December 19, 2008
Apply a Critical Security Patch for IE 5, 6, 7 & 8 ASAP
As if "Clickjacking" wasn't bad enough, yet another critical security exploit was found in IE, and it affects virtually every version that people would have on their PCs (from the older v. 5.0 all the way through to IE's 8 beta). This flaw was recently publicly reported, and Microsoft just released the critical patch yesterday, Dec. 18th. Since it's very rare for Microsoft to issue a security patch outside its normal cycle, you can tell this one is important. Without going into techie details, suffice it to say that thousands of web sites have already been compromised to deliver the exploit to your PC should you visit them using an unpatched version of IE. The exploit could allow criminals to take control of people's computers and steal their passwords. The problem was that hackers found this security hole before Microsoft, so MS had to play catch-up.
For personal PCs, download and install this patch from Microsoft. It should also be available in your Windows Update (remember to log in as an administrator first). If you're in an enterprise environment, check with your IT department as they are very likely already painfully aware of this and are probably working on it.
I read through the Microsoft-suggested workarounds in lieu of applying the patch, and none are pretty. For instance, setting your IE's security level to "High", while effective, disables ActiveX and scripting, and would disable a number of features on legitimate sites. Plus, you'll likely get nagged to death by prompt after endless prompt while surfing.
Of course, the best suggestion is to not use IE at all, and instead use an alternate browser such as Firefox, Opera, or Chrome. However, even if you don't use IE overtly, you could still be at risk. For example, some people use a Firefox plugin or extension to have an IE tab open within Firefox -- useful when a specific site just won't work properly in Firefox. Guess what? It's as if you're using IE to visit that site, and so you're vulnerable if the new IE patch isn't installed. Also, remember that IE's core components are used in a number of non-web browsing functions, so you may be vulnerable even if you're not using IE as your default browser.
Some experts suggest that eventually hackers will find a way to use this exploit in a slightly different manner than what the MS patch was designed to fix. But for now, I'd say your best bet is to apply this IE patch, and set and use Firefox or another non-IE browser as your default browser in Windows.
Topic(s): Privacy & Security
Posted by Jeff Beard