Internet Explorer Exploits
Defects in the Windows Internet
Explorer browser, some for which patches have not been available, have been used to install Adware, Spyware, and other malicious
programs on computers visiting malicious or compromised web sites (or clicking links in
e-mail messages that lead to malicious or compromised web sites). This installation
may occur without operator intervention or notification once the web site is visited.
Email messages containing links to malicious web sites have been generated by
SPAM and worms.
Our security devices pick up dozens and sometimes hundreds of attempts daily to
exploit Internet Explorer on computers connected to the JMU network. The
stop some of these attacks but not all of them. Home computers have no such
protection leaving their security entirely up to the operators.
|Number of exploit packets. Number of involved systems is significantly less.
Risk Reduction Measures
It goes without saying that keeping a Windows computer up to date with patches,
enabling the Windows XP firewall,
and using anti-virus software is mandatory in these days of constant worms and
exploits. However, even with these precautions, there is risk. Security related defects have been discovered in Internet Explorer features
almost every other month for the past three years Note 1.
Sometimes, these defects are exploited by people before patches are available
from Microsoft to fix them. Updates, firewalls, and anti-virus software are
generally powerless to prevent a compromise via a new exploit in such cases.
Malicious web sites, compromised web sites, and links to such sites in e-mail
and instant messages can result in instant compromises of visiting computers to
install spyware or worse
with no action on the part of the visitor.
The following steps are offered as options to
further reduce risk. People operating computers accessing sensitive data,
elevated privilege accounts, or applications attractive to the criminal element,
such as electronic banking, may want to pay particular attention.
- Avoid clicking links in SPAM and other untrusted, unexpected, or unusual e-mail messages.
its easy to make a mistake, hard to determine trustworthiness of a message, and sometimes
even trusted web sites get compromised.
- Avoid untrustworthy web sites. Pornography sites in particular seem to be
using exploits to obtain information about visitors (email addresses seem
popular) and/or install malicious software on visiting computers. Unfortunately, its
easy to make a mistake, hard to determine trustworthiness, and sometimes even
trusted web sites get compromised.
- Perform day to day operations, particularly web browsing and email
reading, using an unprivileged account which will
restrict the ability of malicious web sites to take over your computer. Do not
use the Windows 'Administrator' or 'power user' account or a Windows account that is a member
of the administrator or power users groups for day to day use. This decreases the
functionality available to malicious programs or exploits you may encounter
and the repercussions of accidents. This is particularly recommended for
shared or unattended computers or those used by children.
Instructions for Windows XP. Instructions for
other Windows operating systems on University of Texas web site. More
- Disable scripting and other browser functionality that increases risk.
using Internet Explorer, you can do this selectively allowing trusted sites to
have more functionality and control over your browser than untrusted or
This will prevent exploitation of most defects, patched or unpatched. It may also, however, reduce
convenience or functionality.
Safer Browsing Instructions
JMU Instructions with more details and
- Configure your email client to display email in plain text. This reduces
functionality available to malicious messages.
- Use the
Windows XP Software Restriction Policies to restrict the computer to
running only approved programs. This is particularly recommended for shared
or unattended computers or those used by children.
- Use another browser when visiting web sites where Internet Explorer functionality is not needed.
For example, the Firefox or the Mozilla
- Many web sites have been designed and tested only for Internet
Explorer. This may make it necessary to use two browsers if you need to access
Mozilla products and other browsers also have security defects
reported but at the present time, not as frequently, nor as often exploited.
Because other browsers also have problems, minimizing functionality, such as
scripting, is an effective risk reduction technique for those products too.
Unlike Internet Explorer, however, this is an all or nothing decision. There
is no way to have different settings for different sites.
- If you choose to switch from Internet Explorer to another browser, it is
still recommended that you set Internet Explorer's Internet zone to High
security. This is because Internet Explorer can sometimes be used by other
United States Computer Emergency Readiness Team Alerts
Incidents of compromised web sites compromising visitors' computers through
Internet Explorer defects:
Worms Exploit Internet Explorer Defect
"Internet Explorer Carved Up by Zero-day Hole"
The following link describes just one example of a known malicious program being
installed by using an Internet Explorer defect. Reportedly, it is being
installed using a defect for which a fix was made available at the Windows
Update site in April. Without the update, visiting a web site exploiting this
defect will automatically install the program on your computer. From that point,
the program will watch your browsing habits, wait until you visit an electronic
banking site, collect your passwords, and send them off to the people performing
this crime. While up to date anti-virus software will detect this particular
program, it won't detect all the programs that are being installed by this type
of activity. Similarly, while being up to date with patches from the Windows
Update site will stop older exploits, newer ones can only be stopped by using
additional risk reduction techniques like those mentioned earlier.
Note 1: Determined by counting patches for Internet
Explorer as described on
Security Bulletin web page.