Dump IE Says US-CERT

On the heels of last week’s sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of “significant vulnerabilities” in technologies embedded in IE.

“There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites,” US-CERT stated in a vulnerability note.

US-CERT is a non-profit partnership between the Department of Homeland Security (DHS) and the public and private sectors. It was established in September 2003 to improve computer security preparedness and response to cyber attacks in the U.S.

It has been more than two weeks since Microsoft confirmed the existence of an “extremely critical” IE bug, which was being used to load adware/spyware and malware on PCs without user intervention. And, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server. This opens the door for an attacker to exploit the flaw by executing script in different security domains.

To protect against the flaw, IE users are urged to disable Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker). Other temporary workarounds include the application of the Outlook e-mail security update, the use of plain-text e-mails and the use of anti-virus software.

Surfers must also get into the habit of not clicking on unsolicited URLs from e-mail, instant messages, Web forums or internet relay chat (IRC) sessions.
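The Internet Zone workaround described above can be checked and applied per user through the IE security-zone registry values. The script below is an added example, not part of the original story or of the US-CERT note; the function names `Get-ZoneAudit` and `Set-ZoneHardening` are hypothetical, and it assumes the standard per-user zone key (zone 3 is the Internet Zone) with no overriding Group Policy.

```powershell
# Added example: audit and optionally harden the IE Internet Zone for the current user.
# Zone 3 = Internet Zone. Policy values: 0 = enable, 1 = prompt, 3 = disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Disable  = 3

# URL action IDs covering Active scripting and ActiveX in a security zone.
$Actions = [ordered]@{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

function Get-ZoneAudit {
    # Report each action's current value and whether it is set to "disable".
    param([string]$Path = $ZonePath)
    foreach ($id in $Actions.Keys) {
        $current = (Get-ItemProperty -Path $Path -Name $id -ErrorAction SilentlyContinue).$id
        [pscustomobject]@{
            Action   = $id
            Setting  = $Actions[$id]
            Current  = if ($null -eq $current) { 'not set' } else { $current }
            Disabled = ($current -eq $Disable)
        }
    }
}

function Set-ZoneHardening {
    # Write "disable" (3) for every listed action, creating the zone key if absent.
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($id in $Actions.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value $Disable -Type DWord
    }
}

Get-ZoneAudit | Format-Table -AutoSize
# Set-ZoneHardening   # uncomment to apply, then re-run Get-ZoneAudit to confirm
```

Zone settings pushed through Group Policy take precedence over these per-user values, so on managed machines the same action IDs should be set in policy instead.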

See the complete story on Internetnews.com.