Security risks swell for Microsoft's Explorer

By Byron Acohido and Jon Swartz, USA TODAY

SEATTLE — Using Microsoft's Internet Explorer Web browser to surf the Internet has become a marked risk — even with the latest security patches installed.

That's the upshot of the discovery of yet another Internet Explorer security hole being exploited by intruders bent on swiping personal information from unwitting Internet users. 

The SANS Institute Internet Storm Center issued an alert this week about pop-up ads designed to download a program that keeps track any time a PC user clicks to the log-in page of 50 financial institutions worldwide. The program captures log-in information and sends it to another Web site, before the bank can encrypt the data.

In a similar attack discovered last week, intruders sprinkled invisible coding that accomplished much the same thing on Microsoft Web servers that serve up hundreds of high-traffic commercial Web sites. Both attacks appear to exploit security holes in Internet Explorer for which Microsoft has not yet issued a patch, says SANS researcher Tom Liston.

Security experts say the two new attacks likely have been in operation for weeks, infecting tens of thousands of PCs. Given the history of cyberthreats, they are bracing for copycat assaults.

"Internet Explorer's track record is such that the software just cannot be trusted right now," says Jeremiah Grossman, CEO of WhiteHat Security.

The FBI's Cyber Division is investigating, a spokeswoman says.

Banks in the USA, Europe, Asia, Australia and the Middle East — Citibank, Deutsche Bank and Barclays, among them — were among 50 targeted sites.

A Citibank spokesman says the bank, with 2 million online users, took steps to protect its Microsoft Web servers several weeks ago. However, the only thing banks can do to stop the most recent kind of attack is recommend that customers stop using Internet Explorer, says Joe Stewart, a researcher at security firm Lurhq.

The threat of increasingly sophisticated online fraud is "a reality that banks face across the world," says Chris Pepper, a spokesman for Royal Bank of Canada, one of the banks targeted. He says the Toronto-based bank had received no complaints from any of its 2.5 million online customers.

Banks contacted by USA TODAY would not say whether they are considering displacing Microsoft Internet Explorer as their primary browser.

Microsoft last week began advising customers to set the browser's Internet zone security on high. However, that could cause Web sites that use animation and graphics not to work, says Neil Charney, a Microsoft Windows product manager. Microsoft is working on a patch it plans to deliver later this summer in its Windows XP Service Pack 2, a free product upgrade.

"Vulnerabilities are not unique to IE. It's something all browsers share," Charney says. "Microsoft takes vulnerabilities very seriously, and we're working on a comprehensive fix."

The latest attack was discovered only because an alert worker at a technology company noticed a weird file that had implanted itself unseen on an employee's browser.

When SANS performed digital forensics, it discovered a new type of spyware that records log-ins. The filched log-ins were forwarded to a San Diego Web site, which was shut down Wednesday after SANS notified the FBI.

Meanwhile, some employers are experimenting with alternative Web browsers, including Opera and Mozilla. "People are allowed to surf with anything they want — except with Internet Explorer," says Mikko Hyppönen of F-Secure.

Jon Swartz reported from San Francisco

 

 

Company Information
Yennik, Inc.
4409 101st Street, Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other web sites:
Internet penetration security audits
The Community Banker - Bank Web Site Audits
Credit Union Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

 

All rights reserved; Our logo R. Kinney Williams & Associates is registered with the United States Patent and Trademark Office.
Terms and Conditions
, Privacy Statement, © Copyright Yennik, Incorporated