Corporate Servers Spreading IE Virus [Updated]

uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?

yes

http://www.mozilla.org

Re:yes

http://lynx.browser.org/ -- I've yet to see an exploit that's affected me.

Re:yes

I've yet to see an exploit that's affected me.

Perhaps, you've heard of them. It's an affliction called frames.

Re:yes

Perhaps, you've heard of them. It's an affliction called frames.

I've heard of them. I've also heard of tables. This is why I use Links [mff.cuni.cz]

Re:yes

Up from the depths,
Thirty storeys high,
Breathing fire,
His head in the sky,
Mozilla! Mozilla!

(with apologies to the 1980s cartoon)

Re:yes

Hehe, maybe they should have called Firefox Mozooky instead!

Re:yes

Up from your swap
Thirty megs in size
Leaking memory
Thrashing your drive
Mozilla! Mozilla!

Re:yes

http://www.mozilla.org

Two things:

1. Don't use an account that has elevated priviledges.
2. Don't install the latest security patches for I.E. 6.0.

The article mentions that the exploit takes advantage of the recently announced vulnerability in I.E. that an advertising company was exploiting. My testing of this vulnerability revealed that it would be unsuccessful if you didn't use a priviledged account. And oddly, at least with the previous exploit, the code wouldn't run until I installed the latest security updates. A generic install of Windows XP or one with SP1 didn't appear to work. Odd.

Re:yes

real hackers browse the web with "telnet www.whatever.com 80 [return] [return]" :-)

Re:yes

Yeah, but remembering the cookies is a pain in the butt.

Re:yes

...you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or... Or... you install stand-alone software (Mozilla), change several settings in Mozilla and in windows to get it customized as much as IE was and as your default browser. You realize by using Mozilla, some sites written for IE (*cough*banks*cough*) may function improperly. And of course, no matter how many settings you change, they will always stay broken. That's a whole lot better.

Now, I kid. I'm using Firefox right now. I'm just saying that switching over to FF or Mozilla isn't just a cross-your-arms-and-wiggle-your-nose switch. It takes a lot of work, less work than doing all that to IE.

Re:yes

Why, who's that informing? This is slashdot you don't think anyone has heard of mozilla? Now that's funny!

Mozilla Backup!

Mozilla Backup [jasnapaka.com] is what you need. It can be used to easily transfer a profile from one machine to another. (Supports Firefox, Thunderbird, and Mozilla)

Re:Firefox

Thanks fot the link, I've been meaning to switch from IE for a while now. Firefox looks neat, it's small and imported the bookmarks and history from IE. Easy. It also imported the saved passwords on my computer (I rarely use this option but still). Leading to a slightly offtopic and pretty stupid question: If Firefox can easily import my passwords, can't every adware and such also "import" them and send them anywhere?

Re:Firefox

If Firefox can easily import my passwords, can't every adware and such also "import" them and send them anywhere?

I would think so.

Here is the question to ask yourself. Does the program that stores your passwords require any input from you to retrieve them (such as a master password). If so, you may or may not be safe - depending on how the master password is implemented. If not, you are definitely NOT safe. The passwords may be encrypted, but the key is somewhere on the hard drive otherwise IE couldn't make use of them.

If there is a master password then it could be used to encrypt your password database, which would probably make it fairly safe if the crypto isn't broken. Then again, it could just be stored as a hash on the disk and the passwords could be stored in the clear.

Bottom line - if the computer doesn't need to ask you for a password to access data, then spyware potentially doesn't either. Sure, things like sandboxes can protect some data from malicious apps, but they generally aren't perfect. Strictly speaking, neither is a passphrase since it doesn't have all that much entropy.

If you really want to be secure, store your passwords encrypted using strong crypto, and store the key on a smartcard protected by a PIN. To defeat that requires the smartcard at the very least, and unless you can hack the hardware it requires the PIN as well. Most decent smartcards will delete their keys making them useless after so many failed PIN attempts.

If iButton support was a little more mature on linux I'd probably start using it. You should check out their Java ibuttons - sounds like a neat solution for these kinds of problems. And they're pretty cheap.

Wonder How Microsoft Will React

And I also wonder how many people will actually heed the call and switch their browser.

However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.

Re:Wonder How Microsoft Will React

You mean like CNN [cnn.com]?

Re:Wonder How Microsoft Will React

You mean like CNN?

A quick scan of that article and I couldn't see any mention of using an alternative browser, just the usual "update virus checker, etc"

We need these sites to push the idea of Mozilla to the masses

Re:Wonder How Microsoft Will React

Quoth the poster:

We need these sites to push the idea of Mozilla to the masses

And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

What is needed is for people (Slashdotters???) who provide "level one" tech support to family and friends to do what I did on my fiancee's computer about three weeks ago.

Her installed IE would crash while launching and ask if she wanted to send an error report to MS. I ran ad-aware on her box and found about a dozen "browser hijacks" in amongst all the malware cookies, etc. I removed them, removed all the "Shortcuts to IE and Outlook Express from her desktop, installed Firefox and Thunderbird (along with the AdBlock and Things They Left Out extensions and a theme she liked), then made sure they were set as the default browser and mail program. Next I imported her Inbox from Outlook Express into T-bird. Finally, I turned on pop-up blocking and showed her how to use AdBlock to block ad servers.

She's been happy as a clam ever since. To quote, "Getting on the 'net is fun again."

Don't ask the media to do our job for us.

Re:Wonder How Microsoft Will React

> And just WHY should CNN, or any other news service, "push" one
> product over another? What possible interest could they have?

Rhetorical questions, both. Historically, the media frequently takes positions on all sorts of things. Your questions imply that they don't.

While I share you enthusiasm for a grassroots process of replacing bad software with good software, historically, the evidence that suggests that this might actually happen is pretty poor.

Almost every non-technical person that I've met doesn't care about any of this stuff. In fact, if they did not suffer from viruses and pop-ups and spam and trojans, they would worry that something is actually wrong with their computer.

--Richard

Re:Wonder How Microsoft Will React

And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

I don't think they should push one product over another, but I would love to see them identify the product & vendor of the vulnerable software. Too often these stories are very generic, saying that the virus infects your computer when you visit a website -- whereas they should say that the virus infects Microsoft Windows(tm) when you use Microsoft Internet Explorer(tm) to visit a website.

In addition, rather than saying that you should just keep your anti-virus software up-to-date, they should offer the useful tidbit that the virus could also be avoided by using alternatives the vulnerable products. They don't have to mention Opera or Mozilla. They don't have to mention Linux or MacOS X. Just let the users know that there are other things they could do beyond paying Symantec (et al) for a more recent anti-virus package.

What's possible interest could they have in doing this? To inform. That's a novel concept for a news source, I know...but I'd still like to see it happen now & then.

Re:Wonder How Microsoft Will React

yahoo news had this [com.com] article from zdnet.
In this article, it says (towards the bottom)
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."

What I found somewhat funny was this quote (from NetSec's chief technology officer)
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now"
Does that mean he forsees a time in the near future when this kind of problem will go away? I don't.

Re:Wonder How Microsoft Will React

If we had three major browsers - IE, Moz, and Opera, any given exploit wouldn't have the same impact as an IE exploit does now.

Re:Wonder How Microsoft Will React

>> And I also wonder how many people will actually heed the call and switch their browser.

Very very few. I've got firefox installed on my family computer. Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

However, while Mircosoft are normally very good at patching these secuirty faults, this time they have totally failed. The blame doesn't rest with stubborn users who refuse to switch. The blame rests with Microsoft's inability to provide a patch in time.

Once they do supply a patch, it will then turn into the case of a supid user who doesn't patch. (and my server's apache logs show this, I'm still getting attacked by Code Red from infected servers who have not been patched).

Hopefully Microsoft will adapt to the pressure created by the users not being happy with the situation and release a patch.

Then again, looking at the age of IE and the number of requests to make a better version added to the time its taken them to respond, I'm stating a pool for those who want to bid on the release date of the patch. All dates start from 2005 onwards...

NeoThermic

Re:Wonder How Microsoft Will React

Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

If you would be so kind, I am really curious what the reasons were.

What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla."

I have had no people complain or ask to have the "old" version back. In fact, the only thing I have heard is praise ("It's so fast", "I don't get pop-ups anymore", etc).

I've done this for about 60 users (45 computers), so far.

- Tony

Re:Wonder How Microsoft Will React

You can change the name of Firefox completely with Firesomething [cosmicat.com] - although I use it primarily for the random comedy names.

Go, Mozilla Firebadger!

The best "Fire-" name?

Surely it has got to be:

"FireBillGates"

tough love

this is just generic, I don't know your familuy situation exactly, but for what it's worth,the advice is to stop fixing their computers and let them drag the boxes to the shop and pay for it to be cleaned. I'd say in a business situation the same thing if that apploies to anyone else. The concept is stolen from the way the experts advise to deal with a family member who is an addict to booze or drugs, called "tough love". Right now you are acting like an "enabler" by fixing it when it gets hosed, leaving them with the impression that "it's not that bad", when it really IS that bad, they can't see or admit to the elephant in the living room, so just stop being an enabler.

Re:Little things

Honestly, I've not really made the switch myself. The main reason is actually kind of petty, hotkeys. I've become very used to things like shift-clicking a link to bring up extra pages or hitting ctrl-enter after typing in a word to add the http://www. and .com to it. I've been working with IE for long enough that it's second nature to use those keys. Yes, I'm sure that other browsers have ways to do these things, but one gets used to not having to think browsing the web, so learning new keys feels like a fair burden.

I wont comment on your other problems with switching. But you could at least try these things with FireFox. As it turns out both of those hotkeys do exactly the same thing as IE under FireFox. Just tried it with 0.9.

Re:Little things

IE works.

Well, the fact that you can become infected with a trojan simply by VISITING a web site, with no user interaction at all required, tells me than NO, IE does NOT work.

But that's just a reflection of my personal criteria for whether or not something works.

Re:Wonder How Microsoft Will React

Kind of a shame that you have to lie about what browser you're installing for them, don't you think? In the long run you're doing a disservice to the Mozilla folks by passing it off as IE, not to mention downright deceit to the user.

A much better approach would be to sit down with the users with both browsers, and surf to good and bad sites with both to demonstrate the differences.

Re:Wonder How Microsoft Will React

Oh yeah right. Like my friends and family don't think I'm *enough* of a loser.

Now I'm supposed to sit down with them for a "face-to-face" about two browsers which are *identical* from their point of view?

"Susan, come here for a minute."

"Why? I've got to go in 10 minutes, I'm really busy."

"No this is really important."

"Oh okay"

"I wanted to show this web browser"

"Yeah, explorer, so what?"

"No!!! This is FIREFOX!! AN ADVANCED OPEN-SOURCE WEB BROWSER!! MUCH MORE SECURE!!!"

"It looks like explorer to me."

"Well, it LOOKS like explorer but it's better. Look here, this is etrade.com, it looks just like explorer right? open source rules!"

"Uhh, yeah, it looks exactly the same to me. Well don't mess up my computer I have to go."

"WAIT!!! If there had been a virus there on etrade.com you WOULDN'T HAVE GOTTEN IT!! ISN'T THAT AWESOME!!!!!!!!"

"You are such a loser."

Re:Wonder How Microsoft Will React

"What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla.""

So the only recourse to introducing the new software is to *trick* people into using it? Doesn't sound like a very effective (or fair) argument.

Okay, just this once:

regedit.exe
Open HKEY_CLASSES_ROOT\http\shell\open
Remove the "ddeexec" subkey (subfolder).
Go into the "command" subkey (subfolder).

Change the (Default) string to this value:

"C:\path\to\mozilla.exe" -nosplash -url "%1"

Make sure to use the full path to mozilla or firefox. Also, keep the quotes.

To test, go to the run menu and type in an http:// URL. It should pop up a new mozilla window to the webpage.

Do the same thing for HKEY_CLASSES_ROOT\https and HKEY_CLASSES_ROOT\ftp to get the HTTPS and FTP protocol handlers as well.

Mail (mailto: links) is a little trickier. Use this guide [toast.net] for assistance.

Re:Wonder How Microsoft Will React

The problem is that most people think that that Blue E == The Web == The Internet. E.g. many don't see they're also using internet when they're e-mailing. When you say "I'm gonna remove IE and give you firefox.", they think "He's gonna remove my internet access for some fire security reason! Ahrg!" They somehow just can't grasp what the internet is. What they see is the web, therefore they assume that the web == the internet. To start 'the internet', they click the blue E, therefore they assume that the blue E == the internet.

Somehow you've got to educate those people that The Internet != The Web != Blue E. Now you're just abusing their primitive assumptions. ;)

Re:Wonder How Microsoft Will React

>>Why not?

Its fairly simple where the blame lies here. With Microsoft. No matter how you view it, by not providing a patch, they are the ones to blame. If there was a patch avalible, then yes, blame the users.

If its still hard to see, consider this.
Say a car had a problem by which it would be easy to break into even when locked, without any signs of breakin. You would *expect* the manafacture of the car to recall all the cars and fix them. If they didn't then the blame (and possible lawsuits) lie with the manafacture.

Its the same with this instance. You would *expect* Microsoft to release a patch ASAP. They haven't and thus the blame lies with them.

NeoThermic

Re:Wonder How Microsoft Will React

I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

I'm a long time IE (then myIE2) user and have just moved to Firefox. Some of the things as a long term IE user I dont like is:

1. The default theme is horrible. After some digging I found Qute which is far nicer on apparantly used to be default. Why they changed it is silly.
2. The installer has a checkbox for recommended plugins, but it isn't active. Probably due to it being less than version 1.0. I think that when it does become active it should be on by default. It is worth noting that although geeks love plugins, the normal user is somewhat slightly less ameniable to the idea (especially when the plugin is considered "essential").
3. The settings aren't very newbie friendly. I found i had to take a lot of time setting it up. There are settings hidden away that I have to use "about:config". I should never have to do that - especially not for the ones which aren't completely obscure. It kind of reminds me of Linux (firefox) vs Windows (ie). One is more powerful and customisable, but you have to work a lot at it to get it the way you like. The other isn't, but comes with basic settings that 80% of users are happy with.
4. Error messages in browswer is not on by default. Why not? Why is the setting hidden away? 1995 is not calling. Lets move on.
5. The button bar has about 4 buttons. I don't think it's too much to have, by default, new tab, back, forward, stop, reload, home, bookmarks, history, print and downloads. Power users can remove them, beginners will be fine.
6. Google search by default takes you to the "I feel lucky" page. What was wrong with the normal search?
7. No good support for IE favourites. No wizard, for importing, no ability to automatically detect them (I had to export then from IE and import), no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!
8. Still can't work out how to make shift-click open into a new tab. One extension will allow this - but it doesn't work with the (practically essential) tabbrowser extensions.
9. Loading times are slow. A splash screen that indicates it's loading would be nicer than sitting looking at my desktop wondering if I really did click the icon. Or faster loading times. But there is no option in the config for that. Looks like i'll have to dig again.

Having said all that though:

1. There is some neat functionality both with and without all the plugins. Although having said that I have no idea what the neat plugins are. It's often a case of pick what looks good and go for it.
2. The adblock extension is very good.
3. I like the way I can put folders into the links bar and they drop down with my websites. Especially the open all in tabs.

Now I'm sure I'll get 50+ posts of people telling me that I'm dumb, if I do x, y and z then I can get this, I just need to edit a file, I need to install this plugin, etc.etc. but the point is that I shouldn't need to post complaints to slashdot to get the answers, nor should i need to surf the web, use google or anything else.

Nothing I've asked for is particulary difficult, it just makes migrating less painful.

But yes, Firefox is very good. Got a few rough edges in the userbility department, but very good.

Importing Favorites.

Importing Favorites is easy.

Either let it import them during installation (it will prompt you), or go to the File menu and click on Import...

I'll assume you're having just a bad day. ;)

My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.

Re:Importing Favorites.

My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.

It's not too obvious or intuitive. Go to Tools->Account Settings->[Your Account]->Composition and Addressing and de-select "Compose Messages in HTML Format" (This is for Thunderbird 0.7). I don't know why they put it here and not with the rest of the Compose options under Tools->Options. Oh, well.

Re:Importing Favorites.

Quoting the Parent:

no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!

--
I think this is the big issue here, IE is tied to the OS in many ways and bookmarks are one of them. Its not as easy as simply importing. The replacement browser should provide the neccassary hooks so that the OS can get at the bookmark list and use it as neccassary.

Re:Wonder How Microsoft Will React

Some responses:

1. This has been debated to death by Mozilla fans. Just give it some time, or download another theme.
2. Extensions will be included in 1.0, I think. But there's nothing really missing for someone switching from IE; most extensions are icing for power users.
3. I find Firefox settings very nice for a beginner/someone switching from IE. If you need to dig into about:config, you're not a stereotypical user.
4. Because they are not working right yet. Check bugzilla if you want to know the details.
5. This, I agree with. I'd remove all the buttons immediately, but for people coming from IE, it would be useful.
6. No idea, I have a keyword ('g') set up for google searching.
7. Here, you're just wrong. The installer asks on install if you want to import settings from IE, and I believe there's also a menu item to do it later.
8. That's because shift-click saves a page. Try ctrl-click.
9. I find it is instantanious on my 900 MHz Athlon, but this depends a lot on your computer. For me, it's the opposite: IE draws the window borders, then sits there for a few seconds before I can do anything with it. And Firefox still speeds up with each release.

In short, you don't sound like a typical user; you're more likely a power user, and as a power user, you're expected to dig for a few options. Otherwise, the options dialog would be too overwhelming.

Re:Wonder How Microsoft Will React

"and even gone to the point of deleting IE"

May I ask why? Your users (family) are obviously telling you something: they don't like your solution. In addition, if you're actually deleting IE (not just removing the icon) you're probably breaking a lot of apps like Norton Antivirus that requires the MSHTML.dll (among others), making things worse.

Always make new software an option, not "trick" the user or remove their old software. Explain the reasons for the change and the benefits of the new software. If they don't find any, obviously your argument doesn't hold as much weight as you thought it would.

I thought ZD were MS shills

I have thought for years that Ziff-Davis were Microsoft Shills. [I don't mean all MS software is bad, I just mean Ziff-Davis seemed impervious to facts in their reviews]

If ZDNet is saying to stop using IE things must be bad.

I have tried to depart from IE 2 or 3 times but failed. As soon as I type this message I make the move for good. Hello Mozilla.

Sam

Re:Wonder How Microsoft Will React

Microsoft will always react by protecting their interests. If it's in their best interests to fix it quickly, they will. It it isn't, they won't.

Who I am beginning to hope will start to react to this kind of thing is our governments. As we depend on the WWW/Internet for so much of our daily lives, I think it's time for a summit to be called about improving the state of "Information Superhighway". This particular highway is beginning to look like one of these roads you hear about in Afghanistan where you can't get from point A to B without something nasty happening.

What we need is a solution to the monoculture of Microsoft and not just another fine (like what recently happened with he EU) that MS will just write off in their next quarterly statement. We need them to skip the fines and simply say: Fix your crappy software or we will shut you down. It will never happen, of course.

Re:Wonder How Microsoft Will React

>> Well the simple solution is, unless you're into just microsoft bashing, is to PATCH YOUR SYSTEMS.

That would work, but the article states that there are no patches as of yet for these two secuirty holes...

From the article:

"The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed."

NeoThermic

Re:Wonder How Microsoft Will React

Once again it's UNPATCHED USERS who are having problems

Not sure what article you are reading (maybe it's changed?).

This one [com.com] (from ZDNET, which is the one linked to in the story) states:

"This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch."

FUD ?

They don't mention that much names.
I however think that besides nda policy or whatever, they should give the names of the sites that should be avoided for security reason.
I'd personally advise the corporate DNS maintainer to redirect these to somwhere safer.

Don't Forget Opera

Opera [opera.com] also offeres a very decent alternative to both IE and Mozilla/Firefox.

What's it going to take to make people switch?

I think I'll just have to be content that great browsers like Firefox are available for me to use, because obviously the masses are never going to be interested.
With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!

Re:Education

You got it. Feel free to distribute this email widely. Use it as much as you want. You dont even have to give me credit.

--

Okay, here we go.

First, you need to download a decent web browser. The #1 cause of all that spyware is Internet Explorer allowing websites to automatically install things. (its from all that porn browsing you do.)

Try firefox. Its only 5 megs to download, and its the most simplistic web browser available. You will get no popups. Its very popular, even among non-computer-obsessed folk. My mom uses it.

http://ftp.mozilla.org/pub/mozilla.org/firefox/r el eases/0.9/FirefoxSetup-0.9.exe

Now, I assume you are getting wacky popups and stuff, even when not webbrowsing.

You need to install some spyware killers.

I reccomend Spybot and adaware. These two are will rip through your pc, killing spyware dead. Blam. It may kill some software you like, but its for the better. There will be something out there that can replace anything you have to get rid of. Oh no, no more gator cursors. Whatever. Deal with it, or dont get online ever again.

http://www.safer-networking.org/index.php?page=m ir rors - for spybot. VERY high traffic here, so be warned.
http://www.lavasoftusa.com/software/adawa re/ for adaware.

If those sites arnt working, you can always try "spybot download" and "adaware download" in google.

Then, on top of THOSE. (I know, I know) You need to run a virus scan proggy. Try AVG, its free and better then McAffe
http://www.grisoft.com/us/us_dwnl_free.php

and last, but almost definitely not least, Windows Update.

Open up IE (you have to use IE for this) and go to www.windowsupdate.com Have MS scan your computer and install all the security stuff. Then reboot. This may take a long, long time, but it is the most crucial step.

comprehensive enough? :)

--

This could finally be it

The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.

But as bad as this may be this might also mean that finally more and more people and institutions will come to the conclusion, that a global infastrcuture depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.

Re:This could finally be it

The disaster we all knew was going to happen.

Nope, the disaster hasn't happened yet. When it happens, the economy will collapse and what's left of Microsoft will be hauled before court. The FBI or some other government body will use its existing evidence to show that Microsoft knew about the risks posed by its monoculture OS/desktop yet failed to take the necessary measures to protect consumers and businesses. It will be a grey area but it won't matter, since mainstream IT will be shattered. The nerds will rebuild, and will be filthy rich. Women will throw themselves at us.

Re:This could finally be it

The nerds will rebuild, and will be filthy rich. Women will throw themselves at us.

This implies that all nerds are men. Or lesbians.

one thing I never get...

...that enough people buy spam goods to pay for organized crime.

What really happens...

Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.

Re:What really happens...

This isn't a new technique, I remember the web development agency I worked for a few years back being caught out by a similar effect. A co-worker took some work home with him, and his (unpatched, unfirewalled, broadband-connected) IIS installation was infected. When he synced up with us the next morning, he infected about two hundred websites, some of them were very high profile. Hundreds of thousands of users were exposed.

It was a stupid company, and I was always trying to get them to change policies that let things like this happen. When we started getting phonecalls from clients about this, the owner blamed stupid kids with too much time on their hands, and said we had absolutely nothing to do with it, couldn't be blamed, etc. All our clients fell for it, hook line and sinker. I think the owner had himself convinced by the end of the day (he was the type that refused to accept he was capable of screwing up).

It's a sad state of the industry that we were responsible for infecting thousands of people and we got away with it scot-free.

They won't list the sites

This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?

public health comparison?

Replying to my own post: :)

If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.

I know the analogy isn't all that great, but it's the best I can do right now. :)

Re:public health comparison?

If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.

Oh, you'd not only have people wanting to go there, you'd have people determined to go there (whether just to "test their mettle" or because they're crazy or just stupid or whatever), and the authorities would physically block access to the site by closing roads and posting armed security personnel around the perimeter. That's what's missing with the internet: a truly controlling authority with rapid response capabilities to answer "emergency" calls such as we might expect to come in to the local 911 switchboard, plus the ability (and willingness) to quarantine "sites" that pose a potential "public health risk" to the rest of the 'net. That's both bad (from a potential-victim standpoint) and good (from a personal liberties standpoint), but there's got to be some middle ground better than just running the internet "WFO" and depending on the good nature and virtue of the general public.

Because it would make me ANGRY

WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one.

They are probably not listing the sites in order to prevent (or minimize) a consumer backlash from consumers againts the sites and then a subsequent backlash from the companies against Microsoft. I tell you what - if I found out that any of my banks were irresponsible enough to be running infected servers like this I would immediately move my accounts elsewhere. I'd also be very eager to participate in any class action lawsuit against said institutions. If you don't know how to drive you stay off the road. If you don't know how to keep your servers secure, stay the hell off the Internet. My banks have a fiduciary responsibility to protect my money and if they are knowingly running an infected server, I would consider that a breach of their responsibility, and I would hope that the courts agree. This is like a brick and mortar bank keeping money and records on location when it knows that the locks on the doors don't work!

Re:They won't list the sites

Nope, I think the real reason is protecting the businesses.

Even if the sites' admins had aleady removed the infecting code, a "dangerous sites" list like that would likely prevent many potential visits to the site for weeks to come.

RTFA "To prevent further abuse"

Ok, the article states: To prevent further abuse, the list is not published. The exploit is server side, not client side according to reports. Admins of the servers must have been warned and hopefully have cleaned the server already by now. So the public at large is not under threat from their high-profile site. Then not publishing the list is logical under the following reasoning.

What if it is a Zero day exploit on IIS. There is no fix yet. Admins are struggling to clean the servers, but have no clue if what they did to prevent whatever is going on, actually works. Criminals all over the world will be searching for clues on what the exploit is and will want to actively exploit it as well. We don't know what is going on, so it might be possible to put a nice little rootkit undetectible on the server and later use it for interesting purposes. By not naming the sites they are putting an extra, albeit thin, layer of protection around the sites. The list of websites for criminals to target, will be much longer than it could have been if each and every site that was affected would be named on the internet. Most sites are (hopefully) clean right now, so the public is not at risk, but until we know what goes on, the server sure is.

Security Advisories

US-CERT [uscert.gov] and Internet Storm Center [sans.org]. Less talk, more information.

Opera? Firefox? IE.....hell no

I know its not fashionable around these parts, being closed source, but Opera (www.opera.com) really is the bees knees. On my machine it renders faster, everything is snappier than mozilla/firefox and has more features than you can shake Darl Mcbride at. Its not free, true, but costs about the same as a pop-up blocker for Internal Exploder Plus, Operas built in mail client is wonderful Not that Im badmouthing firefox, I have that too, I just like Opera even better

Hmmm....

I've always wondered how my coworkers who "only" go to major sites like Yahoo and Ebay, pick up all sorts of spyware and adware.

Re:Hmmm....

Yeah... But that's also the excuse I get when I have to clean off XXXToolbars that has infected their computer.

"I swear, I never go to those sites, only the major ones."

This just in...

It has just been brought to our attention at the root of the problem this site [microsoft.com]

Ask Microsoft

http://www.microsoft.com/security/incident/downloa d_ject.mspx

Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propogating, and that (contract to /.) that a patched PC is safe.

Hello? Use Firefox!

Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.

But How Many People Will Switch?

My dad had horrible spyware gunking up his PC at home. (Which he bought against my recommendation of a Macintosh.) I used my limited knowledge of spyware to clean it up, and told him to use Firefox. Next week, the default browser was back to IE. I changed it because I thought Windows had done something. The following week he told me "I don't want to use Firefox. Nothing works in it!"

He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.

Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.

And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.

How to kill it

I think this is the one I caught at work.
No security restrictions in IE will stop it.

I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7xx .html
There's a reason that this one isn't a link. ;)

I killed mine like this (Windows 2000):

Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\Sys tem32\Automove.exe
C:\Winnt\System32\Trans.exe

And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo ws\Curr entVersion\Run
[Adstartup] C:\Winnt\System32\Automove.exe

Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.

Infected ferociously

I was wondering where I got this from. I spent 4 hours removing Malware from my computer the other day. Since I don't tend to visit pr0n sites at work, I had know idea how I was so badly infected until now... Ad-aware, spybot, and Nortons did not find the evil software. My process list was filled with MANY unkillable process with random names. Every time I killed one, it would start again with a new name. I found the executables on my drive and deleted them, they would RE-CREATE themselves!! Also, it looked like one of the installed viruses(?) would download new Malware! I was wondering, is this a virus? is it spyware? It was hard to classify as far as I could tell and it SUCKED.

I call bullshit

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

I don't buy it.
If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
The whole thing stinks of FUD tactics, and the last line in the article seals it for me:

NetSec's Houlahan advocated drastic action.

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.

Puleeeeeze

--

Undisclosed sites?

WTF is that? So it can infect the rest of the world?

This reeks of criminal negligence IMHO, they know of a crime, and they wont tell how or who will do it to you..

"/Dread"

not detected by AV software?

This "virus" is not detected by antivirus software, according to the article. Does anyone know why? I run eTrust on my IIS boxen. (yes, I have a few, no I didn't put them there, no, they shouldn't be there, but our dev team wants ASP) Etrust is a fine product, but supposedly this offending code isn't detected. That bothers me a little, but this leads to another question.

Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.

Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?

How to tell and Fixes

According to M$ [microsoft.com], if you've applied the update [microsoft.com], then you're OK.

The Internet Storm Centre [incidents.org] has good information about what will be on your box if you're already infected.

One reader (thanks, Ben!) submitted a list of files found on his compromised IIS server. The files he sent us included: Code snippits.doc iis6xx.dll (multiple copies, where xx varies) iis7yy.dll (multiple copies, where yy varies) Download_Ject_Symantec.doc ipaddress.txt issue.csv ads.vbs agent.exe ftpcmd.txt security_log.rtf

I think they're in \winnt\system32\inetsrv

Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead?

Re:what sites are infected?

So does anyone know what sites are infected? I'm sure most of us would like to avoid them...

Avoid them? Hell, I'd start by blocking them on my web proxy immediately until I get the all clear. We've got thousands of desktop users running IE. This could get nasty.

Liability of sites that recommend IE?

So many places say "this site best when viewed with IE." IANAL, but it seems irresponsible for a site to recommend IE, especially if site handles sensitive materials such as financial services or downloadable software. If IE includes known vulnerabilities, can sites be held liable for making that recommendation?

Any thoughts from the more legally minded amongst us?

Is it an IE only exploit?

The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT [uscert.gov] and Internet Storm Center [sans.org] only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.

My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.

Re:Is it an IE only exploit?

In Real Browsers javascript is sandboxed and it cannot do anything harmful. This thingy uses javascript to perform IE-only exploit.

Re:Is it an IE only exploit?

Javascript is sandboxed in IE, too. The problem is, the IE sandbox leaks...

Another nail in Javascript's coffin

It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.

Javascript menus and first pass form validation, anyone?

Re:Another nail in Javascript's coffin

I *always* try to develop web sites that work with javascript disabled. It isn't always easy to make this coincide with client requests, but you can usually do it (even if you have to have a no-js version).

I've worked in an environment before (a corporate centre for a major UK bank) where javascript was stripped from downloaded web pages at the firewall.

Microsoft's Response

What You Should Know About Download.Ject [microsoft.com]

I'm so happy

...that my mother has been running Gentoo on her desktop machine for three weeks now.

Just yet another "security" problem than I won't have to care about. Ahhhh.

Do your part

Help more people switch to mozilla/firefox. Mozilla hacker Blake Ross has started a weekly brainstorming effort for firefox marketing ideas on his weblog [blakeross.com]. Go thither and chime in. I just did.

I believe that this all goes back to...

...the uneducated user. Let's face it: the internet has been sold as this great tool and all you need to get on it is a PC and a phone line, cable, or whatever. If you preach the need for basic education, you are some kind of geek (how often have you heard, "I don't want to know all that, I just want to get online!") and if you make even the slightest suggestion that some people just don't belong online due to their own lack of common sense, you are some kind of elitist (try telling people to use the BCC option of their e-mail client instead of CC'ing everyone in their address book and see what kind of reaction you get). As a previous poster said, it is, once again, unpatched systems that are causing the problem. And here's the chorus now, "I didn't know! No one told me! It's not my fault!" And we, of course, will pick up the pieces.

Can anyone tell me how to develop for Mozilla then

I really wish I could switch to Mozilla (ok, Firefox). My co-workers are switching to Firefox. My users are switching to firefox. But I can't, because I have no idea how to implement my pet project [jbrowse.com] as a mozilla-type plugin.

All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??

PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.

Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.

I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.

Re:Can anyone tell me how to develop for Mozilla t

I don't know how to do it as the page loads but for performance you probably want to edit the page after it's loaded, so at least the user can see the images etc.

Basically: create an XPCOM component in C++ (if JavaScript or Python are too slow for you) which performs the computation. Mark your XPCOM interface as scriptable, use the typelib compiler to expose it to javascript then pass in the browser DOM so it can be edited by your component. Then write an extension to catch "page loaded" and pass the DOM to the loaded XPCOM component. I think that should work.

Re:Can anyone tell me how to develop for Mozilla t

Maybe it's not as you want is, but a similar plugin already exist: http://moji.mozdev.org/

Studying this source might be useful for your own project.

I had been infected.

I was infected by stratics.com They use a third party pop up ad services and one of the ads is what installed the malware. It installed Lycos and STI on my machine, plus other junk.

It ended up embedding itself everywhere in my registry. After an hour of deleting all registry entries and even uninstalling IE6 and then reinstalling it, My search section of IE was still Lycos and banner ads would show up in it.

The only option i had left was to format and reinstall micosux windcrap.

The exploit installs fun stuff

http://www.f-secure.com/v-descs/padodorw.shtml [f-secure.com]

Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently bit too succesful for it's own good.

What about this?

There's apparently a newly discovered exploit in IE that can compromise an IE user's machine THROUGH AN IMAGE ON A WEB PAGE.

So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here [eweek.com].

Re:What about this?

Hmmm... it seems the exploit is limited to denial of service, which isn't exactly serious. Essentially, windows appears to trust the calculated image size, and attempts to allocate a huge amount of memory.

Let's see Microsoft astroturf this!

First off, I note that this uses vulnerabilities in two of my most favorite pieces of software; IIS and IE. Two of the most security-hole laden software that Microsoft has ever released. Is anyone here really surprised?

Secondly, this puts the lie to the most common Microsoft trolls here every time a new virus/trojan outbreak occurs:
1. Viruses are spread by clueless lusers that click on e-mail attachments. No luser inteeraction seems to be needed here, just browse on by your favorite corporate web-site!
2. If everyone kept their systems patched, there would be no way that viruses like this could spread. Microsoft has known about the IE vulnerabilties used in this case for months now and still hasn't released a patch! To be fair, the article also says that Researchers believe that attackers [may] seed the Web sites with malicious code by breaking into unsecured servers, so an IIS vulnerability that has previously been patched might be part of the problem here, but that still leaves no excuse for the unpatched IE vulnerabilty!
3. Virus writers always use disclosed patch descriptions to determine how to write new viruses; none of them are capable of finding and exploiting vulnerabilties on their own. Note that the article says this may be spread by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server (IIS).
4. Up-to-date anti-virus software is sufficient to stop these exploits. The article says: the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software.

Nothing else needs to be said.

The Google Toolbar & Such

I can't operate without the google toolbar, which has no complete mozilla equivalent. There are many sites which people can't do without which use Internet Explorer. Many tools that work only with the browser. Apart from that, Firefox is the ideal browser at the moment.

Re:The Google Toolbar & Such

Google Toolbar:
http://googlebar.mozdev.org/

And please name a few sites that only work with IE.

what is it missing? (Re:The Google Toolbar & S

I can't operate without the google toolbar, which has no complete mozilla equivalent.

Um, what exactly is the mozilla google toolbar (http://googlebar.mozdev.org/ [mozdev.org]) missing that you can't do without?

Remember, it doesn't need popup blocking (Mozilla does that itself).

0-day?

I can't help but chuckle every time these come out because all I hear in my head is the line,"All viruses are created after the exploit has been announced."

Keep those 0-day exploits coming, boys.

IE was a great friend...

as I quiety tap the nails of the coffin.

Old news

In the the 2001 May Cryptogram [schneier.com], Bruce Schneier writes

I am regularly asked what the average Internet user can do to ensure his security...

6. Browsing. ... If at all possible, don't use Microsoft Internet Explorer.

11. General. ... If possible, don't use Microsoft Windows.

Mozilla switch starting?

Looking at the stats on my web site, which receives over 1000 unique visitors/day on average (and almost all of them are Windows users because I distribute Windows software)... here are this year's proportions:

Jan: IE 73%, Mozilla 12%
Feb: IE 76%, Mozilla 15%
Mar: IE 75%, Mozilla 16%
Apr: IE 75%, Mozilla 16%
May: IE 71%, Mozilla 19%
Jun: IE 71%, Mozilla 20%

And for some historical reference, in July of 2003 I saw: IE 78%, Mozilla 11%.

Why alternative browsers may not be possible

I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.

I'm not talking simple forms here, this for Foreign Exchange transactions.

Certificates, multiple passwords, encryption...all moot

Re:Why alternative browsers may not be possible

I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.

Sounds like your IT director has done a horrible job and should be fired.

You would have been much better off implementing that stuff in a browser agnostic, standards compliant way, using Java for any heavy lifting required.

How to configure Internet Explorer

1. First, install an alternate [mozilla.org] browser [opera.com].

2. Go to Control Panel | Internet Options | Advanced | Multimedia, and uncheck "Show pictures". (FDA warning: I have not verified that this setting prevents this image exploit from infecting your system, since I don't know of any infected servers. But it will at least force you to use the alternate browser we installed in Step 1.)

3. Switch to the Security tab, and move Internet into "high". This will disable most forms of scripting. However, It also disables the Windows Update site. You can add windowsupdate.microsoft.com to a list of trusted sites (it will give you the instructions when you try to visit it in this mode), but I'd be very careful with that, since I do not doubt that the Windows Update site is very high on the crackers' lists of sites to infect. (Wouldn't that be ironic?)

FWIW, I don't know whether setting Internet zone security to "High" disables the automatic Windows update feature or not. I'll tell you as soon as there's a critical update to be notified of.

NetSec's Houlahan advocated drastic action:

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Uh, use a different browser...remind me to never buy anything NetSec says (whoever they are)or sells henceforth.

Do NOT use Internet Explorer...

...if you want to be able to browse safely on the Internet.

That's the advice I give to my friends after I saw this page:
http://web.archive.org/web/20030603192725/http://w ww.pivx.com/larholm/unpatched/ [archive.org]

(too bad that page now no longer host that information :(

There are more holes in IE than a piece of Swiss cheese, and Microsoft doesn't seem to be concerned if that will cause you to be accused of collecting child porn [wired.com].

Full details of securing a WIndows workstation can be read here [harrysufehmi.com]. HTH.

Google provides a nice list of sites

http://www.google.com/search?q=%22217.107.218.147% 22&hl=en&lr=&ie=UTF-8&start=20&sa=N&filter =0 Personally I'd rather know the list so I don't get infected, but then again I use netscape so....

Mozilla/Firefox issues

OK, I've read plenty of "just use Mozilla" posts and backpatting here, but IMO we should be thinking about Mozilla/Firefox security as well.

True this particular exploit didn't affect Mozilla/Firefox, but it is certainly possible that something similar might in the future.

So, with that in mind, what new security features would help make Mozilla/Firefox even safer and better?

These come to my mind:

• A trusted site list to which I can easily add the current site, and indicate whether it can load images, run scripts and/or download applets.
• An option that will pop up a dialog asking for permission if an untrusted site tries to do any of the above.
• Some type of "zone" concept similar to IEs so that internal (company) sites can have more privileges than external sites.
• Capability of central administration and control (in a business setting) so that users can easily be protected from themselves in a business or large network environment.

Thoughts? Can some or all of this be easily implemented as Firefox extensions?

If Mozilla/Firefox is clearly a better, more secure solution, it will gain marketshare rapidly.

How ironic....

that the page for reading the responses included a large banner ad for Microsoft that claimed they take your security seriously and saying, "visit microsoft.com/it/security/IT today.

The solution to every web problem in Windows

Layers of protection.

Base: An up to date host file [mvps.org]. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
Second: Proxomitron [proxomitron.info]. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters [computercops.biz] to get rid of any sort of ad that slips through.
Third: Firefox [mozilla.org]. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
Fourth: In-browser plugins such as Adblock [mozdev.org], which probably won't do much to stop this particular problem, but are nice to have around regardless.

Okay

This news has now made front page at news.bbc.co.uk under the heading "People urged to avoid Internet Explorer until Microsoft fixes a serious security hole."

LISTEN UP Mozilla/Firefox/Opera people. Get your marketing divisions off their asses. You will most likely NEVER EVER get another chance like this. If you don't do something now, before MS responds, you deserve to to stay marginalised to the end of time.

Protect the Corporations from Further Abuse

>>"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

That's great an all, but what about protecting the users, which can mount to millions of IE users being infected, because they aren't willing to say..."This week don't visit: eBay, Bank of America, etc., etc."

I'd say its more important to protect the uninformed masses of millions of IE users that they need to not visit 25-50 websites for a week, or switch web browsers, then it is to protect those 25-50 websites.

Monopolies create their own competition

Monopolies, since they have no competition, drag their feet. They chug along at their own pace. But when they start having serious problems with their products, it's already too late. They have a cumbersome task of fixing them. The end result is customers seeking an alternative. Monopolies literally create their own competition due to negligence and lack of motivation. This holds true for Microsoft.

Re:MSN Search is infected

If that post [neohapsis.com] is related (msits.exe) then you have real shit going on when you get highjacked:

This popped up six windows which installed both the default-homepage-network hijacker and also some nasty stuff [...]

This crashed Windows Media Player and then it was overwritten with a small windows executable (I have it if you want it) - this was called wmplayer.exe and was in the Windows Media Player folder. The real Windows Media Player had been deleted. [...]

The next time a WMP media file was accessed the new wmplayer.exe file ran and installed lots of adware, junkware, spyware etc, etc. [...]

Now, I use K-meleon [sourceforge.net] and privoxy [privoxy.org] for 99% of my browsing and only switch to IE when I can't do otherwise.

AVG free edition [grisoft.com] sygate personal firewall [sygate.com] and Spybot seach and destroy [google.com] (site down) will complete your collection nicely. Might want to have a look at Hijack this [spywareinfo.com] and this tutorial [wizardsofwebsites.com] as well.

Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE [vim.org] gets ported to Linux, I'll swap ;-)

Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.