Dump Internet Explorer? Stay alert but not alarmed

In the wake of cyber attacks on Google and 33 other corporations, media outlets including the ABC are reporting recommendations from Australian, French and German government information security agencies to stop using Microsoft’s Internet Explorer web browser.

The recent attacks took advantage of what’s called a zero day exploit — that is, a vulnerability that is already being actively exploited by hackers before software vendors have even become aware of it, let alone developed, tested and issued a security patch.

Zero day exploits are common, and the bugs are usually fixed in software vendors’ regular update cycles. Microsoft, for example, has its “Patch Tuesday” on the second Tuesday of every month US time, and issues updates for Windows, Microsoft Office and other products in a batch to make it easier for IT staff to manage their workload.

Until a patch is released, systems administrators are warned of newly discovered vulnerabilities and recommended actions to mitigate the risk through notifications known as “security advisories”.

“AusCERT and the other national cyber safety bodies provide advisories and alerts like this on almost a daily basis,” security consultant Crispin Harris told Crikey.

“This one is of course highly visible because of the companies involved. It is unusual for advisories to be picked up by the media but not uncommon.”

In the case of this specific vulnerability, announced in Microsoft Security Advisory 979352 last week, the bug is currently only known to be demonstrated in attacks on the obsolescent Internet Explorer version 6. Microsoft has issued a temporary fix, and is still investigating.

However, the Australian, French and German advisories all flag it as potentially affecting versions 7 and 8 of Internet Explorer as well.

“All software suffers from security vulnerabilities from time to time, but Microsoft’s Internet Explorer is more deeply integrated into the operating system. This allows greater functionality, but it comes at the cost of increased risk in the event of a problem,” security consultant Crispin Harris told Crikey.

“Internet Explorer is currently the leading browser in terms of percentage of users, and thus it’s the most common target,” Harris said.

The advisories suggest using an alternative web browser for Windows, such as Mozilla’s Firefox or Apple’s Safari. Both are free downloads.

Harris agrees with this advice, but suggests we stay “alert but not alarmed”.


13 Comments

  1. NigelPope1
    Posted Tuesday, 19 January 2010 at 2:48 pm

    Honestly, why does anyone use Internet Explorer anymore? I have used Firefox for about six years. It’s faster and more secure. I also have add-ons like Foxmarks which synchronises my bookmarks across my three PCs in two different countries. There is no way I would go back to Internet Explorer even if Microsoft came and paid me. IE is the

  2. Gibbot
    Posted Tuesday, 19 January 2010 at 3:08 pm

    I agree with Nigel. People should dump IE because it’s a bread-free shit sandwich, never mind the security risks. Having used Firefox for years, I can also heartily recommend Google Chrome, which is fast, stable and not taxing on system resources.

  3. meski
    Posted Tuesday, 19 January 2010 at 3:14 pm

    Yes, I only use IE on internal corporate pages which force me to. Otherwise it’s Chrome all the way. Love the one process/tab philosophy.

  4. Posted Tuesday, 19 January 2010 at 4:18 pm

    I see two main reasons people use Internet Explorer, and especially the obsolescent (to say the least!) IE6:

    1. They have no choice. It’s a mandated corporate Standard Operating Environment. This is especially the case when internal workflow applications have been written in IE-specific code years ago and there isn’t the budget or management willpower to re-write it to modern software standards.

    2. They have no clue. And I don’t mean that as a denigration, merely as observation. Many of my small business clients don’t know what the term “web browser” means, let alone the implications of anything we’re talking about here.

    And, if their manager is not computer literate, they won’t perceive the need to change and will almost certainly baulk at the idea of people having to learn something new.

    Meanwhile the infosec consultant I quoted has updated his opinion: “Big deal, just another 0-day. Nothing special except the target’s ability to talk about it.”

  5. meski
    Posted Tuesday, 19 January 2010 at 4:35 pm

    Stilgherrian:

    1 - yes, don’t get me started on that, there are lots of apps here that expect 6 (or 7) - you run Windows 7 x64 and you’ve got 8, so you end up running these apps in a VM inside your box running XP.

    2 - for these, remove the blue IE icon from everywhere, set default browser to Chrome or Firefox. Set them up to use Gmail instead of Outlook Express. If it’s Firefox, install NoScript.

    The infosec consultant has been jaded by too many 0-day vulnerabilities that appeared to do nothing.

  6. Bill Parker
    Posted Tuesday, 19 January 2010 at 5:16 pm

    I haven’t used IE on my Mac for years. The only time I have is to help somebody with a particular website that I manage to solve their problems. Every time I use IE, it without my knowledge downloads a 10MB cache file which slows down my machine and is very hard to delete. Why would I bother with IE as my main browser? I’d use Firefox any day.

  7. Posted Tuesday, 19 January 2010 at 5:21 pm

    Microsoft discontinued all support for Internet Explorer on Macintosh on 31 December 2005 after the final release on 11 July 2003. It’s a dead parrot.

  8. Tamo
    Posted Tuesday, 19 January 2010 at 6:26 pm

    Use open source - Firefox, Open Office, Songbird, Sunbird, Gnucash, and Thunderbird. Free and functional.

    In fairness to Microsoft (which is a real effort) it should be noted that the widespread use of IE invites the hackers to attack it instead of some of the others. If we all stop using IE then the hackers will probably attack Firefox and then reveal previously undetected security weaknesses.

  9. Crispin Harris
    Posted Tuesday, 19 January 2010 at 8:35 pm

    Meski,
    As the quoted security consultant, I have to agree with you somewhat. Mostly, however, this particular Zero-Day vulnerability is nothing special. As I see it, the Adobe Acrobat vulnerability from December was much more important, just as dangerous, and had a substantially larger footprint of potentially vulnerable people.

    Yes - All Zero-Day vulnerabilities are worrisome and important, and should be managed as such.

    But… Is this one special in some important manner? No.

  10. Martin Barry
    Posted Tuesday, 19 January 2010 at 9:55 pm

    I think thee doth complain too much.

    Considerable effort is spent trying to convince people to switch away from old and insecure browsers, and yet when mass media attention sends the same message we complain that this single incident has been unfairly singled out?

  11. Posted Wednesday, 20 January 2010 at 7:57 am

    @Martin Barry: I was thinking about that point last night and I think it’s related to geek arrogance. Sure, we want everyone to use what we reckon are the “right” web browsers — and other software and tools and toys for that matter. But we also want them to do it for the right reasons.

    We want them to understand, to figure it out for themselves and — especially! — to do it because we taught them to do so over time. Not because they heard it from mainstream media, and especially not when they got some aspect of the story wrong.

    Maybe it’s sulking rather than arrogance, then. “We’ve been telling you this for years and you didn’t listen? But now you listen because they tell you? Don’t you believe us? Don’t you trust us?”

  12. ronin8317
    Posted Wednesday, 20 January 2010 at 11:24 am

    The patch for the fix in IE is already available, yet Microsoft didn’t include it in the security updates. The bigger question is why does Microsoft let security holes stay unpatched? There is also the issue of compatibility: people are forced to use IE6 because of compatibility issues, which means they can’t move to IE7 and IE8 (and now IE9).

  13. philiseedogollomoo
    Posted Wednesday, 20 January 2010 at 11:48 am

    Can we ask Bill for a refund?