
A recent newsletter surfaced warnings from a couple of security services. As a result, we'll look at what false positives are, and what to do.

When I click some of the "continue reading" links in today's newsletter McAfee SiteAdvisor warns me that:

mm.chitika.net/minimall?w=300 may cause a breach of browser security. Why were you redirected to this page? When we tested, this site attempted to make unauthorized changes to our test PC by exploiting a browser security vulnerability. This is a serious security threat which could lead to an infection of your PC.

What is going on with this?

AVAST POTENTIAL VIRUS ALERT was received when your newsletter was coming into my mailbox. Here is what the alert said:

"Sender: "Leo Notenboom - Ask Leo!" <leo@ask-leo.com>
Recipient: *****
Subject: Leo's Answers #179 - May 19, 2009

***
Target of remote iframe:
(You can permit them using "Permitted URLs" button)
rcm.amazon.com

WHAT DOES THIS MEAN? Has someone put a virus in your stuff and you don't know it?

I got those two questions in response to a recent newsletter.

First, there is no malicious code involved at all. Period. I want to be very clear on that. My site's not been hacked and my newsletter's as safe as always. In fact, there's actually nothing wrong.

But in making two changes this week, I exposed one of the frustrating side effects of some security software: the dreaded "false positive".

Let me explain what I did, why some security software might be alerting on it, why this can happen to any site or provider, and finally ... what you should do about it.

Let's start with the first one:

mm.chitika.net/minimall?w=300 may cause a breach of browser security.

This week I began running a trial of a new advertising provider, Chitika. Chitika has been around for a long time, and I trust them completely. In researching this issue, I heard from their Vice President, who also assured me that there was simply no way that their ads would have or involve malware of any form.

And, as I said, I believe them.

They were the victims of what's known as a "false positive" - a trustworthy site or service being erroneously flagged as suspicious by security software.

Why?

There are two typical reasons:

  • Errors in the database. It's often unclear how services like SiteAdvisor make their determination, but it's not unexpected that they might make mistakes. Typically, these errors get cleaned up fairly rapidly, but while they're out there they're ... well, they're out there - falsely flagging safe sites as suspicious.

  • Out of date databases. Much like anti-malware software, some of these services cache their databases on your machine. That means that even if the "master" database controlled by the service is up to date, the local copy on your machine may not be. How you ensure that it is (or even if one is used) depends entirely on the specific service you're using.

Now, about that second one:

Target of remote iframe: ... rcm.amazon.com

In this week's newsletter I added a new feature, "What I'm Reading", which includes a small box off to the right with an image of the book, and a link to Amazon. The problem is that the technique used to generate that box (in HTML terms, an "iframe") is apparently considered a possible attack vector by avast!.

In my case, it's not. Period.

But I suppose it's a valid thing to warn about, though screaming "POTENTIAL VIRUS ALERT" seems a tad excessive. So while I might quibble with avast!'s approach, the logic they're using is at least plausible.

What I've done.

  1. I've temporarily removed Chitika from my site. I trust them, they're a good advertising service, but my reputation is more important. It's more important that you trust me, and sadly that means that even false positives can lead me to this action. It's not fair to Chitika, but it's the only real recourse I have at this point.

  2. I'll not be using an "iframe" in my next newsletter to show you what I'm reading. I can use other techniques that shouldn't cause avast! any further fits.
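A pre-send check for the situation described above, added here as an example and not Leo's or avast!'s own code: it lists the remote hosts that any iframe in a newsletter's HTML would load from, which is what the avast! alert reported as "Target of remote iframe". The sample markup, its placeholder URLs and the `find_remote_frames` name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that embed a separate document inside the message body.
FRAME_TAGS = {"iframe", "frame"}


class RemoteFrameFinder(HTMLParser):
    """Collects the hosts that framed documents would be loaded from."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line number, tag, host)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag not in FRAME_TAGS:
            return
        src = (dict(attrs).get("src") or "").strip()
        try:
            host = urlsplit(src).hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            host = None
        # Absolute (http://host/...) and protocol-relative (//host/...) URLs
        # have a host; about:blank and a missing src do not.
        if host:
            line, _ = self.getpos()
            self.findings.append((line, tag, host.lower()))


def find_remote_frames(html):
    """Return (line, tag, host) for every frame that loads remote content."""
    finder = RemoteFrameFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample newsletter body (not the real newsletter markup).
SAMPLE = """<html><body>
<p>What I'm Reading</p>
<iframe src="http://rcm.amazon.com/placeholder" width="120" height="240"></iframe>
<iframe src="about:blank"></iframe>
<a href="http://www.amazon.com/placeholder"><img src="cid:cover.jpg" alt="Book cover"></a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host in find_remote_frames(SAMPLE):
        print(f"line {line}: remote <{tag}> target: {host}")
```

The plain link-and-image version on the last line of the sample produces no finding, which is the kind of replacement technique item 2 refers to.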

What you should do.

I'm not a big fan of McAfee's SiteAdvisor, for the very reasons you might expect. This isn't the first time I've experienced false positives from people using the tool, and I do periodically hear from others experiencing similar.

There are other technologies out there, such as Web of Trust, that perform similar services, though I do not have any data that says how good they are or aren't. (Though lack of hearing about false positives is a good start.)

I tend to run without either, and typically suggest relying on common sense and healthy skepticism instead. However, I realize that common sense isn't always common, and healthy skepticism is rare.

So.

Much as it pains me, the conclusion I'm forced to come to is simply this: pay attention to the tools anyway, even if they steer you away from safe sites. Yes, even if that means mine.

I'd rather have you be safe than sorry.

And if you run across a site that you're shocked would be considered malicious (like, say, this one), then let the site owner know. (As many of you did, for which I thank you.)

The site owner can often take action, as I have, to mitigate the impact of false positives, and if needed contact the offending parties to hopefully resolve the issue.

Article C3737 - May 21, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
11 Comments

I used to have Nortons but it got to the point everything was considered a threat. I switched to Trend and it is somewhat better except they keep disabling 2 of my games I bought from a very reputable site EA. Seems like all of them are flawed.

Posted by: Margaret Louk at May 26, 2009 2:05 PM

Since iFrames are a threat only to IE users just switch to a different browser. I use Opera and Avast and I never had a warning relating to Leo, of any kind.
Chitika was flagged because they used to employ tracking cookies - don't know if they still do it, I've blocked them in my url filter - but this is practically harmless.

Posted by: Gigi at May 27, 2009 12:33 AM

I am using Mozilla Thunderbird, and for every newsletter email I have got a warning that it could be a possible fraud - up to this last newsletter where I got no warnings! Even if I trusted Leo the changes in the newsletter removed this irritating warning for me :-)

Posted by: Jostein at May 27, 2009 1:15 AM

Interesting Reading with reference to Leo's site being flagged - False/Positive. If a service is employed and that service uses Tracking Cookies then I would regard that as a serious breach to my privacy. Leo I must congratulate you for taking immediate and positive DECISION to withdraw the use of IFrame. Incidentally, I use Avast on one of my PC and I have had no problems. Good to be security aware, but end user must also try and learn a little bit beyond the warnings.
Keep up The Good Work, Leo.

Posted by: Dave at May 27, 2009 6:28 AM

I am trying to learn as much as I can
so far no warnings

Posted by: billkennedy at May 27, 2009 12:13 PM