General Chat

Rollo I agree.
Enabling the XSS filter is just one (small) thing users can do. Sure there are numerous ways around it but better some protection than none at all.
Glad you have left the dark side and moved over to Linux.

Elizabeth - you are disabling cross site scripting by enabling the XSS filter - sorry if I confused you.

A follow up for Mr Errol - as I said disabling XSS will not defeat a determined attack.
Here is one example from a security site. The real thing is a little more devious.

Simply, the attacker needs to include a remote script, allowing ANY action to be performed in the security context of the vulnerable site. The easiest way is to perform a document.write, for example:

')"'>a link

The trouble with this approach is two fold. Firstly, the introduction of angle brackets hits the .NET ValidateRequest protective measures, and also modern browser XSS protection - which basically works by looking for "unsafe" client supplied input being reflected without encoding. So how can we bypass?

First step, encode - URL encode:

a link

This basic evasion won't work for two reasons; firstly the browser will decode the URL and detect user supplied input is being reflected in the responce. Secondly, the appliction will decode the parameter and detect that unsafe characters are being sent...back to the "A potentially dangerous..." error message. What the attacker needs to remember in this instances however is we have already proved that we can execute arbitrary code - as illustrated in the pop-up box in the first example. So let's apply a second round of encoding:

a link

Now in this example we have no unencoded angle brackets and we have no [single pass] URL encoded angle brackets. In other words we have just bypassed both .NET ValidateRequest and modern browser XSS protective measures. The beauty of this attack is there is no trivial solution to the problem, other than executing the JavaScript code to assess whether or not it's malicious in nature; not a trivial task, and dangerous in its own right.

So there you go...bypass both .NET and modern browser XSS protection with a simple double URL encode of the infection vector*. REMEMBER POINT TWO OF MICROSOFT'S ADVICE - ENCODE [OR STRIP] THE OUTPUT - do not rely on input validation alone!

:-D

Dear Mr Errol, here we are all Linux people except for charity work we do which tends to involve Windows.

The many weasel ways in which all sorts of malware and adware get into users machines are too numerous to list here and beyond the ken of most. Suffice it to say that the standard "security" options inc disabling XSS are not very challenging if you work on the dark side.

The ones that give me the crawlies the most are rootkits which go on to run a key logger. As it is next to impossible for ordinary people to detect these kits they shuld be very wary of using online banking. That is why some banks issue a device to generate a one time key which a logger cannot use.

Windows XP running IE (any version) is by far the most vulnerable ; the easiest and cheapest fix until Jan 31st 2013 is to upgrade to Win8 as Microsoft are doing ug licences online for about £ 35. After that the price goes up by £ 100. Also Win8 will run ok on oldish hardware that finds Win7 a bit of a stretch 'cos the code is more efficient as well as a tad more secure.

Any kind of support including security for XP will stop in about a year.

ES - you orignally said "enable" - so I checked and I already had the dot there (though it didn't mention XSS specifically" - I have XP) - now you say "disable"). Haven't had any virus trouble, did scan. Did I misunderstand?

Rollo are you employed by the company marketing Windows 8 by any chance? hehehe

Yes dual booting is very useful but sadly beyond the skills of many computer users - I use dual boot machines, mainly with Linux and in particular Ubuntu.

The point I was making about XSS was that at the very least you have it blocked.

I feel sorry for people with no technical ability trying to keep a Windows system clean. It is next to impossible.

For instance the popular Lavasoft AdAware program has been rre-written under new owners Solaria. The UK tech site "The Register" has this to say about Solaria:

"The new owners, Solaria who bought the company (Lavasoft) in January this year have also been linked to a number of misleading websites and were accused in 2007 of selling free versions of ad-aware through cyber-squatting sites. The founders of Solaria have also been linked to other companies selling porn online, re-skinned versions of P2P filesharing software and charging customers for software they didn't order."

It may not be a surprise then to discover that the free version of AdAware installs Blekko. Here is a useful commentary about Blekko:

http://www.2-spyware.com/remove-blekko-redirect.html

You couldn't make it up.

Believe me if you think that clicking a few options about cross site scripting will secure yr box then you are a super duper optimist. The trouble is that Windows (any version) is congenitally disastrous at security and only slightly better at being reliable. The latest versions do not have any better security at the kernel, just thicker armor which the black hats will soon find their way through.

You can see and read about the results every day - Stux net, bizarre displays at car parks and supermarkets, bot nets it goes on and on. Indeed it is so bad that the German govt is withdrawing altogether from using Windows and has advised its citizens to do the same. What more can I say?

For those who really must use Windows 'cos it is cuddly and familiar ( ? ) then at the very least ensure that if it is XP you have it fully patched - the best AV program is Microsoft;s freebie oddly enough - and run a firewall AND DON'T RUN IE ANY VERSION. No browser is secure in XP but IE is by far the worst. Now is the time to get yr cheap Win8 UG - offer expires 31st Jan 2013.

Alternatively switch to Linux if you are poor or Apple if you are not. Either way you can dual boot Windows in case of need.

Just to clarify, cross site scripting (XSS) is not in itself a virus (as stated on another thread) but can (maybe) be used to steal information which is why it is a good idea to block as discussed earlier.
This, in addition to decent security settings and software in general, is just a part of your armoury in combatting nasties.
Rollo is quite right about freeware (and shareware) too.
If you download something it is always wise to Google it first to see if there are any reported issues. Also, when downloading never click on Run. Instead, choose "Save as" and save the file in a suitable location. You can then right click and scan it with your anti-virus software before running it.

There are more ways around attempts to block cross site scripting then there are fleas on an old cat. Sure, use the browser settings to block it but it won't work for cunning coding. That is why a great many honest sites have ended up as unwitting targets for pay day loans sharks.

By far the most popular vector for getting this stuff into the machine are ads. So AdBlock will stop much of this nonsense. You can always enable ads on a site by site basis where you the ads may be useful to you. fwiw GRU does not do all that well from ads anyway which is why the subs are going up :-(

Another very common way all this crap gets into computers is freeware, some of it very popular. The "freeware " offers to install stuff such as search bars etc etc. People don't read the install and just click, click, click like mad.... Once installed these add ons act like a honeypot for more, often dubious ads, and create a huge security hole. The add ons can be a real pain to remove.

Sometimes they can be avoided by reading the install carefully and deselecting but often the "right" to install the junk is deep in the t&c. Nearly all this malware once installed uses cross site scripting but is usually slips under the radar. In the worst cases people end up with a root kit.

I often wonder if the people moaning long and hard at problems with connection to GRU ever consider what kind of grot they may have running on their machine.

From a security point of view Apple products are easily the best, any version of Internet Explorer the worse and especially IE6,7,8.

XP is really a shot fox. Until the end of this month you can still get a cheap ug licence for Win8. I have found it fairly easy to make it look and work pretty well the same as Win7 with the possible bonus that you can run an "app" when needed. The tile UI is ok on tablets but a total disaster on real computers. MOre to the point of this post Win8 security out of the box is fairly good.

Quote ErrolSheep

it is probably purely caused by click-through adverts

End Quote

I am 99% certain that it is caused by the adverts, and its not the first time the adverts on here have caused problems. The problem being the adverts are not being screened by the advert host, not GR. We have had to put up with viruses, malware etc coming in from the adverts from the sites which GR uses for supplying the adverts ever since day one as to say.

no please don't delete - valuable advice

I realise that Errol but as ad blockers were mentioned I thought I would add the information. I will delete if you wish.

it wasn't about blocking ads - more about blocking malicious code that could be used potentially in some cases to steal personal details etc

I don't get adverts on my main PCM, do on the IPad though

If you have an iPad or even iPhone there is an Adblock app

Supercrutch yes - thank you
That means your settings are correct
My original post was because I was concerned that the warning was popping up

If you have correct settings on IE your pop up will say

'Internet Explorer has modified the content to help prevent cross site scripting' not verbatim but you get the drift.

it is probably purely caused by click-through adverts and nothing to worry about (unless someone is foolhardy enough to click on them!)
I reckon it just highlights how careful we should be

Oh and thank you all very much - you are all so very helpful to a non techie

<3

As I have not seen this problem on any other sites I visit such as Rootschat or Facebook, could it be someone hacking through this site if so should it be reported to the GR team?