- OK, I confess it: I've used Internet Explorer a lot.
After being a die-hard Netscape user, I finally got fed up with the sheer
bulk of that browser and started using Internet Explorer on my Windows
- As time went on and open-source Mozilla matured, I started
using Mozilla as my main Linux Web browser and as my secondary Windows
browser. This past Friday, though, I started installing Firefox, the browser-only
side of Mozilla, on every one of my production Windows machines.
- Why? Because Internet Explorer, like Outlook, has finally
become, to my mind, a permanent security hole that masquerades as a useful
- Strong words? Have you really thought about this latest
exploit? It could hit every Internet Explorer (IE) browser that merely
visited any page served by an infected Microsoft IIS (Internet Information
- No anti-virus program would stop it, no firewall would
slow it down and no shipping IE security patch would even notice it. Visit
the page, get the infection. It was that simple.
- Oh, but the few thousand people running Release Candidate
2 of Windows XP Service Pack 2 were not vulnerable to the client-side attack.
And if you were one of the very few people who had all of the current critical
patches installed and were running IE with its security settings at "high,"
you'd be OK. That leaves, oh, say, 95 percent of all IE users wide open
to this attack. I feel so much better now.
- And just how bad was this attack? Boys and girls, let
me tell you, this was the worst security violation I have ever seen. But
don't take my word for it.
- Johannes Ullrich, a handler at the Internet Storm Center
at The SANS Institute in Bethesda, Md., wrote, "A large number of
Web sites, some of them quite popular, were compromised earlier this week
to distribute malicious code.
to infected Web sites and altered the Web server configuration to append
the script to all files served by the Web server (IIS). The Storm Center
and others are still investigating the method used to compromise the servers.
Several server administrators reported that they were fully patched."
- What sites were spreading the infections? We still don't
know. Neither the security companies nor the businesses running the infected
sites are talking. Since they're not being any help, I can only suggest
that you update your anti-viral software and run it - now.
- The only other thing I can say is that sites running
IIS 5, which hadn't been patched up to April's MS04-011, were the ones
targeted by this exploit. But, I'm sorry to say, it's still not clear that
even sites that had been patched with MS04-011 were safe. There are reports
that even patched IIS servers were infected.
- What happened next was that after simply visiting what
would direct your browser to quietly download and install one of several
different programs from a Russian Web site. "These Trojan horse programs
include keystroke loggers, proxy servers and other back doors providing
full access to the infected system," Ullrich said.
- Many of the people talking about the exploit have discussed
how your computers might be used by these back-door programs to launch
a DDoS (distributed denial of service) attack. Yeah, that's bad news, but
that's not the real problem.
- In the few days that the sites provided the Trojan horses,
hundreds of thousands or millions of users could have had their credit-card,
stock-brokerage and bank-account numbers and passwords stolen.
- Let me repeat myself: Millions of you may have every
bit of your browser-driven online financial security information stolen.
- Maybe this was just another massive Internet security
prank. Maybe all that will happen is a DDoS attack. Well, you can hope
that's all there is to it and continue to use IE. But as for me, I'm done
- Yes, by Friday, most of the major anti-viral programs
could stop this particular attack. But what about the next one?
- According to the U.S. CERT (Computer Emergency Response
Team), "Microsoft Internet Explorer does not adequately validate the
security context of a frame that has been redirected by a Web server. An
attacker could exploit this vulnerability to evaluate script in different
security domains. By causing script to be evaluated in the Local Machine
Zone, the attacker could execute arbitrary code with the privileges of
the user running IE."
- There is, at this time, no shipping patch to stop this.
- If you must run IE, and unfortunately, I do for at least
one remote application I use every day, you can disable all active scripting
and ActiveX on all IE zones. Between CERT's frequently asked questions
about malicious Web scripts redirected by Web sites and Microsoft's Knowledge
Base article on how to strengthen the security settings for the Local Machine
zone in Internet Explorer, you should be safe from most variations of this
kind of attack.
- Frankly, though, I think CERT's other suggestion is an
even better one: Use a different Web browser.
- Open-source browsers, such as Mozilla Firefox, are simply
more secure than IE. Yes, I know all of the tired, old arguments about
how if open-source programs were as popular as Microsoft's products; they'd
be just as vulnerable. You know what? I don't have time today to deal with
the fundamentally inane idea that security by obscurity is somehow the
best way to secure software.
- The bottom line is that for all practical purposes for
today, open-source browsers are inherently more secure than Internet Explorer,
and I still have half a dozen more workstations to switch over to Firefox.
Go ahead, stick with Internet Explorer for everyday use. It's your funeral.
- - eWEEK.com Senior Editor Steven J. Vaughan-Nichols has
been using and writing about operating systems since the late '80s and
thinks he may just have learned something about them along the way.
- Copyright (c) 2004 Ziff Davis Media Inc. All Rights Reserved.