Urgent warning

[ciphergoth]

Stop browsing the web NOW, or your computer will come under the control of the Bad Guys. Read this first.

Internet Explorer, the web browser that comes bundled with Windows and some Mac systems, has a serious security flaw. Just by viewing a web page you might compromise your machine. And thousands of web pages all over the Net contain the damaging code - because the machines hosting those pages have been compromised. This means that you will be attacked even if you stick to browsing sites that you trust.

There is no fix to Internet Explorer available, even though this flaw has been known about for some time. If you continue to use this browser, you are asking the bad guys to control your computer. They will use it for things like sending spam and compromising your bank details and personal information.

Currently the only fix is to install another browser. Even if Microsoft get around to fixing this problem, the history shows that there will be many others, and that your computer will be open to takeover by others for as long as you use Internet Explorer.

If your workplace forbid you from installing software on your machine, you have three choices:

1. Never browse the Web from your work computer - just don't start the browser at all, ever.
2. Disobey your work and install another browser.
3. Disobey your work and install a program for sending spam, involuntarily, courtesy of the Bad Guys.

Please don't choose option 3.

I recommend installing Mozilla Firefox right away. Others prefer other browsers - pretty much any alternative to Internet Explorer will be better.

More details in reddragdiva's journal. But maybe install a new browser first, and then go browsing later?

Comments

[ciphergoth.livejournal.com]

A quick PS to everyone who is already using a non-Microsoft browser or system - hooray to you for doing the right thing. You might even be the majority of my friends list. This post is worded to catch the attention of those who have not yet joined you, so please forgive me for not addressing you in the above.

[purplerabbits.livejournal.com]

I would rather have seen that in the main message tbh.

So is it only in XP that people would have a problem, or can it work in OSX or other Windows OSs? I've told my flatmates (me and Sandy were using Firefox anyway), but what about work?

[ciphergoth.livejournal.com]

It doesn't affect the MacOS version, according to this Wired article posted by wechsler/

[spacelem.livejournal.com]

I'm not in your friends list, but I have met you before. Yes, I've been running Mozilla for the last 3 years, and Firefox for the last 1½. Unfortunately I've been trying to get my dad to switch for the last 8 months, but he's just not interested. Sigh.

[sbisson.livejournal.com]

Actually there is a fix - you are not at risk of you are using the updated version of IE that comes with Windows XP Service Pack 2. Ther eis a download of Relase candidate 2 for this on the Microsoft technet web site.

[sbisson.livejournal.com]

Mind you, I've been using Firefox for a year or so now. It's just a better browser...

[wechsler.livejournal.com]

URL?

[sbisson.livejournal.com]

http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

[ex-meta.livejournal.com]

Umm, no. People who've tested it say the IE 6 in Service Pack 2 is affected.

In fact, I saw one posting describing a flaw which affected IE6 SP2 which didn't affect previous versions. Whether it's the same flaw actually being used, I don't know, but it's foolish to think that SP2 will save you.

(No, I didn't keep the URL. I don't run Windows, so it's not my problem.)

[babysimon]

Neat trick:

<!--[if IE]><h1>Big Warning</h1><![endif]-->

[kerrykat.livejournal.com]

Thanks for providing the information. It does really help techno-fuckwits like me :)

Firefox downloaded and me like! :)

thanks again
K xxxxxx

[ciphergoth.livejournal.com]

Rah! Welcome to the light side! Good, isn't it?

The Great Anti-virus Stop-Gap Solution (but it's better than nothing, right?)

[bondagewoodelf.livejournal.com]

I know it's a stop-gap. But fortunately there are several anti-virus companies that have already released an update to handle the thing that it on the loose on, alledgedly, all those web sites.

I just checked, and my own preference, Kaspersky AV has it in the 2004-06-25 update.

Of course this might only protect against this particular instance of the exploit and not against the vulnerability itself (or maybe it does? they might have added some generic fix for this particular one, although I doubt it since it's listed as 'Trojan.JS.Scob.a' which looks like a very specific detection.

Of course:

- I do most of my browsing with Opera anyway
- AV definitions at corporate sites are often horribly old

Other companies (Symantec, Computer Associates and F-Secure) appear to have AV definitions for this one already as well.

Re: The Great Anti-virus Stop-Gap Solution (but it's better than nothing, right?)

[skx.livejournal.com]

The problem with virus scanners for things like this is that it's a very reactive thing to do, not proactive.

Most of the recent I.E. flaws have been minor things in themselves, and only become dangerous when combined together. This means it's a safe bet something slightly different will arrise sone and you'll be just as vulnerable.

It's these flaws which allow the trojan to be installed.

Next time a similar flaw could install a different program and your scanner may not know about it.

Re: The Great Anti-virus Stop-Gap Solution (but it's better than nothing, right?)

[bondagewoodelf.livejournal.com]

Yeah, that's what I meant with that the scanner is too specific.

I hope there's a fix for IE6 soon. Some sites I visit regularly don't work properly with Opera *sigh*

Re: The Great Anti-virus Stop-Gap Solution (but it's better than nothing, right?)

[pavlos.livejournal.com]

The problem with virus scanners for things like this is that it's a very reactive thing to do, not proactive.

I agree using IE and a virus scanner is like not using condoms but religiously having STD tests - an approach only useful within closed environments.

[trishpiglet.livejournal.com]

Using Firefox.
I have MIE on my computer, though. BS says it's hard to delete, so I'll settle for removing from desktop.

[redcountess]

As reddragdiva said, if you're running Windows you need IE to run Windows Update for critical updates. The proper way to remove it from the desktop is by going to control panel-->internet options-->advanced options tab and unticking "show IE on desktop". And while you're in advanced options you should check it to prompt before running any scripts or Active X, and set privacy to high. Also change the home page to http://windowsupdate.microsoft.com in case it does get launched inadvertently.

[ciphergoth.livejournal.com]

Indeed, removing IE is next to impossible, and anyway as redcountess says you need it for Windows Update. Fortunately you're not made vulnerable just because it's sitting there on your hard drive - it's only when you use it to view a compromised website that the attack can be mounted.

Mico$oft IE

[missedephemera.livejournal.com]

[Error: Irreparable invalid markup ('<tis'>') in entry. Owner must fix manually. Raw contents below.]

<tis' paul speaking> Needless to say, Mona and I have never, EVER, been in the nasty habit of using IE as our default web browser. We us an independent third party browser and for no better reason than Mona is Norwegian, we use a paid up version of Opera (http://www.opera.com/). Again, needless to say, Opera (IOMHO)is vastly superior to IE in functionality (blah, blah, etc... OperaRocksOK!). The only problem, and it is a biggie, seems to be that there are some web sites that seem to be configured in such a way that ONLY IE will function correctly accessing them. We suspect this to be a deliberate ploy by Micro$oft to ensure IE usage. To its credit, Opera can try to disguise itself as IE to get past these IE-only-acess-sites, but not yet 100% sucessfully.

[ruis.livejournal.com]

If your workplace forbid you from installing software on your machine, you have three choices:

Or there is a forth more responsible choice which is you talk to your IT person/dept and ask them if your computer is at risk from this exploit or if you are safe e.g. by using a proxy server that has suitable anti-virus and content filtering installed. If you are at risk ask your boss what you should do.

[ciphergoth.livejournal.com]

I find it hard to believe that there's anywhere clueful enough to set up successful measures that protect from this exploit and all similar, but clueless enough to mandate the use of IE under Windows.

[ruis.livejournal.com]

Then you don't understand how big corporate companies work.

The directors and people who set the policy concerning what software is allowed go for MS because it is a stable company with lots of potential staff who know the product base, how many people do you know with qualifications / good commercial experience in Opera or Netscape? How easy is it to work out separate commercial licenses for a browser in comparision to just accepting the bundle from MS? How do you lock down mozilla/opera to a standard image?

The MS browser policy is a commercial one, this has absolutely no relevance to the amount of clue that the day to day technical staff have. All of the telecos I worked for mandated MS and had appropriate filtering at the border routers, well set up firewalls, proxy servers running the latest commercial AV software and normally the proxy had content filtering as well.

You do not want your average barely computer literate member of staff fucking their matching over cos someone on LJ said they should. If they are daft enough to follow your advice without talking to their line manager or IT dept first they deserve to get a formal verbal warning, in some companies they might get a written warning instead.

Are you really suggesting that taking that sort of stupid risk with their career is worth it for all of the people on your friends list?

[webcowgirl.livejournal.com]

I was actually fired for using a licensed copy of "forbidden" software (VB5) on my machine at work ... tho' it was loaded for work purposes. I'm sure ciphergoth's friends are mostly smart enough to know if they're working somewhere that will react like that, however, and not just go downloading stuff willy-nilly.

[ciphergoth.livejournal.com]

Fired? Jesus, what idiots! If their security or stability needs are so serious that installing unapproved software has to be an instant firing offence, what the hell are they doing running Windows at all?

Also, many such places are extremely strict about what you can use work machines for, so option 1 may be your only practical option in such a place anyway.

[ruis.livejournal.com]

Some companies have the view that if you break a rule that is listed in a handbook somewhere as being gross misconduct then it is in fact gross misconduct.

I still don't see what is wrong with the time honoured approach of telling your boss, in writing if necessary, doing as they say and then letting whatever happens be their fault.

When the day comes that all of the big applications that companies use come in non-windows forms and that non-windows support staff have the same availability and rates as windows ones then you will have a valid argument.

Until then I believe that you are still conflating commercial business requirements with technical skill.

[ciphergoth.livejournal.com]

I still don't see what is wrong with the time honoured approach of telling your boss, in writing if necessary, doing as they say and then letting whatever happens be their fault.

If what's happening is sending spam, or otherwise attacking other machines on the Net, does it matter who takes responsibility?

It seems counterintuitive to think that all the pieces can be good sense when the whole picture seems so wrong. But in the end you know I can't challenge you on this - you've been there, I haven't, end of story. I'll take care to avoid such environments in my future work career though - if that means never working for a company bigger than Harlequin, that's OK...

[lucybond.livejournal.com]

I've started using Mozilla Firefox, but it won't let me upload stuff to my personal webspace, while Internet Explorer does.

Any idea why that is? I am mostly using Mozilla Firefox now, so it won't be hard to avoid IE, apart from that one thing...

[ciphergoth.livejournal.com]

Just done a bit of investigating, but I don't have any good news to report. Anyone?

If you're using WebDAV, then it seems that Firefox just doesn't have WebDAV support. In fact it seems that there's a dearth of good, free WebDAV clients for Windows. The sites I could find googling for "webdav client windows" and suchlike all say things like "there don't seem to be any good webdav clients for Windows", sometimes followed by a recommendation for this $40 piece of software that maps your WebDAV folder to a drive letter.

I also found this, which is free and claims to do the job, but I don't know if it's any good...

Can anyone give Lucy better advice than this? Thanks!

[envoy.livejournal.com]

Firefox is lovely. I'm off to SanFran! Whooot!

[booklectica]

I downloaded Mozilla at work (which I'd been meaning to do again anyway) and left a note for my employer telling her to do it too, with a printout of the CNN article. We use Mozilla at home anyway. Is Firefox a better version of Mozilla or something different altogether?

[ciphergoth.livejournal.com]

Firefox is a better version of Mozilla. Like Mozilla, but smaller and faster and easier to use...

[thekumquat.livejournal.com]

Please see my recent post re Mozilla...

Work will jsut have to suffer, seeing as no-one can install software except the IT bods (and some of them are too ignorant). Fortunately the firewall/security IT bods out in a bunker somewhere are fairly competent - have had one virus in the last 2 years. Option 1 isn't an options as I need to browse for work.