ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

IE is broken: can you fix it?

Robert Vamosi CNET

Published: 07 Jul 2004

• 
• 
• 
• 
• 

Microsoft's Internet Explorer is broken, and criminal hackers (crackers) know it. Within the last few weeks, these evildoers have staged several well-orchestrated Internet Explorer attacks designed to steal your banking and credit card information. The result has been that you can't trust Internet Explorer -- how will you know if a secure site is truly safe? Here's a look at what's wrong with Internet Explorer and what you can do to keep your data under lock and key.

At issue are not one, but several flaws within Internet Explorer, some well known and some not so well known (so-called zero day attacks). All of the serious attacks also use tiny programs called keystroke-logging Trojan horses, which capture IDs, passwords and credit card information as you type them. And all of the attacks so far happen without users even suspecting there's anything wrong. Note: only Windows users are at risk -- Mac and Linux folks, you're safe for now.

Let the attacks begin!
Two weeks ago, elements of the Russian mafia coordinated a brilliant attack that turned the Internet into millions of points of digital infection. First, the Russians (or their hired crackers) managed to secure malicious code on vulnerable Microsoft IIS Web servers worldwide. Then, using flaws within Internet Explorer, malicious JavaScript automatically downloaded whenever a user visited an infected site (which included popular search and auction destinations). That JavaScript in turn downloaded a keystroke-logging Trojan horse from another server located in Russia. The attack ended once the Russian server was taken offline.

Last week, a second attack targeted accounts with major financial institutions, such as Citibank and Deutsche Bank. Spread by pop-up advertising, which in turn loaded malicious code, this attack uses a Browser Helper Object (BHO), a type of file that developers frequently use to monitor Internet Explorer sessions. In this case, whenever a user visits a banking site, just before the encrypted Secure Socket Layer (SSL) session starts between user and bank, the Trojan records all the POST and GET information before it is encrypted. The Trojan then starts its own encrypted session, sending your personal banking data to a remote server.

Buggy, buggy Internet Explorer
How could this happen? Blame monopolies. When Microsoft launched its browser war against Netscape a few years ago, we all lost. By encouraging Web site developers to 'optimise for Internet Explorer', Microsoft killed off the competition by offering Web surfers flashing images and pretty sounds. Internet Explorer now holds a commanding 95 percent of the Internet browser market. Because of that market dominance, however, Internet Explorer engineers have been lax about browser innovations and battening down its hatches.

In the wake of these serious security events, the software giant posted instructions to secure your Internet Explorer.

In a nutshell, the instructions say to increase the security settings within Internet Explorer, turn off JavaScript and ActiveX, and start reading email in plain text (because Outlook uses Internet Explorer to render HTML). In other words, we should turn off everything Web developers have been told to optimise for. No more flashing images, no more cute sounds, just bland old, flat Web pages. And if you do follow these instructions, many Web sites you use every day simply will not work properly. Thanks a lot, Microsoft.

Here's the best part: there's one flaw that Microsoft fixed six years ago in Internet Explorer 3.0 and 4.0 that has resurfaced in versions 5.01, 5.5 and 6.0. And there are a few new bugs within Internet Explorer that even the software giant in Redmond didn't know existed, despite its own efforts -- a.k.a. Microsoft's Trustworthy Computing campaign. To its credit, Microsoft has since posted a patch for one of the new Internet Explorer flaws, but it waited a week to do so, and this patch still doesn't resolve all the problems.

Bail out of Internet Explorer -- now
The crisis with Internet Explorer is so bad that the U.S. Computer Emergency Response Team (US-CERT) now recommends that you move away from Microsoft Internet Explorer. You have Netscape 7.1, Mozilla 1.7, and Opera 7.5 to choose from. However, there is much excitement surrounding Mozilla's new Firefox browser, currently in beta, if only because Firefox reunites several original Netscape developers. (See the following page for more information on alternatives to Internet Explorer.)

Short of bailing out of Internet Explorer, you can also stop remote-access Trojan horses with a good personal desktop firewall such as ZoneAlarm or those included within Norton Internet Security and McAfee Internet Security. Finally, several of the banking Trojans can be removed with apps such as Spybot Search and Destroy and Ad-aware, as well as your favourite antivirus program. If you aren't currently checking for spyware, you should be. And if you aren't running antivirus protection, well, now's a really good time, don't you think?

Related articles

• 
• 
• 
• 
•