Experts: Avoid Internet Explorer Until Security Flaw Fixed
Just saw this in the Chicago Tribune:
Read the entire article here:
SAN FRANCISCO (AP) -- Users of all current versions of Microsoft Corp.'s Internet Explorer browser might be vulnerable to having their computers hijacked because of a serious security hole in the software that had yet to be fixed Monday.
The flaw lets criminals commandeer victims' machines merely by tricking them into visiting Web sites tainted with malicious programming code. As many as 10,000 sites have been compromised since last week to exploit the browser flaw, according to antivirus software maker Trend Micro Inc.
The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market. However, the hole is such that it could be "adopted by more financially motivated criminals for more serious mayhem -- that's a big fear right now," Paul Ferguson, a Trend Micro security researcher, said Monday.
"Zero-day" vulnerabilities like this are security holes that haven't been repaired by the software makers. They're a gold mine for criminals because users have few ways to fight off attacks.
After years of being frustrated with IE and PCs in general, I made the switch to Mac last summer. That was following a one year experiment with Windows Vista. One year was all I could stand.
December 16, 2008 2:09 PM | Reply | Permalink
Linux. I'm using it now on my PC, it has cooler effects and functionality than Mac, and, it's free.
Macs are for the kinds of people who created this financial recession - people with thousands and thousands of dollars sitting around to waste on a computer because it has a pretty-looking case.
And yes, its operating system is based on UNIX, which is also the basis of the (free) Linux.
December 16, 2008 3:52 PM | Reply | Permalink
The Linux kernel was written entirely from scratch. It's not based on Unix.
"Macs are for the kinds of people who created this financial recession - people with thousands and thousands of dollars sitting around to waste on a computer because it has a pretty-looking case."
And Linux is for snotty Penguin OS fascists who think it's their business what kind of computer someone else chooses to purchase.
December 16, 2008 6:24 PM | Reply | Permalink
I split my hard drive on the Windows Vista PC with Ubuntu (Linux-based OS). I still prefer the Mac OS. Agree with other comments that Windows is the primary target of malware, so Mac benefits by default.
Your supposition that "Macs are for the kinds of people who created this financial recession - people with thousands and thousands of dollars sitting around to waste on a computer because it has a pretty-looking case.", is absurd. Especially as most of the programs running the algorithms that powered the derivative market that augered us into this mess were PC compatible programs.
December 16, 2008 8:22 PM | Reply | Permalink
Hi Miguelito, I have xp/ubuntu/(w98 on a virtual machine) on my computer but haven't ever tried the ubuntu. Do you use their browser?
December 17, 2008 10:02 AM | Reply | Permalink
I didn't use it at all Lux. A friend set me up with the Ubuntu using Firefox. He also turned me on to this website which has a lot of useful info. I only used the Ubuntu w/Firefox for about 8 months but generally liked it, and preferred it to Vista/IE, (my advice regarding Vista: Don't bother, stick with your XP until you have to upgrade).
December 17, 2008 10:44 AM | Reply | Permalink
Thanks for the link! Ditto: a tech friend uninstalled Vista for me (I had a new machine and hated that OS) and at my request put in XP/(they added Ubuntu as a good idea) and installed Win98 in a virtual machine that I could use to run some of my old math programs that haven't been ported to new platforms.
I haven't tried the browser yet, but maybe today...
December 17, 2008 11:21 AM | Reply | Permalink
I just bought a new machine from Dell and ordered it with XP Pro installed. It actually cost me fifty bucks extra to get XP instead of Vista. Vista has been such a disaster that Microsoft is rolling out its replacement early:
http://windowsteamblog.com/blogs/windows7/default.aspx
http://gizmodo.com/5069661/windows-7-walkthrough-boot-video-and-impressions
December 17, 2008 12:17 PM | Reply | Permalink
Another link worth checking out:
http://www.microsoft.com/surface/index.html
Microsoft Surface. Looks pretty cool.
December 17, 2008 12:22 PM | Reply | Permalink
Thankee!
December 17, 2008 9:31 PM | Reply | Permalink
Using a Mac won't keep you safe from exploits based on DNS cache poisoning or clickjacking attacks. Don't be fooled--there are plenty of ways to attack a Mac.
December 16, 2008 6:18 PM | Reply | Permalink
Please, what do you advise for us Mac owners then? And could you explain the DNS Clickjack thing? And does Firefox with the no script protect from that?
December 16, 2008 6:41 PM | Reply | Permalink
Nothing protects you from the latest DNS cache poisoning bug. It's possibly the worst security flaw I've seen in years. You've just got to pray that your ISP and your bank and the other people you do business with are patched. There's nothing you can personally do to protect yourself.
Here's a scary article about the flaw with a few details:
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=all
There's no such thing as a completely secure computer. A year or two ago, for instance, someone figured out a way to do a hardware level attack on an Airport card that completely bypassed the OS. I can break into most wireless networks in five minutes or less with nothing more than a couple of laptops and a few freely available tools. There's always a way in if you're determined. Firefox is available for Mac, though, and it's well worth installing and using. Especially with NoScript added. You can even install a theme to make it look pretty much like Safari.
December 16, 2008 6:52 PM | Reply | Permalink
I've been using Firefox (with no script). I don't use wireless. Only direct connect to the DSL. (unplugged when I'm offline - through att) And I do no banking over the web.
Sounds like I'm doing all I can. Thanks, hreb.
(by the way, with the "reb" I think of you as "the rabbi" - I'm not Jewish, but that's comforting...)
December 16, 2008 6:58 PM | Reply | Permalink
You know how I came up with hrebendorf? I tried a whole bunch of others and they were all taken. So I figured if I came up with something hard to pronounce I might get it. :)
Firewall enabled? If so, you're doing all the right things.
December 16, 2008 7:11 PM | Reply | Permalink
Yup. I guess I'm doing all I can. Scary world out there.
But here we've got "the reb."
December 16, 2008 7:17 PM | Reply | Permalink
Great article! Thanks for the tip.
December 16, 2008 8:07 PM | Reply | Permalink
I use a wireless router on my DSL line for laptop access, and for loading up MP3 players. It does not broadcast itself, and only accepts connections from pre-entered MAC addresses. It is also placed in the center of my residence, and does not transmit out to the street. It would be extremely unlikely that anyone was able to hack into it. I am able to tap into an internet cafe wireless access from a 2nd story window that's about 2 blocks, and has a clean line of sight. I've only used it for tests, but figure it provides a decent anon feed if ever I decide one is needed.
December 16, 2008 9:23 PM | Reply | Permalink
Unfortunately, neither trick makes you safer. They only give you a false sense of security. From Steve Riley, senior security strategist at Microsoft:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
WPA or WPA2 will stop all but the most determined hacker.
December 17, 2008 11:56 AM | Reply | Permalink
Of course I encrypt my router connections (WPA2). My router will only accept connections from devices whose MAC addresses have been white-listed, and it's stealthed, so it doesn't just refuse, it drops. It will not allow admin from any wireless connection, so only the desktop connects (my Linux sandbox server is blocked from WAN connections, although I could command line router admin from it). The router will not accept connections that call for unused ports. Lastly, and one that I believe aids my router security immensely, is the fact that it transmits so weakly, its signal only reaches outside in a few directions, and I check that about once a month.
I wasn't aware that not transmitting SSIDs was counter protocol. This both surprises and perturbs me. An access point intended only for short-range residential use has no need to be promiscuously broadcasting its SSID. I've never experienced any connection problem with my laptop running WinXP, but that may be because it's a Lenovo, and I use their own supplied wireless access program, not Windows'.
December 18, 2008 5:04 AM | Reply | Permalink
http://ettercap.sourceforge.net/
http://www.klcconsulting.net/smac/
December 17, 2008 12:35 PM | Reply | Permalink
Hey, hey, HEY! Cool it! Jesus! Both of you! Now! Just walk it off!
There! That's better. See?... it's always the way - somebody makes a crack about Netbook, and somebody comes back with smack about PNY OPTIMA 2GB (2x1GB) Dual Channel Kit DDR 400 MHz PC3200 Desktop DIMM Memory Modules MD2048KD1-400... And that's how it begins, man.
Can't we all just get the f*ck along?!
December 16, 2008 4:35 PM | Reply | Permalink
PNY OPTIMA 2GB (2x1GB) Dual Channel Kit DDR 400 MHz PC3200 Desktop DIMM Memory Modules MD2048KD1-400 are totally suck.
December 16, 2008 6:43 PM | Reply | Permalink
Yeah! Why can't we be friends?
December 17, 2008 1:42 AM | Reply | Permalink
For anyone who's interested: Firefox with the NoScript Add-on installed is pretty darn secure, and there are versions available for Windows, Mac and Linux.
IE is the least secure browser you can use these days--not because there's anything inherently wrong with it, but simply because it's the most popular browser around, which makes it the most popular target to attack.
December 16, 2008 6:28 PM | Reply | Permalink
Firefox w/NoScript and AdBlock Plus. (Sorry, Josh...)
December 16, 2008 6:37 PM | Reply | Permalink
AdBlock won't make you safer online, but it sure makes things more pleasant. Although I've noticed some sites wait for the ads to load before they load the content, so sometimes AdBlock actually slows things down.
I disable AdBlock on TPM, out of respect for Josh's need to become rich as fucking hell.
December 16, 2008 6:41 PM | Reply | Permalink
For those who continue to use Internet Explorer, there are a couple of easily implemented protections which can guard against many potential internet security breaches.
The first is to simply set your internet security settings to High. To do this:
1) Go to Control Panel
2) Open Internet Options
3) Click the "Security" tab at the top
4) Click on "Custom level"
5) Where it says "Reset custom settings": set it to High
This will result in many more warning messages, usually for active x controls. When in doubt, refuse to let them be installed.
The second thing is to download and install the freeware program: Spybot - Search and Control. It's free and may also be the best anti-spyware software available for Windows.
December 16, 2008 6:45 PM | Reply | Permalink
See this page for Microsoft's official workaround:
http://www.microsoft.com/technet/security/advisory/961051.mspx
Click "Suggested Actions", then "Workarounds". Then get ready to waste an hour of your time changing settings. It's not a simple fix. You've got to change a few Registry settings, unregister oledb32.dll and disable XML Island functionality (thereby causing embedded XML in HTML to render incorrectly or not at all).
December 16, 2008 7:06 PM | Reply | Permalink
Yeah, I saw that. It is beyond the ability of the average computer user to implement the full workaround. It will even be worse for that fractional number of users who do go ahead and implement the workaround, only to discover that some necessary internet function they use regularly, still depends upon oledb32.dll. Do you think they will be able to reregister it? I expect MS to come out with one or more IE patches within the next week.
Spybot Search and Control now blocks and is able to remove well over 300,000 pieces of malware. The program uses an active blocker, and writes to the hosts file, presently sending over 10,000 known exploit sites to localhost. The program is awesome, and I've even donated money to the author twice.
December 16, 2008 8:42 PM | Reply | Permalink
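The hosts-file blocking described in the comment above can be audited with a short script. This is an added example, not part of the thread and not Spybot's code; the sample file and every hostname in it are constructed placeholders. It separates names sent to loopback (blocked) from names pointed at some other address, which a blocklist tool would have no reason to write.

```python
import ipaddress

# Constructed sample hosts file (placeholder names, documentation IP range).
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
127.0.0.1       bad-site.example  www.bad-site.example   # blocklist entry
0.0.0.0         tracker.example
203.0.113.7     bank.example      # not loopback: a redirect, not a block
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Return {hostname: ip_address}; the first entry seen for a name is kept."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip entries with a malformed address
        for name in fields[1:]:                 # one address may carry several names
            table.setdefault(name.lower(), addr)
    return table

def classify(table):
    """Split entries into sinkholed names and names redirected elsewhere."""
    sinkholed, redirected = set(), {}
    for name, addr in table.items():
        if name == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            sinkholed.add(name)
        else:
            redirected[name] = str(addr)        # worth a manual look
    return sinkholed, redirected

def is_blocked(table, hostname):
    """Hosts matching is exact: a subdomain is not covered by its parent's entry."""
    addr = table.get(hostname.lower().rstrip("."))
    return addr is not None and (addr.is_loopback or addr.is_unspecified)

if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print("sinkholed:", sorted(blocked))
    print("redirected:", redirected)
```

Because matching is by exact name, a blocklist of this kind only covers the hostnames it lists, which is why such lists grow to thousands of lines.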
"Do you think they will be able to reregister it?"
It's the same command, minus the /u switch. Not too tough. Glad the patch is out, though, and thanks for posting the info.
December 17, 2008 12:07 PM | Reply | Permalink
I have a Mac after microsoft drove me nuts! I must keep my sanity. Even if it's at the price of a Mac!
December 16, 2008 8:30 PM | Reply | Permalink
Microsoft says it will have an Internet Explorer patch available Wednesday, December 17, 2008, at 1:00 PM EST at their Microsoft Update site.
December 16, 2008 9:40 PM | Reply | Permalink