More news on the IE security flaw



12/16/2008




Kevin R. Smith
Co-Editor


BBC News covers the IE security flaw and brings these details:

'"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said. (We just covered these Internet Explorer security issues.)

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."' (emphasis ours)

The article goes on to quote another security pro, PC Pro magazine's security editor, Darien Graham-Smith, who added,

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

For anyone reading this who isn't running:
   1.) antivirus software
   2.) a hardware firewall

This is your wake-up call.

Finding the right antivirus software for your money isn't hard to do. Some versions even include both, making them antivirus firewall software in one.

We know we beat the same drum day after day here, but we do so because it can't be said enough: run antivirus software, which can often stop attacks like these in their tracks.

We also saw this in a related Computerworld article on the IE flaw:

'Carsten Eiram, chief security specialist at Secunia, in a post to the security company's blog early Friday. "It turned out that a lot of available information and assumptions were wrong."

Among those, said Eiram, was the belief that the vulnerability existed only in IE7 and was related to XML processing -- as some, including Secunia, first thought.

Also incorrect, or at least partly so, is the idea that setting IE's Internet security zone to "High" and disabling scripting will keep one safe from attack, added Eiram. "Technically no ... it is still possible to trigger the vulnerability," he said. "However, it does make exploitation trickier as it protects against attacks using scripting."'

Interesting.

Long story short: even if you've cranked your settings up in IE, you're still at risk.
