Incomplete Advice From Uncle Sam
In a blog entry earlier today, I pointed out that the Department of Homeland Security -- in its partnership with the Carnegie Mellon University Computer Emergency Readiness Team, a DHS-run outfit now known as US-CERT -- is once again unwilling to give users the simplest bit of advice on how to protect themselves against the latest unpatched flaw in Microsoft's Internet Explorer Web browser.
My comments may make more sense with a bit of historical perspective:
Flash back to June 2004, when a multi-pronged attack leveraged two separate flaws in Microsoft products to spread a dangerous backdoor Trojan horse program -- variously dubbed by anti-virus companies as "download.ject," or "js.scob." That attack took advantage of what at the time were recently discovered security flaws in IE and in Microsoft's Internet Information Services (IIS) Web server software. Attackers managed to break into hundreds of Web sites using the Web server flaw and plant a virus that then installed a keylogger onto any machine that browsed the site with an unpatched version of IE. Anything that victims typed on certain e-commerce and online banking sites, including passwords and account numbers, was then sent to the virus authors.
When I arrived at work the next day I already had voicemails from people at Microsoft and from their public relations folks, as well as more than a few messages from people at US-CERT, asking us to print a correction clarifying that US-CERT was not specific in recommending other browsers. We ultimately agreed that what we printed could be construed as putting words in the mouths of US-CERT, and the newspaper ran a short clarification in the following day's paper.
The director of US-CERT, Jerry Dixon, was slated to be on a conference call this morning about this very subject, a call organized by US-CERT, the SANS Institute and others to discuss the Top 20 most dangerous computer security threats (Post reporter Jonathan Krim had a story about their findings in today's paper).
Dixon was not on the call, so I was unable to put my questions on this topic to him. When I called him directly, he referred me to the public relations folks at DHS, who have not returned my calls.
I guess if I have a point to make it's this: DHS says US-CERT is responsible for helping to protect the nation's information infrastructure from destruction or damage. A big part of that effort involves reaching out to and educating millions of home and business computer users. No doubt Microsoft is a big partner in that effort, but omitting the simplest and most elegant solutions when problems arise with a Microsoft product smacks of an organization going out of its way not to upset the nice people in Redmond.
Granted, most people probably go elsewhere for advice on computer security (Web site monitoring firm Netcraft's anti-phishing toolbar ranks US-CERT.gov as the 220,589th most popular site on the Web). But it seems to me that an organization like US-CERT would better serve taxpayers' interests if it provided a complete set of options users can follow to avoid online security threats. That might encourage Microsoft to more quickly release patches, and it would solidify US-CERT's reputation as a neutral honest broker.
Is Microsoft the bad guy here? I'd like to say no, given the company's many efforts over the past few years to improve security in its products. For what it's worth, I gave Microsoft a heads up about this blog post, and their response was that "all software contains vulnerabilities and as long as malicious hackers exist, there will always be an opportunity for online threats. But ultimately, customers will choose the browser that best meets their needs."
Back to the present security threat. Here's what you can do to protect yourself against the Microsoft IE flaw that US-CERT and other groups warned the public about this week:
My first recommendation is to use another browser -- at least for now. There's nothing wrong with having multiple browsers installed on your computer. Indeed, at home I use no fewer than four different browsers, and IE is indispensable for several trusted sites that don't load well enough in the other browsers (the administration page for my wireless router, for example).
For those users who positively must continue using IE for everyday Web browsing, disabling scripting in the browser should protect you from this flaw. Here's how you do that:
1) From IE's top menu, go to "Tools."
2) Choose "Internet Options."
3) Click on the tab marked "Security," then the button marked "Custom Level."
4) Change the buttons under the "Scripting" heading from "Enable" to "Prompt" or "Disable."
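
For administrators who would rather script the four steps above than click through them, here is an added example (not part of the original post) that reads and changes the same "Scripting" settings for IE's Internet zone through the per-user registry. It assumes PowerShell 3.0 or later; the function names are made up for this illustration, and the value names 1400, 1402 and 1407 are the zone settings that back the three options under the "Scripting" heading.

```powershell
# Added example: audit and harden the "Scripting" group for IE's Internet zone.
# Zone 3 is the Internet zone; each DWORD value below is one Custom Level option.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The three options listed under the "Scripting" heading in Custom Level.
$ScriptingActions = [ordered]@{
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1407' = 'Allow paste operations via script'
}

# Codes these settings use: 0 = Enable, 1 = Prompt, 3 = Disable.
$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: report the current state of each scripting option.
function Get-IEScriptingSetting {
    foreach ($id in $ScriptingActions.Keys) {
        $value = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        [pscustomobject]@{
            Action  = $ScriptingActions[$id]
            ValueId = $id
            Setting = if ($null -eq $value) { 'Not set (zone default)' }
                      else { $PolicyNames[[int]$value] }
        }
    }
}

# Hypothetical helper: the equivalent of step 4, applied to all three options.
function Set-IEScriptingSetting {
    param(
        [ValidateSet('Prompt', 'Disable')]
        [string]$Mode = 'Disable'
    )
    $code = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($id in $ScriptingActions.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $id -Value $code -Type DWord
    }
}

Get-IEScriptingSetting | Format-Table -AutoSize   # state before the change
Set-IEScriptingSetting -Mode Disable
Get-IEScriptingSetting | Format-Table -AutoSize   # state after the change
```

On machines managed by Group Policy, zone settings pushed by policy can override these per-user values, so re-run the audit function after a policy refresh to confirm the setting stuck.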
Be advised that this produces some interesting and often frustrating results: Use IE with scripting set to prompt and visit washingtonpost.com, for example, and you'll get no fewer than six pop-ups saying: "Scripts are usually safe. Do you want to allow scripts to run?"
The problem with prompting users to make this decision before the site has even loaded is that if the user has never even visited the site before, he or she has no basis for making that judgment call. If you disable scripting in IE altogether, much of the interactive content and tables on washingtonpost.com disappears completely.
Browse our site in Firefox with the "noscript" extension enabled, and the browser silently blocks the scripts, showing a little prompt at the bottom that lets users enable scripts once they have decided whether to trust the site. Plus, the noscript extension doesn't appear to block non-ad-related content on sites.
One thing I should note is that the exploit released to take advantage of the IE flaw may also partly affect Firefox users if they visit a Web site that has this malicious code on it. Johannes Ullrich, CTO of the SANS Internet Storm Center, said he tested the exploit and found that it caused Firefox to freeze up, but he was running Firefox on a Linux machine, not one running Windows. However, Firefox users who take advantage of the "noscript" extension should not have any problems with this exploit.