Thursday, January 14, 2010

Another Reason Not To Use Internet Explorer

Not a big surprise, but a zero-day Internet Explorer vulnerability was leveraged in the attacks against Google and 30+ corporate networks.

There have been so many holes in IE that I don't understand how it didn't collapse under its own weight years ago.

From an attacker's perspective, it makes perfect sense - corporations make extensive use of Internet Explorer in their infrastructure due to standardization and interoperability strategies, so the attack surface is quite large. Compromise the browser, add in a little remote code execution, and you own the computer the browser is sitting on, which you can leverage to compromise other assets on the network.

Newer versions of IE are less susceptible to this kind of malicious activity, although IE is still a pretty large target. You'd be better off running Firefox with the NoScript extension installed.

If you have to stay on Internet Explorer, at least upgrade to the latest version. There's still a lot of IE6 out there, which makes no sense at all, and it's one of the riskier browser choices. Move to IE7 at a minimum, with IE8 being your best option.

And good Lord, make sure your antivirus is up to date and that you're running Microsoft Update every month - hopefully via Automatic Updates.

For your peripheral applications - many of which have seen attacks and updates of late (hello, Adobe Reader) - it makes sense to install Secunia PSI on home machines to let you know when you have vulnerable or end-of-life software that's a problem.

Let's be careful out there.


