Thursday, July 06, 2006

AntiPhishing in Internet Explorer Beta 2 - Grrr!

A little while ago I installed a copy of Internet Explorer 7 Beta 2 and ever since I've been getting reports from SpySweeper that my computer has a possible rootkit.

It seems that Microsoft, in its wisdom, has decided that us lesser mortals will be confused by the presence of a new folder in our temporary Internet files so decided to hide it. Not content with making it 'hidden' or a 'protected system' file, they created a new file type normally not visible to users in the same way as rootkits hide their files. SpySweeper, one of the programs I use to get rid of malware, found it and told me the pathname. Knowing this I can enter it into a folder address bar and display the contents - it's:
C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\AntiPhishing (Where [username] is what you log on as)

The hidden folder appears to contain a single file (yes - I suppose they could have more hidden files in there). Investigating this file, it appears to contain the URL to which IE7 refers web addresses to check if they are genuine. You can't navigate to this folder the 'normal' way and deleting it is not possible the normal way either.

Now I think a browser that checks to see if that 'Barclays bank' link is genuine is a great idea. But super hiding the AntiPhishing folder is an idea that sucks! I want - no demand - to be able to investigate EVERY file on my computer. Someone who 'hides' a file makes me very suspicious. What if someone makes use of that hidden folder to 'hide' their malware?

Wonder what else Microsoft has hidden?

As to the rest of IE7? Nice one MS. Apart from that hidden folder - I like it.

2 comments:

Anonymous said...

Hi, I’m Raghava Kashyapa and I work for Microsoft as the Program Manager for the Phishing Filter technology that’s integrated into IE7. I’m happy to state that based on feedback received earlier this year, we have modified the attributes of the temp file to not be hidden anymore.

With regards to the temporary file, this by no means is a root-kit and in fact serves the important function of caching results of URL look-ups against the Microsoft Phishing Database. This is to minimize the number of checks that are made, which in turn reduces network usage and offers a better user experience.

I hope this helps set your concerns at ease and I would like to thank you for your feedback.

John Chapman said...

Great to hear that the final version won't have this hidden file.

I wasn't concerned that it was a rootkit - just that SpySweeper reported it as such. What was far more worrying is that software could be hidden in this folder and, although it might be detected by anti-spyware programs such as SpySweeper, it couldn't be removed by them.