Fatma Bazargan’s blog

Last week at CanSecWest security conference in Vancouver, British Colombia, a “single-click-and-you’re-owned exploit,” was unveiled in the beta release of Microsoft’s browser, Internet Explorer 8 (IE8). Microsoft confirmed that the vulnerability exists in the official release of IE8. The exploit apparently defies Microsoft’s DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies.

On other hand, Mozilla announced that it will release next week Firefox 3.0.8 to close serious security vulnerability and this makes the second big exploit of Firefox in a week. The exploit code has been publicly posted and it provides an opening through which attackers can enter Firefox source code and modify it. If a Firefox user simply views a maliciously coded XML file on a website, in a style of attack known as a drive-by download.

By the way, the drive-by download affects Firefox running on all platforms, including Mac OS and Linux, according to Mozilla developer notes.

define: drive-by download (wikipedia)

Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the “supplier” may claim that the user “consented” to the download though s/he was completely unaware of having initiated a malicious software download.

The main issue is that end-users run their computers with administrative privileges, which enables an attacker to run code on a victim’s machine using the victim’s current privilege level (admin).

This type of attack can be prevented and mitigated if the end-user follows some of the below methods:

• Avoid logging to your machine with an account that has administrative privileges. Log in as a normal user (low-privilege) unless if something is really required then you can always switch to account with admin privileges.
• For those who are into virtual machines, always run your browser sessions in a contained virtual machine (Vmware, etc.), and in this way your browser session is completely segmented from your actual machine so even if the exploit is successful, you can always revert back to an earlier snapshot and as if you were never infected.
• Finally if you use Firefox then run it in Restricted Mode and use the NoScript add-on for Firefox. This prevents JavaScript from running until you allow it to.

Safe browsing,

Fatma Bazargan