Viewing This Site (or Any Site) on IE? Switch Browsers Now, Some Experts Say (update 2)

Posted 12/16/2008 at 4:09pm | by Mark Edward Soper

11

Comments

Print

Once again, Internet Explorer (aka "Internet Exploder") has been attacked through a "zero-day" remote code execution vulnerability. That might not seem like MaximumPC.com-worthy news, except for two factors: the flaw is affecting thousands of websites, and this time, it isn't just Firefox fans who are saying "time to switch browsers, already!" - security experts at Trend Micro, the Spamhaus Project, and the UK's PC Pro magazine are all recommending making a switch, according to the BBC. And here's why:

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Switching Browsers? Choices Abound!

Attacks against IE7 have been verified, but all versions of IE (including IE 8 Beta 2) have the same underlying vulnerability; a vulnerability not present in IE's competitors (Firefox, Opera, Chrome, and Safari). Switching browsers makes sense for most web surfing, but, alas, some websites and (of course) Windows Update and Microsoft Update for Windows XP won't work with anything but IE.

Redmond Readies Security Update

Since the vulnerability was detected on December 10th, Microsoft code jockeys have been working hard to patch the flaw (Redmond doesn't want you to switch, naturally, and given the way that IE and Windows work together, a broken IE isn't good for anybody), and a patch will be available tomorrow (December 17th) for all versions of IE from 5.01 up, applying to all versions of Windows and Windows Server from Windows 2000 on up. It's rare for Microsoft to perform a security update between Patch Tuesdays, but when a "Critical" vulnerability (the most dangerous category of vulnerability) is discovered, there's no time to waste.

Workarounds to Use Now

(Updated 12-16-08 with a hat tip to Number Six) If you must use IE in the meantime, Microsoft recommends the following workarounds in its security bulletin (follow link for details):

• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
• Disable XML Island functionality
• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
• Disable Row Position functionality of OLEDB32.dll
• Use ACL to disable OLEDB32.DLL Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008
• Disable Data Binding support in Internet Explorer 8 Beta 2

Note that these workarounds have various effects on your ability to browse certain websites, and some are designed for certain Windows/IE combinations only.

you can use the following workarounds to protect yourself (see the BBC dot.life blog for more information):

• Users of IE7 or IE8 Beta 2 on Windows Vista can run IE in Protected Mode (this is not an option on the Windows XP version, unfortunately)
• All IE users should change their Internet zone security settings to High
• All Windows users should configure their systems for automatic updates
• All Windows users should update their anti-virus software

What are the long-term implications of this latest security flaw? A BBC technology blogger suggests "[t]his could be the moment when the minnows in the browser wars finally score a significant victory."  What do you think? Hit Comment and tell us.

Updated first paragraph with new link describing scope of the problem. Updated last paragraph with official workarounds from Microsoft.