Following the news last week of a series of hack attacks on Google and other companies, the governments of France and Germany both issued warnings on Friday suggesting that Microsoft’s Internet Explorer browser is too dangerous to use.
Microsoft on Thursday acknowledged that a vulnerability in Internet Explorer was one of several attack mechanisms used in the attacks on Google and others, and it issued a security advisory on the topic that day.
The company also suggested workarounds for avoiding the problem, which primarily affects IE 6 but could potentially be exploited in versions 7 and 8 as well.
Workarounds Not Enough
France and Germany, however, are encouraging users to avoid the browser entirely until the zero-day flaw is completely fixed.
The workarounds Microsoft suggests — including running IE in protected mode on Vista and later Windows operating systems — may make exploits more difficult, but they are still not enough to completely prevent the problem, according to Germany’s Federal Office for Information Security (BSI).
As a result, the BSI recommends that users switch to another browser until the problem is fixed.
Data Execution Prevention
The French government body CERTA issued a similar warning.
“Pending a patch from the publisher, CERTA recommends using an alternative browser,” reads an advisory from the agency.
Microsoft did not respond by press time to TechNewsWorld’s requests for comment.
‘It’s Good to Have Multiple Browsers’
It may make sense to steer clear of Internet Explorer until the flaw is fixed, but the browser should not be abandoned entirely, Johannes Ullrich, chief technology officer at the SANS Institute, told TechNewsWorld.
Users should immediately upgrade to the current version, IE 8, which will also ensure they get the fix when it is published, he added.
Fundamentally, “there is not a huge difference” among browsers, he pointed out; Firefox and others also exhibit vulnerabilities from time to time.
In general, though, “it’s good to have multiple browsers for situations like this,” Ullrich concluded.
‘All Browsers Have Security Problems’
“Web browser security in general leaves something to be desired,” agreed Michael Sutton, vice president of security research at ZScaler.
Vulnerability statistics, in fact, “don’t tell the whole picture,” he told TechNewsWorld.
If one browser is found to have 10 vulnerabilities in any given year, whereas another has just two, for example, that doesn’t mean it’s necessarily less secure, he noted. Rather, “it reflects more than one browser had more research done on it.”
The fact is, “all browsers have security problems, so it’s overly simplistic to say IE is more or less secure,” Sutton added.
‘They Were Using a Very Old Version’
“What I do think should be taken away from this is that enterprises should not be using outdated browsers,” he asserted.
The fact that the attacks were successful only on IE 6 “illustrates the overall point that just because a browser is still supported by a vendor is not a good reason to keep using it,” he warned. “Every new edition of software packages, in general, improves security.”
So, for the companies that were victims of the recent attacks, “it wasn’t the fact that they were using IE, it was because they were using a very old version,” Sutton pointed out. “If they hadn’t been, this particular attack wouldn’t have succeeded. That, to me, is the weak link of this whole thing.”
‘We Can Never Achieve 100 Percent Security’
The reactions from France and Germany, then, are not warranted, in Sutton’s view.
“There are critical vulnerabilities in every browser — simply not using IE is not going to protect you,” he said.
In general, “zero-day attacks are extremely difficult to protect against — we can never achieve 100 percent security,” he added. “The goal is to expend enough to get adequate value back from it, so you’re comfortable that you have mitigated the risks efficiently.”