2004-07-02

(malware) US CERT says time to dump IE

[Summary: until now, flaws in MS IE would affect you only if you visited malicious sites. Now, hackers can turn any site running MS IIS into a malicious one, so even a site you normally trust can hurt you; a backdoor program is installed on your machine that captures your passwords etc., and sends them back to the hacker]

Updated with various links and pointers to more info; see bottom of article. In particular, see http://slate.msn.com/id/2103152/ -- a site owned by Microsoft says "...but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser." :-)


People who know me well enough have heard me say this long ago, but it is somewhat unprecedented for US CERT (Computer Emergency Response Team, one of the main clearinghouses for security information of all kinds) to do so. http://www.kb.cert.org/vuls/id/713878 says:

    There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.

This is actually linked as "additional information" from CERT's "current activity" page for July 2nd, at http://www.us-cert.gov/current/archive/2004/07/02/archive.html , which says:

    Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.

What is scary is the phrase "even those that may be trusted by the user". We've always known that visiting malicious sites can cause big problems, but if you generally stuck to the straight and narrow and did not access any pr0n sites or other shady stuff, you were safe. Not any more; a flaw in MS IIS (MS's apology for a web server!) apparently allows hackers to turn any website against its users, and visiting such a site installs a backdoor program that captures passwords and sends them to the hacker! This is bad.

Securityfocus has another, even more hard-hitting article that says it is Time to Dump Internet Explorer; this one is more fun to read :-)

    The latest version of IE is 6, and it has certainly accumulated an impressive record of holes: 153 since 18 April 2001, according to the SecurityFocus Vulnerabilities Archive. There have been some real doozies in there. For instance, last August, Microsoft issued a patch that fixed a hole that the company described this way: "It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action." Oh, is that all? Well, that's super...

As I said, most of you have heard me say this long, long ago. Even during the days I had Windows as my main desktop, I used Firefox for all my browsing. [I used IE only for the corporate website, which has an invalid X509 certificate, and so Firefox -- quite correctly, I might add -- refuses to load it!]

I repeat: if you haven't installed Firefox yet, please download and install it ASAP. AND START USING IT! By all means let me know if you need help, but please stop using IE.

Friends don't let friends use IE...


Other link(s):
  • http://slate.msn.com/id/2103152/
    "...but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser."
    The best part of that quote is that it comes from a site that is owned by Microsoft! Great!!

  • http://www.washingtonpost.com/wp-dyn/articles/A6746-2004Jun25.html

  • http://news.com.com/2100-7349_3-5247187.html?tag=prntfr
    "There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

    The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.
    "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

  • http://linuxtoday.com/infrastructure/2004062501826OPDTSW
    This is a piece of software--a closed source, and therefore supposedly (ha!) more secure piece of software, mind you--that is constantly having innumerable flaws exposed and taken advantage of. In the recent past, it was download this, and you're doomed. Open this, and you're in trouble.

    Now, it's: open any page on a Web site running a Microsoft Internet Information Server, and you potentially could be infected.

  • http://news.netcraft.com/archives/2004/07/05/browser_wars_to_recommence.html
    One is the extreme gravity of the latest phishing scams: victims of phishing attacks might conceivably lose their life savings. Some people now perceive Internet Explorer and Internet Banking as a potentially lethal cocktail that must not be mixed, with insiders in the banking industry urging their families to switch if not operating systems, then at least browsers, while conversely some internet banking customers have adapted to the threat by forgoing convenience and moving funds back into accounts which require traditional telephone and fax instructions.

  • http://www.eweek.com/article2/0,1759,1618052,00.asp
    Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote, "A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code."
    [...]

    Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that's all there is to it and continue to use IE. But as for me, I'm done with it.
