"When I give, I give myself." -- Walt Whitman
Posted on Wednesday, June 30, 2004 3:00 PM

By Randall S. Newton
Editor-in-Chief

In a “Vulnerability Note” revised yesterday, the US Computer Emergency Readiness Team (US-CERT) is recommending that users of the World Wide Web consider discontinuing their use of Microsoft Internet Explorer (IE), the most commonly used Web browser.

The Note, entitled “Microsoft Internet Explorer does not properly validate source of redirected frame,” recommends using a different web browser as one of six possible solutions to avoid falling victim to a recently discovered “exploit” that could be used maliciously to take control of remote computers running Internet Explorer.

“Microsoft Internet Explorer (IE) does not adequately validate the security content of a frame that has been redirected by a web server,” US-CERT says. “An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.”

The code required to execute such a remote hijacking of a computer running IE is publicly available, US-CERT reports, and there are reports of incidents involving this vulnerability. Any program that hosts the Web Browser ActiveX control or uses the IE HTML rendering engine (MSHTML) may be affected by this vulnerability.

In addition to using an alternative browser, the other recommended solutions are:

  • Disable Active scripting and ActiveX
  • Apply the Outlook Email Security Update
  • Read and send email in plain text format
  • Maintain updated anti-virus software
  • Do not follow unsolicited links

US-CERT is a partnership between the Department of Homeland Security and a variety of institutions in both the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT offices are in both Washington, DC and Pittsburgh, PA, on the campus of Carnegie Mellon University.

There are several alternative Web browsers available for the Microsoft Windows operating system. The most popular are Netscape Navigator, Opera, and Mozilla.

The complete text of the Vulnerability Note (VU#713878) is at the US-CERT web site.
