If you’ve been seeing some of the tech news, you’ll know that a group overseas called Xfocus published some details of Internet Explorer vulnerabilities on the web right before Christmas. And while the press can say [clearing their throats] “Microsoft hasn’t responded”, I can say that every time I sent in an email to the Secure alias [secure – at – microsoft.com] I got a response back. They know and are “responding” in their own quiet way when such things occur.
But in the meantime, here are some general rules to keep safe until a patch is released:
- Begin to push for running with lesser “rights” on the desktop. This isn’t easy at all, but it’s something that we all need to push our app vendors to do natively in 2005. I don’t expect you guys to do this right away, but start thinking about preparing your end users and clients for not being able to download and install just willy-nilly.
- Ensure that you always use up-to-date antivirus.
- Only surf where you know you’ll be safe [I know…this one is kinda dumb as there have been reports of “good sites” that don’t keep themselves up to date on patches getting turned into “bad sites” – but just try to be AWARE].
- Block all unnecessary email attachments. Whether you use the Exchange attachment blocker native to SBS or Trend’s blocker, PICK ONE and don’t even let this stuff get in your network.
- Consider running IE with High security turned on, and only place those web sites into “trusted” zones that you need fully functional for business purposes.
- While you can use alternative browsers like Firefox or Mozilla, I’d still recommend that you not “install and forget it”. Mozilla today just released a new patch for a security issue it had. Remember that Windows Update does not patch Firefox or Mozilla, so you are on your own. The default for Firefox is to check every 7 days [apparently, as I’m guessing from the about:config that I’m looking at]. Brian Livingston has a great primer on Firefox that he had to dig up from their web site and other locations.
- Just in general be aware. If an email sounds too good to be true, or is trying to sound like the sky is falling, check it out on the snopes.com web site.
P.S. Next time guys, send an email to the secure alias and work with them for a patch FIRST? Don’t just disclose this stuff and then contact Microsoft? Be part of the solution, not part of the problem.