Friday, January 15, 2010

New zero-day vulnerability might sink IE

Is the end in sight for Internet Explorer?

Browsers such as Firefox, Chrome, Safari and Opera have all been slowly chipping away at the dominance of Microsoft's Internet Explorer (IE), as each seeks to gain the title of "world's most popular browsing software".

To date, although it has lost ground to its rivals, IE has remained the most popular browser in cyberspace (over 60%) -- however the writing may now be on the wall in the wake of the most recent vulnerability in Microsoft's product.

According to reports now circulating on the Net, it was a zero-day flaw in IE that enabled Chinese hackers to target Google this week -- an attack that ultimately saw the search-engine giant back out of an agreement to censor its content in that country.

The bug that allowed hackers to gain access to some users' systems affects versions 6 through 8 of IE on most versions of Windows (including XP, Vista, Windows 7, Server 2003/2008 and even legacy systems such as Windows 2000).

It wasn't just Google who fell prey to this concerted attack via the zero-day vulnerability though.

Some 30 hi-tech companies throughout Silicon Valley were targets, and big names such as Grumman, Dow Chemical, Yahoo, Symantec and Adobe were also in the hackers' cross-hairs.

The effect of the bug was to allow a hacker to seize control of a computer if the user encountered a suitably crafted webpage loaded with malware that exploited the hole.

Unlike many previous attacks based on a zero-day vulnerability, this one seems to have been extremely well organised and precisely targeted at individuals and organisations that were known to have significant amounts of "high value" data on their systems.

Microsoft has acknowledged the bug, describing it as taking advantage of an invalid pointer reference. Unfortunately, despite the magnitude of the problem and the fact that it's already being widely used to launch attacks, no date has been confirmed for the release of a patch.

Given the scope, sophistication and (in some cases) the effectiveness of the attacks that were based on this browser bug, I suspect that many IT managers who haven't already opted to ditch IE in favour of another option might well be spending the weekend weighing up the pros and cons of Microsoft's browser offering.

Of course, switching to an alternative may provide, at best, only a temporary respite from the exploitation of such vulnerabilities.

No software is perfect and there are some who claim that IE receives more than its fair share of bad press simply because it is the largest target in the market. Whichever browser takes IE's crown will then become the primary focus for the attention of hackers and malware purveyors -- so will anything really change?

Such a move will certainly represent a huge challenge for the creators and maintainers of Firefox, the most likely candidate to wrest the crown from IE.

As the Chinese would say -- we live (and browse) in interesting times.
