Sunday, January 24, 2010

Upcoming Blackhat presentation: ""IE turns your personal computer into a public file server"

I don't know how much credence to put in this announcement, but Core Security is a legitimate company with a long history of doing good security research, and Blackhat is a legitimate conference. If this is true, anyone with sensitive data on their computers (bank accounts, credit card numbers, tax returns, and the like), should probably not use IE for the foreseeable future.

I don't use IE except for Windows Updates, but those of you who do should STRONGLY consider switching to Google Chrome or Mozilla Firefox. Chrome is possibly safer because it runs partially sandboxed from the OS but everything you do on the Internet is fed into Google's databases; Firefox is much safer than IE, especially when enhanced with NoScript and Adblock Plus but unless you run as a non-administrative user (as I do) it runs with administrative access to the system.  FWIW I use Firefox -- Google already knows too much about me ;-).

"IE turns your personal computer into a public file server" -
I dunno. We just get a patch for a major vulnerability in IE and breathe a sigh of relief only to learn about another nasty vulnerability in IE that will be demonstrated at the upcoming Black Hat Conference. Sigh.

Researchers at Core Security, one day after Microsoft patched IE, have announced another set of vulnerabilities in Internet Explorer that involve stringing several minor vulnerabilities together to enable a hacker to have complete access to all files on the user's computer. The user would need to be enticed to click on a malicious link first.

The vulnerability, along with proof of concept, will be demonstrated at the Black Hat conference which begins Feb 2 in Washington. Core Security states that they are working with Microsoft to try and find a way to mitigate the risk. Microsoft has declined to comment.

Core Security page
Blackhat Conference Announcement
Reuters story about this

No comments: