Web kiloseven.blogspot.com
www.arrl.org www.eham.net

2004-07-07

Homeland Security recommends Internet Explorer users consider other browsers

YAIESR (Yet Another Internet Explorer Security Risk):
OWIE (Outlook, Windows, and Internet Explorer)!

(updated 7-07, original post 6-30)

As per Robert Bruce Thompson, author of O'Reilly's extremely useful PC HARDWARE IN A NUTSHELL:
The SANS Internet Storm Center has announced yet another critical exploit against Internet Explorer, this one related to the Browser Helper Objects (BHO) commonly used by banks (Note: and other web sites) to extend the functionality of IE. This exploit subverts SSL and HTTPS security to give the malefactor access to passwords and other account information. For details, see:

SANS (SysAdmin, Audit, Network, Security) Institute report

Tech Republic report
This exploit is still more confirmation that the focus of these attacks has changed. Until recently, most viruses/worms/Trojans were mere vandalism perpetrated largely by teenage script kiddies looking for a cheap thrill. Most malware/spyware was, if sometimes skating gray areas of the law, at least intended for semi-legitimate purposes.

That has changed and is continuing to change. Several recent exploits have apparently originated with organized crime and the Russian Mafia. These folks are not playing games. Their intentions are clear. They want access to critical data such as username/password combinations that they can exploit to drain people's bank accounts and that will provide the raw material for identity theft. These folks are out to pillage your identity and your bank accounts, pure and simple.

The common thread through all of this is Outlook, Windows, and Internet Explorer (OWIE). If you continue to use these products, particularly IE, for personal work, you are risking having your bank accounts compromised and your identity stolen. As anyone who has been the victim of identity theft will tell you, recovering is a long, expensive process.

The risk is even worse in corporate environments. Imagine the result if a bank, law firm, or other business allows client/customer information to be compromised as a result of continuing to use software products with known severe security flaws. I expect the first law suit based on such a claim to occur in the near future, and I would expect it to be difficult to defend when competing software products without significant security flaws are so readily available. Even the Department of Homeland Security (through their CERT division) has suggested abandoning IE and using another browser.

"CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack."

Washington Post story
DHS CERT recommendation
Updated recommendation, via Internet News
At any rate, Internet Explorer, Outlook, and, to a lesser extent, Windows itself are security disasters just waiting to happen. I strongly encourage everyone to cease using IE as their default browser and replace it with an alternative. My own preference is Mozilla 1.7, but Mozilla Firefox or Opera. (Poster's note: The latter is not free) is also an excellent choice.

Please take this seriously. Ignoring this problem won't make it go away. Download Mozilla, Firefox, Opera, and start using it as your default browser. It's human nature to hate new things, but I promise you that if you use any of these browsers for a week, you'll come to prefer it to IE. Not only is IE riddled with unfixed and unfixable security holes, it hasn't been updated significantly for years. Any of these modern alternatives provides functions like tabbed browsing that you'll soon find yourself unable to do without. And you'll be a lot safer.


Update: Despite earlier patch announcements on 7-02, it seems Microsoft still doesn't het it when it comes to actually fixing IE, as there's still another problem yet unresolved.

0 Comments:

Post a Comment

<< Home