Germany warns about using IE

Rik · Jan 17, 2010, 12:19:14

The BBC reports that:

QuoteThe German government has warned web users to find an alternative browser to Internet Explorer to protect security.

The warning from the Federal Office for Information Security comes after Microsoft admitted IE was the weak link in recent attacks on Google's systems.

Microsoft rejected the warning, saying that the risk to users was low and that the browsers' increased security setting would prevent any serious risk.

However, German authorities say that even this would not make IE fully safe.

Thomas Baumgaertner, a spokesman for Microsoft in Germany, said that while they were aware of the warning, they did not agree with it, saying that the attacks on Google were by "highly motivated people with a very specific agenda".

"These were not attacks against general users or consumers," said Mr Baumgaertner.

"There is no threat to the general user, consequently we do not support this warning," he added.

QuoteHowever, Graham Cluley of anti-virus firm Sophos, told BBC News that not only did the warning apply to 6, 7 and 8 of the browser, but the instructions on how to exploit the flaw had been posted on the internet.

"This is a vulnerability that was announced in the last couple of days. Microsoft have no patch yet and the implication is that this is the same one that exploited on the attacks on Google earlier this week," he said.

Computer expert Alan Stevens: "It's like having a window left open in your house"

"The way to exploit this flaw has now appeared on the internet, so it is quite possible that everyone is now going to have a go."

We live in interesting times.

Simon · Jan 17, 2010, 13:49:47

zappaDPJ · Jan 19, 2010, 06:30:34

France has got in on the act now:

QuoteFrance has echoed calls by the German government for web users to find an alternative to Microsoft's Internet Explorer (IE) to protect security.

http://news.bbc.co.uk/1/hi/technology/8465038.stm

The UK government reportedly had this to say:

QuoteThe UK government had said that it would not issue a similar warning. However, it said the Centre for the Protection of National Infrastructure (CPNI)was "monitoring the situation" and would "publish further advice if the risks change".

Of course what they really said was '...would "publish further advice as and when they had found the on/off switch, it really must be around here somewhere...'

I'm not sure what to make of this, governments advising on the use of computer applications is pretty unprecedented and as the report goes on to say, some organisations suggest that IE8 is currently more secure than other browsers anyway. One thing I am pretty sure about is Microsoft's insistence on creating browsers that break away from industry standards is probably the root cause and it may come back to haunt them. Had they not taken this path, it would at least allow people to upgrade to the latest and most secure versions.

Rik · Jan 19, 2010, 08:48:25

Quote from: zappaDPJ on Jan 19, 2010, 06:30:34
One thing I am pretty sure about is Microsoft's insistence on creating browsers that break away from industry standards is probably the root cause and it may come back to haunt them. Had they not taken this path, it would at least allow people to upgrade to the latest and most secure versions.

Good point, Zap.

Glenn · Jan 19, 2010, 16:08:05

A patch is due soon http://blogs.zdnet.com/security/?p=5268&tag=nl.e589

sobranie · Jan 19, 2010, 16:13:48

This from MS I think.
Note that IE8 can be affected and IE8 is not affected.
Kind of gobbledegook one can expect from MS I suppose.

Quote:
Software giant Microsoft has confirmed that Internet Explorer 6 exploit code is out in the wild.
By Maggie Holland, 18 Jan 2010 at 09:00
Microsoft has warned users of its Internet Explorer 6 (IE6) browser to protect themselves againsts a vulnerability that has already been exploited by the bad guys.

The hole - an invalid pointer reference - could, in certain circumstances, allow an attacker to perform remote code execution, according to the software giant which has issued guidance as to how to safeguard against attack.

IE6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and IE6, IE7 and IE8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable, Microsoft has confirmed.

"Microsoft is aware of public exploit code released that impacts customers using Internet Explorer 6 and of limited, targeted attacks attempting to use this vulnerability against Internet Explorer (IE) 6. As a result of the reports, we released an update to Security Advisory 979352 to alert customers and provide actionable guidance and tools to help with protections against exploit of this IE vulnerability," said a Microsoft spokesperson, in a statement.

"Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8. To help protect our customers, we recommend that all customers immediately upgrade to Internet Explorer 8. Customers should also consider applying the workarounds and mitigations provided in our Security Advisory such as putting Internet zone security settings to High."

Microsoft claims that it is working "around the clock" on a resolution that may result in the release of an out-of-cyle security patch.

Further updates on the situation and how the resolution progresses can be found on Microsoft's Security Response Centte (MSRC) blog.

Unquote/

Rik · Jan 19, 2010, 16:25:37

Thanks, Rick. An interesting piece of Redmond-speak there.

Glenn · Jan 19, 2010, 16:53:42

Microsoft is doing its best to deflect from the software vendor's ugly, fat security hole in Internet Explorer 6, by telling customers to not only upgrade their browser for the latest version of IE, but also to ditch Windows XP while they're at it.

The much-loved operating system that refuses to die is vulnerable to attack, said Microsoft. Cue the company's wonks declaring - yet again - that it's time to move on to Windows ~~Vista~~ 7.

http://www.theregister.co.uk/2010/01/19/microsoft_xp_ie6_windows_7_security_nightmare/

Technical Ben · Jan 19, 2010, 18:01:07

Quote from: zappaDPJOne thing I am pretty sure about is Microsoft's insistence on creating browsers that break away from industry standards is probably the root cause and it may come back to haunt them. Had they not taken this path, it would at least allow people to upgrade to the latest and most secure versions.

As Rik said, I agree.
I won't touch Silverlight with a barge pole. I don't want hundreds of different plugins and programming languages to browse the internet (having Jave, flash, shockwave etc is already enough). I just get a bad feeling about Silverlight, like it's bloatware or something.

Edit: Quote markup sorted...

Gary · Jan 20, 2010, 10:01:55

Quote from: Technical Ben on Jan 19, 2010, 18:01:07
As Rik said, I agree.
I won't touch Silverlight with a barge pole. I don't want hundreds of different plugins and programming languages to browse the internet (having Jave, flash, shockwave etc is already enough). I just get a bad feeling about Silverlight, like it's bloatware or something.

Edit: Quote markup sorted...

Silverlight is not bloated, it has some great possibilities having checked it out when I used a windows box, as Adobe have more and more issues, maybe Silverlight will become a safer alternative? The silverlight film sites although rare are amazing. Saying that I have not got it on my mac.

Looks like Microsoft will issues a out of cycle patch as IE7 and IE8 can be fiddled with by the same vulnerability although there is no exploit code for those browsers just yet, so hopefully that will be done soon. Companies should really move on from IE6

somanyholes · Jan 20, 2010, 13:59:33

Now with dep bypass on ie8..... http://isc.sans.org/diary.html?storyid=8017

Rik · Jan 20, 2010, 15:24:37

I'm going to get my BBC micro out.

Steve · Jan 21, 2010, 09:06:06

Apparently the IE patch is out http://news.bbc.co.uk/1/hi/technology/8469632.stm

Glenn · Jan 21, 2010, 09:14:37

No update available with Win 7 for me just yet.

Gary · Jan 21, 2010, 09:15:08

Quote from: Steve on Jan 21, 2010, 09:06:06
Apparently the IE patch is out http://news.bbc.co.uk/1/hi/technology/8469632.stm

Saw that, good news for everyone all round, I just hope companies update from IE6 soon and move to maybe Windows 7. Looks like the move has started and without a SP either,

Gary · Jan 21, 2010, 09:16:06

Quote from: Glenn on Jan 21, 2010, 09:14:37
No update available with Win 7 for me just yet.

Probably will be after 6pm our time tonight, thats when Microsoft patch tuesday patches hit us

Glenn · Jan 21, 2010, 09:22:49

That was my 1st thought Gary, according to the bulletin, it should already be available. http://www.microsoft.com/security/updates/bulletins/200812_oob.aspx

somanyholes · Jan 21, 2010, 09:46:22

wrong link i think Glen.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249

Steve · Jan 21, 2010, 09:48:40

I am not getting anything on that So unless its very slow

Sorry re phrase no go via idnet DNS ok via Open DNS