By Chris Mosby
In some of the various online communities I take part in, you’ll see a pattern among staunch Microsoft supporters. They continue to categorize Mozilla’s Firefox browser as nothing more than a "hobbyist toy" and adamantly declare that it is just a "matter of time" before hackers start targeting Firefox users as much as users of Internet Explorer.
While this may be the case in the future, it certainly is not the case now. Firefox does have its share of vulnerabilities, but their number is nowhere near the number plaguing IE. And compare Mozilla’s response time when dealing with problems in Firefox, as opposed to Microsoft’s response time when dealing with issues in IE. The difference is days or weeks as opposed to months or years (if ever). The question you have to ask yourself is: Do you want a more secure browser now or later, when Microsoft gets around to it?
MS browser has 19 critical, unpatched holes
To illustrate this point, take a look at Secunia’s information pages on Internet Explorer and Mozilla Firefox. IE has 19 unpatched vulnerabilities, some of them rated “highly critical,” whereas Firefox currently has only five, the most severe of which is rated “moderately critical.”
The following two exploits that affect Internet Explorer 6 are perfect examples of this: both were initially reported in 2003 and have yet to be patched.
Visual Studio 6 plug-in allows IE 6 takeover
The Mciwndx.ocx ActiveX plug-in — which is part of Visual Studio 6 (Enterprise or Professional) — has a flawed property that can allow infected Web sites or HTML e-mails to install programs on your computer without your knowledge.
This might not seem like a problem if you don’t have Visual Studio 6. Unfortunately, since the plug-in is digitally signed by Microsoft, it can also be installed silently through IE by any Web site, if your settings are not configured properly.
What to do: The most obvious thing to do is delete this ActiveX plug-in if you find it on your computer. To keep the file from getting installed on your computer again through IE, you can follow the IE hardening guidelines detailed in the Nov. 18, 2004, issue of the Windows Secrets Newsletter.
For more information, check out the Secunia advisory on this issue.
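One way to carry out the "find it on your computer" check described above, as an added PowerShell example that is not from the original article or from Secunia: it reports copies of Mciwndx.ocx on disk, their signature status, and any COM registrations that point at the file. The search roots are an assumption, and the script only reads; it deletes nothing.

```powershell
# Added example (not from the article): report copies of Mciwndx.ocx and
# any COM class registrations whose in-process server is that file.
# Read-only: it lists findings and changes nothing.
$name = 'mciwndx.ocx'

# Assumption: these roots cover the usual install locations; add more as needed.
$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# 1. Copies of the file on disk, with version and Authenticode signer.
$files = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue
}
$fileReport = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path            = $f.FullName
        FileVersion     = $f.VersionInfo.FileVersion
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# 2. COM classes registered with this file as their InprocServer32.
#    A hit means the control can still be loaded even if you missed a copy above.
$pattern = [regex]::Escape($name)
$regReport = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')   # default value = server path
                $sub.Close()
                if ($server -match $pattern) {        # -match is case-insensitive
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        } catch { }   # skip keys the current user cannot read
    }

if (-not $fileReport -and -not $regReport) {
    "No copies or registrations of $name found under: $($roots -join ', ')"
} else {
    $fileReport | Format-List
    $regReport  | Format-Table -AutoSize
}
```

A registration whose server path no longer exists on disk is a leftover entry; a file with no matching registration is an unregistered copy that should still be removed.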
IE flaw discloses software on your PC
There’s a flaw in Internet Explorer 6 that could allow an infected Web site or HTML e-mail to detect what components and versions are installed on a computer.
By itself, this flaw is not that dangerous. Used with other vulnerabilities and exploits, however, it can very well increase the success rate of a hacker attack. The exposure allows the hacker to know exactly what exploits can be used on an intended victim.
What to do: Once again, the IE hardening guidelines outlined in the Nov. 11, 2004, issue of the Windows Secrets Newsletter are an effective deterrent to this flaw. One of the steps will disable Active Scripting, which is required for this flaw to work.
For details, the Secunia advisory on this flaw provides specifics.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.