321 - CERT-Recommends-Switching-Browser

This article at Wired News pointed me towards a page that fully describes the Download.Ject exploit discussed in the last two posts. The page in question is written by the usually conservative CERT organisation. In a change from their normal general “use a firewall, virus scanner and keep software patched” type advice, this vulnerability has alarmed them enough to prompt this recommendation:

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE (Microsoft Internet Explorer) domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

CERT is a US government and public/private-sector group that reports on security vulnerabilities; it does not tend to make knee-jerk pronouncements, which makes this recommendation all the more compelling.

I’d recommend non-geeks read the Wired article; geeks should check both =)