IT Security Police: 'Step Away From That IE'
Sep 19, 2012 3:24 PM PT
Internet Explorer is too dangerous to use, according to warnings from throngs of security experts, including Germany's Federal Office for Information Security.
The German government agency issued an alert that advises citizens to avoid using Internet Explorer and use an alternate browser until a patch can be found for a vulnerability discovered last week. The flaw allows hackers to execute code on infected computers.
"There really isn't any great defense against this," Johannes Ullrich, chief technology officer for the SANS Internet Storm Center told TechNewsWorld. "Right now, the best thing to do is not use Internet Explorer."
Microsoft is working feverishly to plug the flaw, a "Zero Day" vulnerability -- a defect unknown to a software maker until it's discovered by someone else, such as security researchers or hackers.
The vulnerability was discovered by Luxembourg security researcher Eric Romang on Sept. 14 while scrutinizing some servers used by a group of Chinese hackers called the Nitro Gang to exploit a Zero Day Java flaw last month.
On Monday, Microsoft alerted IE users of the risks facing them due to the defect. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," it stated in a security advisory.
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," it continued.
The advisory noted that the flaw affected IE versions 6 through 8 for Windows XP, seven through nine for Windows Vista, and eight and nine for Windows 7.
Microsoft made several recommendations for users to reduce the risks associated with the vulnerability until the company can push a patch out to address the problem. They included:
- Install the company's free Enhanced Mitigation Experience Toolkit (EMET), which implements additional security measures on Windows machines.
- Configure Internet and intranet security zone settings to "high" to block ActiveX and Active Scripting in those areas.
- Configure IE to display prompts before running Active Scripting or disable the feature entirely in the Internet and intranet security zones.
Microsoft's recommendations come with some warts, however. Researchers have already found a way to evade EMET, according to Kurt Baumgartner, a senior security researcher with Kaspersky Lab.
Even if EMET weren't vulnerable, it's a solution unlikely to appeal to most users. "It's not something the average user is going to use," Ullrich maintained. "It's something for more professional users. It's not a great workaround."
Professional users may also avoid the EMET solution because it can be time consuming to roll out to a large organization, according to Donald S. Retallack, research vice president for systems management & security for Directions on Microsoft.
"System administrators with large scale software management tools, like the System Center products, could push EMET out to an organization," he explained to TechNewsWorld. "But it gets pretty complicated when you have to install it on machines that aren't on your network -- roaming laptops and so forth."
Cranking up IE's security zone settings also has drawbacks, Baumgartner added. "That will mess up website rendering," he told TechNewsWorld, "and the same goes for enabling IE prompts for Active Scripting or disabling Active Scripting altogether."
"In my humble opinion, it seems like a smart idea to switch to another browser for now, like Google's Chrome, if you can," he recommended.
Directions on Microsoft's Retallack believes Microsoft will act quickly to plug the IE vulnerability. "They're taking this seriously," he said.
And they should because momentum is building in the Internet underground to rapidly exploit the vulnerability in malware, according to Kaspersky's Baumgartner. "The risk of mass exploitation accelerates rapidly not because the vulnerability is known but because exploit code targeting the vulnerability is being open source distributed," he explained.
With Microsoft trying to regain market share for its browser -- it's currently running a national television advertising campaign for IE -- will this current security setback hurt it in the browser wars?
Not very much, according to Vince Vizzaccaro, executive vice president for marketing and strategic alliances for Net Applications, a web analytics firm. Historical data shows widely publicized security incidents don't have long-term effects on market share.
"Many people are unaware of the security threats that come up with their browsers and thereby make no changes to their browsing behavior," he explained to TechNewsWorld.
"Of those people who are aware of the threats," he continued, "most are aware that browser security is taken seriously by all the major browser providers and that while there are breaches on occasion, these breaches tend to be dealt with quickly to minimize the impact on users."