Monday, June 18, 2007

Lessons for the iPhone from browsing with an old version of Internet Explorer

Have you ever refreshed an old machine with XP? It's a very tedious process. You do the install, then hours of repeated updates to get the machine to a semi-modern state.

In the midst of all this tedium you may need to fetch some code from the net.The reasonable way to do this is to download and install Firefox and use that. The suicidal approach is to skip both the five minute Firefox install AND the 12 hour Windows update process, and browse to a slightly shady web site to download something using an antique copy of Internet Explorer.

Jeff Atwood, who definitely knows better, decided on impulse to use an non-updated version of IE to fetch some code. Essentially, he figured the risk of infection was low enough for a non-critical system to justify saving five minutes. He was wrong, one of the sites he used turned out to be far sleazier than he'd imagined. His misadventures led to a good essay, so it wasn't a total loss. It's dramatic story of how quickly an old version of IE will be compromised when exposed to the wild*, but within it there's one sentence in particular I'll comment on (italics).

Coding Horror: How to Clean Up a Windows Spyware Infestation

... it's a wonder people don't just give up on computing altogether. Once the door is open, it seems the entire neighborhood of malware, spyware, and adware vendors take up residence in your machine. There should be a special circle of hell reserved for companies who make money doing this to people.

At first, I was mad at myself for letting this happen. I should know better, and I do know better. Then I channeled that anger into action: this is my machine, and I'll be damned if I will stand for any slimy, unwanted malware, adware, or spyware that takes up residence on it. I resolved to clean up my own machine and fix the mess I made. It's easier than you might think, and I'll show you exactly how I did it...

As Jeff probably knows, there's no "wonder" here because, in reality, people do "give up on computing altogether". They may still have a computer, but they don't use it very much because it's so unstable and unresponsive. Eventually it gathers dust.

The only reason my mother's computer still runs and works, despite having not been patched in the past six months ** is that she's running OS X and browsing with Safari. She's not a significant target and she mostly browses a few major news and weather sites. For most people in her situation, the computer just stops working and they don't go back.

Which may, despite all the conspiracy theories, be the real reason the iPhone is a closed system. In other words, Jobs was almost telling the truth (shocking, I know). Apple wants a closed iPhone not because a phone is a particularly bad thing to hack (though it may be), but because Apple is trying to produce a computing platform that will be relatively reliable for the average user.


* Web stories on old systems dying within minutes of net exposure are mostly baloney -- almost no-one every runs a PC with a direct IP connection. We all have NAT redirectors and de facto firewalls, even many users aren't aware they exist.

** I don't want her to deal with the patch process, and remote control and maintenance solutions for OS X have not been nearly good enough to be worth my using them. I've been betting we could get buy with my maintaining the system every 6 months or so, and that's been working well.

Update 6/25: Coding Horror (Jeff Atwood) wrote a f/u piece quoting a security expert, Adam McNeill, who analyzed how the attack occurred. Here's an excerpt:
...GameCopyWorld displays a "Find Your Love at Bride.Ru" advertisement. That advertisement "refers" to in order to display an advertisement for the DVD software produced by That advertisement "refers" to which in turn creates an [iframe] to in turn calls who attempts to deliver a series of exploits to a users system in hopes of installing a trojan dropper. The site attempts to exploit the following...
It's interesting to imagine the reaction of someone from 1994 reading that summary. The emergent sophistication of a modern security attack is fascinating and reminiscent of how prison exploits evolve. Atwood, who I think has been guilty of previously deprecating the importance of running as a non-administrator admits that a non-admin user would not have been vulnerable. He manages not to mention that OS X defaults users to non-admin status and it works very well (except for a few Adobe applications, which is a good reason not to buy them).

No comments: