OT - CRITICAL BROWSER FLAW - PLEASE READ

Started by SPARC Admin, Jul 05, 2004, 06:02:37 PM

SPARC Admin

THIS IS NOT A JOKE.........Please pass this along to other folks. Again, this is NOT a joke.

Another, very serious hole in Internet Explorer has been found. ZDNet is reporting that "numerous" corporate web servers are infecting visitors' PCs.

"The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites."

ZDNet says users have 'few options' other than alternative browsers or platforms.

ALSO...There's apparently ANOTHER newly discovered exploit in IE that can compromise an IE user's machine through an image on a web page. So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected".  The only solution is to stop using IE and use another, less exploitable browser like Firefox, Mozilla, Opera, etc. An article on the graphics exploit is here:

 http://www.eweek.com/article2/0,1759,1617046,00.asp


A possible fix from Microsoft (yeah, right):

http://www.microsoft.com/security/incident/download_ject.mspx

I strongly suggest that people download and use the FireFox browser. It's free and doesn't have these security holes in it. Plus it has a built-in pop-up blocker, spam filter, and tabbed browsing (very nice).

If you've read this far and decide to keep using Internet Explorer, don't complain when you get infected. You were warned.

You can download FireFox here for free: http://www.mozilla.org/products/firefox/


We strongly recommend Spybot and AdAware. These two free apps will kill most spyware dead.

For Spybot:
http://www.safer-networking.org/index.php?page=mirrors - VERY high traffic here, so it may be slow right now.

For AdAware:
http://www.lavasoftusa.com/software/adaware/

If those sites aren't working, you can always try "spybot download" and "adaware download" in Google.

Then, on top of THOSE you need to run a virus scanner. Try AVG, it's free and works as well as or better than McAfee:

http://www.grisoft.com/us/us_dwnl_free.php

Good Luck. If you're using Internet Explorer, you'll need it.
http://deltabravo.net

darkspectre

Hate to sound like a know-it-all but I wanted to offer a couple of tips when using the Spybot and Adaware utilities, which are both great by the way.

1) Download and install them.

2) Close down all programs running in your Systray (These are all the little icons that hang out in the lower right of your task bar.)

3) One at a time, open Spybot or Adaware and select the option to have it go out to the Internet and search for updates.

4) Once that's done close everything and reboot your machine in Safe Mode. For those of you who don't know how to do this, for most operating systems you just keep hitting F1 during the boot process and it'll eventually take you to a screen that lets you select a number of different boot options. You want Safe Mode. The reason for this is that you want to avoid letting your machine launch anything in the startup, including connecting to the Internet while you're running these utilities.

5) Launch Spybot and have it scan your machine. Take a quick look at everything it finds and if there's nothing critical (normally not), have it blow them off your machine. Close it.

6) Launch Adaware and repeat step #5. Close it.

7) Reboot your machine and let it boot up normally.

8) You're good to go!

Good luck.

MYSONSDAD

Went thru and did it all...

nosonew

I downloaded Opera, just love it.  Much faster than IE...

Brent

You've probably heard about a particularly nasty Trojan horse attack recently which exploited several vulnerabilities in Microsoft Internet Explorer and Internet Information Services. While viruses and Trojans have been around for years, this particular attack was new because it used several vulnerabilities at once, and it didn't require the user to download or install any programs or visit any malicious Web sites. It's time to say goodbye to Internet Explorer and its security flaws forever. Here's how to do it.


Before you go removing your only Web browser, you need to have something to replace it with. There are two primary alternatives to Internet Explorer: Mozilla and Opera.

Mozilla is actually a suite of programs; it's a Web browser, email client, address book, and calendar all rolled into the same basic framework, but we're talking about the browser only now. Mozilla has two derivatives: Netscape, which is a proprietary version of the Mozilla suite, and Firefox, which is a stripped-down version of Mozilla. Those with slow machines may have a better experience with Firefox, since it is only the bare browser component of Mozilla with some modifications. If you're looking for the most IE-like Web browser (in terms of interface), Firefox is your best bet.

All Mozilla derivatives offer pop-up ad blocking, tabbed browsing (which allows you to have several Web pages open in one single window, as opposed to opening them all in separate instances of the program), and superior security and stability. Firefox and Mozilla are both free software, meaning you are not restricted in how you use, modify, or distribute them.

Opera is a proprietary Web browser with lots of excellent features. Like Mozilla, Opera has pop-up ad blocking and tabbed browsing capabilities, and it also has a built-in email client and address book. Despite having many of the same key features, Opera has a different look and feel from Mozilla and Mozilla-based Web browsers, and it's drastically different from Internet Explorer. Some may enjoy that, others will find it irritating. Opera also has built-in ads that display near the top of its browser window; if you want them to go away you have to pay almost $40.

All of these programs can automatically import your IE Favorites from the folder called Favorites in your user's Documents and Settings directory.

There is no harm in installing more than one of these programs. Try them all, if you like, before making a decision, and be sure to give yourself at least a week's time to adjust to each program's different features and interface.

No matter which you choose to install, the new program will at some point ask you if you'd like to make it your default browser. You should say yes, although if you're installing multiple browsers each one will want to check if it's the default every time you start it unless you tell it to stop asking. As long as IE is no longer the default and you have a different program to browse the Web, your mission has basically been accomplished. At this point you can safely remove IE from your computer -- mostly.



How to remove IE

Once you've decided to get rid of IE, you can use the following process, provided you have Internet Explorer version 6 or later installed. Ironically, the easiest way to remove Internet Explorer versions earlier than version 6.0 is to first upgrade to 6.0 -- a process best done through Windows Update. If you're using Windows 95 and want to remove IE, Microsoft has instructions here.

In Windows NT 4.0, 98, 98SE, ME, 2000, and Advanced Server Limited Edition, open up your Control Panel, which is found in the Start Menu under Settings. Then double-click on Add/Remove Programs; a new window will appear with this same title. Select Add/Remove Windows Components from the left-hand icon column and then uncheck the box next to Internet Explorer. Click Next and IE will disappear from your system; click Finish to complete the process. All IE icons will be removed from your quick launch, desktop, and Start menu.

Depending on which operating system you're using and how it has been updated and configured, the option for removing Internet Explorer may alternately be in the Add/Remove Installed Programs section instead of the Add/Remove Windows Components section, but the basic process remains the same.

In Windows XP the process is exactly the same, except you have some further options to limit Internet Explorer. In the same Add or Remove Programs window, Windows XP has an additional option for those with Administrator rights: Set Program Access and Defaults, which is the last icon down on the left-hand icon bar. Click on it and you'll see some different profiles to choose from. Click on Custom; this will list some program defaults and access controls that you can change manually. The first group in the list is for your Web browser. Uncheck the box labeled "Enable access to this program" next to Internet Explorer. You'll notice there is a button for the system default -- you'll want to click the dot next to your new browser to make it the default if it isn't already set.

Internet Explorer is, unfortunately, built into Windows in all versions after 98 and can't be fully removed. No matter what you do, IE will still be available in a limited capacity for the purpose of running Windows Update, which requires Internet Explorer to run. It will not be generally available to users, however, and since you set your default browser to whatever you installed earlier, IE will never open on its own when you click a link offline. This is the best you can do; Windows security is all about reducing risk, rather than eliminating it. If you start Windows Update, an IE window will open and you can use it for browsing sites other than Windows Update despite the fact that it's been "removed" and "disabled." This is one of the main problems with Windows -- there are always loopholes like this one that compromise your system's security. A more effective long-term answer to such security concerns might be to switch to GNU/Linux.


There's only so much you can do with HTML and cascading style sheets (CSS). You can do more with high-level Web languages like PHP, ASP, Perl, and Python, but you still need HTML to display Web programs. A more powerful solution is to create an applet -- a separate program that is downloaded and run through your Web browser upon request. Sun Microsystems created the Java language for this purpose, and Microsoft responded by introducing the ActiveX control subsystem.

The difference is, Sun designed Java with security in mind, and Microsoft didn't. Microsoft's idea of ActiveX security is to require that publishers digitally sign their programs and to require that end-users assent to the installation of ActiveX applets. There is no way to know what an ActiveX applet will do until you've run it, at which point it is too late to stop any damage it has done. Digital signatures do nothing to stop malicious code.

No matter how many security patches Microsoft releases, ActiveX can still destroy your system or steal your data. The only way to prevent it from potentially harming you is to disable ActiveX, thereby limiting IE's functionality.

The second disastrous extension that Microsoft added to IE is the Browser Helper Object, a file that loads with Internet Explorer and has unrestricted freedom to download, run, and install programs or applets without your permission or knowledge. The security risk here is obvious and self-explanatory; coincidentally this is one of the tools used in the above-mentioned recent Trojan horse attack.

BHO exploits cannot be detected or stopped by antivirus software. Some kinds of spyware detection programs can detect these kinds of attacks, and some can't. Rather than downloading and installing more software to fix problems in IE, it's best to just use a different browser.

As a program, IE simply was not designed to be secure. SecurityTracker.com keeps a list of IE's security alerts -- see for yourself how serious the threats are to Internet Explorer (http://www.securitytracker.com/archives/target/49.html) and how often they occur. Compare that list with the list for Mozilla (http://www.securitytracker.com/archives/target/1291.html). Which one would you rather use?

Mozilla: 36 alerts/vulnerabilities
Explorer: 182 alerts/vulnerabilities


Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report.


From: http://software.newsforge.com/software/04/07/01/123233.shtml?tid=78&tid=82&tid=90
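
The article quoted above describes Browser Helper Objects as files that load with Internet Explorer. As an added example (not part of the original post or the quoted article), this read-only PowerShell sketch lists the BHOs registered machine-wide and the DLL behind each one so they can be reviewed. The registry locations are the standard Windows ones rather than anything given on this page, and the function name `Get-BrowserHelperObject` is made up for this example.

```powershell
# Added example: enumerate Browser Helper Objects (BHOs) registered machine-wide.
# Read-only; run in PowerShell on the Windows machine being checked.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit registrations on 64-bit Windows live under WOW6432Node
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BrowserHelperObject {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid     = $key.PSChildName          # each BHO is a subkey named by its CLSID
            $classPath = Join-Path $view.Clsid $clsid
            $name = $null
            $dll  = $null
            if (Test-Path -LiteralPath $classPath) {
                # Default value of the CLSID key is the friendly name, if any
                $name = (Get-Item -LiteralPath $classPath).GetValue('')
            }
            $inproc = Join-Path $classPath 'InprocServer32'
            if (Test-Path -LiteralPath $inproc) {
                # Default value of InprocServer32 is the DLL loaded into the browser
                $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = $exists
                Signature = $sig   # one data point for review, not a verdict
            }
        }
    }
}

Get-BrowserHelperObject | Sort-Object Dll | Format-Table -AutoSize
```

Entries with no name, a DLL outside the usual program directories, or a missing file are the ones worth looking up first.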


Hawkeye

I've virtually ditched MSIE and am using Mozilla because my/our son loves the logo... LOL... Dinosaurs, gotta love 'em...  Must be another Cheney/Bushie distraction... they do that a lot these days...

some rationale, eh? but it (browser) and its little brother/sister Firebird works great too, even imports your bookmarks. How about that Opera?

sheeesh, I think our freedoms of speech are at stake here

DISCLAIMER: These are my opinions, not SPARC's, blah, blah, blah.


kiddosmom

I downloaded FireFox and am now using it. It says there are 195 extensions, do I need any of them?

Other than the Flash extension that it popped up saying I needed.

Brent

>It says there are 195 extensions, do I need any of them?

In general, no. You only need to install them if you want the browser to do something extra, for example, to open a PDF file you'd need the PDF extension.

Congratulations on switching to FireFox!

nosonew

Many of my friends and family ignored the warning, and are now paying the consequences...I heeded the warning, and have both Netscape and Opera. My computer is fine... THANK YOU THANK YOU....nosonew

SPARC Admin

>Many of my friends and family ignored the warning, and are
>now paying the consequences...

Yep, quite a few folks we know did nothing and are now paying the price.


>I heeded the warning, and have
>both Netscape and Opera. My computer is fine... THANK YOU
>THANK YOU....nosonew

You're welcome! :)

Seriously folks, if you're reading this and haven't switched to FireFox, Mozilla, or Opera yet, you're deliberately putting yourself at an almost 100% risk. Internet Explorer is simply unsafe at any speed. When your data disappears or your identity and credit card information are stolen, please remember- you were warned.

Get FireFox now: http://www.mozilla.org/products/firefox/
http://deltabravo.net