Microsoft's Internet Explorer is broken, and criminal hackers (crackers) know it. Within the last few weeks, these evildoers have staged several well-orchestrated Internet Explorer attacks designed to steal your banking and credit card information. The result has been that you can't trust Internet Explorer -- how will you know if a secure site is truly safe? Here's a look at what's wrong with Internet Explorer and what you can do to keep your data under lock and key.
At issue are not one, but several flaws within Internet Explorer, some well known and some not so well known (so-called zero day attacks). All of the serious attacks also use tiny programs called keystroke-logging Trojan horses, which capture IDs, passwords and credit card information as you type them. And all of the attacks so far happen without users even suspecting there's anything wrong. Note: only Windows users are at risk -- Mac and Linux folks, you're safe for now.
Let the attacks begin!
Two weeks ago, elements of the Russian mafia coordinated a brilliant attack that turned the Internet into millions of points of digital infection. First, the Russians (or their hired crackers) managed to secure malicious code on vulnerable Microsoft IIS Web servers worldwide. Then, using flaws within Internet Explorer, malicious JavaScript automatically downloaded whenever a user visited an infected site (which included popular search and auction destinations). That JavaScript in turn downloaded a keystroke-logging Trojan horse from another server located in Russia. The attack ended once the Russian server was taken offline.
Last week, a second attack targeted accounts with major financial institutions, such as Citibank and Deutsche Bank. Spread by pop-up advertising, which in turn loaded malicious code, this attack uses a Browser Helper Object (BHO), a type of file that developers frequently use to monitor Internet Explorer sessions. In this case, whenever a user visits a banking site, just before the encrypted Secure Socket Layer (SSL) session starts between user and bank, the Trojan records all the POST and GET information before it is encrypted. The Trojan then starts its own encrypted session, sending your personal banking data to a remote server.
Buggy, buggy Internet Explorer
How could this happen? Blame monopolies. When Microsoft launched its browser war against Netscape a few years ago, we all lost. By encouraging Web site developers to 'optimise for Internet Explorer', Microsoft killed off the competition by offering Web surfers flashing images and pretty sounds. Internet Explorer now holds a commanding 95 percent of the Internet browser market. Because of that market dominance, however, Internet Explorer engineers have been lax about browser innovations and battening down its hatches.
In the wake of these serious security events, the software giant posted instructions to secure your Internet Explorer.
In a nutshell, the instructions say to increase the security settings within Internet Explorer, turn off JavaScript and ActiveX, and start reading email in plain text (because Outlook uses Internet Explorer to render HTML). In other words, we should turn off everything Web developers have been told to optimise for. No more flashing images, no more cute sounds, just bland old, flat Web pages. And if you do follow these instructions, many Web sites you use every day simply will not work properly. Thanks a lot, Microsoft.
Here's the best part: there's one flaw that Microsoft fixed six years ago in Internet Explorer 3.0 and 4.0 that has resurfaced in versions 5.01, 5.5 and 6.0. And there are a few new bugs within Internet Explorer that even the software giant in Redmond didn't know existed, despite its own efforts -- a.k.a. Microsoft's Trustworthy Computing campaign. To its credit, Microsoft has since posted a patch for one of the new Internet Explorer flaws, but it waited a week to do so, and this patch still doesn't resolve all the problems.
Bail out of Internet Explorer -- now
The crisis with Internet Explorer is so bad that the U.S. Computer Emergency Response Team (US-CERT) now recommends that you move away from Microsoft Internet Explorer. You have Netscape 7.1, Mozilla 1.7, and Opera 7.5 to choose from. However, there is much excitement surrounding Mozilla's new Firefox browser, currently in beta, if only because Firefox reunites several original Netscape developers. (See the following page for more information on alternatives to Internet Explorer.)
Short of bailing out of Internet Explorer, you can also stop remote-access Trojan horses with a good personal desktop firewall such as ZoneAlarm or those included within Norton Internet Security and McAfee Internet Security. Finally, several of the banking Trojans can be removed with apps such as Spybot Search and Destroy and Ad-aware, as well as your favourite antivirus program. If you aren't currently checking for spyware, you should be. And if you aren't running antivirus protection, well, now's a really good time, don't you think?
Talkback
I agree with CERT, IE is a hackers dream and a users nightmare in its current form, MS really need to take it in hand and give it a thorough overhall before it can be considered as a safe and realistic browsing solution in the current market.
One question: when Windows doesn't control 95% of the OS market, and Mac OS now has Safari as its default browser, *nix based OS's don't get IE, and many Windows users have already switched away from IE, how can IE account for 95% of the browser market?
--
Firefox (and I assume Mozilla) offers to import your existing Internet Explorer bookmarks when installed, so getting back up to speed isn't that difficult...
I have been using Firefox on Windows and Linux for about 2 years. The only thing I use IE for is to get the latest patches from the Microsoft Update web site.
I find Firefox is generally much faster than IE, and the options to turn off pop-up windows is a god-send. I also only accept cookies and images from the originating web site.
The latter means that often ads are not shown, just big white spaces on the page, but it decreases the loading time of the page... Occassionaly a page uses navigation images from a different domain and things get a little confusing, but temporarily switching the option back on again sorts it out.
The thing that I like most about Mozilla/Firefox is the tabbed pages, opening a link in a new tab is great. The tab loads in the background and I can just switch to it when I want. Unlike IE, this doesn't clutter up the desktop.
Also, as Firefox/Mozilla are cross platform, you don't have to learn a new browser on each new machine. The bookmarks are also stored as html and can easily be copied to new machines.
maybe this is a stupid question but if IE cannot be installed from windows does that mean that your win box is always going to be unsecure. Can the IE processes only be started from the client machine. Are the security flaws ever based on IE APIs (are there any?). As for servers, why does a dataserver have to have IE installed!
Yes! This news tell the exact truth exactly!! Time has come to move out from Microsoft!!
US CERT advise users to change their browser as one OPTION in a list of security measures. Not, as this rather hysterical article suggests, as advice to all internet users.
I'm getting tired of this "let's knock Microsoft and it's products because it's fashionable" attitude.
The reason hackers/crackers, or whatever you want to call them, exploit IE is because it's used by the overwhelming majority of internet users. Not because it's "full of holes". If we all changed over to Mozilla etc then they would find ways to exploit them.
I use IE. I've also used all the alternatives. I take security seriously and use the recommended measures, firewall, AV, patches/updates etc. I scan my systems regularly and, whether you want to believe me not, I can honestly say not one has EVER been infected or compromised, and no it isn't time consuming once it's set up.
It's time we all took an adult view of security and realise that it's not WHAT you use but HOW you use and maintain it that compromises your security.
The problem is not IE. The problem is laziness. You want perfect software that cannot be compromised and refuse to believe that there's no such thing.
It's the easy option to blame Microsoft when the blame rests firmly with every one of us.
Previous poster:
"The reason hackers/crackers, or whatever you want to call them, exploit IE is because it's used by the overwhelming majority of internet users. Not because it's "full of holes""
Erm.... yes it is. You have neglected to mention the tight integration of IE to Windows. For instance, does any other browser allow an HTML file write to the hard drive? Does Mozilla/Netscape/Opera etc.. support ActiveX, a very frequent point of attack for hackers?
I agree... if the alternative browsers were more popular then their security issues would be more in the spotlight. However, they are not integrated to the operating system, and hence their security problems will NEVER be as serious as IE's. And IE IS full of holes.
Gee...You make it sound like Mozilla 1.7 is less that it could be when in fact it is all that it should be and more..the GUI is just like the original Netscape, which was essentially perfect. Mozilla 1.7 is fast, definately faster than the current IE or Netscape, handles all more commonly used plug-ins, supports state-of-the-art encryption, and is a fine example of what good software should be. Please don't sell it short, specially compared to Internet Exploiter which is an an overweight nuissance.
"..Mozilla has a FRIENDLY ENOUGH interface for even the occasional Internet surfer."??
yes, IE has holes, but they all require either very obscure conditions to be effective (how many readers had their banking info stolen due to one of its flaws?), or truly newbie users. as the article mentions, you're really in trouble if you don't run antivirus/spyware programs/firewalls. or don't patch (which is almost automatic, and there r almost no new patches necessary anymore). EVERYONE should be doing this, and these solutions are available freely. THEN you can enjoy all the flashing animations n twirling icons you like (i don't) AND have security.
when everyone switches to mozilla, u can bet there'd b obscure "threat alerts" coming up all the time once again. and the comment abt shell integration is simply false. the latest mozilla security bug was due to shell integration which shouldn't hv occured in the first place. so there. (though of course, it was an obscure security threat too).
To be honest, the main problem lies in the domination of the market. Just use microsoft less if you can. Simple. Use google instead of msn, firefox/opera instead of IE, and so on. if poss, linux too. That'll show those monopolizing fraudsters known as 'Mircosoft Exectutives' what happens when public catches onto the idea.