Linux Watch article by -- Steven J. Vaughan-Nichols
Published: Mar. 27, 2006
OK, how many times must Internet Explorer be ripped open like a hot 16-year-old in a summer slasher movie before people finally get it: IE is not safe. Period. End of Statement. I don't care if you only run it around the Web on Sundays and to the nicest sites. If you run IE, you're just asking to be slammed by worms, bots, adware, and every other kind of malware on the planet. No, it doesn't matter that you're using XP SP2 and you've downloaded all the patches. The only version that appears to be immune is IE7 beta-2. [And it has even been found to have security flaws]
Take the IE code execution hole discovered by Secunia Research a few days ago. Microsoft admits that it's there. That's big of them. Malicious hackers have already been using the hole via hijacked Web servers over the weekend to launch attacks.
While Microsoft insists that, "So far we're still seeing only limited attacks," eWEEK, one of Linux-Watch's sister publications, has seen a list of more than 20 unique domains and 100 unique URLs hosting exploits using the hole. These, in turn, are infecting systems with SDbot, a virulent family of backdoor programs that give hackers complete ownership of your computers. With SDbot, attackers can control your computer by sending commands via IRC (Internet Relay Chat) channels. In the past, it's been used to seed botnets and plant keystroke loggers for identity theft attacks.
Of course, there may be many other backdoor programs being planted by crackers. The hole can be used for many purposes. It's just that SDbot infections are the only ones we know about so far. This particular attack works by playing games with the "createTextRange()" call usually used with radio button controls in Active Scripting. If you turn off Active Scripting, you'll lock out attacks based on it. Of course, some sites that have been designed with IE in mind won't work right.
Still, which would you rather have? A safe system that won't work with some Websites, or a compromised system? I know which way I'd go. I use Firefox. It's open source, but what's much more important than that is that it's safer, much safer than Internet Explorer.
What I want to know is why any of you are still using Internet Explorer? I mean how many attacks does it take?
OK, so some of you are experts at securing IE and you wouldn't be caught dead with Active Scripting on in the first place. What about your fellow employees, though? Are they all so clever? What about your husband at home? Your kids? Your mom and dad? Is everyone you know and care about dedicated enough to read Secunia and SANS ISC (Internet Storm Center) every day? Clever enough to stay one step ahead of crackers who are now attacking holes on the very day that they're discovered?
I make my living from riding the bleeding edge of technology, and I don't think I can do it. The government sure the heck can't do it. And, I have my doubts about businesses as well. Let's not even talk about the state of insecurity of most home computers.
Here's the simple truth: Even if you don't believe in Linux, open-source, and all that jazz, no one who knows anything about computer security can believe that IE has been, is now, or is likely to be secure anytime soon. Firefox is simply the better choice.
Is Firefox perfect? Completely secure? Heck no! Death and taxes are the only things you can really be sure of. But, an unattended copy of Firefox is still a lot more secure than even a constantly watched and updated copy of IE. If you care about your security, about the security of any of your friends, family, or co-workers, it's time to switch to Firefox.
Oh, and that IE hole? As I write this, on the afternoon of the 27th of March, there is no patch for it. Microsoft assures us, though, that there will be one by April 11th at the latest.
Comforting, isn't it? -- Steven J. Vaughan-Nichols
{Emphasis, color, paragraph formatting and [] added by Charlie}