A major security hole discovered in Microsoft's Internet Explorer last week has become a golden marketing opportunity for alternative browsers such as Mozilla and Opera that are unaffected by the flaw.
To avoid falling prey to a concerted attack aiming to steal log-on information and passwords, some security experts advised Web surfers to either turn off some Internet Explorer (IE) features or switch to another browser as the best immediate fix. Unknown attackers who had taken control of several Web servers used the flaw last week , dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.
"Using another Web browser is just one possibility," said Art Manion, Internet security analyst with the , which administers US-CERT. "We don't recommend any product over another product. On the other hand, it is naive to say that that consideration should not play into your security model."
CERT also noted that people who opt for non-IE browsers but who continue to run the Windows operating system are still at risk because of the degree to which the OS itself relies on IE functionality.
Mozilla's Hofmann recommended that Windows users who want to ditch Internet Explorer increase their security level in Windows' Internet options to help thwart those kinds of attacks. While Windows comes by default with those options on "medium," Hofmann said that setting them to "high" would have offered sufficient protection against last week's exploit.
He also encouraged Web developers to stop writing Web sites that rely on ActiveX. Game and photo-uploading sites are among the worst offenders, he said.
"We encourage people not to use these proprietary technologies that we've seen security vulnerabilities associated with," Hofmann said. "ActiveX is one of the biggest areas where these exploits have occurred, and from these recent exploits, you can see that exposing users and making that technology available has some real danger. Sites need to rethink what they're doing to protect users."