The tech media is playing up a long existing hole in Internet Explorer as a threat and in truth, there are apparently some attempts being made to exploit the hole.

Look at your browser window at the bottom right... you should see "Protected Mode: On". If you don't see this... fix it in the Options control panel. Protected mode will keep the exploit from occuring.

There is a lot of hype about holes in the various browsers and in fact the unscrupulous are looking to work their nefarious tasks through executables hidden in advertising and pictures. Simply accessing a web site can be all you need to do to become infected.

Protecting yourself by installing all operating system patches, keeping an up to date antivirus program installed and using either a software or hardware firewall is a requirement these days. If you use Windows, Vista is far more secure than XP. If you are a Mac user you have less to worry about, but know that recently two exploits were discovered that were targeting Mac's specifically.

Servers hosting these infected web sites are freuently located in the Far East (China, in particular) but even a legitimate web site can be infected. Hosting services and webmasters have tools designed to root out and eliminate these problems, but you know how well that is probably being done.

You are not going to go to an Amazon.com or a CNN.com and have problems but learn to practice safe surfing. Adult sites are notorious as infection sources. If you download anything from online, save it to your desktop and scan it with you antivirus software before installing it.

Larry

Unfortunately, this isn't 100% true. This bug affects ALL versions of IE (from 4 onwards) and ALL Windows OS. There are some things that you can do to help mitigate this, but they are not 100% effective. (Microsoft advisory here (http://www.microsoft.com/technet/security/advisory/961051.mspx)) There is currently no patch to fix this.

The number of infected sites that can exploit this is growing and there are a few SQL injection style attacks that are on-going that are causing the most worry in the industry right now.

Hopefully a patch will be forthcoming soon to address this.

The tech media is playing up a long existing hole in Internet Explorer as a threat and in truth, there are apparently some attempts being made to exploit the hole.

Look at your browser window at the bottom right... you should see "Protected Mode: On". If you don't see this... fix it in the Options control panel. Protected mode will keep the exploit from occuring.

Not true: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123338&source=NLT_PM

"It turned out that a lot of available information and assumptions were wrong."

Among those, said Eiram, was the belief that the vulnerability existed only in IE7 and was related to XML processing -- as some, including Secunia, first thought.

Also incorrect, or at least partly so, is the idea that setting IE's Internet security zone to "High" and disabling scripting will keep one safe from attack, added Eiram. "Technically no ... it is still possible to trigger the vulnerability," he said. "However, it does make exploitation trickier as it protects against attacks using scripting." Instead, Eiram said, users should disable the oledb32.dll file by editing the Windows registry as per the revised Microsoft advisory.

Microsoft has not disclosed a timetable for patching the problem, and it did not reply to questions Friday about its plans.

One researcher is betting that Microsoft will again unveil an emergency "out-of-cycle" patch. "It's always difficult to guess with Microsoft," said Andrew Storms, director of security operations at nCircle Network Security Inc., in an instant message exchange today. "[But] since they do know so much about the exploit, I would place a wager that they already have the fix and are doing QA [quality assurance]."

http://tech.yahoo.com/news/ap/20081215/ap_on_hi_te/tec_internet_explorer_security

According to the link above,it's not hardly a non-issue.

From Yahoo:
Microsoft is releasing an emergency IE patch tomorrow,12/17.

http://news.yahoo.com/s/afp/20081216/ts_afp/uschinaitinternetsoftwarecrimemicrosoft

http://tech.yahoo.com/news/ap/20081215/ap_on_hi_te/tec_internet_explorer_security

According to the link above,it's not hardly a non-issue.
It would appear that this is indeed more than a donut hole. :D

Simply accessing a web site can be all you need to do to become infected.

Protecting yourself by installing all operating system patches, keeping an up to date antivirus program installed and using either a software or hardware firewall is a requirement these days. If you use Windows, Vista is far more secure than XP. If you are a Mac user you have less to worry about, but know that recently two exploits were discovered that were targeting Mac's specifically.

The difference is that with Windows and IE you can get the infection just by visiting the website. With the Mac you have to visit, download, and give the installer your password. That's a lot of steps to get infected vs the drive by nature of Windows.

The best advice would be to:
1) Install Firefox, Opera, or Chrome from Google and relegate IE for Windows Updates only.

2) The next time you need a computer, look at a Mac or a Linux distribution.


I do IT by day (Windows) and you do need a lot of ancillary software to keep it running properly. Been a Mac user since 2002 - no Virus software, no malware, and just a trouble-free computing experience.

If nothing else, stop using Internet Explorer. You are doing a huge disservice by stating this is a non-issue. Microsoft's poor code is the issue and will be the issue as long as they can get away with it.

MS needs to de-couple the Web browser from the OS like OS X and Linux. Perhaps that is something else they can copy from the other OS's.

The status of this problem changed after I originally posted the first time and the seriousness of the issue escalated. As with many of these exploits, there was a very real danger but the exposure was actually quite limited. So far, most of the problem is coming from outside the United States.

At any rate... Microsoft will issue an emergency patch on Wednesday, Dec 17th.

http://www.microsoft.com/technet/security/Bulletin/MS08-dec.mspx

From Yahoo:
The security patch for IE is now available from Microsoft.

http://tech.yahoo.com/blogs/null/112848/ie-hack-patch-is-out-how-to-get-it/

In a nutshell,open Windows Update,check for updates and the patch should appear for download/install.
You may/may not have to restart your PC after installing the update.