For Windows Users, ‘Browser Hijacking’ Is Only the Latest Threat

The ongoing Internet-security freakout for anybody using Windows keeps getting worse. Every other week yet another part of the online world gets a warning label slapped on it — downloads, e-mail attachments, instant-messaging file transfers and now Web pages themselves.

"Browser hijacking" is as bad as it gets: Like the Blaster worm, this form of trickery can take over your software silently and invisibly.

By Rob Pegoraro

Sunday, February 29, 2004; Page F07

http://www.washingtonpost.com/wp-dyn/articles/A14264-2004Feb28.html

Typically, users discover what has happened only after the actual hijacking: Their Internet Explorer home page and Web searches have been switched to strange sites, a flock of pop-up windows follows them around, their lists of favorite sites have become a catalogue of porn purveyors — and none of these changes can be undone without tedious debugging.

These attacks differ from "spyware" invasions, which can have similar effects, in that victims never took the conscious step of downloading a program and then running its installer.

In some cases, the only mistake a user made was to click an "OK" button to allow what they thought was a change in home-page settings or an addition of a Web toolbar — not knowing that the site would do much more than that.

This can be an understandable error when you look at the ways sites attempt to fool users; the sleaziest sites won’t include a "no thanks" button in their pop-up alerts and will prevent users from closing these windows. (If that happens to you, hit Ctrl-Alt-Del, select Internet Explorer from the list of active programs, and click the "End Task" button to bail out.)

Often, though, the problem can be attributed to going online with an out-of-date copy of Windows, allowing a hijacker’s site to exploit old vulnerabilities to worm its way into the PC.

(I’ve yet to see any reports of Mac or Linux browser hijacks.)

None of this has to happen. Beyond the usual precautions of running an up-to-date antivirus utility and firewall program and regularly downloading Microsoft’s critical updates (windowsupdate.microsoft.com), two of the biggest security flaws behind browser hijacking can be fixed with a pair of quick downloads.

A third can be remedied by installing a newer, better browser, and your risk drops to nearly nothing.

Step one is to stop sites from throwing pop-ups at you in the first place. Not only will this make the Web vastly more pleasant, it will eliminate the ability of a would-be hijacker to badger you until you accept a software download or home-page switch.

The easiest pop-up blocker to adopt is the free Google Toolbar (toolbar.google.com); you do, however, need to run Internet Explorer 5.5 or newer to get this feature. Or install any other browser — IE is the only one around these days that still lets in pop-ups. (I’ll get back to this in a moment.)

Step two is to update the Java software on your machine. Java lets you run entire programs in a browser window and, when done right, it’s not risky. Its developer, Sun Microsystems, designed it with tight limits on what a Web-based application can and can’t do. But these limits must be enforced by a "virtual machine" program that runs on your own computer, and the one Microsoft developed contained a couple of bugs that hijackers abuse.

If you’ve been keeping your computer’s software current with Windows Update, you should have a fixed version of this Microsoft virtual machine. But the better option is to download and install Sun’s own, free Java virtual machine (www.java.com), which is both safer and more up-to-date than Microsoft’s aging software.

Step three is to get away from something called ActiveX. Developed by Microsoft to compete with Java, it allows a similar sort of Web interactivity, but without any of Java’s fail-safe limits: An ActiveX program in a Web page can do anything that a regular Windows program could do on your hard drive.

This can have legitimate uses. For instance, Windows Update uses ActiveX to scan for out-of-date components in your copy of Windows, and an ActiveX installer makes it easier to add Sun’s Java software to Internet Explorer.

But ActiveX is exceedingly dangerous overall, since it relies on users to make the right call when they are presented with a "do you trust this publisher?" alert from Internet Explorer. Once they click "yes," the ActiveX program can do whatever it wants.

Updates to IE have limited ActiveX’s reach, and an upcoming "Service Pack 2" revision for Windows XP will add still more restrictions. But it’s wiser to use an ActiveX-free browser for everyday Web activity, reserving Internet Explorer for Windows Update and the occasional site that, because of its authors’ inattention, works only in IE.

For most people, the best IE replacement is a free copy of Mozilla (www.mozilla.org), the descendant of Netscape. If you don’t mind using a preview release, however, the faster, simpler and also free Mozilla Firefox will be a better fit (www.mozilla.org/projects/firefox/).

If your computer has already been infected, your antivirus program should clean it out. But you may need to resort to such specialized hijack-removal software as Hijack This! or CWShredder (both at http://www.spywareinfo.com/merijn/downloads.html).

Whatever software you take with you on your Internet travels, you also need to bring some common-sense skepticism. Pushy salesmanship by a strange site deserves the same reception that an aggressive telemarketer would get in the real world: "No."

Living with technology, or trying to? E-mail Rob Pegoraro at [email protected].

© 2004 The Washington Post Company
