CompuSkills Blog
Accessible Web Design, IT and Information Security
-
Dec 16
IE security hole
Filed under: Software, security; Tagged as: browser-security, ie5, ie6, ie7, ie8, internet-Explorer, it-security, malware, microsoft, security, vista, vulnerability, windows, xp
There’s news of another security flaw found in Internet Explorer (IE). Microsoft are releasing a patch tomorrow. (17 December, 2008, if you are reading this in the future.)
Microsoft issued a Security Advisory that suggested that attacks had only been launched against IE7 on XP, Vista and Windows Server operating systems. However, all versions of IE from 5 onwards are considered potentially vulnerable.
According to Microsoft, the vulnerability results from an invalid pointer reference in IE’s data binding function.
“This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.”
A couple of points: The attack is more likely to be effective against users running as Administrator. The attack cannot be carried out through the use of email. Using protected modes (in IE 7 or 8) or enhanced modes (in Windows Server) offers some protection.
This vulnerability will possibly allow malicious attackers to access personal data on IE users’ PCs. Microsoft also suggest that SQL injection attacks may be used to insert the malicious code into websites, so they have pointed site owners towards a page detailing ways to protect sites from SQL injection attacks.
-
Dec 11
CGEIT Grandfathering Deadline
Filed under: security; Tagged as: Audit, Certifications, CGEIT, Grandfathering, ISACA, IT Governance
Just another reminder. As previously mentioned, the deadline for getting your applications for grandfather rights to the CGEIT qualification in to ISACA is approaching fast. You have until 31 Dec 08, so if you are eligible, make sure your forms are on the way now.
-
Nov 27
ISACA - CGEIT Grandfathering Deadline
Filed under: security; Tagged as: Audit, Certifications, CGEIT, Governance, Information Systems, ISACA, IT Governance, Management
For people with significant experience in the governance (management) of enterprise information technology systems, the chance to get an ISACA certification (without an exam) is running out.
A few months ago, ISACA extended the grandfathering deadline for the Certified in the Governance of Enterprise IT (CGEIT) qualification until 31 December 2008. This means you only have just over four weeks to get your paperwork signed off and sent in for accreditation.
You can read more on the ISACA site.
-
Nov 16
Clickjacking
Filed under: Software, Technology, security; Tagged as: clickjacking, computer-security, Hacking, malware, security, Wikipedia
Clickjacking has been a hot topic for the past couple of months. This is an issue that might affect pretty well any browser platform except Lynx.
Wikipedia defines clickjacking as:
a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.
Robert Hansen and Jeremiah Grossman have released a few items of information about what it is and how to prevent it, but the presentation will be deferred until later this month, when there should at least be a solution to the Adobe issue.
According to a story in the Register, among the most disturbing reported aspects of clickjacking is the capacity to turn the PC user’s microphone and webcam into snooping devices. This was supposedly achieved by a proof of concept game which used Flash (although it is claimed that JavaScript and DHTML could achieve the same results).
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.
If it’s any reassurance, the Register didn’t initially have much success at getting clickjacked in Firefox, although Internet Explorer worked immediately. Disabling your webcam when you aren’t actively using it is a very good start to prevention, although it won’t guarantee you will be protected against other intrusions.
Adobe have published instructions for a Flash Player workaround until they have dealt with the issue.
-
Dec 30
Welcome
Filed under: Frequently Asked Questions, General, Software, Technology, Web Design, security; Tagged as: Frequently-Asked-Questions, General, Software, Technology, Web Design Links
Welcome to the CompuSkills web design service blog.
Each week, this blog will address frequently asked questions we receive from our clients and generally interested people. We will also highlight any relevant news or changes in the world of web design, accessibility, legislation and technology.
If you have anything you would like to see here, or see answered, please let us know. If there is enough feedback we will increase the frequency of our FAQ updates.
