
Incomplete Advice From Uncle Sam

In a blog entry earlier today, I pointed out that the Department of Homeland Security -- through US-CERT, the DHS-run operation that works in partnership with Carnegie Mellon University's CERT Coordination Center -- is once again unwilling to give users the simplest bit of advice on how to protect themselves against the latest unpatched flaw in Microsoft's Internet Explorer Web browser.

My comments may make more sense with a bit of historical perspective:

Flash back to June 2004, when a multi-pronged attack leveraged two separate flaws in Microsoft products to spread a dangerous backdoor Trojan horse program, variously dubbed by anti-virus companies "Download.Ject" or "JS.Scob." That attack took advantage of what at the time were recently discovered security flaws in IE and in Microsoft's Internet Information Services (IIS) Web server software. Attackers broke into hundreds of Web sites through the Web server flaw and planted malicious code that then installed a keylogger on any machine that browsed the site with an unpatched version of IE. Anything victims typed on certain e-commerce and online banking sites, including passwords and account numbers, was then sent to the attackers.

I wrote about that attack for washingtonpost.com and The Washington Post. In that piece we cited advice from US-CERT urging IE users to disable JavaScript in their browsers or consider using another Web browser. US-CERT didn't specify what other browser options were available, so somewhere along the way in the editing process a second clause was added to that sentence naming alternative Web browsers like Firefox, Opera and Netscape.

When I arrived at work the next day I already had voicemails from people at Microsoft and from their public relations folks, as well as more than a few messages from people at US-CERT, asking us to print a correction clarifying that US-CERT had not specifically recommended other browsers. We ultimately agreed that what we printed could be construed as putting words in US-CERT's mouth, and the newspaper ran a short clarification in the following day's paper.

Fast forward to today and I can't find one instance in a vulnerability alert on any browser flaws since then (IE or otherwise) where US-CERT has even hinted that people consider using an alternative, free browser until an IE patch is made available by Microsoft. In each case where the organization has detailed a flaw in IE, US-CERT has suggested disabling the offending portion of the browser (such as ActiveX, or in this week's example, JavaScript). While effective, these steps make cruising the Web about as useful and fun as driving on a freeway studded with speedbumps every 100 yards.

The director of US-CERT, Jerry Dixon, was slated to be on a conference call this morning about this very subject, a call organized by US-CERT, the SANS Institute and others to discuss the Top 20 most dangerous computer security threats (Post reporter Jonathan Krim had a story about their findings in today's paper).

Dixon was not on the call, so I was unable to put my questions on this topic to him. When I called him directly, he referred me to the public relations folks at DHS, who have not returned my calls.

I guess if I have a point to make it's this: DHS says US-CERT is responsible for helping to protect the nation's information infrastructure from destruction or damage.  A big part of that effort involves reaching out to and educating millions of home and business computer users. No doubt Microsoft is a big partner in that effort, but omitting the simplest and most elegant solutions when problems arise with a Microsoft product smacks of an organization going out of its way not to upset the nice people in Redmond.

Granted, most people probably go elsewhere for advice on computer security (Web site monitoring firm Netcraft's anti-phishing toolbar ranks US-CERT.gov as the 220,589th most popular site on the Web). But it seems to me that an organization like US-CERT would better serve taxpayers' interests if it provided a complete set of options users can follow to avoid online security threats. That might encourage Microsoft to more quickly release patches, and it would solidify US-CERT's reputation as a neutral honest broker.

Is Microsoft the bad guy here? I'd like to say no, given the company's many efforts over the past few years to improve security in its products. For what it's worth, I gave Microsoft a heads up about this blog post, and their response was that "all software contains vulnerabilities and as long as malicious hackers exist, there will always be an opportunity for online threats. But ultimately, customers will choose the browser that best meets their needs."

Back to the present security threat. Here's what you can do to protect yourself against the Microsoft IE flaw that US-CERT and other groups warned the public about this week:

My first recommendation is to use another browser -- at least for now. There's nothing wrong with having multiple browsers installed on your computer. Indeed, at home I use no fewer than four different browsers, and IE is indispensable for several trusted sites that don't load well enough in the other browsers (like the administration page for my wireless router, for example.)

For those users who positively must continue using IE for everyday Web browsing, disabling scripting in the browser should protect you from this flaw. Here's how you do that:

1) From IE's top menu, go to "Tools."
2) Choose "Internet Options."
3) Click on the tab marked "Security," make sure the "Internet" zone is selected, then click the button marked "Custom Level."
4) Under the "Scripting" heading, change "Active scripting" from "Enable" to "Prompt" or "Disable," then click OK.
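The same change as the four steps above, applied through the registry so it can be scripted, checked, or pushed to other machines. This is an added example written for this page, not code from the original post; it assumes modern PowerShell (which did not exist when the post was written) and the current user's own IE settings. The zone number, the value name and the 0/1/3 encoding are IE's; the function names are illustrative.

```powershell
# Added example, not from the original post. Zone 3 is IE's "Internet" zone;
# value 1400 under it is "Active scripting", and the dialog's three choices
# map to 0 = Enable, 1 = Prompt, 3 = Disable. Assumes HKCU (per-user) settings.
$ZoneKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'

function Get-ActiveScripting {
    # Read the current value back and translate it into the dialog's wording.
    $v = (Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    if ($null -eq $v) { return 'not set (zone default applies)' }
    switch ([int]$v) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($v)" }
    }
}

function Set-ActiveScripting {
    # Write the same DWORD the Custom Level dialog writes.
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value $value -Type DWord
}

"Before: $(Get-ActiveScripting)"
Set-ActiveScripting -Mode Disable   # the US-CERT workaround for this week's flaw
"After:  $(Get-ActiveScripting)"
```

Run this in the affected user's own session, since the key lives under HKCU and IE picks the new value up on the next page load. If the controls on the Security tab are greyed out, the machine is managed by policy under HKLM and the per-user value is ignored; the policy copy of the same key is what has to change.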

Be advised that this produces some interesting and often frustrating results: Use IE with scripting set to prompt and visit washingtonpost.com, for example, and you'll get no fewer than six pop-ups saying: "Scripts are usually safe. Do you want to allow scripts to run?"

The problem with prompting users to make this decision before the site has even loaded is that if the user has never even visited the site before, he or she has no basis for making that judgment call. If you disable scripting in IE altogether, much of the interactive content and tables on washingtonpost.com disappears completely.

Browse our site in Firefox with the NoScript extension installed, and the browser silently blocks the scripts, showing a small bar at the bottom that lets users enable scripts once they have decided whether they trust the site or not. Plus, NoScript doesn't appear to block non-ad-related content on sites.

One thing I should note is that the exploit released to take advantage of the IE flaw may also partly affect Firefox users if they visit a Web site that has this malicious code on it. Johannes Ullrich, CTO of the SANS Internet Storm Center, said he tested the exploit and found that it caused Firefox to freeze up, but he was running Firefox on a Linux machine, not one running Windows. However, Firefox users who take advantage of the NoScript extension should not have any problems with this exploit.

By Brian Krebs  |  November 22, 2005; 5:15 PM ET
Categories:  From the Bunker  

Comments

An organization such as US-CERT must be very careful not to make problems worse. In this case, imagine that they start recommending Firefox, and the following day an even worse vulnerability is discovered in Firefox.

Working in incident response is very tricky. It's a boy-who-cried-wolf job--if you say too much people start ignoring you. You don't want to say "do X" one day, and then have to say "no, don't do X" the following day, because you lose credibility. For US-CERT, maintaining credibility is the single most important objective. They're better off saying, "this is a problem," and leaving specific alternatives to the rest of the industry, you included, to suggest. That way people still get viable options, but US-CERT preserves its credibility so people still learn that a problem exists.

In other words, US-CERT doesn't exist to solve everyone's technical problems--an entire industry exists to support that. US-CERT is focused on notification. Any solutions they propose are intentionally conservative.

Posted by: antibozo | November 22, 2005 6:26 PM | Report abuse

Also worth mentioning: your conflation of US-CERT with Carnegie Mellon CERT is not quite accurate. CM CERT still exists as the CERT Coordination Center (CERT/CC) at www.cert.org, which is rated at #5561 by Netcraft. This is the portal most people use; US-CERT disseminates the same advisories and works closely with CERT/CC on practically everything it does.

Posted by: antibozo | November 22, 2005 6:39 PM | Report abuse

too long!!!

Posted by: soeyth | November 22, 2005 7:43 PM | Report abuse

Please explain to me how the Government/FEMA will only accept registration using IE 6 Windows.

Using Firefox or Safari, the page opens to BAD GATEWAY.

The Gov. knows IE is trash and the most hacked browser in the world and yet they continue to do nothing about it.
It is the total reverse, someone in the Gov. is making some good money using IE.
Or the coders with the Politicians are just plain stupid.

It's disgraceful.

Posted by: P | November 22, 2005 8:25 PM | Report abuse

OK, I think that it should be known that if you have XP SP2 and popup blocking off--problem solved. Also, it crashes IE6 if you allow the popup. More so, it just crashes FF. It basically affects those that do not have the proper updates (which, thanks to Windows auto update, shouldn't be an issue). This is, realistically, a problem that will truly exploit a very very small percentage of the surfers out there.

Posted by: discojohnson | November 22, 2005 9:54 PM | Report abuse

In regards to this part of your article: "If you disable scripting in IE altogether, much of the interactive content and tables on washingtonpost.com disappears completely."

I think a separate question is when are large sites like The Washington Post going to stop using Scripting, ActiveX, Java and all the other 'features' that cause these huge security holes in the first place?

I use IE but have it buttoned down tight. No scripting, activeX, java etc, etc. Practically every setting in the Security Level is set to Disable for regular internet sites. It's frustrating that the website developers themselves continue to require these security holes in order to just view the website.

The Washington Post (and other sites) are just as responsible for cleaning up this mess as is Microsoft.
My 2 cents.

Posted by: NoMoDRM | November 23, 2005 5:38 AM | Report abuse

While I agree as a technologist that having multiple browsers loaded is the way to go, it is not practical for the average person out there. I personally have three browsers loaded. I can control my family's 4 computers and tell them what to do. But my parents and in-laws who live 2000 miles away are a different story. They are not capable of supporting multiple browsers, much less understanding the reasons to use different ones. So while the solution of having multiple browsers sounds good, in practice it is just not practical for the technically challenged.

The solution? I don't have one beyond staying in contact with those that need help and giving them the best advice I can. For now we all use Firefox, we keep them updated, and I follow these sorts of blogs to keep myself informed. We're just trying to stay one step ahead of the bad guys, and so far so good.

Posted by: Bob | November 23, 2005 9:57 AM | Report abuse

One reason US-CERT may be reluctant to mention alternate browsers by name is fear of running afoul of Government ethics rules that prohibit agencies or employees from offering endorsements of products or services. This may sound like a ridiculous precaution, but it is a very real concern. In addition to the legal penalties involved, US-CERT could also be bombarded by every yahoo with a homemade browser program objecting to being left off the list of alternate browsers.

Posted by: Gov't Lawyer | November 23, 2005 12:06 PM | Report abuse

Gov't Lawyer, that's a good point, but it's really much simpler than that. The solution to the IE problem is to patch IE. Since there is no patch available, the best workaround is to disable scripting. Using an alternate browser doesn't protect you if some other program invokes IE to view a URL, nor does it protect you in other Microsoft applications that might use the IE engine.

So suggesting that US-CERT should recommend alternate browsers to solve this problem is way off base. The reasons to use an alternate browser are numerous, but they aren't directly related to this problem. The reason it comes up is because if you disable scripting in IE a lot of sites won't work anymore. Using an alternate browser is a solution to /that/ problem.

As I posted earlier, it's not US-CERT's responsibility to solve everyone's technical problems. They exist to notify people that problems exist, and to provide conservative workarounds that are as universally effective as possible without introducing any new vulnerabilities. Installing another browser definitely has the potential to introduce new vulnerabilities. After all, suppose someone has an early version of Firefox already installed; US-CERT couldn't just say, "Use Firefox"; they have to also then provide instructions on updating Firefox if you already have it installed. And what happens when a new vulnerability in Firefox is discovered? Once they start down that road, a vulnerability announcement about IE turns into a full-blown technical support problem. Instead, US-CERT does what's responsible: they give you instructions for fixing the problem with IE. That this cripples IE in some contexts isn't a good reason for them to become the Internet's help desk.

US-CERT and CERT/CC serve as authorities on what vulnerabilities are real. Anyone can go to www.cert.org and see with confidence whether a new threat actually exists. For recommendations on alternate browsers, this blog is one excellent resource among many thousands.

As for Krebs's implication that US-CERT isn't doing the most with taxpayer money, I'd take strong issue with that. I've worked directly with US-CERT on a number of issues, and they are an exceptionally competent and dedicated group of people. They would be among the top groups I might point to as exemplary of good taxpayer value.

Note that I, personally, recommend Firefox.

Posted by: antibozo | November 23, 2005 2:55 PM | Report abuse

>>"[...]But ultimately, customers will choose the browser that best meets their needs."

"You can have it in any color you want as long as it's black." -- Henry Ford
http://daringfireball.net/2004/09/choose_microsoft

>>If you disable scripting in IE altogether, much of the interactive content and tables on washingtonpost.com disappears completely.

``I'd change that to: "People should stop creating websites that _require_ JavaScript unnecessarily." Unless your application _really_ relies on JavaScript (eg. GMail, etc) your web-app should degrade gracefully on browsers that either don't support JavaScript or where the users have exercised their right to switch the bloody thing off.''
http://it.slashdot.org/comments.pl?sid=153785&cid=12900516

In that case, WaPo would bear the burden of convincing (one hopes, by reputation) IE-using readers to enable Javascript -- preferably by means of:
1) setting the Internet zone's security settings to High;
2) enabling active scripting in the Restricted Sites zone; and
3) adding washingtonpost.com to the Restricted Sites zone list.
(In this scheme, the Restricted Sites zone is used as a whitelist of Javascript-permitted sites, instead of being used as a blacklist of known-malicious sites as IE-SPYAD and SpywareBlaster do.)

Posted by: Mark Odell | November 23, 2005 5:34 PM | Report abuse
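Mark Odell's three-step scheme above (lock down the Internet zone, re-enable scripting in the Restricted Sites zone, then move the sites you trust into that zone), applied through the registry. This is an added example written for this page, not code from the original post or from the comment; it assumes modern PowerShell, the current user's own IE settings, and a constructed allowlist of one site. In the Internet zone it touches only the Active scripting and ActiveX values rather than the full "High" template, which flips many more settings.

```powershell
# Added example, not from the original post or comment. Zone 3 = Internet,
# zone 4 = Restricted sites; value 1400 = Active scripting, 1200 = Run ActiveX
# controls and plug-ins; 0 = Enable, 1 = Prompt, 3 = Disable. HKCU only.
$Base       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Internet   = "$Base\Zones\3"
$Restricted = "$Base\Zones\4"
$Domains    = "$Base\ZoneMap\Domains"

function Set-ZoneValue([string]$Zone, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Zone)) { New-Item -Path $Zone -Force | Out-Null }
    Set-ItemProperty -Path $Zone -Name $Name -Value $Value -Type DWord
}

# 1) Internet zone: no script, no ActiveX for sites you have not vetted.
Set-ZoneValue $Internet '1400' 3
Set-ZoneValue $Internet '1200' 3

# 2) Restricted Sites zone: allow script only; the zone's other restrictive
#    defaults (ActiveX off, and so on) stay in place.
Set-ZoneValue $Restricted '1400' 0

# 3) Sites you trust to run script go into zone 4. Each domain is a subkey under
#    ZoneMap\Domains; a value named for the scheme holds the zone number, and a
#    bare domain key covers its subdomains too.
function Add-ScriptAllowedSite([string]$Domain) {
    $key = Join-Path $Domains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -Value 4 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SiteZone([string]$Domain) {
    # Returns the zone number IE will assign to http://<domain>, or $null if unmapped.
    (Get-ItemProperty -Path (Join-Path $Domains $Domain) -ErrorAction SilentlyContinue).http
}

Add-ScriptAllowedSite 'washingtonpost.com'      # constructed allowlist entry
"washingtonpost.com -> zone $(Get-SiteZone 'washingtonpost.com')"   # zone 4
"example.net        -> zone $(Get-SiteZone 'example.net')"           # unmapped, so Internet zone
```

Expect some breakage on allowlisted sites: they inherit everything else the Restricted Sites zone forbids, not just its ActiveX setting, and any tool that uses zone 4 as a blacklist (the comment names IE-SPYAD and SpywareBlaster) will now be granting script to every domain it adds. Pick one meaning for the zone and stick to it.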

No answer. Go to Fema.gov and see what browser you HAVE to use to register for relief.

Let's see, it's not up to US-CERT to provide an answer to ALL the problems IE creates but to give workarounds.

Am I missing something?
Our tax $'s are being used by the Gov. to use the worst browser at this time. There are many reasons not to use IE, but it is lazy programming to use IE.

Are you telling me that a browser like Firefox that can be used by Linux, Windows, Mac computers isn't as good as IE for Windows?

That if IE is patched (HEH,HEH) it will support other platforms.

If you get a virus using IE it won't bring down your entire system.

And Please, if you're going to turn off all the features that IE allows malicious hackers to use then why use IE and not a 3rd party neutral browser that won't bring down your entire system.

One more point, Polls, how much market share do you think MSIE would have if the IE browser didn't come loaded with the Windows OS?
Try this for a popup when loading the OS:
Which browser would you prefer to load?
Firefox
Opera
MS Internet Explorer

Posted by: P | November 23, 2005 6:05 PM | Report abuse

P, I think you're confusing a lot of issues.

The Federal government, in general, does not require citizens to use any particular browser to access web sites. And in fact, the vast majority of web services deployed by the government work fine in most browsers.

Remember that most of these web applications are authored by contractors. Some of those contractors, like many developers for private industry, are not that competent, and you end up with stupidity such as FEMA requiring IE. But just because some bozo built a broken web app for FEMA, that doesn't mean there's a vast conspiracy to force everyone to use IE--it's merely a reflection of one team's poor planning.

And all that has nothing whatsoever to do with what recommendations US-CERT should make to people about protecting themselves against a vulnerability in IE.

As I've said, personally, I recommend Firefox. I use IE only for Windows Update, and that's to the extent that I use Windows at all, which is minimal. But that doesn't make Firefox a solution to a vulnerability in IE, any more than it makes Firefox a solution to a flaw in Word or TurboTax or Quicken or any other Windows application. As long as a vulnerable IE is sitting on your system, some other program may invoke it and create a problem. No one says you shouldn't use a third-party browser. But doing so doesn't fix IE.

Posted by: antibozo | November 23, 2005 6:30 PM | Report abuse

Thanks antibozo, for replying.

Yes, I understand I had a few points in that post but I wasn't confused. I was just giving simple examples and points.

As for Fema, they're promising change, right. You said it, contractors/developers. Some people must be getting paid to use a broken web app. I imagine powerful lobbying.

I agree US-CERT should be contacting the masses with any vulnerabilities.

And as mentioned, IE should be slowly removed because it is vulnerable. Every Windows computer I sit at that only has IE to use, I ask if I can download Firefox.

It's a workaround for US-CERT, NOT use IE.
Thanks P

Posted by: P | November 23, 2005 7:07 PM | Report abuse

Technical correction. In September 2004 US-CERT recommended using a different browser. See http://www.kb.cert.org/vuls/id/490708

Posted by: LJ | November 24, 2005 3:35 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company