Heightened Security on the Windows PlayOnline Viewer

[Mhurron]

Affected Real Player files are included with IE (hence the REAL PLAYER/IE) it's just a pain finding specific past alerts from MS. The ActiveX flaw was closed by MS at the same time and a patch would have shipped on the second Tuesday of November.

Also, a number of people said they didn't have Real Player, only to find they had forgotten that they had installed it long ago.

If memory serves, this is the IE patch
Microsoft Security Bulletin MS07-061 – Critical: Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

[Phanex]

And yes that is a great analogy. You see someone was saying that the new feature is a waste of time and gives a false since of security. But it depends on how u look at it.

In your analogy the user was with some1 with syplis, well guess what, now the user has it too. So it doesn’t matter where he goes or what he does, the user’s pc is still compromised regardless if they know what sites were “fixed” or what not.

So SE knows it’s a keylogger, and since no one can figure out how to remove the code/program/etc, they are doing the most logical thing, allowing users to use an on screen keyboard, where a keylogger can’t get the password.

Now since they think they “know” how it all began with Real player, flash, w/ever, they figure the computer might be safe from “NEW” programs using the same method they used to infect with the “Old” Program.

Now as from them websites provided about known issues etc., there was always at least 2-4 weeks where the “ability to be compromised” is unknown. Just cause they find it after it’s been out in the public for a month, and took them a month to make patch, doesn’t mean the patch is going to fix what the computer might have infected with. The damage has been done. It takes time for them to know something’s wrong, then it’s going to take time for them to fix it. All that time, unless it’s emailed or televised, no one is going to know something’s wrong, until its way too late. So, is it still the User’s fault he was hacked? Even when ppl didn’t know, at the time even Real Player didn’t know, what the problem was?

Now the above statement is an analogy for the most part, but it can and will happen. How long with that version of Real Player out before ppl started to figure out something was wrong. Even SE didn’t believe the users when they started reporting something was wrong.
______________________________
Hmmm... let's just all agree it's Bill Gats's Fault and be done with it lol.

[Shadowneko]

hey Feba is the Troll and every message board has one. I find it best to ignore such people 80% of the time...

BTW: My sister's friend got hacked...and it was a shared account too! (and the RMTs deleted one of the characters!) I'm glad SE finally did something!

[Mhurron]

Originally Posted by Phanex

And yes that is a great analogy. You see someone was saying that the new feature is a waste of time and gives a false since of security. But it depends on how u look at it. In your analogy the user was with some1 with syplis, well guess what, now the user has it too. So it doesn’t matter where he goes or what he does, the user’s pc is still compromised regardless if they know what sites were “fixed” or what not. So SE knows it’s a keylogger, and since no one can figure out how to remove the code/program/etc, they are doing the most logical thing, allowing users to use an on screen keyboard, where a keylogger can’t get the password. Now since they think they “know” how it all began with Real player, flash, w/ever, they figure the computer might be safe from “NEW” programs using the same method they used to infect with the “Old” Program. Now as from them websites provided about known issues etc., there was always at least 2-4 weeks where the “ability to be compromised” is unknown. Just cause they find it after it’s been out in the public for a month, and took them a month to make patch, doesn’t mean the patch is going to fix what the computer might have infected with. The damage has been done. It takes time for them to know something’s wrong, then it’s going to take time for them to fix it. All that time, unless it’s emailed or televised, no one is going to know something’s wrong, until its way too late. So, is it still the User’s fault he was hacked? Even when ppl didn’t know, at the time even Real Player didn’t know, what the problem was? Now the above statement is an analogy for the most part, but it can and will happen. How long with that version of Real Player out before ppl started to figure out something was wrong. Even SE didn’t believe the users when they started reporting something was wrong. ______________________________ Hmmm... let's just all agree it's Bill Gats's Fault and be done with it lol.

My god you're retarded.

How to clean is well known, the keylogger is easily identified by the majority of AV software.

What the problem was was known very early
Real Player/IE exploit: Order of the Blue Gartr • View topic - FFXI: JavaScript exploit on the loose(Repairs inside)
Flash: Another #$%@% virus warning.

The exploited holes were fixed over a month in advance.

The problem is PEBKAC. You're the type of person that runs a car into the ground then complains that the manufacturer should have done something to prevent it after it turns out you never topped up fluids or changed the oil.

[Phanex]

He's tried several AV software, they can't find it, and again, SE told him the only way to clean the system is a format/reinstall the system. I'm just going on what I know what he's doing. /shrug. If that makes me a retard, i guess i am.

[Feba]

Originally Posted by Phanex

SE told him the only way to clean the system is a format/reinstall the system.

Which, like I said, is why SE would be better off beefing up their customer support team than doing things like this.

[Taskmage]

Originally Posted by Phanex

So SE knows it’s a keylogger, and since no one can figure out how to remove the code/program/etc, they are doing the most logical thing, allowing users to use an on screen keyboard, where a keylogger can’t get the password. Now since they think they “know” how it all began with Real player, flash, w/ever, they figure the computer might be safe from “NEW” programs using the same method they used to infect with the “Old” Program.

There's more than one way to skin a cat and there's more than one way to steal a password. The software keyboard eliminates one of two currently used vectors to get access to your account. But as long as users keep pretending they're helpless victims instead of stepping up and being responsible for their own security they're still wide open to future hacks.

Btw, am I to understand correctly that your friend is continuing to use a system he believes is infected with a keylogger because he thinks he can't get rid of it without reinstalling? That is profoundly lazy and irresponsible. Which would you rather do: spend an afternoon restoring your system from a wipe, or spend months on the phone with creditors trying to recover your life from an identity theft? But I guess if the latter happens he can just claim ignorance and helplessness.

Originally Posted by Phanex

Hmmm... let's just all agree it's Bill Gats's Fault and be done with it lol.

Dear god, are you even listening? Nobody is responsible for your personal safety but yourself. Blaming Bill Gates for an account theft is like blaming George Bush for getting mugged.

[Phanex]

Quote:

Originally Posted by Phanex Hmmm... let's just all agree it's Bill Gats's Fault and be done with it lol. Dear god, are you even listening? Nobody is responsible for your personal safety but yourself. Blaming Bill Gates for an account theft is like blaming George Bush for getting mugged.

Ok, this was just a joke that was what the "lol" was for, sorry i even said it. I forgot only a certain amount of peopel on this form can say something like that and people find it funny.

No he's not still using the system, he is using his 360 to play the game, yet he hasn't even got his old account back. And he lost his recovery CDs, his PC is old, he's just hasn't recived them yet from HP, they are on back order. But he's not worried about it anymore cause he likes the 360 better now.

All i was trying to say, is that there had to be a point in time where someone didn't know realplayer or whatever the program may be, was vulnerable untill it was too late. Untill it was already exploited and the programs where spread out. and to think someone wasn't compromised during that brief moment in time is just wrong.

In that link you gave us about the realplayer risk, they said they became "aware" of it on 10-18, and they released a patch on 10-23. Woot, that's real quick and real nice of them, but who's to say that the problem hasn't been out since 9-15? and then there were them 5 days of them working on the problem. Now if someone was infect those 5 days, then are they stupid cause they didn't know to download a patch that didnt' exsist until the 23rd?

This is my point, hackers are working 24/7 to exploit everything and the ppl who make the patches probley won't find it until "crap hits the fan" days later. That is my whole point. But no I must be wrong right? I'm sure someone will come up with some other excuse and what not. But that dosn't mean that there is always a certian amount of time that even windows update can not protect ur computer from what is out there UNTIL someone knows it's out there.

[WishMaster3K]

I don't know why people still use Realplayer.

When I Google Sound Effects to use for the music mixes for our performances, if the format is .rm, I just leave the website and keep looking.

There are way too many GOOD media formats out there for me to be bothered downloading Real Player when I can't even cut the sfx into Primiere or Movie Maker.

But I feel bad for everyone who got exploited. People who don't know how to use computers should just get Macs.

[Feba]

Originally Posted by WishMaster3K

People who don't know how to use computers shouldn't.

Fixed. Macs are not going to save a stupid user from themselves.

Are you going to get a keylogger? Almost certainly not. Are you going to still use insanely insecure practices, and suffer when someone takes advantage of it? Hell yes.

Originally Posted by Phanex

then are they stupid cause they didn't know to download a patch that didnt' exsist until the 23rd?

This is hardly ever the case. The majority of security exploits, especially ones used by groups that aren't really technically inclined like RMTs, are not Zero Day, and have been patched for awhile. Like Mhurron pointed out, we know when these attacks happened and when the patches were released. Your explanation is not valid.

RMT are not hackers. They are money grabbers. They look for what they can sell in online games for a quick buck. They go after low hanging fruit. In computer security terms, those fruits are people who don't take measures to protect themselves (and really, this is the case for almost all exploits in general).

[Phanex]

You see, that's all you had to do, was explain it to me. Although i'm sure Feba thinks i'm a tard, at least he didnt' say it outright.

[Taskmage]

Originally Posted by Phanex

Ok, this was just a joke that was what the "lol" was for, sorry i even said it. I forgot only a certain amount of peopel on this form can say something like that and people find it funny.

Usually when someone says they were just kidding, it's half true. It's a hyperbole; I get it. It's not funny to be because I believe the underlying attitude of projecting your own responsibility onto someone else is not a joke to you.

Originally Posted by Phanex

In that link you gave us about the realplayer risk, they said they became "aware" of it on 10-18, and they released a patch on 10-23. Woot, that's real quick and real nice of them, but who's to say that the problem hasn't been out since 9-15? and then there were them 5 days of them working on the problem. Now if someone was infect those 5 days, then are they stupid cause they didn't know to download a patch that didnt' exsist until the 23rd?

The somepage iframe didn't surface until 12-12. At that point the security issue had been patched for nearly two months.

Originally Posted by Phanex

This is my point, hackers are working 24/7 to exploit everything and the ppl who make the patches probley won't find it until "crap hits the fan" days later. That is my whole point. But no I must be wrong right? I'm sure someone will come up with some other excuse and what not. But that dosn't mean that there is always a certian amount of time that even windows update can not protect ur computer from what is out there UNTIL someone knows it's out there.

In most cases patches are released for major security issues long before we hear about major exploitation of them. Heck, security patch notes are probably how a lot of hackers discover new vectors of infection. That's why it's so important to stay up to date on that stuff. But in some cases you're right and there's a small window in which the exploit exists without a fix as I believe was the case with the recent flash player issue, which is why it's so important for end users to do their due diligence to minimize their risk of infection. Most of this stuff requires little technical know-how or investment/

• Don't visit frequently infected sites. Somepage and ffxi-atlas have been infected twice. Don't use them. The convenience isn't worth your account.
• Secure your browser. In short, don't use IE and make sure the browser you do use blocks the most common modes of infection. There's a great guide on this here: GUIDE: Protecting your web browser. - Windower
• Use the security tools SE gives you. Maiev advice: the Star★Onion | Login Verification (Account Security) Mhurron advice: Heightened Security on the Windows PlayOnline Viewer
• If you want to be absolutely sure, don't browse the internet on the same machine that contains your sensitive information, or run the browser in a sandbox. For the latter you'll need someone more savvy than me to explain.

Look dude, I'm sorry your friend got hacked. Really I am. I know three people whose accounts got hijacked in this last round. All good, intelligent people for whom I have much respect. But that doesn't change the fact that ultimately each of them was the only person responsible for making sure they weren't vicitimized and they did an inadequate job of that.

[Feba]

Originally Posted by Taskmage

Secure your browser.

I'm going to recommend that you do even better and follow Taskmage's fourth bit of advice for your browser. Yes, firefox with NoScript and ABP and such is great, but you can do even better.

The most secure option is to have your browser completely separate from any vital information on your PC. The easiest ways to do this, in order, are A: Second computer, B: live CD, C: Virtual Machine/Browser Applicance, D: Dual boot.

Technically, the last three (and some setups of A) CAN still get access to your main system, but it's much harder, and extremely unlikely.

A- This is the easiest, but also the most expensive. Just buy another computer and use that for web browsing, email, and other things that are very insecure. All the better if you put something like Ubuntu on it.

B- Find a LiveCD, and boot off it whenever you want to search the web. I recommend something like DamnSmallLinux, which is made for the task, and which can be easily customized (for example, to add your custom bookmarks); although it won't work very well in all computers. Ubuntu will be much more fool proof and easier to use, but it's LiveCDs are more inclined towards installation than daily use, so they're pretty slow.

C- Browser Appliance is a virtual machine built to run firefox. Won't need to worry about rebooting your computer, although it will of course be slower than a regular browser.

D- Basically like B, except you install it instead of using a CD. Quicker, and still very easy to set up, but not as foolproof as the other options.