Wednesday, May 12, 2004

IE Considered Dangerous

I'm not about to say that those who insist on using Internet Explorer deserve whatever comes their way, but I will say on the record that this story shows why one has to be a moron to go on doing so. It isn't merely a matter of patching the odd security hole, either: ActiveX, Microsoft's in-house replacement for Netscape's plugins, has a fundamentally broken security model. To make things worse, rather than simply creating a browser API and providing Internet Explorer as a default, replaceable implementation, Microsoft decided to build the damn thing into the operating system, making it impossible to completely nullify the risks that come with using Internet Explorer.

Browser hijackers are doing more than just changing homepages. They are also changing some peoples' lives for the worse.

Browser hijackers are malicious programs that change browser settings, usually altering designated default start and search pages. But some, such as CWS, also produce pop-up ads for pornography, add dozens of bookmarks -- some for extremely hard-core pornography websites -- to Internet Explorer's Favorites folder, and can redirect users to porn websites when they mistype URLs.

Traces of browsed sites can remain on computers, and it's difficult to tell from those traces whether a user willingly or mistakenly viewed a website. When those traces connect to borderline-criminal websites, people may have a hard time believing that their employee or significant other hasn't been spending an awful lot of time cruising adult sites.

In response to a recent Wired News story about the CWS browser hijacker, famed for peddling porn, several dozen readers sent e-mails in which they claimed to have lost or almost lost jobs, relationships and their good reputations when their computers were found to harbor traces of pornography that they insist were placed on their computers by a browser hijacker.

In one case a man claims that a browser hijacker sent him to jail after compromising images of children were found on his work computer by an employer, who then reported him to law enforcement authorities.

"The police raided my house on Sept. 17, 2002," said "Jack," who came to the United States from the former Soviet Union as a political refugee, and has requested that his name not be published. "Nobody gave me a chance to explain. I was told by judge and prosecutor that I will get years in prison if I go to trial. After negotiations through my lawyer I got 180 days in an adult correctional facility. I was imprisoned for 20 days and then released under the Electronic Home Monitoring scheme. I now have a felony sex-criminal record, and the court ordered me to register as a predatory sex offender for 10 years."

Jack originally believed that the images found on his computer were from a previous owner -- he'd bought the machine on an eBay auction. But he now thinks a browser hijacker may have been responsible.

"When I used search engines, sometimes I got a lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal porn sites. When I tried to close one, another five would be opened without my will. They changed my start page, wrote a lot of illegal porn links in favorites. The only way to stop this was turn the (computer's) power off. But when I dialed up to my server again, I started with illegal site, then got the same pop-ups. There were illegal pictures in pop-ups."

[............]

Security experts who were asked to review Jack's claims said it is possible that a browser hijacker could have been the reason porn images were found on Jack's computer. But they also pointed out some discrepancies in the story.

Some of the images were found in unallocated file space, and would have to have been placed there deliberately since cached images from browsing sessions wouldn't have been stored in unallocated space.

[............]

Telling people that "the computer" is downloading pornography on its own often provokes smirks and disbelief.

"I have to say it's like insisting the dog ate your homework," said Jeff Bertram, a systems administrator in New York City. "Are you going to admit that you downloaded porn to your pissed-off spouse or employer? Or to a judge? Hell no, your honor, it wasn't me. The browser did it."

Jack said he would like to appeal his conviction, but knows it will be difficult to convince people that he didn't download the pornography found on his machine.

"The police found nothing in my house, you know, not even a Playboy magazine," he said. "Only in the computer. But most people do not understand that such a thing is possible, that the computer could have made this happen. Plus, with child pornography, people's reaction is only emotions and no thinking."

"I advise Internet users to be very, very careful," Jack added. "Committing a felony is very easy; it just takes one click."

Sure there's a chance that this "Jack" guy is lying, and he actually did visit those illegal links intentionally, but the scenario he outlines is hardly farfetched, and he did send in his testimony of his own volition and under the cover of anonymity, meaning that there isn't obviously anything for him to gain by lying.

The "discrepancy" pointed at by the so-called "experts" interviewed by Wired is actually nothing of the sort; if Internet Explorer couldn't have stored images in unallocated file space, neither could the average individual, as the sheer act of saving a file to one's hard drive prompts the operating system to allocate file space. I think what really happened here is that the images at issue were initially stored on Jack's drive - whether by Jack, the machine's previous owner, or by a hijacked Internet Explorer - and then an attempt was made to delete them. Unfortunately for "Jack", the way in which Window's FAT and NTFS filesystems deletes files is simply to remove the pointers to them, leaving the actual data still on the drive until the filespace is reallocated for some other purpose and overwritten. With all of this in mind, it ought to be clear enough that there is no way Wired's "experts" could possibly draw any worthwhile conclusions about Jack's culpability from this fact.

Getting back to the central issue, it cannot be repeated often enough that Microsoft's Internet Explorer is not just a horribly outdated, standards-ignoring piece of crap, but a serious financial and legal hazard to boot. Those of us who have the misfortune of having to run Windows can at least minimize the risks we take by getting ourselves a real browser, one that doesn't download ActiveX controls and doesn't require a 250 MB patch to prevent it spawning popups like so many toad's eggs. Installation of the excellent Spybot Search and Destroy is also a must for getting rid of spyware on those occasions when disaster strikes. It would also help matters tremendously if Windows 2000 and XP users could run their machines as members of the ordinary Users group, rather than being Administrators, but a lack of awareness of security is so ingrained in the mindset of the typical Windows developer (even within Microsoft!) that this last hope is a stillborn one.