Tuesday, January 19, 2010

Google Gmail Hack: a Followup

"After Google hack, Microsoft asks users to abandon IE6, XP"
One Microsoft Way (January 18, 2010)

"Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.

"On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly published exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE)...."

"Assessing risk of IE 0day vulnerability"
Security Research & Defense (January 15, 2010)

"Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available.

"Before we get into the details I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6. As discussed in the security advisory, while newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult. We would like to share a little more information about both the vulnerability and the exploits we have seen to help you understand the risk to your organization...."

"...Ways to block Code Execution

"The vulnerability is present in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. All versions may crash after opening the attack code. However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution...."

The first item is to disable JavaScript, a fairly standard move.

Good Advice: But I'm Not Taking It - Quite

My computer, the one I do practically all my work on, is over five years old and uses Windows XP. I'd upgrade: but don't have the budget for it. Yet.

On the other hand, I've got pretty good security: malware scans on a programmed schedule, a protocol I follow when downloading files: and I don't use Internet Explorer unless I absolutely have to.

Some companies, for reasons or unreason unknown, won't do business online unless transactions are mediated through IE. I avoid dealing whenever possible, but sometimes - - -.

I use Firefox, the most recent upgrade (3 point something now). And have my security software watching Firefox.

I like to think that Microsoft is doing a better job these days, of making Internet Explorer a comparatively safe browser. But: trust IE, with its track record for security issues? I think not.

A tip of the hat to Twitter_Tips, on Twitter, for the heads-up on the article.
