Posts

Microsoft Warns of Internet Explorer Security Gap


Until Microsoft issues a security fix, I recommend discontinuing your use of Internet Explorer, regardless of version.

A Security Advisory released by Microsoft on April 26 states that the company is “aware of limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11.

According to the release, an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The company is working on a safety fix that it will provide in an upcoming software update.  Until then, Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software. I encourage you to utilize Firefox, Chrome or another browser. 

What to do until Microsoft issues a fix

  1. As always, don’t click on links unless you know and trust the sender.
  2. Download the free security software called the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft.
  3. Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE will prevent the exploit from functioning.
  4. According to FireEye, the security lab that discovered the vulnerability, Enhanced Protection Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article shows how to enable EPM in IE.
  5. Security experts say it may be easier to use another browser such as Google Inc’s Chrome, Mozilla’s Firefox or Opera Software ASA’s Opera.

Internet Explorer 9 Privacy Feature Limits Tracking


Microsoft has announced that the latest version of Internet Explorer will offer users a new anti-tracking privacy feature. This will help prevent marketing and advertising companies from watching where you surf and what you do online without your consent. Users will be able to set their preferences to prohibit companies from obtaining sensitive tracking information. This is a first step in the right direction – browsers should step up as the first line of defense against unwanted information collection.

This comes at a time when advertisers want to reintroduce the use of deep packet inspection in order to more closely watch and market to consumers online. This method reads and analyzes raw packets of your personal data as they travel across the Internet – for obvious reasons, deep packet inspection has been the subject of much controversy. Internet users are becoming more aware that what they do online is not private and are beginning to ask for tools to protect their browsers from spying.

Internet Explorer already offers InPrivate Filtering, a feature that works to block third-party scripting and tracking devices. This is only a temporary solution that is not very reliable because it often fails to block many tracking devices.

The new changes are no surprise, given increased concerns about browser tracking. Both consumers and the government have been working to allow a more “opt-in and opt-out” friendly version of internet browsing. The FTC called for a “do not track” button on browsers in order to block any kind of third-party usage tracking.

Tracking Protection Lists would potentially be a finer-grained equivalent, allowing users to opt out of some or all tracking systems depending on their preferences. Tracking Protection Lists will be an opt-in feature, and Internet Explorer 9 will not provide any lists itself. The lists will update weekly and most likely come from third parties and privacy advocacy groups. The lists will be useful to prevent the kind of spying that is getting many companies into trouble.

Support for Tracking Protection Lists will first arrive in a release candidate of Internet Explorer 9. Redmond did not give a date for this, but it is likely to be early next year.