The U.S. government’s Computer Emergency Readiness Team (US-CERT) is
warning Web surfers to stop using Microsoft’s Internet Explorer (IE)
On the heels of last week’s sophisticated malware
attack that targeted a known IE flaw, US-CERT
updated an earlier advisory to recommend the use of alternative browsers
because of “significant vulnerabilities” in technologies embedded in IE.
“There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model, MIME-type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different Web browser, especially when browsing
untrusted sites,” US-CERT noted in a vulnerability note.
The latest US-CERT position comes at a crucial time for Microsoft
, which has invested heavily to add secure browsing technologies
in the coming Windows XP Service Pack 2. The software giant has spent the
last few months talking up the coming IE security improvements but the slow
response to patching well-known — and sometimes “critical” — browser holes
isn’t sitting well with security experts.
On discussion lists and message boards, security researchers have spent a
lot of time beating the “Dump IE” drum, and the US-CERT notice is sure to
lend credibility to the movement away from the world’s most popular
US-CERT is a non-profit partnership between the Department of Homeland
Security (DHS) and the public and private sectors. It was established in
September 2003 to improve computer security preparedness and response to
cyber attacks in the United States.
It has been more than two weeks since Microsoft confirmed
the existence on an “extremely critical” IE bug, which was being used to
load adware/spyware and malware on PCs without user intervention but, even
though the company hinted it would go outside its monthly security update
cycle to issue a fix, the flaw remains
US-CERT researchers say the IE browser does not adequately validate the
security context of a frame that has been redirected by a Web server. It
opens the door for an attacker to exploit the flaw by executing script in
different security domains.
“By causing script to be evaluated in the Local
Machine Zone, the attacker could execute arbitrary code with the privileges
of the user running IE,” according to the advisory.
“Functional exploit code is publicly available, and there are reports of
incidents involving this vulnerability.”
To protect against the flaw, IE users are urged to disable Active
scripting and ActiveX controls in the Internet Zone (or any zone used by an
attacker). Other temporary workarounds include the application of the
Outlook e-mail security update; the use of plain-text e-mails and the use of
Surfers must also get into the habit of not clicking on unsolicited URLs
from e-mail, instant messages, Web forums or internet relay chat (IRC)