It Gets Worse
Many of the people talking about the exploit have discussed how your computers might be used by these back-door programs to launch a DDoS (distributed denial of service) attack. Yeah, that's bad news, but that's not the real problem. In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.
Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that's all there is to it and continue to use IE. But as for me, I'm done with it.
Yes, by Friday, most of the major anti-viral programs could stop this particular attack. But what about the next one? According to the U.S. CERT (Computer Emergency Response Team), "Microsoft Internet Explorer does not adequately validate the security context of a frame that has been redirected by a Web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE."
There is, at this time, no shipping patch to stop this. Wonderful.
If you must run IE, and unfortunately, I do for at least one remote application I use every day, you can disable all active scripting and ActiveX on all IE zones. Between CERT's frequently asked questions about malicious Web scripts redirected by Web sites and Microsoft's Knowledge Base article on how to strengthen the security settings for the Local Machine zone in Internet Explorer, you should be safe from most variations of this kind of attack. Frankly, though, I think CERT's other suggestion is an even better one: Use a different Web browser.
Open-source browsers, such as Mozilla Firefox, are simply more secure than IE. Yes, I know all of the tired, old arguments about how if open-source programs were as popular as Microsoft's products, they'd be just as vulnerable. You know what? I don't have time today to deal with the fundamentally inane idea that security by obscurity is somehow the best way to secure software.
The bottom line is that for all practical purposes for today, open-source browsers are inherently more secure than Internet Explorer, and I still have half a dozen more workstations to switch over to Firefox. Go ahead, stick with Internet Explorer for everyday use. It's your funeral.
eWEEK.com Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way.
Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.