Monday, July 6, 2009

Stop using Internet Explorer, right now

XP users, you're in the cross hairs:

Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors' computers by targeting a previously unknown vulnerability in some versions of Internet Explorer.

The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component that processes media. The vulnerability affects those using the XP and 2003 versions of Windows, Microsoft warned in this advisory.

Zero-day means there's no fix.

This is only the latest example of why you shouldn't use Internet Explorer. If you haven't done so already, here's why you should switch to Firefox:

1. The Firefox developers are much, much faster at getting fixes out - typically days, rather than weeks. Microsoft updates IE once a month, on Patch Tuesday. Firefox releases when they need to.

2. You get new fixes much faster with Firefox. IE fixes come out via Windows Update; do you know if yours is configured to run correctly? To run at all? Firefox, on the other hand, automatically checks for security fixes, and tells you when it's downloaded one.

3. ActiveX is an Abomination unto the Lord, at least from a security perspective. ActiveX lets your browser load executable code from someone who's not Microsoft. If there's a bug in this code, a fix doesn't come out on Patch Tuesday. Worse, if you've checked the box that says "Always trust content signed by FooCorp", Internet Explorer won't even tell you when it's loading potentially buggy code.

How cool is ActiveX? This cool:

What isn't in dispute is that IE 7 on Vista is not vulnerable, presumably because ActiveX objects are blocked by default, according to this blog entry from McAfee researchers Haowei Ren and Geok Meng Ong.

Sheesh. So you should go get Firefox right now, unless you don't care if you get pwned.

And don't forget the 2 Simple Rules for Safer Browsing.

5 comments:

Eagle said...

Heck, dump XP completely and go to Linux!

Or, if you absolutely, positively MUST have XP running, go get VirtualBox and build yourself an XP "guest". Make a backup of it. Then, use the "guest" for your browsing.

If your "guest" gets infected... delete it, restore the backup, and get back to work.

Shy Wolf said...

OK- I've downloaded Firefox...now start the problems, such as IE still runs the system and it is causing nothing but problems in the three puters I have/use. How to get the Firefox as the main whatever-it-is-supposed-to-be? McAfee may say VISTA is not vulnerable, but I'd say it's sure vulnerable to something as is XP, since all three have the same problems. (Not that I should have bought Windows in the first place- since it seems to be a POS equipment. Why, oh why, didn't I listen to people who work with them all day long?)
Shy III

Borepatch said...

Shy, I'd recommend the following, now that you have Firefox installed:

1. Close all browsers - both IE and Firefox.

2. Start Firefox - when it installed, it probably left a shortcut on the desktop; for sure it will be in Start->Programs.

3. It will tell you that it's not the default browser, and ask you if it's OK if it makes itself the default. Say "Yes".

You should be all set then.

When a vendor is publicly disputing a vulnerability announcement with a security company (e.g. Microsoft vs. McAfee), the smart money bets on the security company being right.

Also, if you stay unhappy with Windows, you might check out Ubuntu Linux. You can download it onto a USB flash drive and test it live, without deleting your old Windows partition. Sort of a test drive before you buy a car.

the pistolero said...

I don't even remember the last time I used Internet Exploder.

Shy Wolf said...

Thank you, Borepatch- I'll do that. My son has been telling me how good Linux is, I may start listening to him. Again, thanks a million.
Shy III