January 17, 2010, 7:05 PM — I've always known that Internet Explorer was an insecure mess, but these latest attacks on Google and dozens of other companies have really opened my eyes to just how bad it really is. The latest zero-day flaw exists not just in bad old IE 6, but in every modern version of IE.
To be exact, according to Microsoft, the same security hole is in IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2, all of which are vulnerable to attack. In other words, if you're running any remotely current version of IE or Windows, you can be hacked. Great. Just great. How anyone on the planet can actually believe Microsoft when, with every new release of either their browser or operating system they claim that they're more secure, is beyond me.
Windows has been, is now, and always will be insecure. It's baked into its single-user, stand-alone computer design that was never designed to handle a networked universe with attackers always one network connection away.
Microsoft tells us that you can try to block the IE attack vector by setting "Internet and Local intranet security zone settings to 'High' to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone." In addition, you should "enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions."
What they don't say is that you'll find working on the Internet a lot harder with those settings. Essentially, the prevention, for this is no cure, requires you to cripple your Web browser.
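To check whether a machine actually has the zone settings Microsoft describes, the per-user values can be read from the registry. The script below is an added example, not from Microsoft or from this column; it assumes the standard IE URL security zone layout (zone 1 = Local intranet, zone 3 = Internet, action 1200 = run ActiveX controls and plug-ins, action 1400 = Active Scripting), none of which appears in the quoted advice.

```powershell
# Added example: audit the per-user IE zone settings named in the workaround.
# Assumed standard registry layout (not stated in the article):
#   zone 1 = Local intranet, zone 3 = Internet
#   action 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   value 0 = enable, 1 = prompt, 3 = disable
# Group Policy can override these per-user values, so treat this as a first check.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Test-ZoneAction {
    param($Value)
    # The workaround is met by prompt (1) or disable (3); enable (0) or unset is not.
    return ($Value -eq 1 -or $Value -eq 3)
}

$results = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $path  = Join-Path $base $zone
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($id in ($actions.Keys | Sort-Object)) {
        $value = if ($props) { $props.$id } else { $null }
        $state = if ($null -eq $value) { 'not set' }
                 elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                 else { "other ($value)" }
        [pscustomobject]@{
            Zone      = $zones[$zone]
            Setting   = $actions[$id]
            State     = $state
            Mitigated = (Test-ZoneAction $value)
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any audited setting still runs script or ActiveX silently.
if ($results | Where-Object { -not $_.Mitigated }) { exit 1 }
```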
Pouring salt on the wound, the IE attack code is now public. That means anyone can use it. And guess what? They are. It's already inside one automated attack script. That means any script-kiddie moron can, and will, use it.
Let me make this perfectly clear. If you're running IE, especially IE 6, today and wandering around the Web, there's a decent chance you're going to get attacked and your PC is going to be owned by a hacker.
It doesn't have to be that way. Dump IE now. It would be smarter still if you moved off Windows, but I know that practically speaking it's not easy for people to move to Linux or Mac OS X at the drop of yet another serious Windows security hole. You should, on the other hand, start thinking about it. Whether Microsoft releases an out-of-band patch for this or not, there's always going to be another Windows security hole. They come free with every copy of Windows.
What you can do today is to get rid of IE. Any other browser is better. Any other browser is safer. I recommend Firefox or Google's Chrome myself. The latest version of Firefox, Firefox 3.6, which is still a release candidate, is a vast improvement on earlier versions, and Chrome is, hands down, the fastest Web browser around.
Whichever one you pick, it won't take you long to get up to speed on it and you'll be safe from both this current IE threat, and whatever the next one will turn out to be in a few months. I don't care if you're just running IE for yourself or at a multi-billion-dollar company, it's too unsafe to use anymore. It's that simple.