It Gets Worse

By Steven Vaughan-Nichols  |  Posted 2004-06-28 Print this article Print

Many of the people talking about the exploit have discussed how your computers might be used by these back-door programs to launch a DDoS (distributed denial of service) attack. Yeah, thats bad news, but thats not the real problem. In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.

Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.

Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope thats all there is to it and continue to use IE. But as for me, Im done with it.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. Yes, by Friday, most of the major anti-viral programs could stop this particular attack. But what about the next one?

According to the U.S. CERT (Computer Emergency Response Team), "Microsoft Internet Explorer does not adequately validate the security context of a frame that has been redirected by a Web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE."

There is, at this time, no shipping patch to stop this. Wonderful.

If you must run IE, and unfortunately, I do for at least one remote application I use every day, you can disable all active scripting and ActiveX on all IE zones. Between CERTs frequently asked questions about malicious Web scripts redirected by Web sites and Microsofts Knowledge Base article on how to strengthen the security settings for the Local Machine zone in Internet Explorer, you should be safe from most variations of this kind of attack.

Frankly, though, I think CERTs other suggestion is an even better one: Use a different Web browser.

Open-source browsers, such as Mozilla Firefox, are simply more secure than IE. Yes, I know all of the tired, old arguments about how if open-source programs were as popular as Microsofts products; theyd be just as vulnerable. You know what? I dont have time today to deal with the fundamentally inane idea that security by obscurity is somehow the best way to secure software.

Click here to read more about the standalone Firefox browser. The bottom line is that for all practical purposes for today, open-source browsers are inherently more secure than Internet Explorer, and I still have half a dozen more workstations to switch over to Firefox. Go ahead, stick with Internet Explorer for everyday use. Its your funeral. Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late 80s and thinks he may just have learned something about them along the way.

Check out eWEEK.coms Linux & Open Source Center at for the latest open-source news, reviews and analysis.

Be sure to add our Linux news feed to your RSS newsreader or My Yahoo page

Steven J. Vaughan-Nichols is editor at large for Ziff Davis Enterprise. Prior to becoming a technology journalist, Vaughan-Nichols worked at NASA and the Department of Defense on numerous major technological projects. Since then, he's focused on covering the technology and business issues that make a real difference to the people in the industry.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel