Full Version: CERT Warning
HKEd
Source: http://www.internetnews.com/security/artic...cle.php/3374931
QUOTE
June 29, 2004
US-CERT: Beware of IE
By Ryan Naraine

The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser.

On the heels of last week's sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of "significant vulnerabilities" in technologies embedded in IE.

"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites," US-CERT noted in a vulnerability note.

The latest US-CERT position comes at a crucial time for Microsoft, which has invested heavily to add secure browsing technologies in the coming Windows XP Service Pack 2. The software giant has spent the last few months talking up the coming IE security improvements but the slow response to patching well-known -- and sometimes "critical" -- browser holes isn't sitting well with security experts.

On discussion lists and message boards, security researchers have spent a lot of time beating the "Dump IE" drum, and the US-CERT notice is sure to lend credibility to the movement away from the world's most popular browser.

US-CERT is a non-profit partnership between the Department of Homeland Security (DHS) and the public and private sectors. It was established in September 2003 to improve computer security preparedness and response to cyber attacks in the United States.

It has been more than two weeks since Microsoft confirmed the existence of an "extremely critical" IE bug, which was being used to load adware/spyware and malware on PCs without user intervention but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server. It opens the door for an attacker to exploit the flaw by executing script in different security domains.

"By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE," according to the advisory.

"Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability."

To protect against the flaw, IE users are urged to disable Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker). Other temporary workarounds include the application of the Outlook e-mail security update; the use of plain-text e-mails and the use of anti-virus software.

Surfers must also get into the habit of not clicking on unsolicited URLs from e-mail, instant messages, Web forums or internet relay chat (IRC) sessions.

There are so many vulnerabilities in IE that it's almost impossible not to be infected with malware, no matter how well protected you think you are. While we here at SAF, as well as almost all Windows help sites and specialist security sites, are trying our best to keep up with developments, the malware scumbags are way ahead of us. They find exploits that even Microsoft wasn't aware of. We have to face the fact that using IE is now not just unsecure, but dangerous.

I recommend all users to install an alternative browser. I like Mozilla Firefox 0.8 and have been using it for a while. It's fast, it's safe, it's popup-free and you can import IE bookmarks easily.
Angoid
Every now and again though it is imperative to use IE to go to Windows Update and download all the critical OS and IE patches from Microsoft.

I've seen compromised systems give IE popups where IE is not even being used, both with my own eyes and on forums.

Even though the malware makers are exploiting loopholes that Microsoft isn't even aware of, you can at least patch yourself against the known loopholes and exploits, and stay safer against those ones.

It sometimes strikes me that once something has got more holes than Swiss cheese, it's time to get that drawing board out again
Mark
Hi folks,

Just to add to this, Firefox 0.9.1 is out. I've installed it and haven't had any ill effects from it. Seems to be a harmless upgrade, and one I would recommend.

Until MS gets its act together, I think Ed's recommendation is one all should consider following.

Cheers
colhutch
IMHO the CERT statement has been greatly overexaggerated. It was reported at one security site that CERT had said not to use IE, then another and then another.....

The following is the article in question
http://www.kb.cert.org/vuls/id/323070

The following is the exact CERT quote:
QUOTE
Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle MHTML protocol URLs.


http://news.google.ca/news?hl=en&edition=c...tnG=Search+News
mjmjam2002
LoL
That article confused the heck out of me, but what I got from it was....stop using IE. LOL

Mozilla/Firefox ?? LoL are they really different from IE, I'm not into change lol. Are they easy to use?
Hannibal
QUOTE(mjmjam2002 @ Oct 31 2005, 08:15 AM) *

LoL
That article confused the heck out of me, but what I got from it was....stop using IE. LOL

Mozilla/Firefox ?? LoL are they really different from IE, I'm not into change lol. Are they easy to use?


Many years ago when I first got on the web I was advised by my ISP NOT to use IE because it was far less secure than Netscape. I've used Netscape ever since and with very few problems.

I recently decided to try Firefox 1.5 and have been so pleased with it that I stopped using Netscape.

Firefox 1.5 installs easily, is very easy to use, and there is now an updated v2.0 which I'll probably install later.

You should give it a try: http://www.mozilla.com/firefox/

Of course you can't remove IE from Windows but, given its long history of troubles, IMHO the wise thing to do is only to use it when absolutely necessary.

skysoldier
Would that also include IE 7.0 beta?
I have it and zip along clean and true... So far that is. I also have the newest F.F. but prefer IE 7.
skysoldier
Come on guys just a yes or a no will do! I have too much to do around the house and yard to read this right now. So if others who have the answer would share the info I would be most happy.
Just playing I will read the info myself later (much later) when time is on my side.
condorstats
lol, while this is something of an old topic, the same question still remains today.

There was recently news of a big Firefox security bug, regarding JavaScript. IMHO, neither is so much safer than the other one to make it the only reason for its choice. Both are insecure, perhaps one is more insecure than the other, but a large percentage of that is user error. A computer not even on the internet can be compromised by an insecure browser if the user is daft enough.

I personally have always preferred FF to IE, especially as MS are going for this no menu bar idea, which just makes using IE7 such a pain. And I think it looks bad.... and it doesn't work on Linux anyway.... and I just don't like it.
skysoldier
All true, but I feel safer with IE 7.0 and the Windoze OS. Now that is backed up with 7 security apps and 2 BHO's...... lol Security on M$ OS....??????????
Now your OS is secure but you still need the weakest link. The browser.
And Mac users will wake up someday to the dread of malware, trojans, worms, root kit attacks. So if Linux was to develop its own browser I would change over. Maybe. No, I am in control on this machine for the moment... That's why I will break down soon and get Go Back 4.0 from (ugh) Norton. That is the safest way a M$ man/woman can go.