To all the folks I have bashed over the head with the mantra that if you take precaution and use proper configuration methodology, you can use Internet Explorer safely without inflicting harms on yourself, I am sorry.
To all my colleagues I have called clueless in the past because they don't think IE is safe or trustworthy, I profusely apologize while masticating huge amount of tasteless crows.
To all fellow travelers in the "believe in IE" caravan, please listen to me and abandon ship NOW! This caravan is headed to .... well ..... who knows where. Wherever it is headed, it is not a place for any sane person to go to anymore.
I have a point to make. But before I do, please let me rant a little bit. If you are in a hurry, just scroll down and ignore this IE rant. But I seriously have to get it out of my system for my sanity.
I am not a MS-basher. Truth be told, and in the interest of disclosure, I am pro-Microsoft. My livelihood depends on their technologies and MS has been good to me over the years. I have spent many hours advocating for and supporting MS technologies, including Internet Explorer, the subject currently at hand. I personally know a lot of people inside Microsoft, at various levels, and I can testify that, contrary to popular beliefs, they don't have horns and they don't have the mark of the beast tattooed on their body parts. They are well-meaning, hardworking, and exceptionally gifted individuals with a passion for creating the best software they can create.
Which brings us to this oddity called Internet Explorer. We will not need to go into the history book and dredge up the reasons that led to IE becoming an integral part of the Windows Operating system. This has been documented and commented upon ad nauseam. We are just going to state the obvious here: regardless of the merits or demerits of the decision to make IE a core component of the Windows OS, one thing is crystal clear at this late stage in the game - Windows is worse off for it. While we may have won the browser war as a result of that decision, Windows inherited a slew of security vulnerabilities directly attributable to IE. In fact, of the numerous security flaws that have been discovered in Windows to date, the single most prevalent vector of a majority of those vulnerabilities is Internet Explorer.
Over the years, MS has valiantly battled to remedy the situation. A patch here, a complete code rewrite there, a kill-bit over there, dropped components in that corner, etc, etc. It would be funny if it were not so disturbing that the attempts to cure IE of its numerous ills have so far resembled the whack-a-mole arcade game you see kids play all the time. In this game, you see certain creatures popping out of a hole and you try to smack them down with a mallet or stomp on them as fast as possible. The longer the creatures stay up, the lower your score. There is no denying the fact that IE has single-handedly contributed the greatest negatives to Windows security and stability, dragging down Windows health scores into the gutters.
OK, so why am I ranting here?
This is Why
"Yeah, so?", you said. Why is this different or news? We've been finding bugs in IE for a long time, so this one, too, will be fixed.
Let me explain this very slowly. Until now, and for about 4 or more years now, we have been able to say this with a clear conscience: IF you disable "Active Scripting", or if you set your "Internet Zone" to "High Security", you will be protected. Of all the recent vulnerabilities discovered in IE, one thing has ALWAYS been true - IF "Internet Zone" is set to "High Security", you are protected. This has worked so well that MS has even decided to make it the default behavior of IE in Windows Server 2003 SP1. As soon as you apply SP1 to your Windows Server 2003 system, you will discover that your IE's internet zone is set to high security and if you try to lower it, you will get a nasty popup that tells you "Sorry, nothing but high security here".
High Security and the separation of the internet zones have worked so well ....until now. The vulnerability described by the link above simply defeats the protections offered by High Security or a disabled Active Scripting configuration in IE. It also does not matter whether or not the site that chooses to exploit this vulnerability is in one IE zone or the other.
According to Secunia, this vulnerability has now extended beyond the theoretical and "demo" phases" into the sphere of real working exploit codes.
Here's why I'm scared, and why you should be, too:
The only thing that has been giving me confidence in IE is the ability to restrict the scope of a malware's execution on MY system, by either selectively setting security levels in the different IE zones, or by just disabling Active Scripting and all the other enablers on my IE installation. It has been a painful experience, but I have always been able to truthfully claim that exploits do not work if I make the conscious efforts to secure my IE installation and use IE properly and safely. That was until now.
Now, there is simply no "SAFE" or "PROPER" way to use IE. If you do not believe me, read the original advisory again test the PoCs available on that site.
IF the original poster had NOT taken the initiative to publicly disclose this disrobing of IE "security", we'd all still be walking around with the fallacious beliefs in the efficacy of IE "High Security", "Active Scripting" and "Zone Separation" voodoo.
How painful it is to realize that you've been so wrong for so long. How bitter the taste of crows. How scary the thought of venturing out to the internet with ANY IE installation. How insidious that all the makeover and code rewrite that went into SP2 and the major IE "security rollups" have failed to discover a vulnerability so benign, yet so effective that it pulverizes all the defense mechanisms built around IE.