IE alert issued

National Cyber Alert System technical alert TA04-293A

Homeland Security Department officials this week issued another cybersecurity alert, warning of newly discovered vulnerabilities in Microsoft Corp.'s Internet Explorer browser.

The alert recommends that users apply a software patch that Microsoft has released to plug the security holes. It advises users to disable browser functions known as Active scripting and ActiveX controls and to install Windows XP Service Pack 2, Microsoft'security upgrade for the Windows XP operating system.

Users who do not take steps to protect their computers from the nine vulnerabilities described in the alert could have their computers targeted by attackers who try to gain control of computers on the Internet for malicious or criminal purposes, such installing spyware or stealing financial information.

"Service Pack 2 has a lot of improvements to make Internet Explorer and Windows in general a lot more secure," said Marc Maiffret, cofounder and chief hacking officer at eEye Digital Security, which makes security software.

To produce Service Pack 2, Microsoft's developers audited its source code and used new compiler technology that helps prevent common software vulnerabilities such as buffer overflows, Maiffret said. Buffer overflows, which occur when excessive data is placed in a computer buffer or temporary storage, cause the computer to crash and allow attackers to create a back door that provides unauthorized access to the computer.

The best protection against overflow vulnerabilities is available in 64-bit microcroprocessor hardware, Maiffret said. "Intel and AMD in their newer processors finally support the ability to basically stop buffer overflow," he said.

Most users' computers, however, have only 32-bit microprocessors.

Because Microsoft's buffer overflow protection is Service Pack 2 is provided through software emulation, it can be bypassed by knowlegeable attackers, Maiffret said. The alternative is to be vigilant, Maiffret said, by using a combination of vulnerability assessment and protection software to insulate users from cyberattacks.

Unlike a previous alert related to the Microsoft browser, the latest warning from DHS' National Cyber Alert System does not advise users to consider dropping their use of Internet Explorer and switching to another browser as an interim measure.

"That's not really a manageable thing," he said.