Confirming some of our worst suspicions, published in The Register newsletter. ____________________________________________ IE workaround a non-starter By John Leyden Doubts have been raised about the effectiveness of a workaround issued by Microsoft to guard against a potentially devastating vulnerability in IE. Left unchecked the flaw creates a means for hackers to turn popular websites into conduits for viral transmission. On 24 June many websites running Microsoft's IIS 5 Web server software were infected with malicious JavaScript code called Download.Ject. If IE users visited websites hosting Download.Ject their PCs attempted to download a virus from a Russian website. This website was quickly shut down, but the incident illustrated serious security shortcomings with IE and prompted security clearing house US-CERT to advise users to ditch IE in favour of alternative browsers. Last Friday, Microsoft rolled out configuration changes to the Windows XP, Windows Server 2003 and Windows 2000 designed to protect against the Download.Ject attack as a workaround prior to the availability of patches. But postings to the insecure.org full disclosure mailing list over the weekend provide evidence that a slightly modified exploit can still yield full system compromise even on systems that have applied the workaround. Users are advised to disable Active Scripting, except for trusted websites, as a precaution, until Microsoft comes out with a fix. Alternative browsers such as Mozilla, Opera or Netscape - which are not subject to this IE-specific attack - remain a much safer option. ®

I'm getting pretty tired of IE. Been using Firefox off and on for 7 -8 months now, and last week installed the latest version and made it my default browser. MS isn't going to fix anything; they're only interested in the money they make off new programs. They put out garbage, and people keep upgrading to it. If we all quit buying the new OS when it came out, MS would start doing things better.

They (M$) put out garbage, and people keep upgrading to it. To achieve a better quality garbage? i_XpUser

Since any website can be infected I reckon you should also disable active scripting on Trusted Sites too. As for IE, well it's bound to be the most attacked because it is the most widely used. I daresay other browsers would quickly fall apart if the hackers tried to attack them. Derek.W

Well, Derek, maybe get all the IE users to post around the internet that they've gone to, oh let's say Opera. Then all the hackers will leave IE alone, and MS will be great again, huh? I think the problem is deeper than that, the way I read it, MS leaves holes that hackers just fall into while they're checking their email, etc.

JohnO Well, who knows, maybe you are right about the holes. Just the same, I still think that the hackers kinda assume we all have IE so it's what they go for every time. I'VE JUST MOVED TO OPERA (lies LOL). Derek.W