The German and French governments have advised citizens to avoid using Internet Explorer until Microsoft patches a zero-day flaw that was used by hackers to access Google systems.
Microsoft confirmed last week that the IE flaw was used in cyberattacks on Google's infrastructure — which included an attempt to access the Gmail accounts of Chinese human-rights activists — and on a number of other US companies.
Attack code exploiting the invalid pointer reference flaw has been published on mailing lists and on at least one website, security company McAfee said in a blog post on Friday.
The German Federal Office for Information Security (BSI) said on Friday that users should switch to another browser until Microsoft addresses the problem, which is rated 'critical'. It also advised people not to rely on workarounds suggested by Microsoft.
"Running Internet Explorer in protected mode and disabling Active Scripting will make computers more difficult to compromise, but cannot completely prevent an attack," the cybersecurity agency said in a press statement. "Therefore, the BSI recommends switching to an alternative browser until Microsoft issues a patch."
The BSI said people should drop their use of versions 6, 7 and 8 of IE on computers running XP, Vista or Windows 7.
French government body Certa also warned people on Friday not to use Internet Explorer until Microsoft issues a security fix.
"Pending a patch from the publisher, Certa recommends using an alternative browser," said Certa, part of the French cybersecurity agency Anssi, in an advisory.
Certa strongly advised people to surf using a browser with limited rights, and with JavaScript and ActiveX disabled.
Microsoft acknowledged on Sunday that exploit code had been seen in the wild. Noting that the code targeted IE6, the company issued a supplementary advisory urging people to use IE8, which has higher protections.
"Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8," Microsoft said in a statement. "To help protect our customers, we recommend that all customers immediately upgrade to Internet Explorer 8."






Talkback
I have never seen such blatant denial from MS as those relating to this browser. We're told from various sources, including this BBC news page (http://news.bbc.co.uk/1/hi/technology/8463516.stm) as well as in information that some European government departments are issuing, that IE versions 6, 7, and 8 are all affected and yet the MS guy tells everyone to upgrade to IE8 . . .
As I have stated before (http://community.zdnet.co.uk/blog/0,1000000567,10014866o-2000673651b,00.htm), it seems we can't trust the statements being issued by MS around this particular issue, because they think that if millions of end users start migrating to alternative browsers they may continue to go on and migrate their office software and other stuff once they realise the amount of choice that's available to them. That's my opinion anyway. MS will eventually lose money if they lose browser market share.
FPDW
Miguel de Icaza, Microsoft MVP?
Yep, it’s true. The open-source rabble-rouser who was prevented from hosting a session inside Microsoft’s 2005 Professional Developer Conference has been accepted into the ranks of the company’s “Most Valuable Professionals” less than five years later. He announced the news on his blog.
De Icaza is the leader of the open-source Mono project, sponsored by Novell, which previously set off alarm bells inside Microsoft for its ability to expand Microsoft .NET applications to other platforms, including Linux. Relations between de Icaza and Microsoft have warmed following the Redmond company’s partnership with Novell.
He’s also on the board of the Microsoft-supported CodePlex Foundation. Meanwhile, Mono spin-off project Moonlight, an open-source implementation of Microsoft’s Silverlight interactive technology, has won the blessings of the Redmond company.
Considering that MS didn't know about this vulnerability either until people started exploiting it, I hardly find MS's statement reassuring. I just wonder what other "zero day" exploits these same people have up their sleeves.
Running IE is always a risk, because this is not the last exploit you will see. This browser is a problem, in part, because it has always been the only one you get with a new, off the shelf, computer. And newbies have no concept of security, so they associate MS, and its products, as being the best, and they are given a false sense of security. One would think MS would have gotten something right as long as they have been in business, and seeing as how you are forced to buy their software on a new computer.