Another reason to only use IE for Windows Update
classicsoftware
12-12-2008, 07:14 PM
CNET.COM (http://news.cnet.com/8301-1009_3-10122203-83.html?part=rss&subj=news&tag=2547-1009_3-0-20) is reporting today an un-patched exploit in all versions of Internet Explorer allowing web sites to install malware on your system. Originally reported two days ago by SANS (http://isc.sans.org/diary.html?storyid=5458&rss). Microsoft has released a Security Bulletin (http://www.microsoft.com/technet/security/advisory/961051.mspx).
"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog
And Sasser was 'limited' attacks when it first started...
Don't those guys ever learn anything?
PrntRhd
12-12-2008, 09:41 PM
More on the issue:
http://www.theinquirer.net/inquirer/news/011/1050011/microsoft-tells-users-how-to-prevent-ie-zero-day-attacks
skwerlbaitbev
12-16-2008, 09:44 AM
Please advise - with the current IE problem, and only IE on my laptop to 'browse', is it safe to visit Firefox or Mozilla, and download their browser via my IE? If not, how can I add an alternative browser?
Also wondering, I'm a limited 'surfer' - I rarely visit more than a handful of sites (Yahoo, AOL, Google, for mail, and a few blog/forums/photo-video storage sites, like voy.com and youtube). What I read seemed to indicate that the IE flaw was being utilised via Chinese 'gaming' sites. How vulnerable am I, to the IE flaw? Is there currently a means to determine if there has been any compromise of my laptop?
Thanks in advance for your replies.
classicsoftware
12-16-2008, 11:04 AM
I am sure Mozilla is safe. The problem is once the proof of concept is released, any site can be hacked. DON'T use IE. That's it, get Firefox, get it now....
If 'gaming' sites are being used, it won't be long before it bleeds to 'social networking' and other types of sites. That said, Yahoo, Google, AOL probably are 'safe'...it is in their interest to keep on top of things. Youtube...probably, but most all of its content relies on scripting of some sort in order to be visible...and that is the heart of most IE problems, scripting.
Yes it should be safe enough to visit Mozilla to grab FireFox...if you are concerned about doing so, you can always use another machine and download the install package and burn it to a CD, from another machine. Or pick up a computer magazine that has a disk of software...most of them include FireFox on the disk...look at the list of included software, to be sure.
PrntRhd
12-17-2008, 12:05 AM
Microsoft is announcing they are releasing their first attempt to patch this:
http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx
PrntRhd
12-17-2008, 02:27 AM
Opera is another alternative browser that is safe, new version just released v9.63.
Paul Komski
12-17-2008, 03:34 AM
Depending on where one surfs it is probably a good idea to run Firefox with the no scripts extension for a much greater braces and belt approach.
Those at greatest risk from the small number of such malicious websites so far in existence will be those who respond to spam or get directed to sites they didn't consciously mean to go to. For those that deal in porn and warez be especially aware.
There are text based browsers such as Alynx but I'm not sure how one would access them without a terminal of some sort.
Full list of browsers (http://en.wikipedia.org/wiki/List_of_web_browsers). Well not full because it doesn't mention the OffByOne Browser (http://offbyone.com/offbyone/ob1_overview.htm) which I suspect is safe since it doesn't support javascript (or maybe any scripting) at all. Another approach for the paranoid is to surf from a Linux Live CD.
Fruss Tray Ted
12-17-2008, 07:16 AM
Another approach for the paranoid is to surf from a Linux Live CD.
Isn't 98Lite, XPLite etc supposed to enhance the safety (vulnerabilities+) as well as the speed of your system? Is it that management is not allowed to comment on such things also!?!? Hehe,, (Sucks to be you :D )
I use a-n-y-t-h-i-n-g BUT (IE) so, why even have it installed? I can't count the times I've gone to Windows Update in FF and discovered I couldn't get the updates needed done because I was in (using) an unaccepted browser to their criteria to even convey theirs!!!!...
Talk about bullets shooting at your own dancin' feet! :eek:
MS should loosen their grip and stinginess and let a few techs download thru a browser of their choice ie, the (for) IT pros links at their site, should allow alternate browsers IMO!..
Complicates and lengthens my work day! KnowhattI mean Verne???!?! :confused:
Paul Komski
12-17-2008, 08:53 AM
so, why even have it installed?
If that wasn't a rhetorical question then the answer is that it is part and parcel of the operating system; it is integral to it.
PrntRhd
12-18-2008, 01:33 AM
Microsoft did just release their first patch attempt to stop this IE zero day problem. (Requires a reboot)
skwerlbaitbev
12-21-2008, 12:23 PM
I am sure Mozilla is safe. The problem is once the proof of concept is released, any site can be hacked. DON'T use IE. That's it, get Firefox, get it now....
'K, I'm getting the feeling this is somewhat 'tongue in cheek' ... I'm really not the paranoid type, and I don't think I'm at 'high risk', because my internet ventures are relatively limited. I don't have any axe to grind, with Microsoft, I don't care how much money Bill Gates makes, or burns building 'houses' that are basically monstrous. So, my real question is, since I do like some sites that I believe require things like 'java' (don't online games like 'mah jong', require java?), is it only paranoia that made me think I should stop using IE and upload a new browser, like Firefox?
Think I'll visit the MS patch site, and see if I can make any sense of it ...
Thanks for the advice and suggestions. For those of us who really use the 'net in a very limited way, any advice from those in the know is appreciated!;)
PrntRhd
12-21-2008, 03:28 PM
skwerlbaitbev,
The sites are specifically being hacked to exploit IE users at this time, which is why using alternative browsers is safer when these exploits occur. Estimates are two million PCs were infected by the latest exploit before MS released this emergency patch. Until the patch was released users were completely at risk if surfing with IE, that is called Zero Day (a live exploit exists with no user method to stop it).
Firefox and Opera are not susceptible to that IE exploit and Firefox w NoScripts Extension does not allow embedded code from the hacked sites to run without permission. This makes it much less likely to get infected by this whole type of attack. Both Firefox and Opera have automatic notification of new versions of the browsers that fix the vulnerabilities before they are exploited, and both are updated quickly. Both Firefox and Opera have had new versions launched in the past week to fix discovered vulnerabilities before they are exploited.
All browsers that allow graphics have vulnerabilities, the difference in risk is whether you are exposed to exploits and for how long.
Classicsoftware was not doing a Chicken Little impression, the exploit was raging and the need was real when he posted the thread with the warning.
Most of the exploits over the past months/years have targeted what are mainly, fundamental flaws, in IE's underpinnings...namely its scripting engines. With an unpatched/zero day exploit, ANY site becomes dangerous...even legitimate sites. Basically, any site that uses scripting and has ads (don't even have to be pop-ups or Flash ads) is a potential source of infection. Actually, any site that pulls any third party content...if the content doesn't originate from the same server as the site, it is a threat. And the threat of ads isn't limited to ads from 'dodgy' places. I have seen 'infected' ads running on 'mainstream' sites...even places like Yahoo (but most of Yahoo's ads, these days originate 'in house').
classicsoftware
12-21-2008, 05:26 PM
Safe browsing is an oxymoron. There is no such thing. Last year the Super Bowl web site was infected. Trust me, this is not tongue in cheek. It's your choice. Forewarned is forearmed.