Windows Vista Forums

Vista - IE Patch Beats Coal in Your Stocking

Post #1 by NormCameron, 12-20-2008 (Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86)

Ed Bott says:

"The virus came unexpectedly. I thought my defenses were good enough, but clearly I was unprepared. This virus has proved to be unusually tenacious. I can't seem to clear it out. As soon as I see progress, the bug reemerges and attacks my system. If only Microsoft's Security Response Center could help me.

The point: Exploits happen. Merry Christmas and be glad it's not Happy New Year. Security exploits or attacks are now commonplace during the holidays. Somebody should be grateful that Microsoft got to this one early. If this is the only big security problem during the holidays, your IT organization got off easy.

Still, for many IT organizations and even consumers, today's out-of-band Internet Explorer patch is late enough to be trouble. Who wants to be distributing patches during the annual holiday party (assuming your company has one and it's no wake for those employees surviving layoffs)? For some consumers, that patch didn't come soon enough; they've been exploited already.

Because of my bodily virus, I sat out the real-time reporting and commentary around Microsoft Security Advisory 961051. In catching up, I'm surprised at the lashing Internet Explorer is taking here. Yesterday's Guardian story capped many calls for people to dump IE for another browser. Last week, Washington Post security blogger Brian Krebs advised "Windows users to consider browsing the Web with anything other than Internet Explorer."

Unfortunately, that would be my advice, too. Make a strategic retreat. I'm not suggesting that everybody dump Internet Explorer. Today, it's IE, but tomorrow the trouble could be with Firefox or Safari. No browser is truly safe.

When the hurricane or typhoon comes, you abandon your home for shelter. You flee for safety. You seek temporary shelter. That shelter is any browser but Internet Explorer. When the storm passes, most people will choose to return to their homes, i.e., IE (don't you just love the English language). Others will move away seeking safety elsewhere (other browsers).

There will be some feisty old coots who won't listen. They'll follow Microsoft's makeshift precautions and weather the storm. But that shouldn't be you. There is simply too much risk, and even Microsoft is candid about it. The risk will continue, until the patch is proven effective.

The problem is simple: This IE security hole is being rapidly exploited and from mainstream Websites. When people go to safe Internet neighborhoods and get robbed, the problem is a big one. Many of the sites fostering or propagating exploits to more mainstream operations have domains from China.

On Saturday, Microsoft warned in a blog post:

Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Websites containing exploits of this latest vulnerability. That percentage may seem low; however, it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday.

Breadth doesn't mean depth. Just because there are more exploited sites, and they're more mainstream, doesn't mean that infections will increase. Unfortunately, they can in this case because of the ease of exploitation.

Here's the problem, straight from Microsoft's security advisory:

An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.

Meaning: The site just needs to have a script capable of exploiting how Internet Explorer handles DHTML Data Bindings. All versions, including IE 8 Beta 2, are susceptible to exploit.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," according to Microsoft's security advisory. The majority of users run Windows XP, which by default grants administrative privileges. Early exploits seek to steal passwords and other credentials.

Yes, this is a nasty bug. Microsoft expects to start releasing the patch around 1 p.m. ET today. But don't just patch. Switch to Firefox or another browser for a few days. You don't want this kind of security problem, where someone walks through your home's locked doors and steals some of your belongings without you knowing, during the holidays.

Other people have called for wholesale switching to anything other than IE and permanently. Their calls have had little impact. Early this morning, I looked over Net Applications' raw browser share numbers for December. There's no appreciable decline for IE. I'd be surprised if IE usage noticeably dropped because of this exploit.

Microsoft's response is reassuring. Take the patch, be happy. If not for Microsoft's surprisingly quick action, your holiday stocking could have been full of coal."

IE Patch Beats Coal In Your Stocking - KezNews.com

Despite the fact that Firefox is not without its own vulnerabilities, it is 100% safer than IE and the recommendation to switch to Firefox with No-Script remains the same.

Post #2 by sassofalco, 12-20-2008 (Vista Home Premium 32bit [x86] - SP2)

Quote: Originally Posted by NormCameron
Ed Bott says: [This is selected extracts only - see previous post for the full article].

"The virus came unexpectedly. I thought my defenses were good enough, but clearly I was unprepared. This virus has proved to be unusually tenacious. I can't seem to clear it out. As soon as I see progress, the bug reemerges and attacks my system. If only Microsoft's Security Response Center could help me.

Because of my bodily virus, I sat out the real-time reporting and commentary around Microsoft Security Advisory 961051. In catching up, I'm surprised at the lashing Internet Explorer is taking here. Yesterday's Guardian story capped many calls for people to dump IE for another browser. Last week, Washington Post security blogger Brian Krebs advised "Windows users to consider browsing the Web with anything other than Internet Explorer."

Unfortunately, that would be my advice, too. Make a strategic retreat. I'm not suggesting that everybody dump Internet Explorer. Today, it's IE, but tomorrow the trouble could be with Firefox or Safari. No browser is truly safe.

When the hurricane or typhoon comes, you abandon your home for shelter. You flee for safety. You seek temporary shelter. That shelter is any browser but Internet Explorer.

There will be some feisty old coots who won't listen. They'll follow Microsoft's makeshift precautions and weather the storm. But that shouldn't be you. There is simply too much risk, and even Microsoft is candid about it. The risk will continue, until the patch is proven effective.

The problem is simple: This IE security hole is being rapidly exploited and from mainstream Websites. When people go to safe Internet neighborhoods and get robbed, the problem is a big one. Many of the sites fostering or propagating exploits to more mainstream operations have domains from China.

Yes, this is a nasty bug. Microsoft expects to start releasing the patch around 1 p.m. ET today. But don't just patch. Switch to Firefox or another browser for a few days. You don't want this kind of security problem, where someone walks through your home's locked doors and steals some of your belongings without you knowing, during the holidays.

Other people have called for wholesale switching to anything other than IE and permanently. Their calls have had little impact. Early this morning, I looked over Net Applications' raw browser share numbers for December. There's no appreciable decline for IE. I'd be surprised if IE usage noticeably dropped because of this exploit.

Microsoft's response is reassuring. Take the patch, be happy. If not for Microsoft's surprisingly quick action, your holiday stocking could have been full of coal."

IE Patch Beats Coal In Your Stocking - KezNews.com

Despite the fact that Firefox is not without its own vulnerabilities, it is 100% safer than IE and the recommendation to switch to Firefox with No-Script remains the same.
Thanks Norm for reproducing this very informative article.

So far as I'm concerned, with all Internet Browser providers, 'security' and 'loyalty', do not sit side by side.

Generally speaking, most Users expect internet browser providers to incorporate some secure and safe browsing conditions and protection within their product. Of course the degree of security is dependent on the 'web-surfing and browsing' habits of each User.

When the systems security setup of an internet browser is compromised or breached in any way, it goes without saying that loyalty to that browser provider ceases. Confidence in the exploited product plunges, and Users look for better 'security' elsewhere.

The exploitation is almost viewed by the User as a sense of betrayal by the Browser provider, and dismay at the product and its failure against such exploitation. Inevitably, somewhere, some Users get hurt by the failure.

In those circumstances, only a fool would doggedly retain any sense of loyalty to a browser provider with a failed systems security setup. There is nothing to gain, and all to lose, in a 'let's just sit and see what happens' attitude.

For me, IE has left the building... Firefox 3 is now in residence.

Last edited by sassofalco; 12-21-2008 at 02:40 AM. Reason: Complete re-write to clarify.

Post #3 by archie123, 12-20-2008 (Vista Home Premium 64bit SP2)

Firefox tops list of 12 most vulnerable apps

You're wasting your time; all browsers are unsafe by their very design. There is no safe browser and never will be. Hardware firewall configured properly and you're laughing. Never rely on a browser for security :P
Post #4 by sassofalco, 12-21-2008 (Vista Home Premium 32bit [x86] - SP2)

Quote: Originally Posted by archie123
Firefox tops list of 12 most vulnerable apps

You're wasting your time; all browsers are unsafe by their very design. There is no safe browser and never will be. Hardware firewall configured properly and you're laughing. Never rely on a browser for security :P
This is not a question of reliance on a browser for security, but quite the contrary. It is the perception of many users that their internet browsers are secure in their systems, when in fact many are vulnerable to constant attack and exploitation.

A perfectly configured Firewall is no cause for chuckling either... that too can be by-passed and breached.
Post #5 by Joan Archer, 12-21-2008 (Vista Home Premium SP2 32bit / Windows 7 Home Premium 32 bit)

There are always going to be exploits with IE because of who it belongs to; the baddies out there aren't going to stop trying to bring it down, because they think it's the thing to do. But at least when an exploit is found Microsoft are quick to bring out a fix for it; how quick are the others in plugging their browsers' faults?
Post #6 by NormCameron, 12-21-2008 (Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86)

Quote: Originally Posted by Joan Archer
There are always going to be exploits with IE because of who it belongs to; the baddies out there aren't going to stop trying to bring it down, because they think it's the thing to do. But at least when an exploit is found Microsoft are quick to bring out a fix for it; how quick are the others in plugging their browsers' faults?

Hi Joan,

The reason it is safer to use Firefox is because Firefox is a lower-profile target: it has a smaller market share than Windows IE does. This may sound peculiar, but in the dangerous world that is the Internet, keeping a low profile can be an important aspect of staying secure. The reason for this is that attackers, by and large, write their attack code to market share, for all the same reasons that legitimate software developers most often deliver their Windows products before their Mac or Linux ones.


IE has a rich set of security features that can be configured to suit your needs. Firefox, by comparison, is more simplistic in its security configuration choices. IE manages its security via “zones”—Internet, Local Intranet, Trusted sites, and Restricted sites. Within each zone, the user has a large set of configuration options where authorisations can be fine-tuned. For example, Internet sites can be set to default to disallowing browser scripting, ActiveX, Flash, and other dangerous content. That’s the good news. The bad news in all of these features is that

a) by default, far too much untrustworthy content is allowed (e.g., JavaScript) and that

b) the sheer vastness of the features will scare most users out of doing any substantive fine-tuning to protect themselves.

Firefox, on the other hand, is much simpler. JavaScript, for example, can be enabled or disabled (along with setting a half dozen or so JavaScript capabilities) for all or no sites.

The differences are what make Firefox a safer, if not always as satisfying, browsing experience than IE. It's nice that dangerous features can be quickly turned on and off. But the lack of fine tuning can be off-putting to the knowledgeable user who can achieve the same results in IE with proper fine tuning.

Where Firefox starts to shine, at least for my needs, is the free plug-in NoScript (available from noscript.net). NoScript provides a script whitelisting capability in the entire Mozilla family of browsers, including Firefox. With NoScript, I can allow individual sites that I have some level of faith in to run script content in my browser, while defaulting to disallowing scripts for all others. I find this approach to be very workable, as I only have to teach NoScript once per site I visit.

Some people find NoScript to be very annoying for the same reasons that I like it. It’s not perfect.

As open source software, the entire Firefox source tree has been studied quite closely by a lot of people, including phishers and other miscreants, and it still remains a safe option. This is because of the way IE and Firefox act to patch/repair vulnerabilities. The following two web pages should provide an answer to the question of how well and quickly each organisation reacts to potential threats and vulnerabilities.

Firefox

Mozilla Firefox 3.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com

IE

Microsoft Internet Explorer 7.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Norm
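The default-deny, per-site script allowlist that Norm describes for NoScript, written out as an added Python example (it is not NoScript's code and not part of the original post): each script's origin is parsed, scripts run only from hosts the user has explicitly allowed, and everything else is blocked by default. The allowlist entries and the page and script URLs are constructed for the example; the subdomain matching (allowing example.com also allows cdn.example.com) and the treatment of inline scripts as belonging to the page's own host are simplifying assumptions, not a description of NoScript's exact rules.

```python
"""Default-deny, per-site script allowlist in the style described for
NoScript. Added example; not NoScript's code. The matching rules below are
simplifying assumptions (see comments)."""
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user has chosen to trust, one entry
# per site "taught" to the policy once.
ALLOWLIST = {"example.com", "mail.example.net"}


def site_of(url):
    """Return the lowercase host of an http(s) URL, or None for anything
    that is not a fetchable web origin (javascript:, data:, malformed)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_allowed(host, allowlist=ALLOWLIST):
    """True if the host or one of its parent domains is allowlisted.

    Assumption: an entry such as example.com also covers cdn.example.com.
    The bare top-level label (e.g. 'com') is never consulted, so a stray
    'com' entry cannot silently allow a whole TLD."""
    if host is None:
        return False
    labels = host.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return any(c in allowlist for c in candidates)


def evaluate_page(page_url, script_urls, allowlist=ALLOWLIST):
    """Decide for every script on a page whether it runs.

    script_urls: list of script src URLs; None stands for an inline script,
    which is treated as belonging to the page's own host (assumption).
    Returns {script_url: "run" | "blocked"}; the default verdict is "blocked"."""
    page_host = site_of(page_url)
    decisions = {}
    for src in script_urls:
        host = page_host if src is None else site_of(src)
        decisions[src] = "run" if is_allowed(host, allowlist) else "blocked"
    return decisions


def blocked_hosts(decisions):
    """Sorted hosts whose scripts were blocked: the list a user would review
    before deciding whether to teach the policy one more site."""
    hosts = set()
    for src, verdict in decisions.items():
        host = site_of(src) if src is not None else None
        if verdict == "blocked" and host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed page: a trusted site embedding its own CDN, a third-party
    # ad script, a tracker, a javascript: URL and one inline script.
    page = "https://www.example.com/news/"
    scripts = [None,
               "https://cdn.example.com/app.js",
               "https://ads.thirdparty.invalid/serve.js",
               "http://tracker.invalid/t.js",
               "javascript:void(0)"]
    verdicts = evaluate_page(page, scripts)
    for src, verdict in verdicts.items():
        print(f"{verdict:8} {src or '<inline>'}")
    print("blocked hosts:", blocked_hosts(verdicts))
```

Run stand-alone, the script prints one verdict per script for the constructed page: the inline script and the CDN script run because www.example.com and cdn.example.com fall under the allowlisted example.com, while the ad, tracker and javascript: entries are blocked. The point the post makes is visible in the structure: the user's only decision is which hosts to add to ALLOWLIST, and anything not on it is blocked without further configuration.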
Post #7 by NormCameron, 12-22-2008 (Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86)

Quote: Originally Posted by archie123
Firefox tops list of 12 most vulnerable apps

You're wasting your time; all browsers are unsafe by their very design. There is no safe browser and never will be. Hardware firewall configured properly and you're laughing. Never rely on a browser for security :P

Hi Archie, I note your inclusion of the list of unsafe programs. I believe this list is fundamentally flawed in that it identifies programs to be included on the list by the fact that they do not have a "patch" system, but rely on new versions to repair flaws. Given the number of critical patches issued by IE during the same period, I don't believe the fact of a manual update, compared to an automatic update, is sufficient reason to justify a program as being "inherently insecure".

Take a look here:

Mozilla Firefox 3.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Microsoft Internet Explorer 7.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Having said that I agree, all browsers are unsafe by design, like a car you need to learn how to "drive" safely.

The point about a hardware firewall is also valid, up to the point where you let your browser through it. The only perfectly safe system is a stand-alone with no external access. In this age it's not possible. We allow so many programs to go through our firewalls, both software and hardware, that reliance on a firewall for protection is like taking a shower in a raincoat. There's no point, it doesn't do it.

The only solution is to take sensible precautions that offer a reasonable measure of protection and allow you to do what you want to do, with minimised risk, and be prepared for the worst happening by backing up data etc. that you can't afford to lose.

sassofalco makes a good point when he says "It is the perception of many users that their internet browsers are secure in their systems, when in fact many are vulnerable to constant attack and exploitation." That IS the problem, not a browser's insecurity.
Norm