319 - To Hell With Bad Browsers (and Their Users)
This week there was a news story about IE and IIS, Microsoft’s web browser and web server respectively. It turns out there are unpatched bugs in both programs that, when exploited in concert, provide a rather nifty way for an attacker to retrieve pretty much anything from your computer without you knowing a thing.
What would happen is that the server would be exploited in such a way that IE would be tricked into installing a program from a different site entirely. Normally you would be shown a dialog box that warns you and allows you to prevent the installation. However, the attacker also takes advantage of an IE bug that allows them to bypass this security measure. This in effect allows them to install any software they wish onto your computer without you knowing, and without you even visiting a site you wouldn’t normally visit.
One piece of software installed was a key-logger. This allows the attacker to see all keystrokes made on a computer, thus bypassing all security: if you type it in, it is captured. Passwords, credit card numbers, the lot. You type it, they have it.
And remember: you have no idea the key-logger is there. It could be weeks before you run a virus scan (which even then might not catch it). Think how much you could type in a few weeks… does it make you a little worried that this could happen so easily?
Welcome to the world of Internet Explorer, the world’s most exploited browser! You’ve got anti-virus software? Pah, IE bypasses that protection without breaking a sweat! Of course, the firewall, that must protect you, right? Oh, you clicked the “Let IE access the internet” button, bad luck my friend!
So, if you are infected by some nefarious piece of software and you use better browser now.
To be brutally honest: I don’t care about your security and computer if you use IE; you obviously don’t care yourself, why should I give a damn? I can’t see why anyone would want to risk their security just because they are too lazy to move to another browser.
It frustrates me that such severe security holes could ever be let out the door, let alone left unpatched even when the developer knows about them. You see, MS isn’t planning on patching this hole, just making it more difficult to exploit. More difficult?! How the hell is that supposed to help!
I’ve about had it with IE, and so should you.
(with apologies to ALA for the heading)