Business Week Online – Internet Explorer Is Just Too Risky
In late June, network security experts saw one of their worst fears realized. Attackers exploited a pair of known but unpatched flaws in Microsoft’s Web server software and Internet Explorer browser to compromise seemingly safe Web sites. People who browsed there on Windows computers got infected with malicious code without downloading anything.
I’ve been growing increasingly concerned about IE’s endless security problems, and this episode has convinced me that the program is simply too dangerous for routine use.
In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.
Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.
Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that’s all there is to it and continue to use IE. But as for me, I’m done with it.
Use whatever browser you wish. You know my feelings on the subject by now.
Stop and think about what every security professional already knows. Once an unknown program is installed on a system, the only true way to be totally safe is to wipe the whole system and start over. It sounds extreme, but you don’t know what the program can do. There are ways to limit what a program can do, but on most home PCs these measures aren’t in place (because they also make legitimate use harder). Perhaps it rewrote system files, so that now anything you type is sent to the author. Even if you don’t do any financial stuff online, it could log the account numbers you type into your spreadsheet or financial program. “But my firewall will stop it!” If it could get into your system files, I guarantee it could modify your firewall’s files as well. In general, your overlapping security systems (you do have at least one firewall and anti-virus, right?) should detect problems before they do damage, but it’s not always possible. If one of these malicious programs wanted to be really devastating, it could rewrite itself after doing its dirty deeds – when the final version was analyzed, it would appear to be harmless (or at least less harmful), hiding the true damage.
There is no question in my mind that the consumer has far more power than we poor schmucks fighting for Web standards. With coverage like this, we can help facilitate a more important revolution: Get people to use well-built software and let the losers dig their own graves.
Get people to use well-built software and let the losers dig their own graves. That about sums it up for me.