2 is a “preview” and isn’t supported by us yet. 🙁

Users should also review the ISC list of targeted bank URLs (scroll down through the report to find the list). If users have visited any of those sites recently they should seriously consider changing their banking password. By the law of averages users who get frequent pop up advertisements are the most at risk (regardless of the type of site you visit).

For users of earlier versions of Windows or people who aren’t willing to install the unsupported RC2 release there isn’t a fix yet, but there will be a fix in a couple weeks (no date has been announced yet). To help protect users until the patch has been fully tested Microsoft is working with law enforcement to shut down all the sites known to be hosting the exploit.

On a related note, if you don’t update your system regularly, you really should.  I’ve set Windows to automatically update my machines every night at 3am if needed.  Some worry automatic updates will cause problems but here’s my anecdotal data: I’ve been running automated updates on my very non-standard PC (a dual processor, 500 MHz Celeron with additional hardware that hasn’t been approved for Windows 2000 much less XP) for as long as it’s been available – I have never had a problem caused by the automatic updates.  Besides, the problems created by not updating far outweigh the possible problems you might encounter with the automatic updates.  Also, the automatic updates don’t include hardware drivers in the vast majority of cases (and it’s the hardware driver updates that cause many upgrade problems people encounter).

Some more details from ZDNet: http://zdnet.com.com/2100-1105_2-5251981.html?tag=nl