If you havent heard it by now it must be because you are “offline” – all the news reporting on the newly discovered (or should I say publicly discovered) 0-day vulnerability effecting IE 6-9 (pretty much all of them). I figured I couldn’t have a security related blog without making some comments on this, so here you go:
1. I want to start by taking a slightly different approach and say someone needs to hire these folks. According to what I have been reading this was discovered by the same folks that brought us the Java 0-day a few weeks back. That’s two 0-days that affect a good chunk of all browsers – huge potential impact. They are obviously on to something – hopefully we can all benefit well at least once MS patches things.
2. What does this mean to you and me? Well in short, It means if you surf a malicous site with IE you could easily be compromised. For the time beinging I would recommend using a different browser for Internet surfing. Yes, MS has some work arounds but I don’t think they are very pratical (prompt user for active X and scripts – like a “regular” end user is supposed to know the difference between a good scipt and a bad one). This is not a bash on MS or IE – it simply is the one “under atack” so we should stay clear from it until patched. Not to sound like a commercial but look at FireFox or Chrome as good alternatives.
3. Its easy to take action once you know, but how do you get informed in the first place? That is a good question and I am glad you asked. For this particular vulnerability it made all the press so it was pretty easy to hear about it; however that is not always the case. Some recommendations: a). Twitter – I hear most “news” on Twitter first. Follow popular security professionals, as well as companies and use it as part of your personal/commercial incident response plans. b). Google – more specifically security related blogs. Once the news on this broke there were several (including mine now) blogs that picked it up. One decent one is: http://www.securitybloggersnetwork.com a collection of bloggers.
4. Keep your AV up-to-date – How effective they are – seem to always be up to debate; however, I personally say to have at least one (or two) and keep it up to date. There are plenty of good free options so, you don’t have to spend any money to be secure.
5. Protect your sensitive information – if you are using your computer for anything sesnitive (taxes, finances, work, etc.) make sure you protect the data. An easy way of doing this is via encryption (truecrypt is a nice option). That way if you do get compromised then your data may be better protected. On this note perhaps more secure strategies should be used (to be covered in future post) to protect your online information as well.
6. Backups – if it is important have a back up of it. This can be as simple as copying files to a USB hard drive. There are several nice tools that help with this. See my write up on CloudFogger for a secure backup solution http://wp.me/p1Wgsg-4a
7. Have a plan. Security is ever evolving – new vulnerabilitles are constantly coming out. Having a plan and knowing when to put it into action. Also just like security, your plan has to be adaptable. Be willing to change it and update it (when it makes sense). For example, you should already be familar with other browsers – this shouldn’t be your first experience with Firefox and/or Chrome.
UPDATE: Ok, so no sooner than posting this MS comes out with a “fix it now” program and an upcoming patch (Friday release) http://blogs.technet.com/b/