European governments warn against Internet Explorer
Microsoft faces pressure for quick patch.
By John E. Dunn | Techworld | Published: 14:43, 18 January 2010
The French government has become the second in days to warn its citizens to steer clear of Internet all versions of Explorer (IE) until a serious security flaw is fixed in the browser.
Last week, The German Federal Office for Information (BSI) Security warned users against using versions 6, 7 and 8 of the browser until Microsoft patched the vulnerability referred to Microsoft in advisory 979352, the remote execution security hole believed to be connected to recent high-profile attacks on Google servers which saw the search giant threaten to quit China.
Now the French Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatique has issued its own terse warning to the same effect. As with the German government before it, Microsoft's optimistic idea that users can avoid the issue by tweaking their browser to the maximum security level appears to have cut little ice with the French.
Related Articles on Techworld
This is turning into to be Internet Explorer's darkest week ever. In the space of a few days, a flaw in IE has been blamed for a hack that not only affected Microsoft's rival Google, but which also affected several dozen other companies in the US, was incorrectly pinned on Adobe's PDF Reader by iDefense, and ended up causing an historic row between the Chinese authorities and Google.
On top of all this came last week's publication of the attack code for the flaw, leaving Microsoft to withdraw red-faced to work out a fix before the situation causes more high-profile problems. Now nation states are now ganging up against the browser, leaving Microsoft's proposed browser tweak looking like a counsel for the naive.
"These were not attacks against general users or consumers," said Microsoft Germany spokesman, Thomas Baumgaertner, doing his level best to defend the browser. The attacks were the work of "highly motivated people with a very specific agenda."
Unfortunately, because the attack code is now in the public domain, and because the flaw allows criminals a large degree of control over the compromised system, there is now a serious risk that ordinary computer users will face attacks in the coming days, whether they set IE to the highest security setting - which inconveniently happens to block some innocent sites - or not.
Some commentators have warned against over-reaction.
"Switching rashly away from Internet Explorer might be a mistake. Some users may be unfamiliar with a different browser and cause support problems, and some web-based applications may not work at all if you're not using Internet Explorer," said Graham Cluley of Sophos.
"Switching browsers only makes sense if you really know what you are doing with the browser you are swapping to. It may very well be a case of 'better the devil you know'," He said.
Microsoft's next scheduled Patch Tuesday on 9 February, but an earlier issue is now looking probable.
"Microsoft teams are continuing to work around the clock on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing an out-of-cycle security update," said a Microsoft response on the flaw.