Internet Explorer users might be at risk

If you’re using Internet Explorer, you might want to, at the very least, switch to a different browser – at least until we get an all clear.

Here’s the headline and lead paragraph from a Knight Ridder article that appeared in my local paper this morning:
**Government suggests avoiding Microsoft Explorer**

**NEW YORK – The federal government’s cyberdefense experts, along with other computer gurus, are urging users to consider a switch away from Microsoft’s widely used Internet Explorer because of security problems.**
Hackers, it seems, have found a way to install software on hundreds of web sites that use Microsoft’s Web server programs, which then “downloads a spyware program to personal computers, including one that steals credit-card numbers and other forms of financial information.”

Johannes Ullrich of the SANS Internet Storm Center says we should switch to an alternate browser. He adds, “With Internet Explorer, you’re playing Russian roulette and hoping the sites you visit aren’t compromised.”

The specific program is called JS.Scob Trojan, and most antivirus software has been updated to block it. But MS “has not, so far, been able to inoculate Internet Explorer against the broad technique.”

MS won’t comment except to urge users to install the latest security updates at http://windowsupdate.microsoft.com. I did that, and not one of the three critical updates MS suggested said anything about IE.

According to the news article, Opera, Mozilla and Netscape browsers are not vulnerable to the threat. Same for computers running Linux and Mac OS-es.

An eerie part of this is when I went to use the Help and Support link in Windows XP, I got a message from my McAfee software that the program “has changed since you last used it. Do you want to block internet access?”

I had to update, so I opted (after agonizing for a while) to give the program access.

Anyway. Would it make sense to simply delete IE until further notice? I can get along without it. Fact is, Netscape 7.1 is currently my default browser.

No, don’t delete IE. Certain Windows functions - like Windows Help - use IE. And certain applications - like Norton Anti-Virus - use IE to create program windows (in other words, when you play with the options in NAV 2002, you’re playing with a web page, not a standard C+ or VB window).

It’s best to leave it on your system, but use another browser if IE’s security settings are too complicated for you.

Thank you, Rex. I’ll follow your advice.

The article suggested other alternatives such as “disabling some special scripting capabilities of the browser or setting Internet Explorer’s settings to much higher levels.”

But I am not sufficiently checked out to do that. So, I’ll just stay with Netscape 7.1, although I learned in another post that you can read about changing security settings at the “Microsoft Knowledge Base (KB) Article Q174360” in case anyone else is interested.

This latest version has a neat anti-spam feature in which you teach it to recognize incoming spam as junk. Just a week or so into it, and when I call for new messages, they all come in but at least half then disappear to a Junk file.

Of course I check the Junk file regularly, and once found a good email in there. I told the program “Not Junk” and brought it back to my Inbox.

Good stuff.

Neat! I just switched to Mozilla’s Firefox yesterday by chance. I know I made a good decision, even if this turns out to be a hoax or false report.

I wasn’t going to post a love-fest here on Firefox; suffice it to say it’s the best browser ever. Great features (tabbed view allows several pages to be open at once), great security (blows away IE), no pop-ups (on sites), not ad supported (a la Opera), and the interface is a lot like IE (which is the biggest reason I never switched to any other alternatives before).

You will find the majority of posts requesting help with browser problems involve IE. With so many posts on this subject, there is a sticky thread here in GQ attempting to address most of these computer problems (general) and IE (specific). The sticky already mentions the IE vulnerabilities, including the US CERT recommendation to not use IE.

BTW, Slate, the online magazine of MSN and owned by Microsoft, just came out with a recommendation to use Firefox over IE. Of course, it is the author’s sole opinion on the issue and may not reflect the business opinions of MSN and/or Microsoft. Still, it doesn’t look good when your own sponsored online magazine doesn’t recommend your own software.

Well shit, I just bought something over the internet with my credit card the other day.

So, what browser should I use? I’ve tried Firefox, Opera and Netscape and am not too happy with any of them. Which one should I give a second look?

Also, if anyone knows the answer to this, I’d be happy. I’ve been trying (for several weeks) to install the cumulative security update for IE (KB832894) and it downloads and shows that it’s been installed in my installation history, but keeps telling me I need to reinstall it. MSoft can’t be updating this one every day, can they?

I would give Firefox another try - they recently updated to a new version, .9.1. Also, make sure to give the extensions a try - click Tools > Extensions > Get New Extensions. They add a whole lot of powerful features to Firefox. For example, after browsing about a week with Adblock on, I now see almost no ads at all on the net. And browsing without mouse gestures seems funny now.

Preach it, brother! We switched to Mozilla (browser and email) this weekend, and I’ve been loving it.

I use Firefox for most things, but at this stage I don’t think I’ll ever entirely get rid of IE. Most of the problems I have aren’t so much Firefox’s fault as that of webmasters who code only for IE, but I encounter them frequently enough that I’m glad to have IE still there in the background in case I need it. For example, I cannot access my online banking with any browser other than IE, and I can’t access some of the additional tools on another forum I frequent (off the top of my head, the extra font colour selection thingy doesn’t show in FF, only IE).

In general (I’m not implying that this has happened in this thread) I find it mildly irritating that the “minority” platforms always seem to be touted as more secure as though there is something superior about their coding when most of the time, there simply aren’t as many people out to exploit security holes in them because they aren’t as widely used. I mean, I could spend my time trying to find and exploit a weak spot in the browser used by 20% of my site’s visitors, but wouldn’t I be better off going after the one used by the other 80%? It’s hardly fair to attack one program for its lack of security when the other simply doesn’t have its security put to the test as often. Yes, it may turn out to be more secure because it has superior coding but it’s hard to know for sure because there aren’t as many people out to break it.

Well, look at Linux. Back in the late 1990s - when .000004% of the computer world ran Linux - Linux was considered almost “bulletproof” and was touted as the most stable and secure OS ever. However, as more and more companies started using it - mostly to consolidate older Unix servers - the number of exploits skyrocketed. In fact, Linux has had more published exploits than Windows for the past two years (IIRC). So yes, if everyone dropped IE for Firefox tomorrow, the number of Firefox exploits would go through the roof in a very short time and Firefox would soon be just as “buggy” as IE. Having said that, if MS can do a total re-write of IIS for 2003 Server - and IIS 6.0 is a rock solid, stable and secure product compared to IIS 5.0 - they should at least do the same for IE.

Sort of. The statistics normally quoted for GNU/Linux systems include the exploits from all of the applications included with that particular distribution.

SuSE Linux 9.0 professional comes on 5 CDs or one DVD, and includes hundreds of large applications and thousands of smaller programs. For a fair comparison, you’d have to include the exploits in MS Office, MS Works, Adobe Photoshop, IIS, Exchange Server, Outlook, Internet Explorer, and a shit pot full of smaller stuff. It is not OK to compare the exploits listed for Mandrake 10 with the exploits listed for Windows XP service pack 1 because the exploits counted against the GNU/Linux system will include the exploits for all programs included in the distribution as opposed to the exploits for XP listing only those that are part of the basic OS.

Linux itself (which is just the Kernel) actually has far fewer serious problems than Windows, and they get fixed much faster.