SANS Ouch! Vol. 7 No. 11 – November 2010

                         November 2010
    SANS Institute Security Newsletter for Computer Users
Get security advice online at
Browser Safety
Patches and Updates Roundup
[Editor’s Note: (Wyman) The publication of the November OUCH! was
delayed. We apologize for any inconvenience this may have caused.]

What is a web browser?  Everybody uses a web browser to access the
Internet.  That fact alone makes the web browser a tempting target for
Bad Guys who want to take over your computer and use it for their own
nefarious purposes by installing malicious software, or “malware.”

Why is important for me to know about malware? In the past, a user had
to take some specific action, like opening an email attachment, for
their computer to become infected with malware. Lately, simply visiting
a website can cause your computer to become infected. This type of
“drive-by download” is accomplished using features built into web
browsers that allow them to run scripts. Scripts are really small
computer programs that normally do useful things, like display a video,
allow you to choose from a menu and maintain a shopping cart, among
others. Unfortunately, scripts can also be used to install malware on
your computer without your knowledge or consent.

What can I do to keep my browser safe? We have assembled a variety of
measures and tools that you, the computer user, can use to make your web
browsing experience safer by limiting the impact of scripts and helping
you to avoid potentially harmful websites.

How much will it cost?  All of the suggestions can be implemented at no

What’s the downside? We will look at how each recommendation can
negatively impact your browsing experience.

General Browser Security Tips
Keep your browser up-to-date.
The Bad Guys are constantly identifying
new vulnerabilities and weaknesses in browsers and browser makers are
constantly releasing updates to fix them. Running the latest version of
your browser ensures that you have the benefit of the latest security
technology. If you have concerns or questions about upgrading or run
into a compatibility problem, contact IT at the office or your computer
support provider.

Be careful about browser plug-ins. Plug-ins are browser extras–small,
downloadable programs that add functionality to your browser. When you
browse to a website, you may receive a message onscreen that in order
to work with the site, you have to download and install a browser
plug-in. “Just click here.” But think before you click. Remember that
any software you install will need to be updated, and may contain
security vulnerabilities. Do you know that this website and the plug-in
are trustworthy? If you don’t know or aren’t sure, don’t click. Do you
really need that plug-in? The fewer plug-ins you have installed, the
safer your browser will be.

Check that your browser and plug-ins are up-to-date. Qualys has
published a website that will do a quick check on your browser to help
you identify common security issues. Visit and install the plug-in (Yes, this
one’s safe!). Then click the “Scan Now” button. Note that Javascript is
also required. An onscreen report tells you whether or not your browser
and commonly installed plug-ins are up-to-date and provides you with a
convenient way to update any found to be out-of-date.

Consider using Web of Trust (WOT). The Web of Trust is a cooperative
venture that warns users of potentially dangerous websites. When you do
a Google search, a circular indicator will appear next to each search
result that has been rated by the service. Red indicates a site that is
probably dangerous, yellow a potentially dangerous site, and green a
site that is probably safe to use. Once you’ve logged in to a website,
the same indicator appears in the title bar of the browser. Keep in mind
that WOT ratings are based on votes cast by members of the Internet
community, and while not necessarily authoritative, can provide useful
information about websites to avoid.  More information:

Tips for Internet Explorer
Microsoft’s Internet Explorer (IE) is one of the most commonly used
browsers. Protect your computer by running the latest version whenever
possible. Right now that’s IE8. If upgrading to IE8 is not possible,
here are some tips for improving the security of IE7.

1. Prevent Data Execution (DEP):  Bad Guys exploit vulnerabilities in
IE to infiltrate your computer with malware masquerading as data.
Microsoft has published a “Fix It” site to turn on Data Execution
Prevention (DEP) for IE7 at
Click the button marked “Enable the application compatibility database.”
Note: The DEP fix is not needed for IE8 and later versions.
Ease of implementation: Moderate
Impact on browsing: Minimal

2. Turn on the Phishing Filter: Microsoft includes a Phishing Filter in
IE that detects when a website is not exactly what it appears to be. If
the site you are visiting is on the list of reported phishing websites,
IE will display a warning web page and a notification on the address
bar. From the warning web page, you can continue or close the page. If
the website contains characteristics common to a phishing site but isn’t
on the list, IE will notify you in the address bar that it might be a
phishing website.
You can turn on the Phishing Filter from the Tools menu in IE.
More Information:
Ease of implementation: Moderate
Impact on browsing: Minimal

3. Increase IE Security Settings: The Internet Options menu in IE
contains a Security tab that gives you a great deal of control over the
behavior of IE when you visit a website. The default setting of
“Medium-high” for the Internet Zone will prompt you before downloading
any content that IE assesses as unsafe. By changing this setting to
“High,” you can effectively block all scripts from running on any web
page you visit. While this is the safest possible setting, it can
severely impact the performance of a website. To allow scripts to run
on sites you trust, you can add them to the Trusted Sites Zone, one site
at a time or whole domains at once using a wildcard (*). For example,
entering http://* would allow you to browse the entire SANS
website without any prompts.
More Information:
Ease of implementation: Difficult
Impact on browsing: Severe

Tips for Firefox
The comments and suggestions below relate specifically to Firefox 3.6,
the current version. The security suggestions below take the form of
“Add-ons” that are downloaded and added to Firefox using the Tools menu.

1. NoScript:  This add-on blocks scripts from running in Firefox. When
you visit a website that wants to run scripts, NoScript will display a
warning at the bottom of the screen, and give you the opportunity to
allow scripts to run on a temporary or permanent basis. Not allowing the
scripts to run can severely impact the performance of many web pages.
After you have used NoScript for a while, it will learn about the web
pages you visit frequently and will not be as “pesky.”
More information:
Ease of implementation: Moderate
Impact on browsing: Moderate to severe

2. HTTPS Everywhere:  You are probably familiar with HTTPS from using
encrypted secure sites like those for online banking. Many websites
offer some limited support for encryption over HTTPS, but make it
difficult to use. HTTPS Everywhere attempts to make a secure connection
to many of the most popular sites on the Internet even if you don’t
specifically ask for it. If it fails to make a secure connection, it
defaults to an unencrypted HTTP connection and your browser continues
to function as if nothing had happened.
More information:
Ease of implementation: Moderate
Impact on browsing: Minimal

3. Adblock Plus: Adblock Plus is an extension for Firefox, Thunderbird,
and several other applications with the primary goal of removing
advertisements. It works by comparing ads that are about to be displayed
with a set of filters that describe undesirable advertising. When you
install Adblock Plus, it sets up a subscription to a basic set of
filters that will meet the needs of most users. Many additional sets of
filters are available for your use.
More information:
Ease of implementation: Moderate
Impact on browsing: Moderate

Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: &

Mac Office:



iPhone, iPod & iPod touch:


Windows Adobe Reader:
OS X Adobe Reader:

Flash Player:






Windows iTunes:
OSX iTunes:

Security Suites







PC Tools:




Trend Micro:

Microsoft Security Essentials:

Copyright 2010, SANS Institute (
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzer,
Alicia Beard, Alan Paller
OUCH! Security Information Service:
Download the formatted version of the OUCH!:
Permission is hereby granted for any person to redistribute this in
whole or in part to any other persons as long as the distribution is not
being made as part of any commercial service or as part of a promotion
or marketing effort for any commercial service or product. We request
that redistributions include attribution for the source of the material.


Blog posted using Windows Live Writer

This entry was posted in Computer Security, Computers and Internet and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s