Normally, I figure that people will hear about these sorts of things on other sites, but I figured that this was important enough to post it up here. According to ZDNet, malicious hackers have compromised several “major websites.” They didn’t deface these sites with the usual “1 0wNez joo, biatch!” (forgive my poor leet speak). Rather, they installed their own software to take advantage of Internet Explorer’s unpatched security holes to install software on visitors’ PCs. The owners of the sites are apparently unaware of the fact that they are infecting their visitors, and visitors are probably complacent that they only visit “reputable” sites and have nothing to fear from spyware.
If you’re reading this using Internet Explorer (on Windows, at least), please, go download the latest version of Mozilla (or their up-and-coming new browser, Firefox). It’s free, and it’s a much more useful browser than IE, never mind the fact that it doesn’t have the known gaping security holes that IE does. It’s also a supported application under constant development, unlike Internet Explorer.
(Updated: It appears that the problem will only affect users of Internet Explorer 6, not earlier versions. According to Microsoft, if you have installed Windows XP Service Pack 2 Beta (which 99% of you haven’t, I’d guess) then you’re safe as well.)
Switching to Mozilla was the advice I gave my father last weekend, after I had to remove spyware from his PC. I thought I had covered just about everything… I had both a hardware firewall and a personal firewall installed on his PC, antivirus running, etc.
The vital thing here is: there is nothing you can do to prevent being infected, aside from using something other than Internet Explorer as your browser. You won’t get a little “do you want to install…” popup that you’d stupidly have to click “OK” on. Microsoft hasn’t fixed these bugs yet, so doing the whole “Windows Update” thing won’t help you. Virus scanners can’t detect the malicious downloaded software yet. Considering the reports I have read about spyware now downloading updates for itself constantly, I suspect virus scanners will never be able to keep up. Firewalls won’t keep the spyware out, since the browser is the one downloading the software. It’s not forcing itself in from the outside.
As mentioned in the latest Joel on Software, Microsoft has totally abandoned Internet Explorer development (although apparently they are going to start developing it again). Depending on the state of your tin foil hat, this is either because the browser was going to be integrated into Microsoft’s much-hyped and much-delayed next generation of operating system, or because Microsoft’s desktop dominance is threatened by having a rich and powerful browser (as Joel states).
At this point, consider Internet Explorer to be an unsupported product. Considering it’s the gateway through which a lot of spyware and worse are downloaded, you owe it to yourself to download an alternative browser (or, heck, a whole alternative operating system, but I won’t try to convince people of the need to switch to Linux today…).
I’ll not go too deeply into an anti-Microsoft rant here, except to say that this is what happens when one company has so much control of the computer landscape. Its own priorities and survival outweigh yours, in its own mind. The result is that Microsoft will do what’s best for it (protect its monopoly) rather than what’s best for you (develop software that’s bulletproof, or, at the very least, fix issues when they come up).