The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended, for security reasons, using browsers other than Microsoft Corp.'s Internet Explorer.
The Microsoft browser, the government warned, cannot protect against vulnerabilities in its Internet Information Services (IIS) 5 server programs, which a team of hackers allegedly based in Russia has exploited with JavaScript that is appended to Web sites.
The particular virus initiated this week inserts JavaScript into certain Web sites. When users visit those sites, it initiates pop-up ads on home and office computers, and allows keystroke analysis of user information. The target is believed to be credit card numbers. CERT estimated that as many as tens of thousands of Web sites may be affected.
CERT said vulnerabilities in IIS and IE could include MIME-type determination, the DHTML object model, the IE domain/zone security model and ActiveX scripts. Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines. The only defense may be completely disabling scripting and ActiveX controls.
Microsoft said earlier in the week it is working with law enforcement officials to identify the source of the latest Internet virus.
From Wired news: Downloads of Mozilla and Firefox — an advanced version of Mozilla — spiked the day CERT's warning was released, and demand has continued to grow. According to Chris Hofmann, engineering director at the Mozilla Foundation, formed last July to promote the development, distribution and adoption of Mozilla Web applications, downloads of the browsers hit an all-time high on Thursday, from the usual 100,000 or so downloads on a normal day to more than 200,000.
Hofmann said the Mozilla team wasn't surprised when CERT issued its warning. “Mozilla and Firefox downloads have increased steadily since last fall, with the Firefox user base doubling every few months, as more people seem to have reached their threshold level of frustration dealing with problems with IE and Windows, and have found the Mozilla software a good solution to solving those problems,” said Hofmann. “CERT's recommendation is just a reflection of the trend we have seen for quite some time.” Security experts said Mozilla's lack of ActiveX support makes the browser more secure than IE. ActiveX was intended to allow websites to add multimedia and interactive features, but has lately been used to slide spyware onto PCs without the user's knowledge or explicit consent.
Story links:
Wired: http://www.wired.com/news/infostructure/0,1377,64065,00.html
Yahoo: http://story.news.yahoo.com/news?tmpl=story&cid=74&e=3&u=/cmp/20040702/tc_cmp/22103407