-
A new Fixit for another Internet Explorer 0day
Posted on March 16th, 2010 at 04:34 2 comments
If you’re still using Internet Explorer 6 or 7, and haven’t upgraded to IE 8 or started using a better browser, you need to run over to Microsoft’s Security Advisory 981374 and apply the “Fixit” patch.
According to SANS Internet Storm Center, Microsoft posted the Fixit a few hours ago.
The Fixit disables something called the “peer factory” in IE6 and IE7. Apparently there’s working zero-day code running around that takes advantage of the security hole to run “backdoors” – programs that take over your computer, without your knowledge or consent.
-
Now (almost) everybody is advising you to stop using Internet Explorer
Posted on January 19th, 2010 at 18:00 17 comments
I’ve been saying it for years. I’ll say it again.
Upgrade Internet Explorer to the latest version. Keep it patched. But don’t use it. Use Firefox or Chrome or Opera or any other Web browser you fancy.
Sorry if I sound like a broken record. I’ve been advising on this blog since November, 2006, that you should dump IE and use Firefox.
Ed Bott has come down hard on IE 6. “Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice.” I wouldn’t go quite that far with IE 7 and IE 8, but with rare exceptions there’s absolutely no reason to continue using any version of IE. The German government and French government have both recommended abandoning IE, and I’m with them.
If your company absolutely insists on sticking with IE for compatibility reasons, they should be focusing most of their development resources on bringing their internal systems up to snuff. There are no good excuses left. Switch.
-
Should I delete Internet Explorer?
Posted on August 10th, 2009 at 06:43 3 comments
Reader Ted wrote in with an interesting question that I hear frequently:
I have followed your advice and started using Firefox instead of IE, and I sometimes use Google Chrome. What I don’t understand is if IE is part of the Windows operating system won’t it just kick-in anyway and be used by various programs even in Firefox and Google? Or, if you don’t use it at all, is it just taking up space on the computer? I’m really confused as you can tell. Should IE be deleted, or even can it? If it can’t and it’s not used, should it still be updated, following the advice in your MS-Defcon system?
Thanks so much for helping because like I said, I’m confused!
Ted, IE does lurk in the background sometimes and, depending on the version of Windows you’re using, the lurking can be more or less intrusive.
You can remove it completely in Windows 7, but in XP and Vista, it’s pretty much baked in. Even if you want to remove it, though, there are some times when you really need IE – for example, Windows Update and Microsoft Update require it.
Your best bet is to update IE, but use Firefox.
-
Two more IE patches released: stick with Firefox, please
Posted on July 29th, 2009 at 07:46 7 comments
As I anticipated a few days ago, Microsoft has just released two out-of-band patches and one security advisory for Internet Explorer.
If you are running the Windows 7 Release Candidate, you’re vulnerable, but the Windows 7 RTM version is clean.
SANS Storm Center has full details.
This is another screwed-up patch-of-a-patch that didn’t work, only this time there are hundreds – probably thousands – of third-party programs that are affected. Brian Krebs in the Washington Post steps you through the Keystone Kops aspects.
In spite of what Brian says – and, yes, you should apply the security patches one of these days – you’re safe if you stick with Firefox. Just don’t do anything weird online, like allowing a web page to install a program, OK?
We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
The guys at the Black Hat Conference in Vegas this week are going to have a field day.
-
No Internet Explorer in Europe?
Posted on June 13th, 2009 at 06:58 No comments
This story’s changing rapidly.
Ina Fried at CNN reported that she had seen a memo from Microsoft saying that the versions of Windows 7 sold in Europe will not have any browser pre-installed: if you want IE8, you have to get it and install it independently (presumably from a free CD).
For starters, there’s a huge chicken-and-egg problem: how do you download a browser (much less all of the Windows Live Essentials) when you don’t have a browser?
But of course there are many other ramifications.
The EU has jumped into the fray. International political theater – and I have to admit that MS has taken the first round. Fur is flying. Let’s see how it shakes out.
-
Firefox on Windows hardest target to crack
Posted on March 20th, 2009 at 21:03 1 comment
Ryan Naraine just posted a fascinating interview with Charlie Miller, the guy who broke into a fully patched MacBook at the annual Pwn2Own competition at the CanSecWest security conference.
Charlie confirms what you’ve known all along:
It’s really hard to exploit Firefox on Windows… For all the browsers on operating systems, the hardest target is Firefox on Windows.
Read what he says about Chrome. I, for one, was very impressed.
Thanks to reader GE for the heads-up…


