In the wake of cyber attacks on Google and 33 other corporations, media outlets including the ABC are reporting recommendations from Australian, French and German government information security agencies to stop using Microsoft’s Internet Explorer web browser.
The recent attacks took advantage of what’s called a zero day exploit — that is, a vulnerability that is already being actively exploited by hackers before software vendors have even become aware of it, let alone developed, tested and issued a security patch.
Zero day exploits are common, and the bugs are usually fixed in software vendors’ regular update cycles. Microsoft, for example, has its “Patch Tuesday” on the second Tuesday of every month US time, and issues updates for Windows, Microsoft Office and other products in a batch to make it easier for IT staff to manage their workload.
Until a patch is released, systems administrators are warned of newly discovered vulnerabilities, and of recommended actions to mitigate the risk, through notifications known as “security advisories”.
“AusCERT and the other national cyber safety bodies provide advisories and alerts like this on almost a daily basis,” security consultant Crispin Harris told Crikey.
“This one is of course highly visible because of the companies involved. It is unusual for advisories to be picked up by the media but not uncommon.”
In the case of this specific vulnerability, announced in Microsoft Security Advisory 979352 last week, the bug is currently known to have been demonstrated only in attacks on the obsolescent Internet Explorer version 6. Microsoft has issued a temporary fix, and is still investigating.
However, the Australian, French and German advisories all flag it as potentially affecting versions 7 and 8 of Internet Explorer as well.
“All software suffers from security vulnerabilities from time to time, but Microsoft’s Internet Explorer is more deeply integrated into the operating system. This allows greater functionality, but it comes at the cost of increased risk in the event of a problem,” security consultant Crispin Harris told Crikey.
“Internet Explorer is currently the leading browser in terms of percentage of users, and thus it’s the most common target,” Harris said.
Harris agrees with this advice, but suggests we stay “alert but not alarmed”.