|Microsoft admits critical security flaw - Security Experts worldwide: Stop using Internet Explorer|
|Published on 12/17/08 at 20:32:43 by On|
|Microsoft admits critical security flaw - Security Experts worldwide: Stop using Internet Explorer
Microsoft is finally admitting that all its Internet Explorer versions released up to date, including its IE8 Beta version are vulnerable to a severe, remote security issue. While there is not much mentioned about the issue itself (which is not patched yet!) , one can read in Microsoft site about the issue
in a lengthy security advisory memo in which Microsoft urges its users to change their “Internet zone security setting” to “high” and to run the browser in “Protected Mode.”
According to information obtained by the WebAPP security team, this issue is known since IE version 5 was released and was discovered after years of intensive security research work by security experts in China. The exploit allows a remote user to obtain admin privileges on any remote PC using Windows- 2000, XP and Vista by infiltrating via Internet Explorer browser version from 5 to 8 by either exploiting a link clicked by a visitor on a malicious site or pushing a remote link by exploiting a local CMS system XSS vulnerabilities which are often common for PHP based platforms such as Wordpress and Drupal. While Google has been offering some help in further researching on those CMS related vulnerabilities, there is still no solutions for remote XSS-browser specific attacks. Other attempts to filter or detect such attacks by major Antivirus or firewalls software's distributors have also shown so far to be fruitless.
It has been reported that over 10,000 sites [mostly] in China assist in facilitating these attacks while most of the machines that have been compromised so far were of gamers, but financial and public machines were highly targeted to.
Computerworld suggests a tech-heavy breakdown of the exploit and the best way savvy surfers can disable its ability to affect their machines. But easier solution may just be to drop IE. Internet security firm Trend Micro’s Rick Ferguson told the BBC that “if users can find an alternative browser, then that’s good mitigation against the threat.” Microsoft has come out against users switching to another browser, citing security flaws. “It would not be advisable to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities,” Windows head at Microsoft UK John Curran told the BBC.
The WebAPP security team would strongly suggest switching to Firefox, while using Internet Explorer in a virtually isolated working environment, turning on popup blockers (default with Google toolbar) as well as avoiding clicking unknown links in PHP based CMS portals.
1 comment, (10579 reads) All Articles by, On
| Comments on this article:|