Major flaw revealed in Internet Explorer; users urged to switch

[Americanhero1]

The major press outlets are abuzz this morning with news of a major new security flaw that affects all versions of Internet Explorer from IE5 to the latest beta of IE8. The attack has serious and far-reaching ramifications -- and they're not just theoretical attacks. In fact, the flaw is already in wide use as a tool to steal online game passwords, with some 10,000 websites infected with the code needed to take advantage of the hole in IE.

Virtually all security experts (as well as myself) are counseling users to switch to any other web browser -- none of the others are affected, including Firefox, Chrome, and Opera -- at least for the time being, though Microsoft has stubbornly said it "cannot recommend people switch due to this one flaw." Microsoft adds that it is working on a fix but has offered no ETA on when that might happen. Meanwhile it offers some suggestions for a temporary patch, including setting your Internet security zone settings to "high" and offering some complicated workarounds. (Some reports state, however, that the fixes do not actually work.)

Expedient patching or switching are essential. Security pros fear that the attack will soon spread beyond the theft of gaming passwords and into more criminal arenas, as the malicious code can be placed on any website and can be adapted to steal any password stored or entered using the browser. It's now down to the issue of time: Will Microsoft repair the problem and distribute a patch quickly enough to head off the tsunami of fraud that's about to hit or will it come too late to do any good?

Meanwhile, I'll reiterate my recommendation: Switch from Internet Explorer as soon as you can. You can always switch back once the threat is eliminated.
http://tech.yahoo.com/blogs/null/111811

[Lisa]

Oh forget about IE!

Mozilla Firefox is the way to go. 

[Abben]

Same here Lisa I have been using firefox for years. I didn't even like pocket ie on my ppc phone

[Lisa]

Also for those of you using Windows, there's another browser called Flock. 

[DownwithIslam]

Firefox is not good at all on a mac. Many sites dont appear properly and some media embedded in websites doesn't play right. Firefox is very good on windows though. I tried it on the mac and it was bad.

[DownwithIslam]

Safari is quite good, it came on my computer and works great. Camino is good too.

[q_q_]

<snip>In fact, the flaw is already in wide use as a tool to steal online game passwords, with some 10,000 websites infected with the code needed to take advantage of the hole in IE. <snip>
You can always switch back once the threat is eliminated.
http://tech.yahoo.com/blogs/null/111811

no doubt there are great benefits in switching browsers. But this article looks like dishonest garbage.

Internet explorer has been being exploited for years. There isn't really anything here that shows this particular exploit is any different to any others.

http://www.pcadvisor.co.uk/news/index.cfm?newsid=10218
July 2007 !!
"
A recent example: The June attacks launched from a collection of more than 10,000 legitimate websites, the bulk of them hosted on Italian servers. The servers were compromised using an unknown vulnerability, then loaded with Mpack, a multiple-exploit toolkit hackers deploy to hijack PCs visiting those sites.
"

So, malware infecting websites and making them malicious is apparently  nothing new..   

I think it's mainly maliciously designed websites that do malicious things though (i.e. intentional). Not "infected".  Hence the bulk of the problem is from websites that claim to, and sometimes do, provide serial numbers, or cracks.

[Mishmaat]

Whether this is true or not, the next release of Internet Explorer (Version 8.0) will be complete garbage.

[muman613]

<snip>In fact, the flaw is already in wide use as a tool to steal online game passwords, with some 10,000 websites infected with the code needed to take advantage of the hole in IE. <snip>
You can always switch back once the threat is eliminated.
http://tech.yahoo.com/blogs/null/111811

no doubt there are great benefits in switching browsers. But this article looks like dishonest garbage.

Internet explorer has been being exploited for years. There isn't really anything here that shows this particular exploit is any different to any others.

http://www.pcadvisor.co.uk/news/index.cfm?newsid=10218
July 2007 !!
"
A recent example: The June attacks launched from a collection of more than 10,000 legitimate websites, the bulk of them hosted on Italian servers. The servers were compromised using an unknown vulnerability, then loaded with Mpack, a multiple-exploit toolkit hackers deploy to hijack PCs visiting those sites.
"

So, malware infecting websites and making them malicious is apparently  nothing new..   

I think it's mainly maliciously designed websites that do malicious things though (i.e. intentional). Not "infected".  Hence the bulk of the problem is from websites that claim to, and sometimes do, provide serial numbers, or cracks.

No, there is a security hole in Internet Explorer and it is being exploited. One can debate whether or not it is worse than any other security hole in a Microsoft product but it apparently is being exploited more now that it is known. I would avoid using IE at all costs at this point. Firefox is free and it works.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123612&intsrc=hm_list

December 16, 2008  (Computerworld) Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system.

Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. "At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said company spokesman Christopher Budd in an e-mail today.

Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.

Last weekend, Microsoft researchers said that they had seen a "huge increase" in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.

Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free e-mail client bundled with Windows XP. Because Outlook Express renders HTML-based messages using IE's engine, attackers could exploit the bug by getting users to open or view malicious messages.

This will be the second out-of-cycle patch from Microsoft in the last two months. In late October, it issued an emergency fix for a critical vulnerability in the Windows Server service; like IE's bug, that one had been actively exploited before Microsoft was able to come up with a patch.

According to today's advance notification, Microsoft will provide patches to users of Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.

[q_q_]

<snip>

No, there is a security hole in Internet Explorer and it is being exploited.

Obviously   "there is a security hole in Internet Explorer and it is being exploited. " 

Nobody is disputing that

One can debate whether or not it is worse than any other security hole in a Microsoft product but it apparently is being exploited more now that it is known.

yes muman, they do tend to get exploited more once they are known

[HiWarp]

And yet, even with all the security holes in IE in addition to this one, there are companies that produce web apps that REQUIRE you use to IE.  Go figure.

[q_q_]

And yet, even with all the security holes in IE in addition to this one, there are companies that produce web apps that REQUIRE you use to IE.  Go figure.

if that is the case, it's money..

there are different types of programming computer fanatics.. 
-one wants to do the latest and greatest coolest looking thing.

-one wants standards compatibility , an extreme being even if browsers don't support it!

-one wants browser compatibility,
-one wants functionality and no whistles and bells.
(those 2 tend to go together)

Industry just want to get things done quickly.. and the latest cool looking thing for their websites(that impresses idiot end users - consumer types).  compatibility isn't in their vocabulary. The business execs often only know and use IE..

[mord]

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210

[muman613]

<snip>

No, there is a security hole in Internet Explorer and it is being exploited.

Obviously   "there is a security hole in Internet Explorer and it is being exploited. " 

Nobody is disputing that

One can debate whether or not it is worse than any other security hole in a Microsoft product but it apparently is being exploited more now that it is known.

yes muman, they do tend to get exploited more once they are known

Did you not just say:

no doubt there are great benefits in switching browsers. But this article looks like dishonest garbage.

Is it 'garbage' or is there a security hole? Sometimes you are not clear in what you are saying. If you are saying that the warning about this IE flaw is 'dishonest garbage' then I gravely disagree with you. My post was to clarify that this security flaw is not 'dishonest garbage'.

[q_q_]

yes muman, there is a security flaw and nobody disputed that.

the article is still dishonest garbage.  I don't mean it's false, I just mean it's fit for the trash. I gave the reasons, so you didn't have to guess and get it wrong.

it wasn't clear to you because you were looking for things that weren't there, you were looking for me to say that there was no exploit.

I said
"Internet explorer has been being exploited for years. There isn't really anything here that shows this particular exploit is any different to any others."

I compared that article (which talks about things being "too late" , as if it could be the end of IE or the world if people use IE)  to one in 2007.

This is just some FUD article trying to convince people that because of -this- exploit, people have to switch NOW!  Like this exploit changes things, it's somehow unique. Of course it's a person that just wants people to leave IE anyway. It's not a bad idea to leave IE, but not out of great fear regarding -this- exploit. If he was honest he would have made whatever the argument is, without even making a big deal about this week or this month or this season's IE exploit.