Thursday, December 18, 2008

Firefox is still safer

Firefox is still safer even though Microsoft patches IE.

Internet Explorer's latest security vulnerability is the so-called XML exploit, released on Dec. 17. IE's flaws cry out for a switch to Firefox to avoid similar weaknesses that are certain to be discovered in IE in the future.

There's no easy way to secure IE against similar flaws that will inevitably be discovered and used by hackers to their advantage in the future. For this reason, the simple solution is to use a different browser, such as Firefox, with a few easy customizations that allow you to switch to Microsoft's browser only for sites that absolutely require IE.

* Step 1: Switch to Firefox, Opera, Chrome, or another contender and configure it to be your default browser. Use IE only to visit sites that require Microsoft-specific technology — probably because they rely on ActiveX to function. (For example, you need to use IE to download patches at the Windows Update site.) Firefox is recommended because of the numerous add-ons available for that browser.

* Step 2: Install the Firefox add-ons known as User Agent Switcher (see UAS's download page) and IE Tab (download page).

User Agent Switcher lets you change your browser's identity. If a Web site demands the use of IE but actually works fine with other browsers, you can change the name of the operating system and browser the site thinks you're using. Many "IE only" sites render perfectly well in Firefox and other browsers.

IE Tab lets you open a site in a new Firefox tab that's driven by IE's rendering engine. This allows sites requiring ActiveX or other IE-only components to work in the same way they do in IE itself.

Unfortunately, using the IE rendering engine in a Firefox tab leaves your PC just as susceptible as it would be if you'd opened an IE window in the first place. Use this technique with caution and only with sites you feel are very unlikely to be hacked, such as Microsoft.com.

* Step 3: For added security, install the NoScript plug-in, which disables JavaScript, Flash, Silverlight, and other "active content" (see NoScript's download page). Because most Web sites of any complexity use JavaScript for menus and other functions, place in the utility's "whitelists" sites such as Microsoft.com and WindowsSecrets.com that are unlikely to try to run malicious scripts on you.


* Step 4: Open an Internet Explorer window and set the security level of IE's Internet zone to High. To do this, click Tools, Internet Options, Security. Choose the Internet zone in the box at the top of the dialog and move the slider control below it to High. Note that this setting will cause many sites you haven't added to IE's Trusted Sites zone to render incorrectly or display error messages.

* Step 5: If for some reason you can't install Microsoft's Dec. 17 IE patch, apply the workarounds that adjust Access Control Lists by using Registry scripts in an oledb32.zip file you can download from Microsoft (see link 1 and link 2).

Be aware that some of the workarounds Microsoft recommends can have unexpected side-effects.

If you need any more evidence that weaknesses in IE can be rapidly used by hackers, take a look at a wiki page provided by the Shadowserver Foundation, a security group that lists sites known to be infecting unsuspecting visitors. IMPORTANT: Do not visit any of the sites on the list, even if you think your browser is secure — these sites are or were infectious.

The point is that thousands of sites became carriers within days. (The Press Association quotes Trend Micro as saying more than 10,000 sites were compromised by Dec. 16.) If you use a URL filtering system or block list, you should add the sites cited by Shadowserver to prevent access — at least until all your machines are patched or a specific site is proved to be clean.
Excerpts from Mark Joseph Edwards' write-up.
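
The block-list advice above, as an added example (not part of the original post, and not Shadowserver's or Microsoft's code): a Python script that normalizes list entries into hostnames, produces hosts-file entries, and flags proxy log lines that requested a listed site. The list format, the log layout (`time client method url`) and every domain and address are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

def normalize_host(entry):
    """Hostname from a bare host, a URL, or a defanged URL (hxxp://, [.])."""
    text = re.sub(r"^hxxp", "http", entry.strip().replace("[.]", "."), flags=re.I)
    if not text or text.startswith("#"):
        return None                      # blank line or comment
    if "://" not in text:
        text = "http://" + text          # let urlsplit locate the host part
    try:
        host = urlsplit(text).hostname   # .hostname is already lower-cased
    except ValueError:                   # unparseable entry
        return None
    return host.rstrip(".") if host else None

def build_blocklist(lines):
    return {h for h in map(normalize_host, lines) if h}

def is_blocked(host, blocklist):
    """True if host or a parent domain is listed; matching is per DNS label."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist
               for i in range(max(1, len(labels) - 1)))

def hosts_file_entries(blocklist):
    """Lines for a hosts file that sink each listed name (exact names only)."""
    return [f"0.0.0.0 {h}" for h in sorted(blocklist)]

def find_hits(log_lines, blocklist):
    """(client_ip, host) for every proxy log line that requested a listed site."""
    hits = []
    for line in log_lines:
        fields = line.split()            # assumed layout: time client method url
        if len(fields) < 4:
            continue
        host = normalize_host(fields[3])
        if host and is_blocked(host, blocklist):
            hits.append((fields[1], host))
    return hits

# Constructed sample data: reserved .example/.test names, not real indicators.
SAMPLE_LIST = ["# comment", "hxxp://infected-site[.]example/index.html",
               "Compromised-Shop.test.", "infected-site.example"]
SAMPLE_LOG = ["2008-12-18T09:14:02 10.0.0.21 GET http://cdn.infected-site.example/a.js",
              "2008-12-18T09:14:05 10.0.0.22 GET http://notinfected-site.example/",
              "2008-12-18T09:15:40 10.0.0.37 GET http://COMPROMISED-SHOP.test:8080/cart"]

if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LIST)
    print("\n".join(hosts_file_entries(blocklist)))
    for client, host in find_hits(SAMPLE_LOG, blocklist):
        print(f"{client} requested listed site {host}")
```

A hosts file blocks only the exact names listed, so subdomains of a listed site are caught by the log check or a filtering proxy, not by the hosts entries.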
