Microsoft has issued a statement confirming that it plans to release a patch for a security vulnerability in Internet Explorer, the same flaw that was used in the recent targeted and sophisticated attacks against Google.
George Stathakopoulos of Microsoft Security confirmed the news in a company blog post. “Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability,” said Stathakopoulos. He added that Microsoft will share the specific timing of the release tomorrow.
The vulnerability came to light when Google disclosed that it had been the target of a sophisticated cyber-attack. The breach, which involved Internet Explorer 6, resulted in the theft of intellectual property. Because of the attack and the background behind it, Google announced it will no longer provide censored results on its Chinese search engine. Currently Google offers censored search results as part of an agreement with the Chinese government.
Since the news of the un-patched flaw broke, Microsoft has been in damage limitation mode. This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. Both the French and German governments warned their populations to stop using Internet Explorer until the flaw is fixed. The flaw exists in Internet Explorer versions 6, 7 and 8, but exploit code is so far only available for Internet Explorer 6; since the vulnerable code is present in all three versions, that is a statement about today's exploits, not about whether 7 and 8 are safe. The patch, when released, will cover all affected versions of Internet Explorer.
Should you stop using Internet Explorer?
Microsoft has had a torrid time over the past week as governments and customers question the security of the popular web browser, Internet Explorer.
The issues began when Google disclosed that it had been the target of a sophisticated cyber-attack. The breach, which involved Internet Explorer 6, resulted in the theft of intellectual property. Because of the attack and the background behind it, Google announced it will no longer provide censored results on its Chinese search engine. Currently Google offers censored search results as part of an agreement with the Chinese government.
The news created waves across the world, and last week Microsoft admitted that an un-patched Internet Explorer 6 vulnerability was one of the vectors used in the targeted attacks against Google. To many the news wasn’t surprising. Internet Explorer 6, released in August 2001, is over eight years old and has been subject to a number of high-profile vulnerabilities over the years. The alternatives in the marketplace today are not only far better in terms of features and standards support but, crucially, offer a greater safety net for online browsing. If you’re still using Internet Explorer 6 then, quite frankly, you’re mad.
Ed Bott wrote, shortly after the admission by Microsoft, that any IT pro allowing IE6 use in a corporate setting is “guilty of malpractice”, and I couldn’t agree more. Unfortunately, in a corporate setting it’s not always as easy as hitting an upgrade button. Most corporate infrastructure relies on a global directory, email and intranet websites as the core channels of communication between employees. Updating and maintaining internal-only (intranet) websites is always a challenge for corporations, as many will have been left untouched for years and contain code written specifically for aged Internet Explorer versions. Websites are only the beginning; there are also custom applications and systems that embed or depend on Internet Explorer and could be incompatible with Microsoft’s latest versions.
This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. For corporations and web designers, however, there is a continued reminder that for many years Microsoft ignored emerging and established web standards in Internet Explorer, especially in version 6. Developers originally complained about the poor support for Cascading Style Sheets (CSS) after the introduction of Internet Explorer 6 in 2001. At the time the software giant dominated the browser marketplace, and many would argue its actions slowed down web development. Fast forward to 2010 and it’s a whole different ball game. Microsoft’s market share is slowly ebbing away thanks to competitive and promising offerings from both Mozilla and Google. Microsoft improved its web standards support in Internet Explorer 7 and 8 and now plans to extend that with version 9, due later this year. But is it too little, too late?
The question of whether to stop using Internet Explorer is one that many businesses and consumers are likely asking this week. Both the French and German governments warned their populations to stop using Internet Explorer until the flaw is fixed. The flaw exists in Internet Explorer versions 6, 7 and 8, but exploit code is so far only available for Internet Explorer 6. IE7 and IE8 contain the same vulnerable code; the reason no working exploit has appeared for them yet is largely the mitigations added in those versions, which make a reliable exploit considerably harder to build rather than impossible. Internet Explorer 7 introduced a phishing filter, Protected Mode (on Windows Vista and later), which runs the browser at a low integrity level so that a compromised browser process has limited rights to write to the rest of the system, and improved management of ActiveX controls. Internet Explorer 8 added process isolation, running the browser frame and the tabs as separate processes, and per-site ActiveX controls. Both IE7 and IE8 also support Data Execution Prevention (DEP), which marks data areas of memory as non-executable; DEP does not stop a buffer overflow from occurring, but it blocks the usual next step of executing code the attacker has written into memory. Note that IE8 enables DEP by default on Windows Vista SP1 and later, whereas in IE7 it is off unless explicitly enabled, so IE7 users gain nothing from it unless they turn it on.
So do these attacks mean you should stop using Internet Explorer? Simply put, no. Although a vulnerability exists, Microsoft is currently working on a patch to resolve it as soon as possible. If you’re still running Internet Explorer 6, then it’s definitely time to upgrade. Neowin spoke to Cliff Evans, head of security and privacy for Microsoft in the UK, yesterday. Evans urged consumers and businesses to “look at this vulnerability in a broader context and think about what the risk is.” He argued that although the vulnerability exists, it’s highly unlikely that the average business or consumer would be targeted by the type of attack Google experienced. Evans insisted that “normal organisations have little to fear” over the recent attacks and that Microsoft recommends all businesses and consumers upgrade to Internet Explorer 8, especially if they are currently using 6. I questioned Evans about corporations that may be stuck on Internet Explorer 6 for compatibility reasons, but he urged them to look at their upgrade plans again. According to data from Net Applications (December 09), as a percentage of Internet Explorer use, IE6 holds 36.57% and IE8 36.27%, with Internet Explorer 7 lagging behind at 27.11%. With Internet Explorer 6 still the most popular of all Internet Explorer variants, Microsoft is going to have a tough time convincing people to upgrade. Evans would not commit to a release date for the fix, but said it was likely to be distributed either as an out-of-band patch shortly or as part of Microsoft’s monthly “Patch Tuesday”, which is due on February 9.
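Before a corporation can plan the upgrade discussed above, it has to know which machines are still on IE6, and the usual place to find out is the access logs of the intranet sites those machines hit every day. The script below is an added example, not code from the article or from Microsoft: it parses Apache/nginx combined-format log lines (the sample lines are constructed for the example), works out the real IE version from the User-Agent, counts distinct client addresses per version and lists the hosts still on IE6. The one subtlety worth knowing is that IE8 in Compatibility View reports "MSIE 7.0" but keeps its "Trident/4.0" engine token, so a naive count of the MSIE token would under-count IE8 and over-count IE7.

```python
"""Inventory Internet Explorer versions from web server access logs.

Added example (not from the original article). Parses the User-Agent field
of combined-format log lines, maps the MSIE and Trident tokens to the real IE
major version, and reports which client IPs are still running IE6.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')
TRIDENT_RE = re.compile(r'Trident/(\d+)\.\d+')

# Layout-engine token -> actual IE version. IE8 is the first release that sends
# a Trident token, so IE6 and IE7 are identified from the MSIE token alone.
TRIDENT_TO_IE = {4: 8, 5: 9}

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2010:09:12:01 +0000] "GET /intranet/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.7 - - [18/Jan/2010:09:12:08 +0000] "GET /intranet/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    # IE8 in Compatibility View: MSIE token downgraded, Trident token unchanged
    '10.0.0.9 - - [18/Jan/2010:09:13:15 +0000] "GET /intranet/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.11 - - [18/Jan/2010:09:14:02 +0000] "GET /intranet/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.13 - - [18/Jan/2010:09:15:40 +0000] "GET /intranet/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"',
    '10.0.0.5 - - [18/Jan/2010:09:16:03 +0000] "GET /intranet/app/ HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
]


def ie_version(user_agent):
    """Return the real IE major version for a User-Agent string, or None if not IE.

    The Trident token wins when present, so IE8 in Compatibility View
    ("MSIE 7.0 ... Trident/4.0") is counted as IE8. Otherwise the MSIE token is used.
    """
    msie = MSIE_RE.search(user_agent)
    if not msie:
        return None
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        return TRIDENT_TO_IE.get(int(trident.group(1)), int(msie.group(1)))
    return int(msie.group(1))


def inventory(log_lines):
    """Count distinct client IPs per IE version and list the hosts still on IE6.

    Returns (Counter of version -> number of distinct client IPs, sorted list of
    IE6 client IPs). Non-IE and unparsable lines are ignored.
    """
    clients = set()  # (ip, version) pairs, so repeat requests count once
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        version = ie_version(m.group('ua'))
        if version is None:
            continue
        clients.add((m.group('ip'), version))
    counts = Counter(version for _, version in clients)
    ie6_hosts = sorted(ip for ip, version in clients if version == 6)
    return counts, ie6_hosts


def ie_share(counts):
    """Express per-version client counts as a percentage of all IE clients."""
    total = sum(counts.values())
    return {v: round(100.0 * n / total, 2) for v, n in sorted(counts.items())}


if __name__ == '__main__':
    counts, ie6_hosts = inventory(SAMPLE_LOG)
    for version, pct in ie_share(counts).items():
        print('IE%d: %d client(s), %.2f%%' % (version, counts[version], pct))
    print('Hosts still on IE6:', ', '.join(ie6_hosts) or 'none')
```

Run against real logs the `SAMPLE_LOG` list is replaced by a file handle; the IE6 host list is what goes to the desktop team, and the share figures give the same kind of breakdown as the Net Applications numbers quoted above, but for your own estate rather than the internet at large.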