(malware) for those who ask "what's the big deal about IE being insecure"

http://isc.sans.org/diary.html?storyid=5530&rss (which links to http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123898 )

Quote: Turns out that this bug is now being exploited through Word documents. While this is basically a simple evolution of the exploit method, I imagine that this is only the first or second evolution. There are more to come I am sure.

<end quote>

Quote from the linked article: "Inside the document is an ActiveX control, and in that control is a line that makes it call out to the site that's hosting the malware," said David Marcus, director of security research and communications for McAfee Inc.'s Avert Labs. "This is a pretty insidious way to attack people, because it's invisible to the eye, the communication with the site."

Embedding malicious ActiveX controls in Word documents isn't new -- Marcus said he had seen it "a time or two" -- but using an ActiveX control to ping a hacker's server for attack code is "definitely an innovation," he added. "They're stepping it up."

<end quote>

I've been trying to tell my non-technical friends (and some technical ones who seem to be too lazy to wake up) about why IE flaws actually affect the rest of the system, because they're all using the same code base.

In genetics, this is called a "lack of [genetic] diversity", a sure fire way of killing off an entire population with one well-placed virus. The only difference is that with people, you can't "reformat and reinstall", so this "species" (Windows OS) survives far longer than the lack of diversity suggests it should.

People, listen to me: please do NOT use IE for casual web surfing. If some site does not work with Firefox, and you MUST go to that site, then open only that site in IE. No problem. But all casual surfing must be done using Firefox. And use the No Script extension if you can, to get even more protection: https://addons.mozilla.org/en-US/firefox/addon/722

No comments: