By Ed Oswald | Tuesday, December 16, 2008 at 8:24 am
Microsoft has admitted that a serious flaw exists in all supported versions of Internet Explorer from IE5 right through the current betas, which could allow hackers to peer into users’ computers. Worse yet, it is said that some 10,000 websites have already been compromised to take advantage of the flaw, heightening the danger.
Right now hackers only appear to be stealing online gaming information. This could change — SANS Internet Storm Center expects the hackers to begin modifying the code to steal other (more personal) information.
Redmond’s suggestions to protect users include enabling “data execution prevention” (Tools > Internet Options > Advanced), and setting security settings to “high.” This may be a problem for some, as that setting disables active scripting.
Security experts are recommending users go one step further: switch browsers. Neither Opera, Safari, nor Firefox is vulnerable to the issue.
Mozilla’s Asa Dotzler puts it in blunt terms (perhaps with some motive):
“Stop using IE now. You are in serious danger. Even if you don’t like the other browsers, you just cannot afford to be using IE right now with this massive vulnerability being exploited as we speak.”
My suggestion would be the same. Using Microsoft’s suggestions will cripple your online experience. So even if you are an IE fanboy, suck it up, download Firefox, and go back when Microsoft is ready. Don’t be stupid — it’s just a browser.
[…] all: News Well, that was quick. The serious flaw in Internet Explorer that we posted about Tuesday has been fixed through an out of cycle security patch. Typically, Microsoft holds its “Patch […]
December 16th, 2008 at 8:50 am
People still use IE? Huh…
December 16th, 2008 at 9:34 am
What happened to Harry?
I guess he doesn’t report negative Microsoft stories, just negative Google, Apple and Yahoo stuff (Microsoft’s most hated and marked for elimination).
December 16th, 2008 at 10:01 am
NoScript is a free plugin for Firefox that filters scripts, and to my knowledge is the only such solution. I would never surf the web and allow unrestricted website scripts to run through my browser.
Most web sites rely on Java, Flash, and Javascript to present their content. Unfortunately, even “trusted” websites usually present cross-scripts (in the form of “ads”) from other sites which they neither monitor nor control.
It is these cross-scripts which are the major vulnerability for all browsers, and through which malicious code is introduced to computers.
NoScript filters all scripts by default and then presents a list of scripts to the user. The user chooses which ones to permit. Even keyboard redirecting scripts are caught (no browser in the world has this level of security).
I would never surf without NoScript (in Firefox).
December 16th, 2008 at 10:20 am
NoScript is awesome. Now that it has added the “temporarily allow all scripts this page” it’s a lot easier to temporarily turn off too.
December 16th, 2008 at 10:22 am
With Vista’s protected mode, and Data Execution Protection turned on, will this still be a problem?
December 16th, 2008 at 10:40 am
Well if you read the Microsoft bulletin
“Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.”
Limits the impact doesn’t mean fixes the issue.
December 16th, 2008 at 1:33 pm
So, wait, there have been “experts” in the past decade or so who haven’t been screaming “avoid IE at all costs”? Who are these people, and why has anyone considered them credible?
Experts have long suggested staying away from IE.
December 16th, 2008 at 7:18 pm
I can’t believe IE explorer allows web sites to copy DLLs to the windows/system32 directory and update the registry to start up these hidden services. IT SHOULD NEVER ALLOW DLLs to be copied full stop.
After all these years it still allows it, too many features in IE.
Why can’t it be rewritten and run in a sandbox with a micro kernel and mini registry so if it gets trashed just hit the flush button and a new one flushes out the old infected one.
Actually I surf the internet in a VMWARE virtual machine and if it’s hit I just delete the virtual machine and start a fresh one. It also gives me a chance to hit back at these Malware sites and report them. I monitor the system32 directory and track IP packets addresses to these sites and tell the authorities. The malware DLLS plug in to the system DLLs slowing down windows while transmitting packets.
This is an unbelievable flaw, we’re talking about Malware, adware and the VirtuMonde, Vundo.P, HBKernel32 etc.
my ditto comment
December 16th, 2008 at 10:27 pm
Or is it called Windows Explorer too? 🙂
Is that why IE is so vulnerable?
December 17th, 2008 at 4:24 am
I already use Firefox because it’s so much better than IE in all ways and this security flaw is another proof that IE is old school and is useless.
December 18th, 2008 at 4:56 am
Great scare tactics. Great for my business… But would you mind adding a few details? What is the NAME of the “virus” (all major A/V’s name things – like mydoom.v) Also, other than “perform windows updates” – how do you DETECT if your computer is infected?
December 18th, 2008 at 8:39 am
Wow… My ENTIRE school uses IE… I better talk to the IT department