Unless you're brand-new to using computers, the recent news that an Internet Explorer hole was exploited in China-based attacks against Google Gmail users and dozens of high-tech companies was no surprise.
Lately, malicious software has increasingly targeted holes in media players such as Adobe's Flash Player and Reader PDF software, so the Chinese attack on IE is in some ways a throwback. Many tech pundits have responded by recommending against using Internet Explorer at all. The free and easy availability of alternative browsers such as Firefox, Opera, Apple's Safari, and Google's own Chrome would appear to make this sound advice.
Unfortunately, some Internet users don't have a choice in which Web browser to use. The Web sites of many organizations use custom applications that require IE. More importantly, Windows itself relies on Internet Explorer to receive updates and for other behind-the-scenes operations. Even if you never open IE, you still need to make sure the browser is fully patched and up to date.
Review IE's security settings
In a mid-November post, I compared the security features of IE 8 with those of Firefox 3, Chrome 4, Safari 4, and Opera 10. Topping the list of new security features in IE 8 are automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar.
That's why the safest thing any Internet Explorer user can do is upgrade to version 8. If you must use IE 7, be sure to keep the browser patched and set to either its High or Medium-High security setting. To check IE's security settings, click Tools, Internet Options, Security. In IE 7 and 8, make sure the option to Enable Protected Mode is checked (it's on by default in IE 8 on XP SP3, Vista SP1 and SP2, and Windows 7).
IE 8 also enables Data Execution Prevention by default, although you can turn on the feature in IE 7 by clicking Tools, Internet Options, Advanced, scrolling to the Security section, and making sure "Enable memory protection to help mitigate online attacks" is checked. About.com's Mary Landesman provides instructions for setting DEP in IE 6.
Enabling IE's Protected Mode and DEP features will go a long way toward keeping your computer safe from malware attacks. However, if you're still feeling vulnerable, there are two other things you can do to batten down IE's hatches.
The first is to sign in to a standard user account rather than to an administrator account. When using a standard account, you'll be blocked from such activities as downloading and installing programs and changing system settings. You can overcome the block by entering an administrator ID and password for the PC.
Lastly, you can set Internet Explorer to the High security setting by raising the slider control under the Security tab in Internet Options. Many people find IE's highest security level too restrictive for everyday browsing, but you can customize the settings by selecting the "Custom level" button, making your own security choices, and clicking OK twice. You'll have to restart IE for your new settings to take effect.
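To audit these settings without clicking through the dialogs, the following PowerShell script (an added example, not part of the original article) reads the current user's Internet zone security level and Protected Mode state from the registry and reports whether the session is running with administrator rights. It assumes the standard per-user Internet Settings registry location, and it does not check DEP or settings enforced through Group Policy.

```powershell
# Added example: audit the IE settings discussed above for the current user.
# Assumption: settings live in the standard per-user key; zone 3 is the Internet zone.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel values written by the Security tab slider.
$levels = @{
    0x12000 = 'High'
    0x11500 = 'Medium-High'
    0x11000 = 'Medium'
    0x10500 = 'Medium-Low'
    0x10000 = 'Low'
    0x0     = 'Custom'
}

function Get-IeZoneSetting {
    param([string]$Name)
    # Returns $null when the value is absent (the zone's built-in default then applies).
    $item = Get-ItemProperty -Path $zoneKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Security level of the Internet zone.
$level = Get-IeZoneSetting 'CurrentLevel'
if ($null -eq $level)                        { $levelName = 'Not set' }
elseif ($levels.ContainsKey([int]$level))    { $levelName = $levels[[int]$level] }
else                                         { $levelName = 'Unknown (0x{0:X})' -f $level }

# URL action 2500 is Protected Mode: 0 = enabled, 3 = disabled.
$pm = Get-IeZoneSetting '2500'
if ($null -eq $pm)   { $pmState = 'Not set (zone default applies)' }
elseif ($pm -eq 0)   { $pmState = 'Enabled' }
elseif ($pm -eq 3)   { $pmState = 'Disabled' }
else                 { $pmState = "Unexpected value $pm" }

# True only when this session holds administrator rights (elevated, or UAC off).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Compare against the article's advice: High or Medium-High, Protected Mode on,
# and a standard (non-administrator) session.
$ok = (@('High', 'Medium-High') -contains $levelName) -and ($pmState -eq 'Enabled') -and (-not $isAdmin)

New-Object PSObject -Property @{
    InternetZoneLevel   = $levelName
    ProtectedMode       = $pmState
    RunningAsAdmin      = $isAdmin
    MeetsArticleAdvice  = $ok
}
```

A "Not set" result means no per-user value has been written, so confirm the effective setting in the Internet Options dialog before treating it as a failure.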
For Microsoft's take on the IE security flaw targeted by the Chinese government, see the company's Security Advisory 979352, which was released on January 14, 2010, and updated the following day. On the Microsoft Security Response Center blog, Jerry Bryant says that the company will release the update that patches this hole "as soon as the appropriate amount of testing has been completed."