Internet Explorer besieged by hackers and critics
To top it off, more experts are suggesting that Windows users start using other Web browsers instead of Internet Explorer, which has more than a 90 percent market share.
Internet Explorer is the new turf in the escalating battle over online security, and Microsoft is scrambling to get more control. The company is working night and day on a comprehensive update that addresses some of the browser's security issues, but reports of new vulnerabilities arise every week.
The ultimate casualty may be the capricious adventure called the Web. In the past, security experts warned against opening e-mail messages from unknown senders. Now, they say, you shouldn't visit Web sites you aren't sure about.
For Microsoft, much of its current security efforts center on the long-awaited update to Windows XP, which will have major security upgrades. Microsoft just delayed the release of the update, called Windows XP Service Pack 2, for the second time, and it's scheduled to be released to manufacturers next month.
With SP2, as it is known, getting all the attention, Internet Explorer probably wasn't a high priority this year. Then an attack that exploited some of the program's flaws began circulating in June. Known as Download.Ject, or Scob, the malicious code targeted some high-traffic Web sites that were being run on Microsoft's software.
When an Internet Explorer user visited one of those Web sites, he or she inadvertently triggered the download of a hidden program known as a Trojan horse that could record the letters and numbers typed on the user's keyboard. It could also display boxes on the user's screen asking for credit-card numbers and ATM card codes, and send the information over the Internet.
What to do
Knock out Download.Ject. Microsoft has set up a special Web page just for the Download.Ject Trojan horse at www.microsoft.com/downloadject. There, Windows users can download and run Microsoft's Download.Ject detection and removal tool.
Get updated. Microsoft's Windows Update site, at windowsupdate.microsoft.com, scans your PC and finds the latest security updates for the system.
Set browser security to high. On Internet Explorer's Tools menu, click on Internet Options. Click the Security tab, and then click the Internet icon. Change the setting for the security level to "high." Be aware, though, that the high setting may cause some Web sites to work improperly. For more Microsoft suggestions, visit www.microsoft.com/security/incident/settings.mspx.
Have smart passwords. Don't use the same password over and over again on different Web sites. Develop a smart password policy, and use complex passwords that are hard for others to crack.
Visit trusted Web sites. If you get e-mail from a stranger encouraging you to visit some new Web site, think twice. Go to Web sites that you trust. Simply visiting an infected site could cause problems on your computer.
New mode of infection
Up to now, the major threats to computer users were viruses spreading over e-mail and worms that traveled over the Internet. They came to the user. But with Download.Ject, a user only had to visit an infected Web site to be attacked, and the damage would be done quietly and behind the scenes.
In the past, "you could rely on some level of user education," said David Endler, a researcher at TippingPoint, an Austin, Texas, security company. "But how do you tell someone not to log in and not to visit the sites they normally visit on a daily basis?"
On June 24, Microsoft said, authorities shut down a computer in Russia that was running the attack. Some experts who have viewed the code attribute the attack to a Russian group of hackers known as the HangUp Team.
Dismantling the Russian computer stopped the criminal element in the case, but didn't solve the Internet Explorer weaknesses that allowed the Trojan horse in. Download.Ject was sophisticated enough to take advantage of three flaws in Microsoft products. Microsoft was able to come up with fixes for two of them, but not the third one.
So on July 2, the company asked computer users to shut down a feature of Internet Explorer used for developing Web applications. Experts said that seemed to take care of the problem. But a few hours later, a Dutch researcher went online to announce another flaw using a similar method that could possibly enable future attacks.
Microsoft released a patch for that flaw last Tuesday. But the madness didn't end there. That same day, Danish security company Secunia announced four new "extremely critical" vulnerabilities in Internet Explorer.
No end in sight
There is no victory in Microsoft's security battle. There is no final round. There is only an endless stream of attacks hitting Microsoft products on all sides. Researchers and hackers are combing Internet Explorer and other products, searching through millions of lines of code for weaknesses that could be exploited.
Now that Download.Ject has paved the way, other attacks using similar methods could follow, experts say. Nothing major has surfaced yet, but the incident has given rise to a chorus of critics who say that Internet Explorer is too flawed of a program to handle modern-day crimes.
In reporting the most recent vulnerabilities, Secunia suggested that computer users either disable Active Scripting — something most home users know nothing about — or start using another product.
Similar advice has come from US-CERT (Computer Emergency Readiness Team), a partnership between the federal Department of Homeland Security and the public and private sectors designed to protect the nation's Internet systems.
Art Manion, an Internet security analyst with US-CERT, said the organization doesn't specifically recommend specific products, such as Web browsers. It has said, however, that a user can avoid the problems associated with Internet Explorer by using a different Web browser. But doing so can cause other issues, he said, because some Web sites require features in Internet Explorer.
There are flaws that exist only in Internet Explorer because of the way the browser was designed, Manion said.
For example, Internet Explorer groups Web sites into different security zones, each with its own policies, he said. It uses a complicated mechanism that checks whether sites can cross into different zones and what actions can be performed in those zones.
There have been a series of patches over the years as flaws are found in the zones, but the fix is in a different spot each time and the patches sometimes don't solve the problems, he said.
"It's at the point of which considering a different browser or a different product might be a valid option for you," Manion said.
Start from scratch?
Russ Cooper, a senior scientist at Herndon, Va.-based TruSecure, puts the issue more bluntly. He suggested that Microsoft fire its entire Internet Explorer team, bring in a new group of developers and build a new Web browser from scratch.
"They are fundamentally having the same problems over and over again," he said. "One has to ask the question: What is wrong with these people? They can't seem to get control of things."
But Cooper said he doesn't tell his corporate clients to begin using non-Microsoft products, because it costs more to hire experts in multiple areas. He said he would like to see Microsoft make its products more secure, even if it means disabling some features.
Gytis Barzdukas, a director of product management on Microsoft's security team, said that while Internet Explorer may have its vulnerabilities, other browsers are not free from problems either.
"It's important to note that as long as malicious users exist, there is always an opportunity for online threats," he said in an e-mailed response to questions about Internet Explorer.
Drew Copley, a senior research engineer at eEye Digital Security, based in Aliso Viejo, Calif., said he likes Mozilla, a competing Internet browser, but it doesn't have the features that Internet Explorer has.
"When I want to embed a Web browser in an application I have to use Internet Explorer," he said.
But Internet measurement companies say that Internet Explorer is starting to lose some users to Mozilla and other competing browsers. According to OneStat.com, based in Amsterdam, the global usage share of Internet Explorer has dropped from 94.8 percent in January to 93.9 percent at the end of May.
There were 54 reported vulnerabilities for Internet Explorer in 2003, and so far this year there are 43, according to Symantec's Security Response division.
More attackers are targeting the program, said Oliver Friedrichs, a senior manager at the Cupertino, Calif.-based Symantec. They're also attempting more sinister crimes.
"What we're seeing now is illicit activity, where there could be ties to organized crime or other groups, where they're trying to gain access to financial information," he said.
There are still a number of Internet Explorer vulnerabilities that Microsoft has not patched, Friedrichs said, and some others have not been patched very effectively. But the good news is that there aren't widespread exploits of those flaws, he added.
Microsoft is aware of the criticism of Internet Explorer and says it is working on a comprehensive update to the program. The release of Windows XP SP2 will have some Internet Explorer updates, but it's only for Windows XP machines.
No date for update
The separate Internet Explorer update will be for other operating systems that support the browser, said Stephen Toulouse, a security program manager at Microsoft. The company isn't saying when the update will be out or what it will do, but Toulouse said that employees are "working night and day" on it.
Cooper at TruSecure said he doesn't think there will be a massive Web browser attack anytime soon, and for users, there are still bigger Internet issues to deal with. The dominant threats still are harmful programs that come attached to e-mail messages.
"We're in a phase," Cooper said. "We need to remember that these phases come and go and have over the past."
Kim Peterson: 206-464-2360 or email@example.com
In accordance with Title 17 U.S.C. Section 107, any copyrighted work in this message is distributed under fair use without profit or payment for non-profit research and educational purposes only. [Ref. http://www.law.cornell.edu/uscode/17/107.shtml]