New Vulnerabilities in Microsoft Software Threaten Internet Users

Jun 26, 2004 05:25 AM EDT

Microsoft Corporation reported two weeks ago that two new vulnerabilities were found in the Internet Explorer browser. The two security holes allow malicious code writers to cause damage to Internet Explorer users on an unprecedented level. Within the past two weeks, web sites have been reported that infect users' computers with adware – a malicious program that serves targeted advertisements – when users simply visit the site.

This week, a new breed of malicious sites has appeared, threatening to steal sensitive financial information from unknowing internet users. The newly reported vulnerability lies in the Microsoft Internet Information Server (IIS). Because of security holes in that software, computer hackers have been able to break into several high-profile corporate sites and insert malicious JavaScript code. This code, coupled with the Internet Explorer security holes reported last week, allows the hackers to send sensitive information such as social security numbers and credit card information to their own servers without detection.

This new breed of digital information theft is the most recent in an escalating series of attacks by sophisticated hackers. Until now, many of the so-called ‘phishing’ scams – scams in which legitimate-looking websites steal your personal data – have involved mass mailing and detectable web page reproductions. The recent series of attacks targets sites that you would comfortably give your financial information to. Your information is then sent to the hacker’s email without a single detectable trace.

The Internet Storm Center is a group that monitors threats from security exploits such as this. On Friday, they reported on their site that “We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.” Sites that were compromised but have since been fixed include the Kelley Blue Book site, among others.

While Microsoft is working on patches for its server software and its browsers, Internet Explorer users have few choices left to battle this scourge. One of the recommended safeguards is to set the security options on Internet Explorer to the highest level. The problem with this is that many legitimate sites use the same scripting language as the hackers, and those sites may be impaired. Another, more drastic, solution is to use another browser. Because these attacks are Internet Explorer specific, users of the Mozilla and Opera browsers, or Mac users, are not in danger.

Brent Houlahan, Chief Technology Officer at NetSec, offered even more drastic advice: “I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now,” he said.