Metropol

BBC News Online wrote: Web browser flaw prompts warning

Users are being told to avoid using IE until Microsoft patches a serious security hole in it.

The loophole is being exploited to open a backdoor on a PC that could let criminals take control of a machine.

The threat of infection is so high because the code created to exploit
the loophole has somehow been placed on many popular websites.

Experts say the list of compromised sites involves banks,
auction and price comparison firms and is growing fast.

Serious problem

The net watchdog, the US Computer Emergency Reponse Center, and the net security monitor,
the Internet Storm Center, have both issued warnings about the combined threat of
compromised websites and browser loophole.

Cert said: "Users should be aware that any website, even those that may be trusted by the
user, may be affected by this activity and thus contain potentially malicious code."

Ho-hum . . . yet another serious IE security bug that some complacent fools will ignore!

If you're using IE and have any common sense, you should not dismiss this problem . . .


More info . . .

BBC News Online - http://news.bbc.co.uk/1/hi/technology/3840101.stm

Microsoft - http://www.microsoft.com/security/incid ... _ject.mspx

DJGM wrote:

BBC News Online wrote: Web browser flaw prompts warning

Users are being told to avoid using IE until Microsoft patches a serious security hole in it.

The loophole is being exploited to open a backdoor on a PC that could let criminals take control of a machine.

The threat of infection is so high because the code created to exploit
the loophole has somehow been placed on many popular websites.

Experts say the list of compromised sites involves banks,
auction and price comparison firms and is growing fast.

It would have to be on the night I'm just after completing a transaction on eBay.

I did a bit of digging over this earlier on - apparently at the moment the site which hosts the Javascript the virus is trying to download is offline, which should mean it's impossible to get (?).

Has anybody's virus checker updated yet? I'm spending this week on a Mac, with Safari, so I think I should be OK *tries not to gloat*

Great!

I usually use Mozilla Firefox but for some reason I'm now on IE.

Better get off

Here we go again . . . yet another nasty IE problem has become evident.

While the rogue Russian server a the centre of last weeks problems has been shut down, some of the
affected sites (normally trustworthy ones) are still injecting malicious code onto user's PC's via IE.

And if that wasn't enough . . .

Malware attacks IE users via pop-ups

Another warning has been issued over data-stealing malware that exploits a vulnerability in IE.

Although the threat from last week's "download.ject" attack has subsided, malware authors
have not missed a beat in their efforts to use flaws in Internet Explorer as a gateway
to steal banking and credit card information.

The malware, which has been identified by the SANS Institute, is delivered to users' PCs
through pop-up windows that appear when users log on to financial portals.

It seems that the suspect pop-ups are delivered on certain websites that run ads from third-party
ad servers, which appear to have been hacked. When the pop-ups appear, vulnerable versions
of IE begin downloading a malicious file that records activity, such as passwords onto the
infected PC and sends that data to a server reportedly located in Estonia.

The full article can be found at TheRegister.co.uk . . .

Oh well, it seems like another damn good reason to use alternative browsers, especially ones
that have ad-blocking built in as standard without the need for any third party browser add-ons.

Oh well, it seems like another damn good reason to use alternative browsers, especially ones
that have ad-blocking built in as standard without the need for any third party browser add-ons.

Firstly, IE will soon have ad blocking built in.

Secondly, I find it rather unfair that IE is chastised yet again - apparently because it has gaping security holes which other browsers don't have.

It's not that other browsers don't have unseen security holes, it's just that the hackers target IE's security holes because IE is by far and away the most popular browser - it's a victim of it's own success. Why on earth would anyone bother to distribute a virus via users of Mozilla and inconvenience a small minority of the internet browsing population when they could channel their energies into compromising IE and thus potentially have access to so many more people.

It makes perfect sense to me to have a go at the most popular browser - because obviously that will yield the highest casualty rate. If Microsoft had lost the browser wars, no doubt Netscape Navigator would now be compromised to the hilt whist IE would seem to be comparitively quite secure.

And to be fair to Microsoft, they are on the ball with security holes - every time a serious breach in IE is found, Windows Update has a patch up within days. They certainly don't dawdle around in patching the holes in the their software.

cwathen wrote:It's not that other browsers don't have unseen security holes, it's just that the hackers target IE's security holes because IE is by far and away the most popular browser - it's a victim of it's own success. Why on earth would anyone bother to distribute a virus via users of Mozilla and inconvenience a small minority of the internet browsing population when they could channel their energies into compromising IE and thus potentially have access to so many more people.

It makes perfect sense to me to have a go at the most popular browser - because obviously that will yield the highest casualty rate. If Microsoft had lost the browser wars, no doubt Netscape Navigator would now be compromised to the hilt whist IE would seem to be comparitively quite secure.

Great argument. And also considering it doesn't look like Internet Explorer 7 is forthcoming any time soon, it may be long enough for IE6 to become fully sorted and fully secure. Then I reckon we'll see "Security Alert: Users advised to avoid Mozilla/Opera" messages at some point. I refuse to believe that Mozilla and Opera are as secure as some certain individuals make them out to be.

And to be fair to Microsoft, they are on the ball with security holes - every time a serious breach in IE is found, Windows Update has a patch up within days. They certainly don't dawdle around in patching the holes in the their software.

Indeed, Mozilla and Opera prefer to release an entirely new version instead of a patch which makes it more cumbersome to download, IMO. I'd much prefer a 200k downloadable patch as opposed to a 3Mb new installation which also throws in some other feature I'll never use.

MSN are now suggesting you dump IE
http://slate.msn.com/id/2103152


With regards to the "ad-blocking" comment. I think that might have been refering to one of the banner ad blocking extensions for Firefox rather than the popup blocker as this javascript thing was spread after advertising sites were hacked.

On the subject of IE, they've brought back the dev team and have a wiki for suggestions on "channel 9" (one reoccuring one being "dump trident, use Gecko under MPL and add on the funny little effects") so we might see some interesting developments soon. Once they finally finish SP2 that is.

Hymagumba wrote:MSN are now suggesting you dump IE
http://slate.msn.com/id/2103152

I think you'll find that that is an opinion piece and not an official MSN line.

One thing worth bearing in mind is that while it's true that creators of malicious code will mostly target
the most widely used browser, if Mozilla, Opera or any other non-IE browser were about as widely
used as IE is at the moment (about 85%) they would find that they're quite a lot harder to crack,
thanks to a number of reasons, particularly the technologies they don't support . . .

Internet Explorer is so tightly integrated into the inner workings of the Windows operating system, any
code that exploits IE could have seriously adverse effects on the rest of the system. Other browsers
that don't rely on IE technology do not integrate into the operating system, so any security problems
found in them cannot actually cause any damage to any part of the OS. And, unlike IE, if you no
longer want to use them, you can easily remove them. If you're a user of Windows, you get IE
whether you want it or not, and you cannot get rid of it without third party assistance.

Internet Explorer supports ActiveX, a proprietary MS technology that does have some legitimate
uses, but has unfortunately been hijacked by malicious code writers, and is now mostly used to
download and install unwanted extras, and often without the users prior knowledge or consent.
Other browsers do not support (or have very limited support for) ActiveX, therefore this risk
is minimized, if not eliminated. Limited ActiveX support can be added to non-IE browsers
such as Mozilla, but this is usually just to enable embedded Windows Media based
content to play on a webpage, within the browser window

Internet Explorer supports arbitary code execution. By default, no other browser does.

Internet Explorer supports Visual Basic Scripting. VBS is not a web scripting language, and
should not be used on any webpages, especially since a lot of viruses are written in VBS.

Any web developer that uses VBS on a webpage in place of a geniune web scripting language
such as the (industry standard) JavaScript, either needs a brain scan, or seriously needs to
re-examine why they have access to any form of online computer equipment!

To be honest, I don't want ANY browser to be as dominant as IE is at the moment. Personally, I'd
much prefer there to be a more level playing field between browsers, where IE has a share of
around 40-50%, and the remaining percentage is shared between all the other browsers

Neil Jones wrote: Mozilla and Opera prefer to release an entirely new version instead
of a patch which makes it more cumbersome to download . . .

And as more and more people are switching to broadband, that is fast becoming a non-issue.

Neil Jones wrote:I think you'll find that that is an opinion piece and not an official MSN line.

Doesn't stop it being a down right lie, on no that's Fox isn't it.


You may not be aware of this but as Firefox has been getting more popular there have been a few attempts at "XPI" based viruses (XPI is the technology used to install plugins and extensions). Now if I'm not mistaken even these required a use to click a link unlike the current problem with IE pre SP2.

I check up on this properly once MozillaZine's forum is up and running again as it's 500ing me at the moment.