Thursday, December 11, 2008

Stop using Internet Explorer

Really. Right Now.
From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'
Easy alternatives to IE are here.

Like I said, get off IE and don't go back. This is only the latest example, and the browser is the vector for 90% of the malware. This is the single most important thing you can do to improve your online security.

By the way, the unpatched vulnerability in Microsoft's WordPad (also being exploited) applies to all versions of Windows, which probably makes this the most widespread vulnerability of all time.


AnarchAngel said...

Not even close dude. The unpatched DNS vulnerability affected EVERY computer, not just every Windows computer.

Borepatch said...

Chris, actually your way of counting is interesting. You're correct that every computer on the planet was affected by the DNS vulnerability. However, not very many had to be patched.

My Ubuntu Linux system, for example, is absolutely vulnerable. However, (a) I don't run the DNS service on it, and (b) none of the services are Internet-reachable, so it doesn't really need to be patched.

Ultimately, I will, since it's a latent risk. However, for most users, the IE bug is the most urgent.