IE Bug Makes 'Spoofing' More Believable

By Ed Oswald | Published December 17, 2004, 1:17 PM

Normally, it is easy to spot a spoofed or fake Web site if the user knows what he or she is looking for. However, a new IE flaw discovered by Danish company Secunia may change all that. Researchers found a way that a scammer could make a fake Web site look real -- right down to the URL of the real site.

What is troubling for Microsoft is that the bug was discovered in the IE version shipped with XP Service Pack 2, touted by the company as much more secure than its predecessor. The bug could occur in any Internet Explorer running ActiveX controls, although Secunia says it has only tested for the bug on XP computers.

"The problem is that users can't trust what they see in their browsers," Secunia Chief Technical Officer Thomas Kristensen told BetaNews. "This can be used to trick users to perform actions on what they believe is a trusted Web site, but actually these actions are recorded and controlled by a malicious site."

Kristensen said it was not necessary to alert Microsoft to the problem as the company watches the same mailing lists where the findings were posted, so they should be aware of the issue.

In a statement to BetaNews, Microsoft said that they are aware of the situation, although they have not received any reports of attacks attempting to take advantage of the vulnerability.

However, Microsoft found it "irresponsible" that the problem was not reported directly to the company. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," Microsoft said.

Comments

Any software or site which can help you detect suspected fake Web sites?

Amit
http://labnol.blogspot.com

Score: 0

|

Mozilla Firefox ;)

Score: 0

|

...or Mozilla (The Suite) with MultiZilla installed.

Mozilla 1.8ax is faster and more secure than Mozilla Firefox :-)

Score: 0

|

I can see it now... Secunia reporting themselves as a security threat against all products with Internet functionality.

Although their reporting of security issues is a noble effort, they are becoming more of a threat than a benefit considering how they continue to bypass the vendors in the whole communication loop. This nonsense of just posting public announcements without giving the vendors (Microsoft or otherwise) an opportunity to research and resolve the issues is absolutely ridiculous!

Score: 0

|

Incidentally, the point was made below and it's correct that the vulnerability here seems to be with a specific ActiveX control, not IE or Windows itself.

So the fact remains... Secunia should have taken that into consideration and submitted the issue to the ActiveX developer, in this case Microsoft's Office Development team.

Score: 0

|

Yeah, they are really getting on my nerves...

Score: 0

|

This is really not an IE vulnerability, except to the extent that the DHTML Editor Control "comes with" every copy of IE.

Secunia is being cynical when they say the "solution" is to disable ActiveX completely. You don't have to disable ActiveX. You can simply set the kill bit for the DHTML Editor control. If you're scared of editing the registry by hand, simply copy and paste the lines below into Notepad, save the file with an *.REG extension, and then double-click it to merge it into your registry.

---Begin copying with the following line---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400
---End copying with the line above---

There is no way that Secunia was smart enough to discover this vulnerability without being 100% aware of the kill bit option. It's pretty obvious that they are being misleading. I urge everyone to visit the Secunia site and notice the full listing of recent advisories. How come we're not seeing the press report all those non-MS vulnerabilities? Probably just because it's not scandalous news unless it's Microsoft. If Peter Jennings says Microsoft, your grandma knows who that is. If he says Debian or Gentoo, she doesn't know and doesn't really care to find out.

Score: 0

|

Spiked -
It is no secret, frankly, that ActiveX has issues. Sitting here defending them would be foolhardy, because even MS is aware that many of their security problems result from ActiveX.

A question for you - how many of MS's security issues in IE have not been related to something with ActiveX? Not many at all.

Score: 0

|

Secunia seems to be more interested in making a name for themselves as opposed to helping protect the community. Or at least the argument could be made based on their quick to release without testing on all OSs and don't inform Microsoft first policies.

Score: 0

|

You can also in IE6SP2 go to Tools->Manage Add-ons, and disable the DHTML plugin. It's actually a part of Office, and wasn't installed on my machine until trying the test. After that, you can just disable it if you didn't have it before.

Also, don't use the reg file, as the '\' have been removed from the key name.

Score: 0
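
A check for the two comments above (the kill-bit .reg file, and the warning that the '\' were stripped from its key name), added here as an example and not code from the article or any commenter. It parses .reg text and reports whether the kill bit for a CLSID sits under the expected key; the function names and the stripped sample are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" value given in the comment above
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
DHTML_EDIT = "{2D360201-FFF5-11d1-8D03-00A0C959BC0A}"  # CLSID from the comment

# The .reg content as posted in the comment.
GOOD = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400
"""
# Constructed sample: the same file after a web page ate the backslashes.
STRIPPED = GOOD.replace("\\", "")


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name_lower: int}} (dwords only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def kill_bit_status(text, clsid):
    """Return 'set', 'not-set', 'malformed-key' or 'missing' for one CLSID."""
    expected = (COMPAT_KEY + "\\" + clsid).lower()  # key paths ignore case
    squashed = expected.replace("\\", "")
    status = "missing"
    for path, values in parse_reg(text).items():
        if path.lower() == expected:
            flags = values.get("compatibility flags", 0)
            return "set" if flags & KILL_BIT else "not-set"
        if path.lower().replace("\\", "") == squashed:
            # Same characters, but separators were lost: this section
            # does not name the intended key.
            status = "malformed-key"
    return status


if __name__ == "__main__":
    for label, text in (("as posted", GOOD), ("backslashes stripped", STRIPPED)):
        print(f"{label}: {kill_bit_status(text, DHTML_EDIT)}")
```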

|

Actually quite a few more than activex. I would say Microsoft's "Zones" security feature is their biggest headache. Spoofers just put their code in the trusted zone and they can run a lot more exploits.

Score: 0

|

To some degree, I have to admit that ActiveX is like a loaded gun. Handled with reasonable care, it can be valuable and safe, but admittedly it is more dangerous than a rubber chicken. But let's look realistically at the majority of people who actually get compromised by ActiveX exploits in the wild. There are sites which actually say "click here and then click Yes/OK when you get a security warning, then you'll be able to download our [insert name of bait...MP3, warez, whatever]" and users will simply follow the instructions without pausing for a second to ponder whether the security warning exists for a reason. Time and time again, when I question a user whose computer is infested with spyware, trojans, viruses, etc. as to what happened, they eventually admit that, well, they might have downloaded [smiley face plug-in, talking gorilla, whatever] and clicked Yes to a security prompt along the way "...but the web site said it was safe!" Yup, the rogue web site itself said it was safe, so they believed it.

How really hard would it be to convince to simply prompt a Firefox user to go into their Advanced Javascript Options dialog and check all the checkboxes, thus allowing a site to overlay the real status bar and address bar? Social engineering is the absolute biggest vulnerability of all time. Where's Secunia's advisory for "Dumb People 1.0"?

In a world where vulnerabilities are being found repeatedly in things like Acrobat Reader, it's really hard to call ActiveX vulnerabilities substantially more dangerous than any other type. All it takes is one hole, and no matter what you run, your system has at least one hole that you don't know about yet. Just a matter of time and platform attractiveness. If you want to be safe, run a TI 99/4 (and keep it off the Internet).

The DHTML Edit Control has been around for over 8 years. I think this is probably its 2nd vulnerability in that amount of time. Sure, I'd like it to be better, but there's lots of stuff out there which is much worse.

Score: 0

|

Microsoft 'zones' is not a vulnerability--mostly activeX vulnerabilities are exploited in order to fool the system into thinking the virus is being run from the "local" zone. ActiveX lets a virus in, and the virus messes up the zone problem. Yes, there have been some vulnerabilities directly related to security zones, but how was the malware/virus accessed in the first place? Yeah, you guessed it--either by a dumb user clicking "Always trust content from ScrewMyPC(r) Inc." on a rogue website or by using a completely separate security hole.

Score: 0

|

You have no idea what you are talking about. I appreciate the reply, however.

Score: 0

|

Really? Have you an MCSE certification in Windows?

Score: 0

|

Must Call Somebody Else? Nope. I do have 10 years experience as a systems administrator for Windows Systems. I don't have time for silly MS certifications, too busy making money with OT for patching their servers and posting on betanews. ;)

Score: 0

|

Perhaps you should spend more time building stable servers and applying those patches faster and limit your posting time here...

Score: 0

|

This'll be my last reply--while I haven't been a system admin for over 10 years, I have had at least that in experience with windows, and I have setup a network with systems as old as Windows NT 4.0 Server and Win 3.11 WFW clients. No offense or anything--but it really hacks me off to have someone downplay the certifications I spent nearly $2,000 taking (MCSE in NT 4.0, MCP in 6 Windows 2000 tests, in Windows XP pro, and Windows 2003 Server) and 3 years of hard work achieving. Yes, some MCSE's are nothing but show, and went to a "boot camp" to get certified and forget everything after they took the test, but not me; I know the stuff. I'm getting off subject--just don't downplay me or any other MCP's as idiots just because I have an MCSE.
Oh, and the 'ScrewMyPC' thing was a joke, in case you didn't know...

Score: 0

|

either that or go back to primary school! lol

My car better than yours!
My dads bigger than yours!
I've got a AMD6000000000000!

Get a life lads i've just spent 10 wasted mins looking at your petty notes, what a waste of time!
please post something interesting for us adults :0)

Score: 0

|

You guys...geez. MS certs do add credibility to an argument. However, 'even the Devil can quote Scripture for his purpose'. Is MS the root of all evil, no. Is Unix/Linux better than Windows? Depends on what you're using it for. Does a Mac have any purpose in true computing? Believe it or not, yes. These are all facts, however whether or not you believe an MCSE makes a person more or less believable or credible is merely an opinion and a cumulation of life experiences. As far as going back to 'school', anyone daring to make a comment about a person's capabilities without having a first-hand account of a person's capabilities is suffering from delusion and will most likely be ignored by those of us considered "in the know."
**ASIDE FROM ALL OF THIS, JUST TO KEEP FROM BEING CONSIDERED A FLAMER**
The biggest vulnerability to ANY OS is the end user. If the end user doesn't have enough common sense to be cautious and do their homework, then they deserve what they get. This, unfortunately, can only be solved by telling the poor miserable soul to either get a clue/education/certification/experience, or pack the computer back up and return it/sell it.

Score: 0

|

Judging by Microsoft's statement at the end there, it sounds like they're really really getting frustrated and annoyed about all these security problems, lol.

Score: 0

|

I agree :-)

Serves 'em right though. That's why I really hope more and more people will start using Firefox.

I know that the more people that use Firefox the more bad stuff that will be written for it but at least then people have a choice.

-Pipewrench

Score: 0

|

for the love of god though: a lot of sites don't display properly in firefox. you can pipe all the security advantages, pop-up blocking, and cleaner design you want but when the page looks like crap you've failed on the primary goal. don't quote me a bunch of w3 standards crap either. microsoft should be more heavily involved in writing those "standards" when they are the standard for "web browsers."

as much as i hate netscape at least they're going to stick in the ie rendering engine as an option. i'd love nothing more than to use firefox with the ie engine.

Score: 0

|

Who cares if the site looks like crap? Don't visit the site then. The author of the site will get a cluestick and modify their site to standards after they notice people leaving. If they don't modify it--- I could care less.

And I don't want to visit sites that don't comply with firefox. IT'S MY BROWSER, and I'm not going to change my browsing habits for some silly .asp "guru."

Score: 0

|

Yes. The web site owner would conclude that nobody uses Firefox (from server log) and act accordingly.

Score: 0

|

LMAO! Right you are... although I have yet to find many sites that flat out don't work in Firefox. Even Microsoft's sites work well with some minor cosmetic appearance matters (none of which significantly prevent functionality or navigation).

Score: 0

|

Since when is microsoft a 'standard' for the web?! Open your eyes and try to think once in a while.

Score: 0

|

No, make them aware of their problem, that would help you, and all other non-MSIE users ;)

Score: 0

|

Why are people so upset that others still use Internet Explorer? I don't use IE in order to boycott FireFox, I use it because it's what I want to use. Encourage people to use FireFox--heck, even tell them not to use IE, but stop acting as if you want FireFox to gain support only so that the evil, sinister Microsoft Corp.'s browser will not continue to prey upon weak-minded users. Yes, many people use IE because it comes on their computer--if Mozilla Corp. came up with their own operating system, wouldn't they include their own browser? Besides, even if Windows came with Firefox and not IE, I STILL choose Internet Explorer. Has nothing to do with hating firefox, I just prefer IE.

Score: 0

|

Umm...since I "opened my eyes" and saw that IE is still being used more than all other internet browsers combined...

Score: 0

|

Who says that Firefox is bullet-proof? Every single software has bugs, so Firefox won't be the exception. It is just matter of time to begin to see threats affecting it.

Score: 0

|

I've only found a couple of things that flat out DO NOT work in IE.

Coppercom Controller for Maintaining your softswitch, and of course anything that requires ActiveX which is a given.

Score: 0

|

That just shows how many clueless people there are out there in this world.

Score: 0

|

The fact that lots of people use something doesn't make it an official standard.

I guess you still walk to school, or the office, because that was the main and primary 'standard' but maybe it is time for you to start biking or driving a car, because that is faster, more secure.

Mozilla is more W3C compliant than any other browser available today, so that makes it a real standard for people that use modern transportation these days :-)

Score: 0

|

Another slanderous rant about FireFox being the best ever/most secure/etc...blah blah blah. I scrapped FireFox in lieu of Opera since it is every bit as good as IE/FireFox combined...but you have to pay for Opera..or get a freebie version with ads (that you can hack). Oh wahhhhh... I use IE & Opera b/c I'm a web designer/programmer and IE does control over 96% of the market for browsers. Until anyone else crosses the 15% mark, I won't even worry about it. Opera works on every site, I haven't met one site with it that it didn't work on... It also has pop-up blocking/multiple windows without having a ton of things showing up in your task bar/etc... I swear, some of the people in here *sound* as if they are freshly graduated and have 0 true life experience.

Score: 0
