Sunday, October 01, 2006

What a Conundrum!

When all seems to be heading back to "normal" (whatever that may be), ISC (Internet Storm Center) issues a "Yellow Alert" at least for the weekend -- WebViewFolderIcon setslice exploit spreading. The history and reason for yellow, according to SANS:
On Friday 29th (and for nearly all of our readers past their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We raise our Infocon to Yellow in order to increase the awareness of the problem and call for action. We have decided to stay Yellow till Monday morning for most of our readers. Without further spectacular evolutions we will go back to to Green on Monday.

This exploit started in the Month of Browser Bugs on July the 18th as a Denial of Service, however its author released recently a code executing variant of it.

Reason for Yellow
The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.
As evidenced by Webhelper's CWS Diaries, CWS (CoolWebSearch) is more than difficult to remove. As Webhelper (Patrick Jordan) wrote on 27 September:
"I am now almost done with redoing my CWS List in the Excel spreadsheet format which will soon be available again. In light of the newest zero day exploit VML, I have found that the Esthost/Estdomains rotational IP used for infestations (, and the Russian CWS Vladzone ( Inter Technology) malware group from some of the crack and serial sites they have also began to use the VML exploit, the Vladzone group and all others I find that operate with exploits and the worst forms of malware will be added to a new group I have made called the BlackWebNetwork."
How do you avoid this exploit? As always, make sure your computer has all the latest Microsoft Updates (see Notes below). Keep your antivirus software updated and and use caution when browsing the Internet. Do not click on a link in an e-mail from an untrusted source.

That all sounds simple enough, so why a conundrum?

The advice to "use caution when browsing the internet" is, of course, always applicable. However, what about those people who have been relying on certification authority, TRUSTe? Earlier this week, well known and respected research analyst, Ben Edelman, published "
Certifications and Site Trustworthiness" in which he wrote:

"Of the sites certified by TRUSTe, 5.4% are untrustworthy according to SiteAdvisor's data, compared with just 2.5% untrustworthy sites in the rest of the ISP's list. So TRUSTe-certified sites are more than twice as likely to be untrustworthy. This result also holds in a regression framework controlling for site popularity (traffic rank) and even a basic notion of site type."
Wayne Porter, one of the co-founders of, interviewed Mr. Edelman. The complete interview can be found at "TRUSTe or not to TRUSTe...That is the Question - Porter on Edelman" and is highly recommended reading. Just to give you a flavor of what this is about, in response to Mr. Porter's question, "So why does anyone believe TRUSTe anyway? Shouldn't users learn that TRUSTe certification doesn't mean a site is really any safer?", Mr. Edelman responded:

"TRUSTe's early members and its most prominent members are distinguished, well-respected companies that, whatever their faults, most users tend to trust. Think eBay, Microsoft, Intuit. Users remember that they've seen the TRUSTe seal at those trustworthy sites. Then they're at risk of getting tricked when they see and recognize the seal on less reputable sites."
When asked about specific examples of surprising companies TRUSTe has certified by Mr. Porter, the following was the response:
"Hotbar and Direct Revenue, both of which make advertising software that track users' behavior and show annoying pop-up ads. Webhancer, which tracks users' behaviors in exceptional detail, yet widely installs without consent. Several toolbar distributors, like funwebproducts and smileycentral. These toolbars mislead users into running searches when they mean to conduct direct navigations, and these toolbars advertise through other vendors' spyware.

Gratis Internet, which the NYAG says sold 7.2 million users' names, email addresses, street addresses, and phone numbers, despite privacy policy promises to the contrary; yet a 2004 TRUSTe investigation specifically gave Gratis a clean bill of health."
Therein lies the conundrum. We advise people to "use caution when browsing the internet", yet the very instruments of ensuring our TRUSTe are not to be trusted. My advice? Before clicking on that link, ask yourself, "Is this a site my Mother would want me to visit?"

For Windows 9X, ME, 2000 (to SP3) see
For XP systems without any service pack updates, you are rapidly running out of time. See

For Information on Certificates see:
See the complete PDF of Adverse Selection in Online "Trust" Authorities for what Ben Edelman refers to as
"an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe's ratings with the findings of SiteAdvisor -- where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests."

RevNews Trackback

No comments: