[personal profile] reddragdiva

Picture this: Hacker breaks into major corporate website, puts up a malicious bit of code. If you view the page in Internet Explorer, the code exploits a hole in IE and infects your computer. You didn't do anything except view a website. Your computer is now 0wned and being used by Russian spam gangs to advertise Viagra and mount DDOS attacks.

"The flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks." "The malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software."

More stories: First sighting; ZDNet article; CNN.

Browsers: Firefox (4.7 MB); Opera (3.4 MB); Mozilla Suite (12.0 MB, includes email and IRC).

Only use IE for your Windows Update. If your bank insists on IE, get on the phone and tell them why that just isn't bloody good enough any more. If your work insists on IE, forward IT and your boss those story links and demand Firefox to keep doing your job.

(For our geek readers: details of the attack.)

I couldn't have imagined saying these words on the Internet before this, but ... tell everyone you know.

Update: Download.ject article from Wikipedia. (Mostly written by me.)

(no subject)

Date: 2004-06-25 07:51 am (UTC)
From: [identity profile] flickgc.livejournal.com
I thought that IE was ok if ActiveX was disabled?

(no subject)

Date: 2004-06-25 08:18 am (UTC)
From: [identity profile] flickgc.livejournal.com
I gave up this morning and illegally installed FireFox on my laptop.

Actually getting to anyone in IT who has a clue is impossible here, unfortunately: every phone number and email address redirects to the help desk, and they're, well, help desk. And I don't have a boss.

(no subject)

Date: 2004-06-25 07:59 am (UTC)
From: [personal profile] zotz
MS claim that XP SP2 will fix this. It is, of course, due RSN.

On the other hand, Firewhatever 0.9 is available already.

SP2

Date: 2004-06-25 08:47 am (UTC)
From: [identity profile] aquarionical.livejournal.com
SP2 does fix it, I'm using SP2 (Actually, XP is using SP2. I use FireFox) beta version. Not that I'm willing to be 0wned by skript kiddies to test this idea...

sorry to be dim...

Date: 2004-06-25 08:07 am (UTC)
From: [identity profile] twicezero.livejournal.com
Wouldn't a bit of firewallness stop any attack in its tracks?

Re: sorry to be dim...

Date: 2004-06-25 10:12 am (UTC)
From: [identity profile] hirez.livejournal.com
You can vaguely see the management process...

Mgt: "We must firewall this attack!"
Tech: "But..."
Mgt: "No buts! Do it!"
Tech: Blocks port 80
Mgt: "My internet doesn't work anymore!"
Tech: "Indeed not. That's what you wanted."
etc...

Re: sorry to be dim...

Date: 2004-06-25 06:00 pm (UTC)
From: [identity profile] twicezero.livejournal.com
My firewall blocks applications I haven't nominated from accessing the internet. So does this exploit just run through IE, so my firewall wouldn't block it, or does it end up having a separate app running in the background, so my firewall would stop it? I may be dim, but I'm not completely stupid you know.

Re: sorry to be dim...

Date: 2004-06-25 06:07 pm (UTC)
From: [identity profile] hirez.livejournal.com
For that case, with an application-aware firewall, it may do the trick. I'm not too sure.

I was envisaging the likely reaction of the pointy-haired corporate.

Re: sorry to be dim...

Date: 2004-06-25 11:19 am (UTC)
From: [identity profile] steer.livejournal.com
Could work... I mean you'd need the "air firewall" approach where you take a stanley knife to the CAT V cable.

Re: sorry to be dim...

Date: 2004-06-25 04:42 pm (UTC)
From: [identity profile] echo-echo.livejournal.com
Please, at least use a ceramic blade you uncouth sloven.

(no subject)

Date: 2004-06-25 09:14 am (UTC)
From: [identity profile] edwards.livejournal.com
Affect Macs, does it? Or Linux?

I'm guessing from the EXE file, that it doesn't. So whilst IE is the vulnerability, the real problem is the ability of Windows to start apps without user authorisation in the background and the sheer volume of installed systems.

Why aren't all PC users ditching Microsoft for Linux - right now?!

(no subject)

Date: 2004-06-26 04:40 am (UTC)
From: [identity profile] death4breakfast.livejournal.com
Actually, there is one thing that does help a lot in getting IE users to switch to a different browser. An Internet Explorer skin for the browser you're trying to get them to switch to.

Lusers are sort of like horses: If it looks different, it's scary and if it's scary they don't want to go there. Short of throwing a blanket over their heads an IE skin is the best way to keep your average, everyday, mouth breathing luser from getting "spooked" by something new.

I've heard of people who've had great success in getting users to switch to Mozilla using an IE skin to keep their users from spooking.

Unfortunately, the only IE skin I know of only works on older versions of Mozilla. I haven't seen one for Firefox or the later versions of Mozilla, but then I haven't been looking.

(no subject)

Date: 2004-06-25 10:09 am (UTC)
From: [identity profile] mjg59.livejournal.com
Linux won't be better unless we get rid of that pesky system() call.

(no subject)

Date: 2004-06-25 10:09 am (UTC)
From: [identity profile] arkady.livejournal.com
They're not ditching Microsoft for Linux because right now Linux is too complicated for non-geeks to grasp. With Microsoft applications, just about anyone can get a computer straight out of a box and up and running. Windows is easy to use and you don't have to be some sort of computer whizzkid to operate it.

When Linux is as easy to install and run as Windows, people will ditch Microsoft. But right now I'm afraid it's still pretty much the preserve of the geeks and the more computer-literate of the world.

(no subject)

Date: 2004-06-25 11:04 am (UTC)
From: [identity profile] edwards.livejournal.com
That's what MacOS is for. Unix, but non-geeks can use it, and many of the media-oriented tasks consumers want are easier than on the Windows apps I've seen to accomplish the same - and free with the computer.

(no subject)

Date: 2004-06-25 11:38 am (UTC)
From: [identity profile] arkady.livejournal.com
Not everyone has a Mac though; and Macs tend to be more pricey than the equivalent PC. For instance, I'm writing this on an IBM ThinkPad which was far cheaper than an equivalent iBook for example - but means I have to put up with WinXP.

If I could afford a Mac I'd use that in preference, but some of us just can't afford it. Maybe when Apple start to lower their prices, more people will be tempted to give up the evils of Microsoft.

(no subject)

Date: 2004-06-25 02:28 pm (UTC)
From: [identity profile] edwards.livejournal.com
Cheaper than an equivalent iBook? It must have been very cheap. iBooks are amongst the cheapest branded laptops you can get!

One of the problems afflicting the Mac is that the machines that are coming out of professional service are still not very good. Pre Quicksilver G4s are still painfully slow and expensive.

New, though... I think they're very competitive, actually.

(no subject)

Date: 2004-06-25 09:36 pm (UTC)
From: [identity profile] andricongirl.livejournal.com
Nah, I found iBooks are still twice the price of what you can get in an equivalent PC laptop.

(no subject)

Date: 2004-06-26 02:36 am (UTC)
From: [personal profile] aegidian
Equivalent not meaning in this case equivalently security flawed?

You get what you pay for man!

(no subject)

Date: 2004-06-26 04:34 am (UTC)
From: [identity profile] skx.livejournal.com
That would be a good argument if Macs had never had security problems, but that isn't the case.

It was only recently that the whole Help URL thing allowed Mac users to have their boxes owned by surfing the web.

I like Macs, but I wouldn't buy one until they were cheaper, and I'd still want to run Debian on them.

(no subject)

Date: 2004-06-26 07:11 am (UTC)
From: [personal profile] aegidian
Ah yes, one potential critical threat, not exploited, fixed now compared against how many active windows boxes pumping out spam and DDOS attacks? Of course, OpenBSD is better (although SSL has had its occasional exploits), and no OS is perfect, but just saying that system A and system B have both had security holes does not make them equivalent. Especially if system A is a security hole ridden piece of crap like almost anything written by Microsoft.

You can of course choose to buy something cheaper than a Mac - and run a more secure *free* operating system on it. Or you can choose to pay the extra for a decent firewall and anti-malware software on top of the cost of a Windows PC and have a relatively secure machine. Or you can pay the extra for a Mac and use a really quite secure machine straight out of the styrofoam. Nobody's denying you the choice, thank goodness.

(no subject)

Date: 2004-06-26 09:52 am (UTC)
From: [identity profile] emarkienna.livejournal.com
I'm running a free firewall, anti-malware software, alternative browser and email so I don't see that you have to pay extra.. That many clueless people opt for an insecure Windows setup doesn't mean that it can't be made more secure, and doing so is no more difficult or expensive than alternative platforms, I would say.

(no subject)

Date: 2004-06-26 12:30 pm (UTC)
From: [identity profile] edwards.livejournal.com
They're good value. I don't get people who whine about the price of Macs. eMacs are the same speed as iMacs (actually, they have twice the level 2 cache), and are £549 inc. VAT or £699 with double HD and Superdrive. G5s are only £1849 for the dual 2.0GHz G5, a thoroughly capable machine, again inc. VAT.

iBooks start at £649, IIRC. And regardless of MHz etc, the only areas you suffer are gaming - which you get a double hit, less fancy graphics hardware and less games overall - and bragging rights in pure numbers. I don't believe the 3 x Intel bullshit, but they definitely aren't a 1:1 comparison. OS X is vastly better than Windows.

Wasn't the URL thing a proof of concept, anyway? There are exploits for every OS from Windows to SMSQ/E, but some OSen make it easier to fall foul of them than others.

I made a point of saying Linux. You get your 'secure' OS and you get your cheap hardware. If you want it easy, you have to pay - frankly most Linux distros seem pretty straightforward and my experiences have been sullied by my weird-ass Dell - my Playstation 2 Linux install was as easy as reformatting and reinstalling a Mac.

(no subject)

Date: 2004-06-26 05:01 am (UTC)
From: [identity profile] death4breakfast.livejournal.com
'Cause Win98SE works just fine with Mozilla as a browser and after taking a few basic security precautions. Whereas switching over to Linux would be a big, complicated pain in the ass that would take a lot of time and effort that I don't have.

Don't get me wrong, one of these days I'll probably make the switch myself, considering how obnoxious Microsoft is getting about DRM and anti-piracy crap, but I see no compelling reason to switch now and plenty "it'd be a pain in the ass" reasons not to do so.

Unlike some people, switching over to a new OS is *not* something that I'd consider doing for fun. :)

(no subject)

Date: 2004-06-26 12:22 pm (UTC)
From: [identity profile] edwards.livejournal.com
I switched (back) to Mac OS, despite freely admitting that Mac OS 8.1 and such both sucked /and/ blew, at the same time, at least when they worked (which wasn't that often), because my Windows 2000 machine was flaking out, being hit by virii constantly despite much attempts at protection (often via IRC, seemingly, one particularly irritating wormthingy). I discovered MacOS X via my music, which I don't let PC systems near, and then decided that OS X was wonderful, new Macs were competitive (an iBook starts at £649 IIRC, and for that is a gazillion times better than the no-name Celeron POS you'll find for £599 as a PC typically), and iMovie et al are wonderful.

I switch to old OSen for fun. Then make them work together to get even older crap working - current project is getting Enterprise disks archived using an Archimedes, Mac and maybe the PC if the Mac barfs on the disk images.

(no subject)

Date: 2004-06-25 09:48 am (UTC)
From: [identity profile] serpentstar.livejournal.com
I use firefox for practically everything... but I keep IE to use my bank's website, because they can't handle Mozilla yet. I just wrote them a very stern email.

(no subject)

Date: 2004-06-25 10:00 am (UTC)
From: [identity profile] arkady.livejournal.com
Have you tried using Opera? It has this handy ability to masquerade as other browsers - including IE - without actually being them, and thus avoids being vulnerable to nasty traps like this one. It worked for me when Tescos were insisting on IE only; Tescos have since changed their site so I can use Firefox.

Alternatively switch to a bank like the Halifax who are Firefox-friendly! ;-)

(no subject)

Date: 2004-06-25 10:48 am (UTC)
From: [identity profile] serpentstar.livejournal.com
Thanks -- I'll look into Opera again. I have tried it before but found it to be inferior to Firefox. Hadn't known about its IE-impersonating facility.

I'm not changing to the Halifax -- I'm with Smile 'cos they're run by the Co-op bank, and thus vaguely ethical.

(no subject)

Date: 2004-06-25 02:46 pm (UTC)
From: [identity profile] oscarhocklee.livejournal.com
Actually, there's an extension to Firefox that does the same thing - all it does is change the user agent string. This works where the site is usable on mozilla but they've assumed not and javascripted or something... But obviously not when the site depends on an ie (mis)feature - in which case opera may or may not be better for you.

(no subject)

Date: 2004-06-26 12:32 pm (UTC)
From: [personal profile] babysimon
I'm with smile too. Mozilla does work, with one inconvenience - you have to use keyboard navigation (ie tab) to move between fields on the login screen. After that it's fine.

I don't think UA spoofing would help there.

(no subject)

Date: 2004-06-26 12:34 pm (UTC)
From: [personal profile] babysimon
Oops, should have read the whole thread first...

(no subject)

Date: 2004-06-26 12:49 pm (UTC)
From: [identity profile] serpentstar.livejournal.com
Yeah, it tabs between every element on the page, though, not just between every field -- it's a complete PITA to use Smile with FireBird, though as I say that might have improved with FireFox.

Had a highly patronizing email from Smile tech support informing me that I should use "the tab key -- that's the one with the two arrows, just to the side of 'Q'". I pointed out the slowness of that 'cos of their weird web setup. They claim to be in the final stages of testing their new W3C compliant site, but couldn't give me a launch date -- again!

(no subject)

Date: 2004-06-27 03:40 pm (UTC)
From: [personal profile] kest
Yeah, it tabs between every element on the page, though, not just between every field

That's something you should be able to change in your preferences. (At least, you can in Moz)

(no subject)

Date: 2004-06-27 03:44 pm (UTC)
From: [identity profile] serpentstar.livejournal.com
Didn't know that -- ta. I hadn't noticed it anywhere but the Smile site, though, so I still have a feeling it's a problem with them rather than the browser.

(no subject)

Date: 2004-06-25 12:00 pm (UTC)
From: [identity profile] simonb.livejournal.com
I note from a later comment that you're using Smile... what problems are you having with using Smile with Firefox or mozilla ? I've been using Smile for well over 3 years now with the progression of Netscape 4.x, Mozilla 1.x, and now FireFox 0.8.

This is on a variety of systems including Windows 98, Solaris (both i386 and SPARC) and MacOS X.

(no subject)

Date: 2004-06-25 12:18 pm (UTC)
From: [identity profile] serpentstar.livejournal.com
Interesting. I could get Smile open with FireBird (not actually tried it with FireFox yet I have to admit), but it was very un-user-friendly. I don't know the technical name for the web design feature I'm referring to here, but basically the various boxes, radio buttons and forms were all really difficult to switch between, taking me maybe 10 times longer to do anything in FireBird than in I.E. I complained to Smile about it who said their site didn't support Mozilla and they didn't recommend using it with Mozilla. So I didn't.

(no subject)

Date: 2004-06-25 12:53 pm (UTC)
From: [identity profile] simonb.livejournal.com
If you're referring to the fact that the applet SMILE uses for the actual banking stuff itself doesn't let you click to put the input focus and you have to use the tab key to move the focus around to do so, it's down to the JRE which is used. Basically SMILE's applet is specifically coded for the Windows IE JRE and nothing else... which yet again shows that the "Write once, run everywhere" of Java is a sham.

There is no fix for this other than SMILE actually fixing their applet; it didn't used to have this bug after all.

(no subject)

Date: 2004-06-26 03:25 am (UTC)
From: [identity profile] new-brunette.livejournal.com
There is one specific thing you can't do in firefox - create a new money transfer. I fire up IE once a month to pay the child maintenance. 'spose I could set up a standing order...

(no subject)

Date: 2004-06-26 04:03 am (UTC)
From: [identity profile] simonb.livejournal.com
Odd; I can easily create a new money transfer or use an existing money transfer using FireFox - I've just done both in fact.

(no subject)

Date: 2004-06-25 04:05 pm (UTC)
From: [identity profile] lastaii.livejournal.com
Well, at least MS are admitting there's a problem now:

http://www.microsoft.com/security/incident/download_ject.mspx

To determine if the malicious code is on your computer, search for the following files:

* Kk32.dll
* Surf.dat


Deep joy...

(no subject)

Date: 2004-06-25 06:28 pm (UTC)
From: [identity profile] xoreth.livejournal.com
Similarly to another respondent, I use firebird for everything but banking, and the odd other site that blergs. Have gradually converted several other users in the office. It is now a call to action, however. Thanks for the heads up.

(no subject)

Date: 2004-06-27 01:07 pm (UTC)
From: [identity profile] manoman.livejournal.com
Posts like this always make me glad that I have been using Netscape and now Mozilla since I got my first computer in 1997.