321 - CERT-Recommends-Switching-Browser

This article at Wired News pointed me towards a page that fully describes the Download.Ject exploit discussed in the last two posts. The page in question is written by the usually conservative CERT organisation. In a change from their normal general “use a firewall, virus scanner and keep software patched” type advice, this vulnerability gives them cause for more alarm too, prompting this recommendation:


Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).


CERT is a US government and public/private sector group that reports on security vulnerabilities; they don’t tend to make knee-jerk pronouncements, making this recommendation all the more compelling.

I’d recommend non-geeks read the Wired article; geeks should check both =)