I received the following warning at a financial services site....
Security Alert
A serious security alert involving scams targeting bank and credit card customers has come to our attention.
While the main concern revolves around specific vulnerabilities in Microsoft's Internet Explorer, other aspects involving scripting and ActiveX controls also put consumers at risk.
Issue:
A team of hackers allegedly based in Russia has exploited a virus by inserting JavaScript code into certain websites.
When users visit these sites, a pop-up ad is initiated allowing keystroke analysis of information the user types in. While the identities of the affected sites are not known, the target is believed to be credit card numbers. CERT (The US Computer Emergency Readiness Team) has estimated that as many as tens of thousands of websites may be affected.
The implication is that when a user logs in to a secure site infected by the virus a secretly installed BHO (Browser Helper Object) is grabbing their login information before it is encrypted by SSL. Once this information is captured the BHO feeds the captured data (userid and password) to an outside source.
CERT said vulnerabilities in IIS and IE could include MIME-type determination, the DHTML object model, the IE domain/zone security model, and ActiveX scripts.
Microsoft said earlier in the week that it is working with law enforcement officials to identify the source of the latest Internet virus.
Fix:
Microsoft may release a patch/configuration change for the recent Internet Explorer update. Please check Microsoft Update.
This fix is already available via the Microsoft Download Center.
http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp
Users can also download Mozilla, a free browser that does not allow "silent BHO installation," from:
http://www.mozilla.org
Mozilla and Mozilla Firefox are not subject to the vulnerabilities of Internet Explorer, including those involving scripting and ActiveX controls.
If you continue to use Internet Explorer, be aware that even a "patched" IE may not protect users, CERT warns, if it invokes ActiveX control or HTML rendering engines. The only defense may be completely disabling scripting and ActiveX controls within IE.
While many websites will not display correctly when ActiveX has been disabled, this function is not required for Member Services and can be re-enabled at a later time.
It is also important to note that the information being "grabbed" by the virus is what the user is typing in before they enter a secure site (i.e. their login credentials). All information entered inside the secure site is still protected by SSL.
*Note that a "pop-up blocker" may kill some or many pop-up windows but there is no program known to completely and successfully block all pop-ups.
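
The alert above describes a secretly installed BHO. One way to review which BHOs are registered on a Windows machine follows, as an added example that is not part of the quoted alert. The registry paths are the standard Windows locations rather than values from the alert, and the function name `Get-BhoInventory` is hypothetical.

```powershell
# Added example: inventory Browser Helper Objects registered for Internet Explorer.
# Registry locations are the standard Windows ones, not values taken from the alert.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # 32-bit BHOs resolve their CLSID under the WOW6432Node class hive.
        $classes = if ($root -like '*WOW6432Node*') {
            'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
        } else {
            'HKLM:\SOFTWARE\Classes\CLSID'
        }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName
            $name = $null; $dll = $null; $sig = 'NoClassRegistration'
            $clsKey = Join-Path $classes $clsid
            if (Test-Path -LiteralPath $clsKey) {
                # The default value of the CLSID key is the friendly name.
                $name = (Get-Item -LiteralPath $clsKey).GetValue('')
                $inproc = Join-Path $clsKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    # The default value of InprocServer32 is the DLL loaded into IE.
                    $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                    $dll = $dll.Trim('"')
                }
            }
            if ($dll) {
                if (Test-Path -LiteralPath $dll) {
                    $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                } else {
                    $sig = 'FileMissing'
                }
            }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $sig
                Hive      = $root
            }
        }
    }
}

# Entries that are unsigned, missing on disk, or have no class registration sort to the top for review.
Get-BhoInventory | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table Clsid, Name, Signature, Dll -AutoSize
```

A `Valid` signature only shows the DLL is signed and unmodified; any entry the user does not recognize still deserves a closer look.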