Worst Browser Threats May Not Be Security Holes Malware Can Attack in Many Forms Brian Livingston
Experts in combating "spyware" and "adware" are now warning that the widely publicized security holes that plague Internet Explorer and other Web browsers may not be the most common ways unwanted software gets into computer users' PCs.
Eric Howes, a frequent contributor to SpywareWarrior.com and a consultant to antispyware companies, says the media focus on security holes is overshadowing a larger issue. It's true that hackers can take advantage of weaknesses in browsers to secretly install spyware programs on users' PCs, Howes agrees. But equally important is the fact that spyware programs are often installed because users are fooled into clicking "Yes" by dialog boxes that look like official Windows notices, he says.
Interestingly, Howes asserts that the latest version of Windows XP, which includes an upgrade called Service Pack 2 (SP2), makes Microsoft's Internet Explorer (IE) browser handle such threats better than Firefox, the fast-growing open-source software distributed by the Mozilla Foundation. Let's examine this claim.
How Spyware Tricks Users Into Installing It
The Firefox browser offers at least four ways to install new forms of software, Howes says. He feels two of these ways are fairly safe, while the other two are open to abuse by spyware authors.
• Setup programs.
These are the most traditional kind of software install. Using a browser, an executable file is downloaded, saved to disk, and then run once to install an
application. While any program poses potential risks, Howes says, traditional setup programs at least make themselves visible to the user, who much choose to run them.
• Browser plug-ins.
Plug-ins are programs, such as Macromedia Flash, that enable a browser to display special content, such as multimedia files. These are also fairly safe in
Firefox, Howes says, because users are presented with information about the plug-in before installing it, and can read any end-user license agreement (EULA) associated with it.
• Extensions.
Firefox extensions, small programs that may, for example, add a menu item to the browser, present a more serious problem, Howes maintains. Once a user clicks a yellow "information bar" at the top of the browser window that offers to install an extension, they see a dialog box that prompts them to allow the software to install. This dialog, Howes says, provides no information about the source of the software, nor does it provide any link to a EULA.
• Java applets.
The greatest risk, Howes warns, comes from the ability of Java applets to display dialog boxes that look exactly like ordinary Windows notices. Many users
are accustomed to clicking "Yes" when they see a dialog box informing them that, for example, an updated media player or "codec" is required to play some requested content. Since Firefox currently displays nothing but the name of a possibly obscure software company, all too often users click "Yes" without even reading the information.
To install as many software programs as possible, some adware companies even make up company names such as "Click Here To Continue." This name shows up prominently in Windows dialog boxes, making many users believe they have no choice but to click "Yes" to complete their task, according to an article by Ben Edelman, a spyware researcher who is currently studying at Harvard Law School.
