Internet Explorer a prime conduit for viruses and spam
by Alan Zisman (c) 2004
First published in Business in Vancouver, October 12-18, 2004; issue 781, High Tech Office column
In the ongoing war against terrorism, it's been (as I write this) a
rough week. No, not in Iraq. I'm referring to that other ongoing war,
the one that online terrorists are waging against Microsoft Windows
users.
First, take viruses. (Please!) Security-company Symantec reported that
there were some 5,000 new viruses and worms released in the first half
of 2004, an astonishing 400 per cent increase over the same period in
2003. Adding to the unsettling trend, it appears that virus writers are
getting together with spammers, according to a report issued by
MessageLabs. Infected computers are being used as "zombie" servers to
help spread spam e-mail, and can be flooded with unsolicited ads.
Microsoft released a series of patches for a newly discovered
vulnerability in the way many computers display JPEGs, the graphics
format widely used by digital cameras and on the Internet. Within a
week, a sample program showed up on the Net, demonstrating to would-be
crackers how they could make use of this flaw to attack unpatched
computers.
Similar how-to code preceded the MSBlast and Sasser attacks by a matter
of days. While not an epidemic yet, attacks based on this vulnerability
have already shown up in pictures posted on "adult" online newsgroups
and in messages aimed at AOL Instant Messenger users, and may be headed
your way soon.
Unfortunately, this problem is more complex to fix than many Windows
vulnerabilities; a trip to Microsoft's Windows Update site isn't
enough. At Windows Update, users download a program that checks their
systems for at-risk versions of Microsoft products (typically Microsoft
Office); if those versions are found, users need to go to the company's
Office Update website (officeupdate.microsoft.com) to patch those
products.
Updating to Microsoft's massive Windows XP Service Pack 2 cures this
vulnerability, but reports also indicate that the cure causes problems
for about 10 per cent of the users who try to install it.
Non-Microsoft graphics-using software might also share this
vulnerability. The free GDI Scan tool (isc.sans.org/gdiscan.php)
can help track down other at-risk products.
I can't let Microsoft off the hook yet. The version of Internet
Explorer included in its XP Service Pack 2 includes some useful
security improvements (see my column in BIV 775; August 31 - September
6). That version includes a pop-up blocker and makes it more difficult
for dangerous and unwanted programs to run without user knowledge and
consent.
While making some security updates available, the company has announced
that these XP2-style improvements won't be forthcoming for the 200
million users running Internet Explorer with older versions of Windows
(over half of the world's Windows users). To get that more secure
version of Internet Explorer, Microsoft suggests users upgrade to
Windows XP, in the process often junking otherwise functional computers
that won't work well with that version of Windows.
Very poor policy, Microsoft. Each insecure computer on the Internet
puts every other computer at risk. Microsoft has claimed that Internet
Explorer is an integral part of its Windows operating system and has
announced that users should not expect any further stand-alone releases
of the Web browser. The company denies, however, using security issues
as a way to force upgrades to Windows XP.
A small window of good news, however. The number of people making an
end-run around Microsoft's Internet Explorer is increasing. This week,
the Mozilla Foundation's free Firefox browser released its preview 1.0
version, and had a million copies downloaded in four days
(www.mozilla.org). Even before the Firefox 1.0 release, use of
non-Internet Explorer browsers has been
rising. Checking the statistics for my website, Zisman.ca, I found that
last October, some 90 per cent of visitors were using IE. This August,
that had dropped to 84 per cent. So far, in September, it has dropped
again to 80 per cent. A modest decrease, but in line with what's being
reported elsewhere. And it's the first time that there's been a
noticeable drop in Internet Explorer use.