US Gov't Agency Issues Warning: "Dump IE"

[DaytonBuck]

une 29, 2004
US-CERT: Beware of IE
By Ryan Naraine
<!--content_start--> The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser.

On the heels of last week's sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of "significant vulnerabilities" in technologies embedded in IE.

"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites," US-CERT noted in a vulnerability note.

The latest US-CERT position comes at a crucial time for Microsoft <quote nasdaq:msft="">, which has invested heavily to add secure browsing technologies in the coming Windows XP Service Pack 2. The software giant has spent the last few months talking up the coming IE security improvements but the slow response to patching well-known -- and sometimes "critical" -- browser holes isn't sitting well with security experts.</quote>

On discussion lists and message boards, security researchers have spent a lot of time beating the "Dump IE" drum, and the US-CERT notice is sure to lend credibility to the movement away from the world's most popular browser.

US-CERT is a non-profit partnership between the Department of Homeland Security (DHS) and the public and private sectors. It was established in September 2003 to improve computer security preparedness and response to cyber attacks in the United States.

It has been more than two weeks since Microsoft confirmed the existence on an "extremely critical" IE bug, which was being used to load adware/spyware and malware on PCs without user intervention but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server. It opens the door for an attacker to exploit the flaw by executing script in different security domains.

"By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE," according to the advisory.

"Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability."

To protect against the flaw, IE users are urged to disable Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker). Other temporary workarounds include the application of the Outlook e-mail security update; the use of plain-text e-mails and the use of anti-virus software.

Surfers must also get into the habit of not clicking on unsolicited URLs from e-mail, instant messages, Web forums or internet relay chat (IRC) sessions.


http://www.internetnews.com/security/article.php/3374931

[BuckeyeSoldier]

So did they happen to mention which program might be a suitable alternative? or should I take a friends advice and just dump windows altogether and go for linux?

[DEBuckeye]

For the IT-challenged among us, what (if anything) does this mean?

Anybody know?

[Oh8ch]

I am not a Microsoft fan and avoid their products when I can. However, in fariness the main reason MS products are so often compromised is that they are the bigger target. There have been few (if any) serious attacks against Linux, but why would a hacker target that environment when a successful attack would not even make the news? If there is a major shift to a different platform - as encouraged above - I predict the focus of attacks will likely follow. It can be argued that similar flaws exist in Linux but nobody has expended the effort to find them.

All that said, I use Netscape as my browser, but as their market share has fallen I have found more and more sites that do not work properly because they were written to take advantage of capabilitites in IE.

[BuckeyeInTheBoro]

Quote:

Originally Posted by Oh8ch

All that said, I use Netscape as my browser, but as their market share has fallen I have found more and more sites that do not work properly because they were written to take advantage of capabilitites in IE.

I finally gave up on that when I went to XP. I used Netscape since 1994. What was that browser popular before that? The name escapes me, but I used it when at tOSU around 92-94. Anyway, I was finally forced onto the MS bandwagon for exactly the reason you gave.

[gregorylee]

maybe you are thinking about "Opera", it still exists. I use it sometimes for troubleshooting. There are many derivitives of "Mozilla" as well, any of them a decent alternative.

Oh8ch is right about targetability, I also think it is sort of a "Robinhood" syndrome with the hackers.

There are some fixes out for the problems with IE, but they are not public yet. Basically if you are a "subscriber" then you have access (sound like someone we know??).

[DaytonBuck]

I have always pretty much used IE as my main explorer. I made the switch over to Mozilla FireFox listed in the computer thread by Clarity and haven't had any trouble using it.