[ISN] Microsoft's browser dominance at risk as experts warn of security holes

From: InfoSec News (isn@private)
Date: Tue Jul 06 2004 - 02:32:26 PDT


By Charles Arthur
Technology Editor
05 July 2004

Its curved blue "e" sits on almost every computer desktop in the
world, but the global dominance of Microsoft's web browser could soon
be over following a stark security warning from a senior panel of
internet experts who say it opens the door to online criminals.

They are urging all users of Internet Explorer (IE) to stop using the
browser because they say it is vulnerable to hackers and credit card

The alert, from the US Computer Emergency Response Team, comes as a
blow to the global giant Microsoft, which has fought successfully to
retain its dominance of the browser market - 95 per cent of internet
surfers currently use IE.

The team, which advises the US government and is a senior authority on
Net weaknesses, said that flaws in the software expose users to
criminals who can spy on their activities, steal their personal
details or send junk e-mail from their computers without them knowing.

It said internet users should consider dumping the Microsoft software
- which comes as standard installed on PCs - and switching to another
web browser, such as the free Mozilla or commercial Opera products.

In its warning, under the technical title "Vulnerability Note 713878",
the agency notes that IE has "significant vulnerabilities in
technologies" but adds: "It is possible to reduce exposure to these
vulnerabilities by using a different web browser."

The advice - which echoes rising concern in the internet security
community - follows a continuing tide of attacks taking advantage of
holes in IE.

In the past seven days, security experts have discovered criminals
using two different "vulnerabilities" in IE to exploit Windows PCs.
The first, called "Download.JECT", silently redirected the browser to
a Russian website and made it download software that monitored key
strokes and would send out spam.

Last week researchers at the Internet Storm Centre discovered a
malicious program that used a flaw in the software to install itself
on the user's PC when a particular pop-up ad appeared. It would then
monitor the user's typing when they visited any of 50 bank sites,
including Barclays Bank, Citibank and Deutsche Bank.

Neil Barrett, security consultant of Information Risk Management,
which carries out internet security audits of companies and software,
said: "The number and seriousness of the vulnerabilities is now
getting past a joke.

"Some of the things that can be done to it are really powerful from the
hacker's point of view. There are presently more than 30 attacks that
it's vulnerable to which haven't been fixed by Microsoft."

Johannes Ulrich, chief technology officer for the Sans Internet
Security Centre in the US, said: "To keep on using IE is like playing
the lottery. You're hoping the sites you visit aren't compromised." He
said the most recent attacks were "a wake-up call for users to switch
to another browser".

The problems with IE are symptomatic of Microsoft's difficulties with
security, experts said. The arrival of the internet has led hackers to
concentrate on the most widely used products searching for weaknesses,
and scores of flaws have surfaced in Windows, as well as Microsoft's
IIS web server software and its Outlook Express e-mail software. In
January 2002 Bill Gates, founder of Microsoft, e-mailed all employees
saying that the company should alter the way it wrote software to
incorporate greater security against such threats.

But the damage may already have been done. Steve Linford, chief
executive of the anti-spam organisation Spamhaus, said: "The problem
is that Microsoft assumes its users are stupid, and it comes with
everything wide open to attack.

"Microsoft seems to think that if it has things turned off, people
will never discover how to turn them on."

Spamhaus estimates that more than 70 per cent of the 8 billion spam
e-mails sent every day come from home and business PCs that have been
subverted by programs downloaded over the Net.


* Pop-up ads can silently download software that will use your 
  computer to send out spam or install "Trojans" that watch your 

* E-mails by "phishers" can grab bank details by using malicious 
  internet addresses preceded by a real one. If you open it with IE, 
  you will only be shown the first part of the address, with the rest 
  hidden. Users may trust the address and give the criminals their 

* Another "phishing" attack uses the "fake address" method above and 
  puts a pop-up window with an image of a padlock on top of the 
  window. This looks like a "secure" website. IE has no built-in means 
  to block pop-up windows.

* Some pornography websites use IE to silently download software that 
  changes the computer's internet settings to dial a premium-rate 

* One pop-up ad installs software that monitors whether you visit any 
  of 50 banking sites, including Barclays and Citibank. When you do, 
  it monitors your keystrokes and sends them to a website in San Diego. 
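The "real address first, malicious address hidden" trick in the phishing bullet above is the classic user-info URL deception: a trusted-looking host name is placed before an "@" so the browser's address display shows the decoy while the request actually goes to the host after the "@". The following is an added defender's check, not code from the article or from US-CERT; the sample URLs are constructed and the hostname heuristic is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the article). The second and third put a
# trusted-looking name in the user-info part, before the "@"; the real host
# is whatever follows the "@".
SAMPLE_URLS = [
    "http://www.example-bank.com/login",
    "http://www.example-bank.com@198.51.100.7/login",
    "http://www.example-bank.com:443@phish.example.net/",
    "http://user:pass@ftp.example.org/",
]


def looks_like_hostname(userinfo: str) -> bool:
    """Heuristic (assumption): user-info that contains a dot and only
    host-name characters is probably meant to impersonate a host."""
    name = userinfo.split(":", 1)[0]  # drop a fake ":port" or ":password" suffix
    if "." not in name:
        return False
    return all(ch.isalnum() or ch in "-." for ch in name)


def analyse_url(url: str) -> dict:
    """Split out what a victim would be shown (the user-info prefix) from the
    host the browser will really connect to."""
    parts = urlsplit(url)
    userinfo, _, _ = parts.netloc.rpartition("@")
    real_host = parts.hostname or ""
    return {
        "url": url,
        "displayed_prefix": userinfo,
        "real_host": real_host,
        "suspicious": bool(userinfo) and looks_like_hostname(userinfo),
    }


def flag_deceptive(urls: list) -> list:
    """Return the URLs whose user-info part impersonates a host name."""
    return [u for u in urls if analyse_url(u)["suspicious"]]


if __name__ == "__main__":
    for result in map(analyse_url, SAMPLE_URLS):
        print(result)
```

A mail or proxy filter can apply the same check to every link it sees; ordinary credentials such as user:pass are not flagged because they contain no dot.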
