Saturday, December 03, 2005

Security Flaws In Internet Explorer Raising Alarms

This week, there has been a deluge of security warnings concerning the use of Microsoft's built-in web browser, Internet Explorer (IE). Not that this is anything new. Every week, there is at least one new vulnerability discovered. It has become so commonplace that I don't even write about them anymore. It's just a daily fact of life. But enough new issues were raised this week that I thought I had better revisit the subject again.

One of the new flaws discovered involves the use of the Google Tool Bar with Internet Explorer. It seems there is a vulnerability that would allow a hacker to get inside someone's computer at will and steal all their information. According to security researchers, the fault is not with the Google software, but with IE. To exploit the flaw, an attacker has to lure a victim to a malicious Web page that contains the hidden attack code.

Other similar vulnerabilities discovered in the last few days are in a JavaScript component of IE used for loading Web pages onto a computer. Again, if a user visits an infected web site, the code is loaded onto the user's computer, leaving it wide open to some very malicious attacks.

Microsoft has not released a patch for the hole exploited by the code. People can attempt to work around the problem by either shutting off JavaScript or using another type of browser, security companies advise. Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release an emergency IE fix ahead of the scheduled December 13 patch release.

The situation has become bad enough that one credit union has issued a security alert to its customers on their login page. L&N Federal Credit Union has placed the following on their home page:

"A new flaw was discovered in Microsoft's Internet Explorer browser, and this flaw can have serious ramifications for all Internet users who use this browser. The flaw allows the owner of a website to create a page that will download and run programs on the user's computer. The user does not have to do anything but visit the website and unknowingly view the malicious page.

This means the owner of the website could install malicious software that would take control of the user's computer and steal personal information that could lead to identity theft. Microsoft does not have a fix or patch to correct this flaw.

We recommend that all concerned individuals ensure that they have up-to-date anti-virus and anti-spyware installed on their computers for personal protection. Currently, the only work-around is to temporarily discontinue the use of Microsoft Internet Explorer and use another browser, such as Firefox (www.mozilla.com) until Microsoft can issue a patch." (Emphasis mine)

According to Sunbelt Software (makers of Counterspy), Microsoft admitted on their own web site that they have known about some of these issues since March, but have yet to fix them. According to Microsoft, "There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges."

Maybe it is time we all strongly consider moving to a non-Microsoft browser such as Opera or Firefox for our own protection. They apparently are not vulnerable to any of the issues listed here.

I have been using the new Firefox for the last few days and am getting used to it. It is a much better product than Version 1. But I also continue to use Opera and like it also. In case you are wondering about my favorite browser, Maxthon, which I have mentioned here in the past, its biggest problem is that it uses the IE engine for its operation, thus making it vulnerable to some of the issues listed here.

