Tuesday, January 19, 2010

France & Germany warn against IE use

The German and French governments have warned against using Microsoft's Internet Explorer to browse the web because of security flaws. The Federal Office for Information Security (BSI) told Germans to avoid use of all versions of Explorer after a security hole led to attacks against Google and others by hackers.

Microsoft admitted last week that its browser was the weak link in recent attacks by Chinese hackers who pried into e-mail accounts of human rights activists. Following the attack, Google threatened to end its operations in China [Guardian / Telegraph / WSJ / BBC].

Microsoft rejected the German government's warning as too strong and has sought to reassure users that the security threat was low. "These were not attacks against general users or consumers," said Thomas Baumgaertner, a Microsoft spokesman in Germany, adding that the attacks on Google were carried out by "highly motivated people with a very specific agenda". Microsoft claims the security risk can be limited by setting the browser's security zone to "high", although they admit this limits functionality and blocks many websites [NSS PDF report].

But the BSI insisted that such measures were not sufficient and urged internet users to use alternative browsers, such as Mozilla's Firefox or Google Chrome. "Using Internet Explorer in 'secure mode,' as well as turning off Active Scripting makes attacks more difficult, but cannot fully prevent them," the BSI said in a statement.

Following the German announcement the French government followed suit, issuing an advisory suggesting that all versions of Internet Explorer, which is included with Windows, were vulnerable to attacks. The French government through the CERTA (Centre d'Expertise gouvernemental de Réponse et de Traitement des Attaques) website, said security holes existed in IE6, 7 and 8 which allowed malicious people to execute arbitrary code remotely.

"Pending a patch from the publisher, CERT recommends using an alternative browser. CERT said it is also strongly advised to browse the Internet with a user account with limited rights and the disabling of interpretation of dynamic code (JavaScript, ActiveX, ...)," a statement on the French government website read. "Moreover, activation of the DEP (Data Execution Prevention) may limit the impact of this vulnerability."

Graham Cluley, a senior security consultant for UK-based security firm Sophos PLC, said he could not recall another example of "such strongly worded advice" from a European government for users to switch from a piece of software. "The way to exploit this flaw has now appeared on the Internet, so it is quite possible that everyone is now going to have a go," Cluley said. "We've been working with Microsoft to see if the damage can be mitigated and we are hoping that they will release an emergency patch."

But he warned against complacency in simply switching browsers. "One thing that should be stressed is that every browser has its security issues, so switching may remove this current risk but could expose you to another," he said.

Australia's computer emergency response team, AusCERT, which compiles the cyber threat alerts for the Government's Stay Smart Online website, has said the threat has been overblown. Although Microsoft has yet to issue a patch to fix the issue, AusCERT has published instructions allowing people to greatly reduce their risk of being attacked by changing settings and installing a temporary fix. "It doesn't remove the problem. It just stops the exploit from working properly," AusCERT senior information security analyst Zane Jarvis said [SMH].

It is a feeling held too by the British government which has not released an advisory. The Cabinet Office, which oversees the deployment of computers in government, said Monday that "it doesn't think the issue (of being open to hacking) would be resolved any better by going elsewhere". This seemed to contradict government advice according to Labour MP and former Cabinet Office minister Tom Watson. "The government's own advice to businesses and consumers, through its Get Safe Online site that it helps to fund, is to not use IE6. So other than the fact that they aren't taking their own advice, it's preposterous that they wouldn't take this threat seriously. With the added security threat, all departments should certainly ditch IE6 and upgrade," he said.

The advisories appeared to have given at least one Microsoft competitor a boost. Opera Software ASA, a Norwegian software company, said the number of downloads in Germany of its Opera browser doubled to 18,000 a day over the weekend. The firm did not have statistics for France, however, and there were no figures immediately available to show if there had been an upsurge in traffic to Google Chrome or Firefox download pages [BBC blog].

There have also been heightened concerns expressed over e-mail account security [CNN]. There have been reports that journalists' accounts have been hacked, prompting the Foreign Correspondents Club of China to issue its own advice.

tvnewswatch, Beijing, China
