In the wake of cyber attacks on Google and 33 other corporations, media outlets including the ABC are reporting recommendations from Australian, French and German government information security agencies to stop using Microsoft’s Internet Explorer web browser.
The recent attacks took advantage of what’s called a zero day exploit — that is, a vulnerability that is already being actively exploited by hackers before software vendors have even become aware of it, let alone developed, tested and issued a security patch.
Zero day exploits are common, and the bugs are usually fixed in software vendors’ regular update cycles. Microsoft, for example, has its “Patch Tuesday” on the second Tuesday of every month US time, and issues updates for Windows, Microsoft Office and other products in a batch to make it easier for IT staff to manage their workload.
Until a patch is released, systems administrators are warned of newly discovered vulnerabilities and recommended actions to mitigate the risk through notifications known as “security advisories”.
“AusCERT and the other national cyber safety bodies provide advisories and alerts like this on almost a daily basis,” security consultant Crispin Harris told Crikey.
“This one is of course highly visible because of the companies involved. It is unusual for advisories to be picked up by the media but not uncommon.”
In the case of this specific vulnerability, announced in Microsoft Security Advisory 979352 last week, the bug has so far only been demonstrated in attacks on the obsolescent Internet Explorer version 6. Microsoft has issued a temporary fix, and is still investigating.
However, the Australian, French and German advisories all flag it as potentially affecting versions 7 and 8 of Internet Explorer as well.
“All software suffers from security vulnerabilities from time to time, but Microsoft’s Internet Explorer is more deeply integrated into the operating system. This allows greater functionality, but it comes at the cost of increased risk in the event of a problem,” Harris told Crikey.
“Internet Explorer is currently the leading browser in terms of percentage of users, and thus it’s the most common target,” Harris said.
The advisories suggest using an alternative web browser for Windows, such as Mozilla’s Firefox or Apple’s Safari. Both are free downloads.
Harris agrees with this advice, but suggests we stay “alert but not alarmed”.
Honestly, why does anyone use Internet Explorer anymore? I have used Firefox for about six years. It’s faster and more secure. I also have add-ons like Foxmarks which synchronises my bookmarks across my three PCs in two different countries. There is no way I would go back to Internet Explorer even if Microsoft came and paid me. IE is the
I agree with Nigel. People should dump IE because it’s a bread-free shit sandwich, never mind the security risks. Having used Firefox for years, I can also heartily recommend Google Chrome, which is fast, stable and not taxing on system resources.
Yes, I only use IE on internal corporate pages which force me to. Otherwise it’s Chrome all the way. Love the one process/tab philosophy.
I see two main reasons people use Internet Explorer, and especially the obsolescent (to say the least!) IE6:
1. They have no choice. It’s a mandated corporate Standard Operating Environment. This is especially the case when internal workflow applications have been written in IE-specific code years ago and there isn’t the budget or management willpower to re-write it to modern software standards.
2. They have no clue. And I don’t mean that as a denigration, merely as observation. Many of my small business clients don’t know what the term “web browser” means, let alone the implications of anything we’re talking about here.
And, if their manager is not computer literate, they won’t perceive the need to change and will almost certainly baulk at the idea of people having to learn something new.
Meanwhile the infosec consultant I quoted has updated his opinion: “Big deal, just another 0-day. Nothing special except the target’s ability to talk about it.”
Stilgherrian:
1 – yes, don’t get me started on that, there are lots of apps here that expect 6 (or 7) – you run Windows 7 x64 and you’ve got 8, so you end up running these apps in a VM inside your box running XP.
2 – for these, remove the blue IE icon from everywhere, set the default browser to Chrome or Firefox. Set them up to use Gmail instead of Outlook Express. If it’s Firefox, install NoScript.
The infosec consultant has been jaded by too many 0-day vulnerabilities that appeared to do nothing.