A-to-Z Index

Computing Homepage

Information Technology Help Desk

Mon -Thu: 8:00am -9:00 pm
Friday: 8:00am - 5:00pm
Saturday: Closed
Sunday: 3:00pm - 9:00pm

(when classes are in session)

Exceptions for the year


 

 

Internet Explorer Exploits

Defects in the Windows Internet Explorer browser, some for which patches have not been available, have been used to install Adware, Spyware, and other malicious programs on computers visiting malicious or compromised web sites (or clicking links in e-mail messages that lead to malicious or compromised web sites). This installation may occur without operator intervention or notification once the web site is visited. Email messages containing links to malicious web sites have been generated by SPAM and worms.

Our security devices pick up dozens and sometimes hundreds of attempts daily to exploit Internet Explorer on computers connected to the JMU network. The security devices stop some of these attacks but not all of them. Home computers have no such protection leaving their security entirely up to the operators.

IE
Number of exploit packets. Number of involved systems is significantly less.

 

Risk Reduction Measures

It goes without saying that keeping a Windows computer up to date with patches, enabling the Windows XP firewall, and using anti-virus software is mandatory in these days of constant worms and exploits. However, even with these precautions, there is risk. Security related defects have been discovered in Internet Explorer features almost every other month for the past three years Note 1. Sometimes, these defects are exploited by people before patches are available from Microsoft to fix them. Updates, firewalls, and anti-virus software are generally powerless to prevent a compromise via a new exploit in such cases. Malicious web sites, compromised web sites, and links to such sites in e-mail and instant messages can result in instant compromises of visiting computers to install spyware or worse with no action on the part of the visitor.

The following steps are offered as options to further reduce risk. People operating computers accessing sensitive data, elevated privilege accounts, or applications attractive to the criminal element, such as electronic banking, may want to pay particular attention.

  1. Avoid clicking links in SPAM and other untrusted, unexpected, or unusual e-mail messages. Unfortunately, its easy to make a mistake, hard to determine trustworthiness of a message, and sometimes even trusted web sites get compromised.
  2. Avoid untrustworthy web sites. Pornography sites in particular seem to be using exploits to obtain information about visitors (email addresses seem popular) and/or install malicious software on visiting computers. Unfortunately, its easy to make a mistake, hard to determine trustworthiness, and sometimes even trusted web sites get compromised.
  3. Perform day to day operations, particularly web browsing and email reading, using an unprivileged account which will restrict the ability of malicious web sites to take over your computer. Do not use the Windows 'Administrator' or 'power user' account or a Windows account that is a member of the administrator or power users groups for day to day use. This decreases the functionality available to malicious programs or exploits you may encounter and the repercussions of accidents. This is particularly recommended for shared or unattended computers or those used by children. Instructions for Windows XP. Instructions for other Windows operating systems on University of Texas web site. More detailed information:
  4. Disable scripting and other browser functionality that increases risk. If using Internet Explorer, you can do this selectively allowing trusted sites to have more functionality and control over your browser than untrusted or unknown ones.  This will prevent exploitation of most defects, patched or unpatched. It may also, however, reduce convenience or functionality.
    1. Microsoft Safer Browsing Instructions
    2. JMU Instructions with more details and screen shots
     
  5. Configure your email client to display email in plain text. This reduces functionality available to malicious messages.