IE Vulnerability Exposing Banking Logins, Spreading Rapidly

jfruh writes "A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly. Sites compromised by the malware run the gamut from U.S. Veterans of Foreign Wars site, to a site frequented by French military contractors, to a Japanese dating site. Microsoft has released a 'fix-it tool' but not a regular patch."

If you're dumb enough to use IE when banking...

[gestalt_n_pepper]

I'm not sure what anyone can do for you.

Band Aid Security Industry Top to Bottom

[BoRegardless]

CEOs have ignored security researchers since the start of the modern internet, because CEOs only want "Results now!"

Yes, IE is to be blamed.

[140Mandak262Jamuna]

The hackers have to lure you into visiting the compromised website. How difficult is that? Once you visit that site using IE, it corrupts the memory. Then it takes advantage of a wild pointer read error in IE to get remote execution ability.

Of course Secunia will count this is as "one bug", after Microsoft agrees it is a bug. On the other hand, it will look at bugzilla of Firefox, and every bug report by everyone will be counted towards the total bug count on Firefox. Microsoft will continue to insist its browser has fewer bugs than Firefox. Gartner will issue a TCO report based on these numbers. And everyone will be scratching their head, why IE market share continues to fall when all these numbers say IE is the safest browser in the world.

Re: Laugh

[tom229]

Our default browser is IE, and it's not because I have any love for Microsoft, or spending extortionate amounts of my IT budget on Microsoft licensing. I personally use firefox on a day to day basis, but the official "supported" browser in the company is still IE simply because it's easily configurable within the domains group policy, and most widely supported when it comes to corporate browser applications.

I know what you're getting at, and I'd have to disagree. Most company's are forced to be a Microsoft shop simply for compatibility reasons. The software my users depend on daily to do their jobs is Windows only... and there's nothing I can do about this.

Accounting needs Word and Excel. In fact, they "need" 2010 or they all need to be on the same versions. If I have even one of them on a different version they will complain about compatibility issues.

Geology needs a plethora of Windows only client/server software first written in the early 2000's and sparingly updated. This is specialized stuff.. you can't just get it off the shelf anywhere. This requires Windows desktops and Windows servers.

I could go department by department but I think you get the point. Once you require Windows on the desktop for end user software, it makes the most sense to have a Microsoft domain and Exchange Server because they all play nicely together. Exchange is especially nice since every member of my staff took some business course in community college and is comfortable with Outlook. We did a test run of gapps using the outlook plugin but it wasn't nearly as intuitive or function rich as an Exchange environment; especially when it comes to calendars, room booking, scheduling, and tasks.

So at the end of the day, when everything else is Microsoft, it makes the most sense to use IE, because it plays nicely with all of the above. I probably could struggle with getting everything to work on Firefox, and deploying policies through the registry or batch scripts, but in my experience it's just not worth the hassle. You're not busy enough, or responsible for enough if you haven't yet learned to leave your ideals at the door, and just use what works.