Microsoft’s browser dominance at risk as experts warn of security holes
5 July 2004 | Independent [London]
by Charles Arthur, Technology Editor
Its curved blue “e” sits on almost every computer desktop in the world, but the global dominance of Microsoft’s web browser could soon be over following a stark security warning from a senior panel of internet experts who say it opens the door to online criminals.
They are urging all users of Internet Explorer (IE) to stop using the browser because they say it is vulnerable to hackers and credit card fraudsters.
The alert, from the US Computer Emergency Response Team, comes as a blow to the global giant Microsoft, which has fought successfully to retain its dominance of the browser market – 95 per cent of internet surfers currently use IE.
The team, which advises the US government and is a senior authority on Net weaknesses, said that flaws in the software expose users to criminals who can spy on their activities, steal their personal details or send junk e-mail from their computers without them knowing.
It said internet users should consider dumping the Microsoft software – which comes as standard installed on PCs – and switching to another web browser, such as the free Mozilla or commercial Opera products.
In its warning, under the technical title “Vulnerability Note 713878”, the agency notes that IE has “significant vulnerabilities in technologies” but adds: “It is possible to reduce exposure to these vulnerabilities by using a different web browser.”
The advice – which echoes rising concern in the internet security community – follows a continuing tide of attacks taking advantage of holes in IE.
In the past seven days, security experts have discovered criminals using two different “vulnerabilities” in IE to exploit Windows PCs. The first, called “Download.JECT”, silently redirected the browser to a Russian website and made it download software that monitored key strokes and would send out spam.
Last week researchers at the Internet Storm Centre discovered a malicious program that used a flaw in the software to install itself on the user’s PC when a particular pop-up ad appeared. It would then monitor the user’s typing when they visited any of 50 bank sites, including Barclays Bank, Citibank and Deutsche Bank.
Neil Barrett, security consultant of Information Risk Management, which carries out internet security audits of companies and software, said: “The number and seriousness of the vulnerabilities is now getting past a joke.
“Some of the things that can be done to it are really powerful from the hacker’s point of view. There are presently more than 30 attacks that it’s vulnerable to which haven’t been fixed by Microsoft.”
Johannes Ulrich, chief technology officer for the Sans Internet Security Centre in the US, said: “To keep on using IE is like playing the lottery. You’re hoping the sites you visit aren’t compromised.” He said the most recent attacks were “a wake-up call for users to switch to another browser”.
The problems with IE are symptomatic of Microsoft’s difficulties with security, experts said. The arrival of the internet has led hackers to concentrate on the most widely used products searching for weaknesses, and scores of flaws have surfaced in Windows, as well as Microsoft’s IIS web server software and its Outlook Express e-mail software. In January 2002 Bill Gates, founder of Microsoft, e-mailed all employees saying that the company should alter the way it wrote software to incorporate greater security against such threats.
But the damage may already have been done. Steve Linford, chief executive of the anti-spam organisation Spamhaus, said: “The problem is that Microsoft assumes its users are stupid, and it comes with everything wide open to attack.
“Microsoft seems to think that if it has things turned off, people will never discover how to turn them on.”
Spamhaus estimates that more than 70 per cent of the 8 billion spam e-mails sent every day come from home and business PCs that have been subverted by programs downloaded over the Net.
VULNERABILITIES IN EXPLORER
• Pop-up ads can silently download software that will use your computer to send out spam or install “Trojans” that watch your typing.
• E-mails by “phishers” can grab bank details by using malicious internet addresses preceded by a real one. If you open it with IE, you will only be shown the first part of the address, with the rest hidden. Users may trust the address and give the criminals their details.
• Another “phishing” attack uses the “fake address” method above and puts a pop-up window with an image of a padlock on top of the window. This looks like a “secure” website. IE has no built-in means to block pop-up windows.
• Some pornography websites use IE to silently download software that changes the computer’s internet settings to dial a premium-rate number.
• One pop-up ad installs software that monitors whether you visit any of 50 banking sites, including Barclays and Citibank. When you do, it monitors your keystrokes and sends them to a website in San Diego.
Thanks to Alexandra Dadlez for forwarding this article to thereitis.org. –BL