StopBadware’s manager, Maxim Weinstein, has a guest editorial today in ZDNet’s Zero Day security blog. The editorial urges more transparency in malware filtering by anti-virus companies, search engines, and web browsers.

• A low false-positive rate
• Clear, publicly-available criteria for determining which sites are listed
• Information about why a particular site is listed
• A transparent, responsive process for requesting removal of incorrect or outdated listings
• Support and education for owners of compromised sites

Helping to foster these kinds of fair and open systems for user protection is, of course, one of StopBadware’s missions. Have thoughts on ways to make malware filtering better? Share them in the comments to Maxim’s post.

Last month, Google found badware on www.webchat.pm.gov.uk. Yes, that would be an official web chat server provided by the UK Prime Minister’s office for use by government officials to hold chats with citizens. (Kudos to the Brits, by the way, for engaging in this way with their constituents.)

While I’m sure there are some conspiracy theorists who would disagree, I’m fairly certain that the UK government didn’t set out to infect its citizens. Rather, this was a classic case of a legitimate website being compromised via a SQL injection due to some old, insecure code in the server application. Iain Ballard, application support manager for Twofour Digital, the company that provides the web chat site for the PM’s office, explains:

This department has grown from one developer two years ago, to several teams totalling nearly 30 full-time development staff. Part of this growth has been due to the absorption of two other companies: Makeni and HMC.

As tends to be the way, the older software is implemented in a range of old technologies and not in best practice.

...

With over 100 old products to be managed and limited resources, turn around times can be long. Some of the products to be maintained are large and complex systems used by clients such as the BBC, UK Parliament recording, Europarl TV, several local government agencies, Volkswagen, Audi and a host of content and media suppliers.

To the credit of Mr. Ballard and his team, they not only removed the infection, but they fixed the vulnerability that allowed the SQL injection in the first place. (Specifically, a parameter was being passed directly from the web page into a SQL query with no validation, a big no-no in secure development.)

It’s easy to think that only small websites run by individuals are vulnerable, but as this example shows, even top sites managed by professionals need ongoing, careful attention paid to security.

Friday the 13th (of June) was an unlucky day for the folks at AVG, an anti-virus vendor known for its free Windows scanner. On that day, tech site The Register reported that a component of the paid version of AVG’s security suite was generating large amounts of “fake traffic” to websites in its effort to proactively protect users:

Early last month, webmasters here at The Reg noticed an unexpected spike in our site traffic. Suddenly, we had far more readers than ever before, and they were reading at a record clip. Visits actually doubled on certain landing pages, and more than a few ho-hum stories attracted an audience worthy of a Pulitzer Prize winner. Or so it seemed.

As it turns out, much of this traffic was driven by the new malware scanner from AVG Technologies.

Six months ago, AVG acquired Exploit Prevention Labs and its LinkScanner, a tool that automatically scans search engine results before you click on them. If you search Google, for instance, and ten results turn up, it visits all ten links to ensure they’re malware free.

After protests from webmasters, perhaps fanned in part by Nathan McFeters’s blog post last Friday, The Register reports that AVG is modifying its product to no longer pre-scan pages that a user hasn’t clicked on yet.

Note that Nathan went as far as to call AVG’s LinkScanner “badware” in Friday’s blog post on ZDNet. Here at StopBadware.org, we did not evaluate the product against our Badware Guidelines, nor do we intend to now that the product is being modified.

Brian Krebs at the Washington Post reports on a study that found that 40% of Google users do not have all the latest security updates for their web browser. This means they’re susceptible to a broader range of drive-by download and other web-based attacks.

Google users may not be globally representative of the Internet using population, as we know that 60% of users in China use a search engine other than Google. However, it certainly represents a large portion of the Internet-using public.

Another finding was that Firefox users are the most likely, and IE users the least likely, to have an updated browser:

The report concluded that Firefox users were more likely to be using the latest version because Mozilla’s patch process is the quickest and most painless (no arguments there). Firefox downloads updates automatically and prompts the user to install them immediately.

A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

...

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....

If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.