Just for clarification, I was using a Safari browser from a pre-Intel Mac Powerbook running OS 10.4.11. My browser is the absolutely latest version of 4.

I think, if you've read through all the quotes I've provided from Dark Reading and the professional security people, you will read them say that the page's hidden content loads whether you request anything or not. Just going to the page starts a routine that can include loading or "updating" software in your computer. After determining your OS (in my case Mac 10) it presumes the ubiquity of RealPlayer and loads a RealPlayer "update" by causing a permission path to occur whether you like it or not.

Remember to (cautiously) visit the website for RemoteViewer.com if you have doubts about what its programmers claim it can do. They absolutely promise the operator of their software the ability to probe, enter, load and then remote-control from a distant console any hijacked ("slaved") computer with or without the computer-owner's permission, and with or without the presence of resistive firewalls. I would not recommend testing the validity of their claim by visiting the Chilean, Polish or Romanian server that they are feeding the remote operations from.

I'm not a computer-security professional, so I can't answer your objections about what ought to be, or what ought not to be, possible. The professionals are saying that existing browsers are all vulnerable, that the click-jacking is platform-independent (works against ALL) and that only when the basic underpinning design of browsers is radically altered will attacks and servitude of this kind be thwarted. Not very uplifting news, I know.

Meanwhile, since writing the list earlier, I've received yet another Facebook mimic from the same people encouraging me to visit (and to get my computer "loaded-into" and enslaved... again).
This new server is in Cmolas, Poland and if you choose to test the integrity of your browser, the server is 89.171.46.6. I wouldn't try it if I were you. The actual "link" if you were to click on the button in the email, is to (in my case) AND DON'T TRY THIS AT HOME –

http://www.facebook.com.pitjiilil.com.pl/usersdirectory/ LoginFacebook.php? ref=134531713131695466698480437872&email=michaelb at sover.net

DON'T ANYONE CLICK ON THE ABOVE LIVE URL LINE, please.

Although this email came, unsolicited, directly "to my door" I should point out that the included ".pitjiilil.com.pl" address is exactly the same domain set that was used for the direct click-jack attack on Facebook over last weekend, so I think this adds proof to the possibility that this is an all-out attempt to scoop up personal computers in advance of some near-future DDoS attack.

I've received iterations of this trojan attempt on 30 October, 8 December and 30 December from servers (as I said) respectively in Romania, Chile and Poland. The "latest" Safari doesn't address the problem. The latest Firefox doesn't address the problem. The latest IE doesn't and can't address the problem, and the problem's been around more than seven weeks.

The title of each of these emails is "Facebook Account Update" and in each instance the sender is "Facebook".

Michael

On 31 December 09, at 8:57 AM, R. David Murray wrote:

> On Wed, 30 Dec 2009 21:40:19 -0500, Michael Billingsley
> <michaelb at sover.net> wrote:
>> The original posting - which under my signature tells Facebook's
>> experience with "clickjacking" gives some of the details. It depends
>> upon the browser, and according to security experts, all browser apps
>> including Firefox are vulnerable if you land on the wrong page or
>> click on the wrong (deceptive) button. Security people fault web
>> browser developers for being entirely in a defensive/responsive mode
>> instead of evolving a completely reworked approach to browser page
>> viewing.
>
> Yes, I understood that.
>
>> On 30 December 09, at 4:07 PM, R. David Murray wrote:
>>> How can just going to a web page install software on your machine?
>
> What I meant by this question is, even if the clickjack or web page load
> initiated a request to install software, (a) you should be prompted for
> confirmation before any install is done in a way that isn't clickjackable,
> (b) it should not be *possible* for any software other than firefox
> add-ons to get installed without you entering the root or admin password.
> Even if a bug in firefox lets an add-on install without a confirmation
> prompt, cleaning up your firefox addons registry would be much simpler
> than cleaning up the results of an equivalent hack on a Windows box,
> where the infestation could go beyond just firefox because many Windows
> users run as admin (because not doing so is so much of a pain; though
> it is better these days than it used to be).
>
> Well, technically non-firefox-add-on software could get installed in the
> non-admin user account on either OS X or Windows (or linux, for that
> matter) such that it would get run by that user, but again that's a *lot*
> easier to fix than an admin level infestation. (Well, it's still
> painful on Windows, unfortunately.)
>
> So I'm wondering how you got infected, and if it represents a serious
> vulnerability in OS X or Firefox or Safari. Thinking about what you
> described, I'm guessing you were dealing with a firefox add-on? Or the
> Safari equivalent? Which makes me wonder if there is a bug in the way
> the install-confirmation popup or the add-on update hooks are handled
> that the malicious web site was able to exploit.
>
> Well, I guess the main lesson is to always make sure your web browser
> is up to date with the latest security fixes, since it is the most
> vulnerable part of any Internet connected workstation, and then
> to always be cautious anyway when browsing the web.
>
> --
> R. David Murray www.bitdance.com
> Business Process Automation - Network/Server Management - Routers/Firewalls

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20100101/68526551/attachment.html