
IE bug: Top 3 tips for secure browsing

CIOL Bureau

The United States Computer Emergency Readiness Team (US-CERT) has warned users to stop using Microsoft Internet Explorer after a bug which Microsoft had previously claimed to have fixed has resurfaced.

"Microsoft Internet Explorer (IE) does not adequately validate the security context of a frame that has been redirected by a web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE," it says.

So far, hackers have used this flaw to launch pop-up windows from compromised advertising banners hosted on at least 50 financial institutions' websites. By attacking the advertisers' websites and causing them to launch these pop-ups, hackers have been able to install key logging programs on end users' machines and capture the key strokes that end users type to log into their financial services sites. These key strokes have then been sent back to the criminals involved in these attacks, to do what they wish with them.

Following a malware attack last week, which targeted a known flaw in IE, the US-CERT recommended using alternative browsers. Microsoft meanwhile is hurriedly trying to increase IE's security with the Windows XP Service Pack 2.

"It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites," US-CERT has advised.

This warning by the US government could not have come at a worse time for Microsoft chairman Bill Gates as he travels through China, Malaysia and Australia in a bid to consolidate the company's presence in these countries.

GARTNER SEES MORE ATTACKS

Advising users to protect their servers and computers right away, research firm Gartner has found that so-called zero-day attacks - malicious-code attacks that exploit vulnerabilities for which patches are not available - represent fewer than 1 percent of all attacks. Yet, because fixes are not yet available, they can be among the most damaging of all attacks.

The firm has sent out a list of recommendations to avoid an attack:

1. Scan all your Web servers for malicious code that may have been installed to exploit the IE flaws, and review your defenses.

2. If the malicious code is found on any of your public-facing Web servers, warn your customers that their PCs may have been infected and provide guidance for cleanup.

3. Reset IE security settings to High until fixes are available. (Service Pack 2 for Windows XP - scheduled for release in the next few months - will correct several Internet Explorer flaws, but Microsoft has not yet indicated whether the newly identified flaws will be among them.) Once patches have been made available and deployed, consider reducing the security settings to a less restricted custom or default level.

It has also stated that enterprises using the Mozilla (Netscape) and Opera browsers need not take these actions.
