Unsafe At Any Site

Time to drop Internet Explorer

Yesterday, my mother sent me an email asking my opinion about the latest virus circulating the net. The infection has taken the form of crackers breaking into hundreds (possibly thousands) of high-profile websites and modifying them to take advantage of weaknesses in Microsoft's Internet Explorer.

In an earlier email, I had described the issue as being a virus spread by corporate websites. I suggested that people are best to move to other (and generally more secure) web browsers like Mozilla, and its smaller cousin Mozilla Firefox. My mother asked me whether that included Internet banking sites which she uses, and an MSN game site which appears to lock out non-Microsoft browsers.

My answer to her on count one was yes. Banking sites are at risk. The problem has been found on at least some banking sites, and it's difficult to know for sure which sites are affected and which are not, until it's too late. If a site doesn't allow non-Microsoft browsers, then I actually feel that it is especially high-risk, because most such sites use Microsoft's IIS web server, which appears to be the primary path of infection.

I suggested that, for sites which don't allow non-Microsoft browsers, she should stop using them until they do, and attempt to contact them and tell them why. If a banking site does not allow diversity, then I suggested that she move to telephone banking -- and that, once again, she should inform them of why.

Her bridge game, however, is another issue. MSN is owned by Microsoft, and my initial investigations, a couple of months ago, indicated that it was specifically coded to not respond to non-Microsoft browsers. I know that my mom especially enjoys the social aspects of her games there, so it's doubtful that I could convince her to stop going there. The best I could do is to suggest that she make that the only site that she visits with Internet Explorer.

What most angers me about this issue is that the unpatched vulnerability at the heart of it has been known to Microsoft for 10 months, and they've declined to issue a patch for it. It would appear that other issues (probably marketing related) are more important to Microsoft than customer security. When this is combined with Microsoft's effective ownership and control of the desktop, the result is a serious security conundrum for most computer users.

That this sort of issue has arisen for Microsoft users isn't a big shock for many security analysts. The attitude on one site I follow appears to be more one of resignation and anger than surprise.

( Mozilla and Mozilla Firefox are available at http://www.mozilla.org )
( Security list: http://www.securityfocus.com/columnists/249 )