Is It Time To Change Web Browsers?

Thursday, March 4, 2010 11:00
Posted in category Computer Security

Just last month I wrote an article on “Choosing a Secure Web Browser” after a recent attack using vulnerabilities in the Internet Explorer 6 (IE) web browser.  In that article, I stated that security researchers and some governments were recommending that people change to a different web browser or at least upgrade to IE8 (you can read the full article using the above link).  Just this weekend, a couple of other security researchers announced another vulnerability involving IE web browsers, including IE8.  This vulnerability was confirmed on Monday by Microsoft.  The question now is whether to wait for a patch from Microsoft or to change web browsers.  Let’s look at the highlights of the vulnerability to determine the right answer for you and your business.

The Vulnerability

This most recent vulnerability involves a flaw in VBScript that can be used to install malware or other types of bad software onto your computer.  This vulnerability affects Windows 2000, Windows XP and Windows Server 2003, and all versions of Internet Explorer (IE).  If you are running Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7, it appears at this time that you are safe from this vulnerability.

The vulnerability requires that you be using the IE web browser on one of the Windows operating systems noted in the above paragraph, and that you be on the internet at a website that has malicious code (a software program or script).  The risk may seem low, but even trusted websites have been and will continue to be broken into and have malicious code loaded onto them.  Any website could contain some malicious code without you knowing about it.

If you end up on an infected website while using IE and one of the vulnerable Windows operating systems, you will receive some form of pop-up or message telling you to press the F1 key.  If you press the F1 key, the attacker can hijack your computer or upload some form of malware to your computer.  Once the attacker has control of the computer, they can do anything that a regular user of the computer can do.  This is another reason not to give regular users administrative rights to the computer.  Basic user accounts should be used.

Solutions or Workarounds

Until a patch comes out for this security vulnerability, there are a couple of things that you can do to protect your computer(s).

  1. Make all users aware of the security issue and instruct them not to press F1 when prompted.
  2. Change what web browser is being used.
  3. Disable Windows Help by entering, at the command line, the command given in Microsoft’s Security Advisory. You must be logged in as administrator to use the noted command.
  4. Upgrade your operating system to one of the unaffected Windows operating systems.  This is an extreme and costly measure, but one that appears to work at this time.

Telling users not to press F1 when on the internet may not be the best solution since the notice to press F1 can continue to occur until the F1 key is pressed.  This means the user will most likely be annoyed with the message until they press F1 to get rid of the message.  If you choose not to change the web browser that is being used, I would recommend that the Help function be disabled until a patch for this security vulnerability is created and available from Microsoft.

Let me know what you decide to do to address this security issue.  I would be interested in everyone’s response since it still appears so many users use the IE web browser.
