Tuesday, July 08, 2008


Internet Explorer

Don't use it unless you must

Via cnet, Ryan Naraine warns that exploit code has been published for a bug that can be used for a variety of malicious attacks against users running IE. He quotes this from the US-CERT advisory written by Will Dormann:
Microsoft Internet Explorer fails to properly restrict access to a document’s frames. This can allow an attacker to replace the contents of a web page’s frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document’s cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible.

…By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to access non-domain-specific elements from a web page that exists in a different domain. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page in a different domain.
Microsoft won't be producing a patch for this. Naraine also warns us about another IE vulnerability here.

Anyone who uses IE to access the internet should consider using Firefox or Opera instead. They are both free and much less vulnerable to malicious attacks. This is why I like Firefox:
Firefox does an excellent job of updating itself; Internet Explorer does not. The survey found many IE users running old versions of the browser, more so than other browsers. For example, Firefox defaults to opening up a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.

Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is updated as part of Windows Update and Microsoft Update and thus lives in a bigger, more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, its Defender anti-malware software and who knows what else.
Firefox is customizable. There are many different add-ons available, including some which improve browser security.

I am responsible for security on 6 different computers belonging to friends/family and I strongly discourage all of them from using IE unless it's necessary. (Some websites only load in IE.) They all use Firefox and like it.

