
Via TechCrunch I found out about a new service called ‘Haute Secure’. The idea is this — install a nice browser plugin that watches for embedded content (e.g. bad ads?) and blocks them if they are found unsafe. In theory I think this is a great idea — consumers need some level of protection from the scams I’ve documented prior on this blog propagated by companies such as Errorsafe & Winfixer.

Sadly this service is seriously flawed right now. Check this out:

Feedburner — NOT SAFE

and

Errorsafe — SAFE

Yeah — great in theory, but when a service flags feedburner.com as unsafe and errorsafe.com as safe, it has some serious issues. Some more examples:

Some Unsafe URLs:

  1. googlesyndication.com
  2. myspace.com
  3. photobucket.com
  4. yieldmanager.com
  5. cpxinteractive.com

Some Safe URLs:

  1. winfixer.com
  2. drivecleaner.com
  3. workhomecenter.com
  4. mysurvey4u.com

I firmly believe that URL blacklists aren’t going to provide much of an answer. In certain cases such as errorsafe.com or mysurvey4u.com a blacklist makes total sense, but the challenge arises when legitimate domains are used to serve illegitimate content. For example, what if “akamai.com” were put on the banned list? Haute Secure has the right idea, but it needs some work. I hope they’re working on more robust techniques. If I were them I would work on analyzing ActionScript and JavaScript before allowing the browser to execute the code.
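To make the granularity problem concrete, here is a small URL-reputation checker. It is an added example, not Haute Secure’s code or anything the post describes them shipping: the rule list is constructed for the demo, the hostname cdn.example-akamai.com, the paths and the 203.0.113.0/24 range are invented placeholders, and DNS resolution is replaced by a caller-supplied IP so it runs offline. The point it shows is that a rule keyed to one URL (a single bad object on a shared CDN) or to an IP range can be applied without condemning an entire legitimate domain, whereas collapsing every rule to its hostname, the flawed approach the post objects to, blocks everything that domain serves.

```python
"""Toy URL-reputation checker: per-URL, per-domain and per-IP-range rules
versus a domain-only blacklist.  Added example; the data below is
constructed for illustration, not a real reputation feed."""
import ipaddress
from urllib.parse import urlsplit

# Each rule is (kind, pattern, verdict, reason).  kind is one of:
#   "url"    exact canonical URL   -> hits one object, nothing else on the host
#   "domain" host or any subdomain -> hits the whole site
#   "cidr"   resolved IP in range  -> hits every name parked on that range
RULES = [
    ("domain", "errorsafe.com", "block", "domain exists only to push rogue software"),
    ("domain", "winfixer.com", "block", "domain exists only to push rogue software"),
    # hypothetical shared-CDN host and path, constructed for this example
    ("url", "http://cdn.example-akamai.com/ads/rogue.swf", "block",
     "single malicious object on an otherwise legitimate shared CDN"),
    # TEST-NET-3 range, used here as a placeholder for a range parking scam domains
    ("cidr", "203.0.113.0/24", "warn", "range known to park throw-away scam domains"),
]
RANK = {"allow": 0, "warn": 1, "block": 2}  # block outranks warn outranks allow


def canonical_url(url):
    """Lower-case scheme and host, drop the fragment, default the path to '/'."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    out = f"{p.scheme.lower()}://{host}{p.path or '/'}"
    return out + ("?" + p.query if p.query else "")


def classify(url, resolved_ip=None):
    """Return (verdict, reason) from the most severe matching rule.
    resolved_ip stands in for a DNS lookup so the example needs no network."""
    canon = canonical_url(url)
    host = urlsplit(canon).hostname or ""
    hits = []
    for kind, pattern, verdict, reason in RULES:
        if kind == "url" and canon == pattern:
            hits.append((verdict, reason))
        elif kind == "domain" and (host == pattern or host.endswith("." + pattern)):
            hits.append((verdict, reason))
        elif kind == "cidr" and resolved_ip is not None and \
                ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(pattern):
            hits.append((verdict, reason))
    if not hits:
        return ("allow", "no rule matched")
    return max(hits, key=lambda h: RANK[h[0]])


def classify_domain_only(url):
    """The flawed approach: collapse every rule to its hostname and block the
    whole host.  One bad ad on a CDN then turns into a site-wide block."""
    host = urlsplit(canonical_url(url)).hostname or ""
    for kind, pattern, verdict, reason in RULES:
        if kind == "url":
            pattern = urlsplit(pattern).hostname or ""
        if kind in ("url", "domain") and (host == pattern or host.endswith("." + pattern)):
            return ("block", f"whole host blocked because of: {reason}")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    samples = [
        ("http://www.errorsafe.com/download", None),
        ("http://feeds.feedburner.com/SomeFeed", None),
        ("http://cdn.example-akamai.com/ads/rogue.swf", None),
        ("http://cdn.example-akamai.com/static/logo.png", None),
        ("http://scam-clone.example/", "203.0.113.77"),  # constructed host + IP
    ]
    for u, ip in samples:
        print(f"{u:50} granular={classify(u, ip)[0]:5} domain-only={classify_domain_only(u)[0]}")
```

Run it and compare the two columns for the two CDN URLs: the granular checker blocks only the flagged object and allows the benign image, while the domain-only checker blocks both. The IP-range rule yields a warning rather than a block, the distinction between a content warning and a domain block that matters when the same range fronts many sites.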

  • http://hautesecure.com steve

    Mike,

    Thanks for the feedback. It appears our design goals for this version are not clear. This release is designed to prevent users from malware attacks delivered by drive-by exploits. As you probably know, there is virtually no protection today whatsoever against them. We created a solution to do this in two ways: the first is the Haute Secure client on your PC that stops malicious code from executing without a user’s permission. The second is the constantly updated malicious link database that stops the delivery of malicious code by blocking links known to be laced with malware. For example, if you were to browse to winfixer.com, and it tried to exploit your browser (or a 3rd party plugin) to install malware, this would be something Haute Secure catches and stops. If it asks the user for explicit permission to download winfixer and the user clicks “yes”, we do not currently protect from that.

    It holds then that the results we gave you are correct: those sites listed as dangerous have indeed been caught and verified as delivering (via drive by exploits) malicious code on unsuspecting users’ PCs. If you have had a chance to use the product, you’ll see that we do not block the popular sites that we found are distributing malware. Rather, we give you notice that we found malware on them and will stop drive-by exploits lurking on them as you browse the site.

    Protecting users who click “yes” and become infected is a separate problem space and we have plans to address it with the same approach in the future. In the near term, we will enable members in the community such as yourself to contribute links like winfixer.com to the block lists. That way we’re blocking the page from loading and keeping people away from the temptation of downloading malicious code.

    With respect to analyzing script, I agree that this is an approach to the problem. There are other products on the market that do this, but as a general rule, they require signatures of the exploit code to work. Haute Secure is behavior-based, and therefore requires no signatures and can detect infection attempts from exploitation of 0-day vulnerabilities.

    Please keep in mind that this is a beta release. Your continued constructive criticism will help us improve future releases of this product. Thanks again for the feedback.

    Steve

  • http://www.msmvps.com/spywaresucks Sandi Hardmeier

    Hi Mike,

    The service is in early beta at the moment – in fact, it wasn’t made available to the public until a few days ago – this is something that needs to be kept in mind when assessing the service as it stands today – I know that those behind Haute Secure want any and all feedback regarding their service, and I’ll be making a point of bringing your blog to their attention, but personally I prefer to emphasise that a service is in beta when writing about it so that the final product is not judged on writings about early builds :o )

    You and I have expressed similar concerns. I have been having an ongoing dialogue with those behind Haute re things such as the product’s chattiness and my concerns about the flagging of entire domains on the basis of past incidents – hopefully things will improve if more emphasis is placed on *content* warnings and they are made easier to distinguish from *domain* warnings.

    I worry that wholesale warnings triggered by domains will lead to Haute Secure eventually being ignored (something I have shared with the team).

    That being said, we are facing some real problems such as COLOs when they run old or badly configured servers, which leads to hundreds, if not thousands, of sites being compromised and hostile code inserted for the express purpose of infecting visitors. Then there are the numerous dangerous domains that all point to the same IP address. In such situations I would be more than happy for an entire IP range to trigger a domain warning because it’s likely to be more effective than trying to block thousands of individual web sites at a COLO.

    The same can be said for services like myspace which can have hundreds if not thousands of pages that have been compromised. Sometimes it is easier to warn about the entire domain which has been the source of recurring problems than to try and track down and block thousands of individual URLs.

    The URLs you mention as being marked as ‘safe’ are a problem (as we both so well know) :o ) But Haute is based around behavioural analysis – its purpose is to try and warn us of sites that are trying to do something bad (as distinct from offering betrayware for download), so if the site is not being seen to actively try to install malware on a system without user interaction then it may fall outside the scope of the product as it stands today – and you and I both know how good those behind winfixer are at evading detection.

    You may find these articles interesting:

    http://community.hautesecure.com/forums/p/27/30.aspx#30

    http://community.hautesecure.com/blogs/company/archive/2007/07/12/the-details-on-beta-build-419-rtw-of-haute-secure.aspx

    http://community.hautesecure.com/forums/t/29.aspx

    As always, my best wishes,

    Sandi &c.

  • http://www.zip-repair.org/ corrupt zip repair

    Nice post, thanks. I really love it!

  • http://www.powerpoint-file-repair.com/ repair powerpoint files

    Great post Nice one thanks.