By Brian Livingston
The foolish people who develop Web sites that only work in Internet Explorer, and users who still run IE instead of safer browsers, such as Firefox, repeatedly expose themselves to one hacker attack after another.
The latest example is an exploit that afflicts the social-networking sites MySpace and Facebook, in addition to the Yahoo Music Jukebox — but there’s an easy way to protect yourself.
ActiveX bugs expose users to silent infection
The SANS Internet Storm Center (ISC) published a report on Feb. 4 that six ActiveX controls used by several sites can be manipulated by hackers to silently infect PCs. These controls, including the Aurigma ImageUploader, are used by IE to upload photos to social-networking sites and perform other tasks. But the flawed controls can be turned against you if you happen to visit one of several hacked sites that are already taking advantage of the weakness, according to a Symantec alert.
US-CERT, an arm of the Dept. of Homeland Security, recommends that users of IE set the security level of that browser’s Internet zone to “high” to disable all ActiveX capabilities. Well-known Web sites that require ActiveX controls, such as Microsoft’s Windows Update site, can then be added one by one to the browser’s Trusted Sites zone, which permits ActiveX.
Most IE users, however, won’t be able to tolerate such a severe security setting. With IE’s Internet zone set to a “high” security level, the browser pops up an irritating series of dialog boxes — sometimes several per Web page — when visiting many sites that are harmless.
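The following read-only PowerShell audit is an added example, not part of the original column or of US-CERT's guidance. It reports whether the current user's Internet zone actually disables the ActiveX actions and lists the sites placed in Trusted Sites. It assumes the standard per-user IE registry locations and ignores any Group Policy overrides; the function name is hypothetical.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
# Zone numbers are the standard ones: 2 = Trusted sites, 3 = Internet.
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$levels  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
              0x11500 = 'Medium-high'; 0x12000 = 'High' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Get-ZoneActiveXState {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$Zone)
    $props = Get-ItemProperty -Path "$inet\Zones\$Zone" -ErrorAction Stop
    $level = [int]$props.CurrentLevel          # 0 or unknown means a custom level
    $levelName = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Custom' }
    foreach ($id in $actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw) {
            $state = 'Not set'
        } elseif ($states.ContainsKey([int]$raw)) {
            $state = $states[[int]$raw]
        } else {
            $state = 'Other (0x{0:X})' -f $raw
        }
        [pscustomobject]@{ Zone = $Zone; Level = $levelName
                           Action = $actions[$id]; State = $state }
    }
}

# 1. Internet zone: every ActiveX action should read "Disabled" at the High level.
$internet = @(Get-ZoneActiveXState -Zone 3)
$internet | Format-Table -AutoSize
$open = @($internet | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count) { Write-Warning "Internet zone does not disable $($open.Count) ActiveX action(s)." }

# 2. Trusted Sites: each entry is a key under ZoneMap\Domains whose value
#    (named after the URL scheme) equals 2. Subdomains appear as domain\sub.
Get-ChildItem -Path "$inet\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                [pscustomobject]@{ Site = $key.Name -replace '^.*\\Domains\\', ''; Scheme = $scheme }
            }
        }
    } | Format-Table -AutoSize
```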
Antivirus vendors are already taking steps to block the new-found ActiveX attacks. But it’s safer for you to disable the affected controls entirely until patched versions are released.