Mozilla 1.7 was released last week. It is just an incremental upgrade to the open source browser, which you can download from http://www.mozilla.org, but there are some improvements.
If you use Windows, you need to seriously consider using Mozilla instead of IE as your browser. There are three main reasons for doing so.
First, it is better than IE. It has more and better features, such as the pop-up blocker, tabbed browsing, anti-spam controls in the email, and better support for Internet standards.
Second, it is both free and open source. You are not being locked in to any proprietary system. It is continually being improved by people working on it around the globe, with its source code available to all.
Third, it is safer than IE. There have always been bugs and security flaws in IE, and the model they use for add-ins and active content, ActiveX, has always been dubious. The past couple of weeks have been among the worst in the history of IE, but have certainly been good if you write about computer bugs.
It’s not just the BugBlog saying you should use Mozilla instead of Microsoft Internet Explorer. A number of other computer writers and now, US-CERT suggests you may want to use a different web browser, too. (Altought they don’t specify Mozilla.) As US-CERT says at http://www.kb.cert.org/vuls/id/323070, “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.” Of course, it won’t give you total security (IE is deeply embedded in Windows systems, and is next to impossible to turn off) and some sites function correctly only with IE.
What were some of these problems? Here are a couple of the significant ones from the past week or so. (Some of the vulnerabilities and exploits overlap, because they all take advantage of some of the IE weaknesses that US-CERT outlined.)
A number of web sites using Microsoft Internet Information Server 5.0 were infected with malicious code know as Download.Ject, or JS.Scob.Trojan, Scob, and JS.Toofeer. If you visit these infected sites while using Microsoft Internet Explorer, you may then be infected. The end users will have files called Kk32.dll and Surf.dat on their computers. This attack was being controlled by a server in Russia, that was stealing keystrokes and thus could be used to steal passwords, credit card numbers, and other sensitive information. That site was shut down, but that didn’t fix the underlying vulnerability
The Internet Storm Center (ISC) says that a new Trojan program may install itself via a pop-up ad on Microsoft Internet Explorer, and then aims to steal keystrokes used to log on to nearly 50 different Internet banking sites, including Citibank, Barclays Bank and Deutsche Bank.
US-CERT says that Microsoft Internet Explorer has another security problem. In this case, it doesn’t correctly check the security context of a redirected frame. This may allow an attacker to trick the browser into running a script with Local Machine Zone security, rather than in the Internet Zone security, leading to potential information theft problems.
Back at the Bugblog, there are another two years worth of bugs and security threats against IE. Maybe it all comes down to this: do you want to wait and switch after the Russian hacker has stolen your credit card numbers, or do you want to be proactive?