To avoid viruses, choose the browser road less travelled

by  Alan Zisman (c) 2004 First published in Business in Vancouver July 20-26, 2004; issue 769 High Tech Office column

The page-one headline of June 26's Vancouver Sun grabbed my attention: "Computer virus could steal your credit card number." As is often the case in the world of the high tech office, the real story was both more and less serious than the headline suggested.

This new style of infection worked on several levels. First, it infected Web servers running Microsoft's Internet Information Server (IIS). Visitors to a Web page running on an infected server received an unwanted bonus: a keystroke logger that recorded everything they typed (including credit card numbers, passwords and more) and sent the information on to a Russian computer.

First the good news: this infection (dubbed JS.Scob.Trojan) was not widespread.

It probably didn't infect your computer, and probably didn't steal your credit card number or other sensitive information. Several hundred IIS-powered Web servers were infected, reportedly including a number of popular (but mostly unnamed) websites. Most infected websites scurried to clean out the infection and the Russian Web server receiving the stolen information was quickly shut down, minimizing the loss of data.

The bad news: this sort of attack will probably become more common.

Unlike traditional viruses, JS.Scob.Trojan didn't require infected users to open an e-mail attachment. They simply had to visit the wrong website. And where last-generation's viruses might have damaged your computer, this one was trying to steal data so someone could empty your bank accounts.

The under-reported story: the last two paragraphs of the Vancouver Sun's story quotes "security experts" noting that "users can avoid the exploit by using alternative browsers such as Mozilla and Opera ... . The infection does not affect Macintosh versions of Internet Explorer." In other words, only Windows users running Microsoft's Internet Explorer Web browser could have their data stolen after visiting an infected website. Of course, that accounts for the vast majority of users.

The unnamed "security experts" were part of the U.S. government's Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.

There are two issues here. The bad guys go where they can get the biggest payoff and so target Windows, Outlook, and Internet Explorer users almost exclusively. But there is also evidence that alternatives to these Microsoft products are more secure by design.

Switching to a non-Microsoft operating system is a major step that many users hesitate to take. The Macintosh operating system (OS X) is secure, stable, attractive and easy to use. But it requires buying a new computer and getting new versions of applications. Linux will run on existing PC hardware, but can be complex to install and configure, and again requires acquiring and learning to work with a new set of applications.

But it's relatively easy to move from Internet Explorer to an alternative browser, while keeping Windows as your operating system. Many home and business users did this in the late 1990s, moving from the then widespread Netscape Navigator browser to Microsoft's then-new Internet Explorer.

Download a copy of an alternative browser and take it for a spin. Alternatives include Mozilla and Firefox (both free from www.mozilla.org) and Opera (free with ads, otherwise about $50 from www.opera.com). All include useful features missing from IE like control over pop-up windows and tabs to view multiple pages. And all are safe from nasty exploits like JS.Scob.Trojan.

I've set Mozilla as the default browser on my Windows system. Poet Robert Frost famously wrote: "I took the road less traveled on, and that made all the difference."