Earlier this week, Microsoft released their monthly security updates for Internet Explorer (IE). As usual, this update is deemed "Critical", which means that it fixes bugs in IE which could lead to a remote attacker taking control of your computer.
How critical are these bugs? Well, one of them is so bad that an attacker can take over your computer using a simple JPEG image. For the less technically inclined, let me put it this way: someone can hide a virus, spyware, or some other nasty critter in an image on a website in such a way that simply viewing the website can let them take control of your computer.
I’ve posted several times before about why you should immediately switch from IE to Mozilla Firefox. In case you haven’t made the switch yet, read the rest of this article to find out why you should be very concerned.
How many times have you clicked on a link to a website, only to be bombarded by popups with advertisements? Well, those popups are certainly annoying, but thanks to this bug in Internet Explorer, they could now take over your computer. Big deal, you say — I have Automatic Updates and XP SP2, so I’m safe, right?
OK, look at the date on which the bug was first reported: June 17, 2005. And when was a patch finally released? August 9! That means that for over a month and a half, your computer could have had a virus or spyware installed, even if you had all the latest patches (including XP SP2) installed!
So, why does it take the largest software company in the world so long to fix this problem? One reason is that Microsoft has a stated policy that they only release bug fixes, regardless of how critical they are, on the second Tuesday of every month. You see, they used to release bug fixes as quickly as possible (which even then was way too slow), but their corporate customers told them that there were simply too many bug fixes, coming too often, for them to keep track of. So, to appease their largest customers, they decided that they will instead put everyone else at risk by needlessly delaying critical fixes for their software. You can’t make this stuff up!
Now, I’m not saying that Firefox doesn’t have any bugs in it. As a programmer myself, I’ll be the first to tell you that there is no such thing as a bug-free program. The difference is that Mozilla routinely has updates out in a matter of hours — days at the longest — when one of these bugs is found. For example, one particular "Critical" bug in Firefox was discovered at 13:46 GMT, July 7 2004, and the fix was on their download site by 21:57 on July 8 — just under a day and a half later! See a timeline detailing the finding and fixing of this bug, and you’ll see how much more quickly a bug can get squashed when corporate executives and marketing policy don’t get in the way!
In case this anecdotal example doesn’t convince you, the numbers back me up as well. According to this article, even if someone had applied every IE patch in 2004 the day it was available, they would still have been vulnerable to attack for 98% of the year! This is in contrast to 15% of the time for Firefox. Of course, 15% is still not ideal, but many times these are theoretical cases. To my knowledge (and I keep up with this stuff every day), there has never been a working exploit of Firefox which allowed someone to attack your computer; most bugs in Firefox will, at worst, crash your browser.
Now, in case you’re thinking "guess I’m lucky… I haven’t been hit by one of these viruses yet!" or "only people who are careless when they browse the web get hit", think again — many viruses and trojans these days aren’t as obvious as those in the past, where your computer instantly crashed or you had files deleted. Instead, they install "back-door" programs on your computer that let the attacker use your PC to do such things as send spam or attack others’ web sites. Not only does this mean your computer is being used for illegal and unethical activity, it can also slow down your internet connection dramatically. Notice how your computer isn’t as fast as it used to be? You could very easily have a virus or trojan already.
I hope I’ve convinced you that you can no longer take a passive approach to computer security. Keeping bad stuff off your computer is something you must take seriously. I will follow up this post soon with some more pointers that all users should follow to help protect themselves, but for now, download Firefox by clicking on the link below and begin using it instead of Internet Explorer. It will automatically copy all your Favorites and settings over, and it will always be free to use.
