Internet Explorer a prime conduit for viruses and spam

by  Alan Zisman (c) 2004 First published in Business in Vancouver October 12-18, 2004; issue 781

High Tech Office column


In the ongoing war against terrorism, it's been (as I write this) a rough week. No, not in Iraq. I'm referring to that other ongoing war, the one that online terrorists are waging against Microsoft Windows users.

First, take viruses. (Please!) Security-company Symantec reported that there were some 5,000 new viruses and worms released in the first half of 2004, an astonishing 400 per cent increase over the same period in 2003. Adding to the unsettling trend, it appears that virus writers are getting together with spammers, according to a report issued by MessageLabs. Infected computers are being used as "zombie" servers to help spread spam e-mail, and can be flooded with unsolicited ads.

Microsoft released a series of patches for a newly discovered vulnerability in the way many computers display JPEGs, the graphics format widely used by digital cameras and on the Internet. Within a week, a sample program showed up on the Net, demonstrating to would-be crackers how they could make use of this flaw to attack unpatched computers.

Similar how-to code preceded the MSBlast and Sasser attacks by a matter of days. While not an epidemic yet, attacks based on this vulnerability have already shown up in pictures posted on "adult" online newsgroups and in messages aimed at AOL Instant Messenger users, and may be headed your way soon.

Unfortunately, this problem is more complex to fix than many Windows vulnerabilities; a trip to Microsoft's Windows Update site isn't enough. At Windows Update, users download a program that checks their systems for at-risk versions of Microsoft products (typically Microsoft Office); if those versions are found, users need to go to the company's Office Update website (officeupdate.microsoft.com) to patch those products.

Updating to Microsoft's massive Windows XP Service Pack 2 cures this vulnerability, but reports also indicate that the cure causes problems for about 10 per cent of the users who try to install it.

Non-Microsoft graphics-using software might also share this vulnerability. The free GDI Scan tool (isc.sans.org/gdiscan.php) can help track down other at-risk products.

I can't let Microsoft off the hook yet. The version of Internet Explorer included in its XP Service Pack 2 includes some useful security improvements (see my column in BIV 775; August 31 - September 6). That version includes a pop-up blocker and makes it more difficult for dangerous and unwanted programs to run without user knowledge and consent.

While making some security updates available, the company has announced that these XP2-style improvements won't be forthcoming for the 200 million users running Internet Explorer with older versions of Windows (over half of the world's Windows users). To get that more secure version of Internet Explorer, Microsoft suggests users upgrade to Windows XP, in the process often junking otherwise functional computers that won't work well with that version of Windows.

Very poor policy, Microsoft. Each insecure computer on the Internet puts every other computer at risk. Microsoft has claimed that Internet Explorer is an integral part of its Windows operating system and has announced that users should not expect any further stand-alone releases of the Web browser. The company denies, however, using security issues as a way to force upgrades to Windows XP.

A small window of good news, however. The number of people making an end-run around Microsoft's Internet Explorer is increasing. This week, the Mozilla Foundation's free Firefox browser released its preview 1.0 version, and had a million copies downloaded in four days (www.mozilla.org). Even before the Firefox 1.0 release, use of non-Internet Explorer browsers has been rising. Checking the statistics for my website, Zisman.ca, I found that last October, some 90 per cent of visitors were using IE. This August, that had dropped to 84 per cent. So far, in September, it has dropped again to 80 per cent. A modest decrease, but in line with what's being reported elsewhere. And it's the first time that there's been a noticeable drop in Internet Explorer use.