Security risks swell for Microsoft's Explorer
By Byron Acohido and Jon Swartz, USA TODAY
SEATTLE — Using Microsoft's Internet Explorer Web
browser to surf the Internet has become a marked risk — even with the
latest security patches installed.
That's the upshot of the discovery of yet another
Internet Explorer security hole being exploited by intruders bent on
swiping personal information from unwitting Internet users.
The SANS Institute Internet Storm Center issued an
alert this week about pop-up ads designed to download a program that keeps
track of each time a PC user clicks to the log-in page of any of 50 financial
institutions worldwide. The program captures log-in information and sends
it to another Web site, before the bank can encrypt the data.
In a similar attack discovered last week, intruders
sprinkled invisible coding that accomplished much the same thing on
Microsoft Web servers that serve up hundreds of high-traffic commercial
Web sites. Both attacks appear to exploit security holes in Internet
Explorer for which Microsoft has not yet issued a patch, says SANS
researcher Tom Liston.
Security experts say the two new attacks likely have
been in operation for weeks, infecting tens of thousands of PCs. Given the
history of cyberthreats, they are bracing for copycat assaults.
"Internet Explorer's track record is such that the
software just cannot be trusted right now," says Jeremiah Grossman, CEO of
WhiteHat Security.
The FBI's Cyber Division is investigating, a
spokeswoman says.
Banks in the USA, Europe, Asia, Australia and the
Middle East — Citibank, Deutsche Bank and Barclays, among them — were
among 50 targeted sites.
A Citibank spokesman says the bank, with 2 million
online users, took steps to protect its Microsoft Web servers several
weeks ago. However, the only thing banks can do to stop the most recent
kind of attack is recommend that customers stop using Internet Explorer,
says Joe Stewart, a researcher at security firm Lurhq.
The threat of increasingly sophisticated online fraud
is "a reality that banks face across the world," says Chris Pepper, a
spokesman for Royal Bank of Canada, one of the banks targeted. He says the
Toronto-based bank had received no complaints from any of its 2.5 million
online customers.
Banks contacted by USA TODAY would not say whether
they are considering displacing Microsoft Internet Explorer as their
primary browser.
Microsoft last week began advising customers to set
the browser's Internet zone security on high. However, that could cause
Web sites that use animation and graphics not to work, says Neil Charney,
a Microsoft Windows product manager. Microsoft is working on a patch it
plans to deliver later this summer in its Windows XP Service Pack 2, a
free product upgrade.
"Vulnerabilities are not unique to IE. It's something
all browsers share," Charney says. "Microsoft takes vulnerabilities very
seriously, and we're working on a comprehensive fix."
The latest attack was discovered only because an
alert worker at a technology company noticed a weird file that had
implanted itself unseen on an employee's browser.
When SANS performed digital forensics, it discovered
a new type of spyware that records log-ins. The filched log-ins were
forwarded to a San Diego Web site, which was shut down Wednesday after
SANS notified the FBI.
Meanwhile, some employers are experimenting with
alternative Web browsers, including Opera and Mozilla. "People are allowed
to surf with anything they want — except with Internet Explorer," says
Mikko Hyppönen of F-Secure.
Jon Swartz reported from San Francisco