When I click some of the “continue reading” links in today’s
newsletter McAfee SiteAdvisor warns me that:
mm.chitika.net/minimall?w=300 may cause a breach of browser
security. Why were you redirected to this page? When we tested, this
site attempted to make unauthorized changes to our test PC by
exploiting a browser security vulnerability. This is a serious security
threat which could lead to an infection of your PC.
What is going on with this?
AVAST POTENTIAL VIRUS ALERT was received when your newsletter was
coming into my mailbox. Here is what the alert said:
“Sender: “Leo Notenboom – Ask Leo!” <firstname.lastname@example.org>
Subject: Leo’s Answers #179 – May 19, 2009
Target of remote iframe:
(You can permit them using “Permitted URLs” button)
WHAT DOES THIS MEAN? Has someone put a virus in your stuff and you
don’t know it?
I got those two questions in response to a recent newsletter.
First, there is no malicious code involved at all. Period. I want to
be very clear on that. My site’s not been hacked and my newsletter’s as
safe as always. In fact, there’s actually nothing wrong.
But in making two changes this week, we expose one of the
frustrating side effects of some security software: the dreaded “false
Let me explain what I did, why some security software might be
alerting on it, why this can happen to any site or provider,
and finally … what you should do about it.
Let’s start with the first one:
mm.chitika.net/minimall?w=300 may cause a breach of browser security.
This week I began running a trial of a new advertising provider, Chitika. Chitika has been around for a long time, and I trust them completely. In researching this issue I heard from their Vice President who also assured me that there was simply no way that their ads would have or involve malware of any form.
And, as I said, I believe them.
They were the victims of what’s known as a “false positive” – a trustworthy site or service being erroneously flagged as suspicious by security software.
There are two typical reasons:
Errors in the database. It’s often unclear how services like SiteAdvisor make their determination, but it’s not unexpected that they might make mistakes. Typically, these errors get cleaned up fairly rapidly, but while they’re out there they’re … well, they’re out there – falsely flagging safe sites as suspicious.
Out of date databases. Much like anti-malware software, some of these services cache their databases on your machine. That means that even if the “master” database controlled by the service is up to date, the local copy on your machine may not be. How you ensure that it is (or even if one is used) depends entirely on the specific service you’re using.
Now, about that second one:
Target of remote iframe: … rcm.amazon.com
In this week’s newsletter I added a new feature, “What I’m Reading”, which includes a small box off to the right with an image of the book, and a link to Amazon. The problem is that the technique used to generate that box (in HTML terms, an “iframe”) is apparently considered a possible attack vector by avast!.
In my case, it’s not. Period.
But I suppose it’s a valid thing to warn about, though screaming “POTENTIAL VIRUS ALERT” seems a tad excessive. So while I might quibble with avast!’s approach, the logic they’re using is at least plausible.
What I’ve done.
I’ve temporarily removed Chitika from my site. I trust them, they’re a good advertising service, but my reputation is more important. It’s more important that you trust me, and sadly that means that even false positives can lead me to this action. It’s not fair to Chitika, but it’s the only real recourse I have at this point.
I’ll not be using an “iframe” in my next newsletter to show you what I’m reading. I can use other techniques that shouldn’t cause avast! any further fits.
What you should do.
I’m not a big fan of McAfee’s SiteAdvisor, for the very reasons you might expect. This isn’t the first time I’ve experienced false positives from people using the tool, and I do periodically hear from others experiencing similar.
There are other technologies out there, such as Web of Trust that perform similar services, though I do not have any data that says how good they are or aren’t. (Though lack of hearing about false positives is a good start.)
I tend to run without either, and typically suggest relying on common sense and healthy skepticism instead. However, I realize that common sense isn’t always common, and healthy skepticism is rare.
Much as it pains me the conclusion I’m forced to come to is simply this: pay attention to the tools anyway, even if they steer you away from safe sites. Yes, even if that means mine.
I’d rather have you be safe than sorry.
And if you run across a site that you’re shocked would be considered malicious (like, say, this one), then let the site owner know. (As many of you did, for which I thank you.)
The site owner can often take action, as I have, to mitigate the impact of false positives, and if needed contact the offending parties to hopefully resolve the issue.