Bugs and Fixes: Microsoft: Cripple IE to Protect Your PC

Illustration: Campbell Laird
Microsoft is doing something unprecedented: It wants you to break one of Internet Explorer's key features. Why? Because only by limiting the browser's functionality can you be sure of stopping a sneaky--and dangerous--new breed of Internet virus. This latest targeted attack scenario, which uses malicious code dubbed "Scob" or "Download.Ject," exploits three flaws: two in Windows and one in Internet Explorer. One of the holes involves JavaScript; targeting this flaw, the Scob code lets a hacker attach a program written in JavaScript to Web pages. If you visit an infected Web site, the program automatically executes in IE, and voila! you're infected.

Taking advantage of these multiple flaws, a group of Russian crackers recently mounted attacks on several hundred Web sites--aimed at putting lots of visitors at risk. Included on their hit list were some very reputable sites.

Some Scob virus strains installed keystroke-logging software on users' PCs--apparently to steal financial data (head to "Known Trojan Still Plagues Web Servers" for more details).

Microsoft says that your PC will be protected if you're running the beta version of Windows XP Service Pack 2. (Visit "Windows XP Service Pack 2 Release Candidate 2 Preview" for a link to the close-to-final version of SP2.) The company says it is still working on a patch to deal specifically with this combination of flaws.

Microsoft also wants you to take the extreme step of disabling JavaScript. Many sites use JavaScript--to display video, say--and without this programming language, some sites, including Microsoft's own Windows Update site, won't even function properly.

If you want to go this far--and I recommend that you do--you need to adjust your IE settings. To disable JavaScript in IE, click Tools, Internet Options and choose the Security tab. Click the Internet icon, click the Default Level button, and move the slider to High. To get around any problems with sites not loading, in IE click Tools, Internet Options and choose the Security tab. Click the Trusted Sites icon and add the sites you want to access. Your machine is still protected. (For Microsoft's full list of safety measures, visit "Increase Your Browsing and E-Mail Safety".)
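To confirm that the settings above took effect, the added example below (not from the article or from Microsoft) reads the current user's zone settings from the registry and lists every Trusted Sites exception. It assumes the per-user keys under HKCU are in force with no Group Policy override; the function names are hypothetical, while value `1400` (Active scripting) and `CurrentLevel` are the names Windows itself uses for these settings.

```powershell
# Added example: read-only audit of the per-user (HKCU) IE zone settings.
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ScriptingStates = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }   # action 1400
$Levels = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
             0x11000 = 'Medium'; 0x12000 = 'High' }

function Resolve-Name($Table, $Value) {
    # Map a raw DWORD to its label; keep unknown or missing values visible.
    if ($null -eq $Value) { return 'not set' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return ('unknown (0x{0:X})' -f [int]$Value)
}

function Get-ZoneScripting([int]$Zone) {
    # Zone 2 = Trusted sites, zone 3 = Internet.
    $props = Get-ItemProperty -Path "$Base\Zones\$Zone" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone            = $Zone
        Level           = Resolve-Name -Table $Levels -Value ($props.CurrentLevel)
        ActiveScripting = Resolve-Name -Table $ScriptingStates -Value ($props.'1400')
    }
}

function Get-TrustedSite {
    # Each value under ZoneMap\Domains names a protocol; data 2 = Trusted sites zone.
    $root = "$Base\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($data -isnot [int] -or $data -ne 2) { continue }
            # Key path is domain\subdomain, so reverse it to get the host name.
            [string[]]$labels = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
            [array]::Reverse($labels)
            [pscustomobject]@{ Protocol = $name; Site = $labels -join '.' }
        }
    }
}

$internet = Get-ZoneScripting 3
$internet, (Get-ZoneScripting 2) | Format-Table -AutoSize
if ($internet.ActiveScripting -ne 'Disabled') {
    Write-Warning 'Active scripting is not disabled in the Internet zone.'
}
Get-TrustedSite | Sort-Object Site | Format-Table -AutoSize
```

Scripts still run on every site in the second table, so that list is worth keeping short.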

If all this sounds like too much hassle, you might want to consider switching to a browser like Mozilla or Opera. You can have JavaScript turned on in these browsers, yet remain safe from IE-like attacks. At least, for now.
