- Its curved blue "e" sits on almost every computer
desktop in the world, but the global dominance of Microsoft's web browser
could soon be over following a stark security warning from a senior panel
of internet experts who say it opens the door to online criminals.
-
- They are urging all users of Internet Explorer (IE) to
stop using the browser because they say it is vulnerable to hackers and
credit card fraudsters.
-
- The alert, from the US Computer Emergency Response Team,
comes as a blow to the global giant Microsoft, which has fought successfully
to retain its dominance of the browser market - 95 per cent of internet
surfers currently use IE.
-
- The team, which advises the US government and is a senior
authority on Net weaknesses, said that flaws in the software expose users
to criminals who can spy on their activities, steal their personal details
or send junk e-mail from their computers without them knowing.
-
- It said internet users should consider dumping the Microsoft
software - which comes as standard installed on PCs - and switching to
another web browser, such as the free Mozilla or commercial Opera products.
-
- In its warning, under the technical title "Vulnerability
Note 713878", the agency notes that IE has "significant vulnerabilities
in technologies" but adds: "It is possible to reduce exposure
to these vulnerabilities by using a different web browser."
-
- The advice - which echoes rising concern in the internet
security community - follows a continuing tide of attacks taking advantage
of holes in IE.
-
- In the past seven days, security experts have discovered
criminals using two different "vulnerabilities" in IE to exploit
Windows PCs. The first, called "Download.JECT", silently redirected
the browser to a Russian website and made it download software that monitored
keystrokes and would send out spam.
-
- Last week researchers at the Internet Storm Centre discovered
a malicious program that used a flaw in the software to install itself
on the user's PC when a particular pop-up ad appeared. It would then monitor
the user's typing when they visited any of 50 bank sites, including Barclays
Bank, Citibank and Deutsche Bank.
-
- Neil Barrett, security consultant of Information Risk
Management, which carries out internet security audits of companies and
software, said: "The number and seriousness of the vulnerabilities
is now getting past a joke.
-
- "Some of the things that can be done to it are really
powerful from the hacker's point of view. There are presently more than
30 attacks that it's vulnerable to which haven't been fixed by Microsoft."
-
- Johannes Ulrich, chief technology officer for the Sans
Internet Security Centre in the US, said: "To keep on using IE is
like playing the lottery. You're hoping the sites you visit aren't compromised."
He said the most recent attacks were "a wake-up call for users to
switch to another browser".
-
- The problems with IE are symptomatic of Microsoft's difficulties
with security, experts said. The arrival of the internet has led hackers
to concentrate on the most widely used products, searching for weaknesses,
and scores of flaws have surfaced in Windows, as well as Microsoft's IIS
web server software and its Outlook Express e-mail software. In January
2002 Bill Gates, founder of Microsoft, e-mailed all employees saying that
the company should alter the way it wrote software to incorporate greater
security against such threats.
-
- But the damage may already have been done. Steve Linford,
chief executive of the anti-spam organisation Spamhaus, said: "The
problem is that Microsoft assumes its users are stupid, and it comes with
everything wide open to attack.
-
- "Microsoft seems to think that if it has things
turned off, people will never discover how to turn them on."
-
- Spamhaus estimates that more than 70 per cent of the
8 billion spam e-mails sent every day come from home and business PCs that
have been subverted by programs downloaded over the Net.
-
- VULNERABILITIES IN EXPLORER
-
- * Pop-up ads can silently download software that will
use your computer to send out spam or install "Trojans" that
watch your typing.
-
- * E-mails by "phishers" can grab bank details
by using malicious internet addresses preceded by a real one. If you open
it with IE, you will only be shown the first part of the address, with
the rest hidden. Users may trust the address and give the criminals their
details.
-
- * Another "phishing" attack uses the "fake
address" method above and puts a pop-up window with an image of a
padlock on top of the window. This looks like a "secure" website.
IE has no built-in means to block pop-up windows.
-
- * Some pornography websites use IE to silently download
software that changes the computer's internet settings to dial a premium-rate
number.
-
- * One pop-up ad installs software that monitors whether
you visit any of 50 banking sites, including Barclays and Citibank. When
you do, it monitors your keystrokes and sends them to a website in San
Diego.
-
- © 2004 Independent Digital (UK) Ltd http://news.independent.co.uk/world/science_technology/story.jsp?story=537951