Microsoft aims to blunt Internet Explorer exploit

The software maker has issued configuration changes for three versions of Windows in an effort to lessen the effects of a recently exploited vulnerability in its widely deployed Web browser.

Microsoft said it has released configuration changes to several of its operating system platforms to help protect against recent attacks on its widely used Internet Explorer browser. The company also said it will release security updates in the coming weeks that will provide additional protection.

The recent attacks caused a flurry of criticism from security experts, which included some calls for customers to consider using other browsers. But switching browsers isn't always a reasonable alternative, although it is one way to combat the most recent exploit that affects Internet Explorer. The Scob, or Download.ject, exploit is set in motion when a user visits an infected Web site and a malicious JavaScript hidden in the page infiltrates the IE browser.

This week, the U.S. Computer Emergency Readiness Team recommended that users consider browsers other than IE until Microsoft develops a patch for the flaw. Today, Microsoft released a configuration change to Windows XP, Windows Server 2003 and Windows 2000 Server that is designed to make systems more "resilient" to the attack, Microsoft said in a statement. Security updates in the coming weeks are expected to provide even more protection, the software maker said.

In the meantime, Johannes Ullrich, CTO for the SANS Institute's Internet Storm Center, said the only way to be completely safe is for a user to turn off JavaScript or avoid browsing a site that may have malicious JavaScript. Enterprises may have some other layers of protection, but even a virus scanner only helps to some extent, he said.

Many factors involved in whether to switch browsers

Ullrich said his advice to use another browser applies to this exploit only. Whether customers should completely abandon Internet Explorer in favor of another, less vulnerable browser depends on other factors.

"People should use whatever browser they are comfortable with," Ullrich said. "It's just that for this particular issue, your options are turning off JavaScript for all sites or using a different browser."

In the majority of cases, users won't switch browsers because it requires an enormous shift in their behavior, said Alan Paller, director of research at SANS Institute, which is a center for security training and certification based in Bethesda, Md.

Paller said that a software customer's best strategy for dealing with security breaches is to get together with other users and put pressure on vendors. "Use your combined buying power to make vendors more responsible," he said.

There are alternatives to Internet Explorer for the Windows, Linux, Unix and Mac operating systems, but most people choose to use what is provided to them, said Dan Kusnetzky, vice president of system software research at International Data Corp., a Framingham, Mass., market research firm.

Different users, different needs

Kusnetzky divides users into four groups: consumers, developers, enterprise users and transaction-oriented users.

Consumers essentially use what is delivered on their systems and often do not make any changes until they buy a new system.

Developers are likely to use IE if they are developing software for deployment on Windows. "Increasingly, we are seeing people developing platform-neutral software," he said. "They are likely to be using one of the alternative browsers if they are using Linux for development. If they are using Windows, then for them, an alternative browser may be viable."

A knowledge worker might be willing to make the switch, but it would most likely be done over the objections of an IT department that wants to maintain a consistent and supportable computing environment, Kusnetzky said.

Transaction-oriented workers also use the systems they are given, and it's not likely they would have the knowledge to change the configuration of their desktops.

Possible compatibility issues with a switch

For most people who do switch, the learning curve of a new browser probably wouldn't be that great, Kusnetzky said. Most have similar features and functions. But it could cause a few problems with some application packages that deliver help and advice as HTML files, possibly with attached DLLs or calling specific functions that are part of IE, he said.

"It's not clear that another browser will do exactly the same things in all cases," Kusnetzky said. "If the organization uses IE as an interface to Web-based applications, it's feasible that some applications may not function as intended. They may even function better, but it's hard to say."

One thing this recent exploit clearly highlights is the argument for keeping the browser separated from the operating system, said John Pescatore, an analyst at Gartner Inc., in Stamford, Conn. "The browser is part of the OS, so you can't just patch the application," he said.
