The French and German Governments have urged their citizens to avoid using Microsoft’s Internet Explorer browser because of critical vulnerabilities that could be exploited by hackers.
The incident comes after a number of cyber-attacks were launched against internet giant Google and several other large software companies using the Internet Explorer software.
The German Federal Office for Information Security, known as the BSI, said in a statement that it advised the “temporary use of alternative browsers” due to a “critical security hole” in the software.
“Running Internet Explorer in protected mode and disabling Active Scripting will make computers more difficult to compromise, but cannot completely prevent an attack… Therefore, the BSI recommends switching to an alternative browser until Microsoft issues a patch.”
Now the French Government has joined Germany in its warnings, with security agency CERTA releasing an official statement.
“Pending a patch from the publisher, Certa recommends using an alternative browser,” it wrote.
Both countries are reacting to the cyber-attacks launched against Gmail accounts and a number of companies such as Adobe, which are believed to have originated from China and to have used the Internet Explorer software.
The attacks have prompted Google to discuss abandoning its operations in China, while the company is reportedly investigating its own employees to discover if the attack was an inside job.
The attack is a major blow for Microsoft. Internet Explorer is the market leader in web browsers with about 69% of the market, with Mozilla Firefox coming up second with just 20%.
But Microsoft has spoken out against the French and German warnings, saying the attacks are targeting a vulnerability found in an earlier version of the software, Internet Explorer 6.
Instead of abandoning the program, the company said users should upgrade to Internet Explorer 8 in order to avoid the malicious code used to exploit the vulnerability.
“The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time,” the company said.
“It is important to note that all software has vulnerabilities and switching browsers in an attempt to protect against these highly publicised but currently limited attacks inadvertently creates some false sense of security.”
If users continue to use Internet Explorer, Microsoft has warned them to move their security settings to “high” in order to enable prompts warning the user of potentially harmful code.
The attack has prompted security firms to advise users and businesses to upgrade their anti-virus and firewall software.
Vincent Weafer, vice president of Symantec security response, says Microsoft is working on a patch but no release details have been announced.
“The technology in Internet Explorer has been a prime target for hackers over the last few years. These hackers would use code in your machine with the same privileges as an administrator, allowing them to install a downloader or backyard Trojan.”
“What Microsoft is saying is that because this vulnerability has been left unpatched, you could be exposed. But no full-scale exploits have occurred yet… that isn’t here yet.”
But Weafer also says moving to another browser may not be a complete fix.
“The general picture when you look at Safari, Chrome, Firefox and other browsers, is that all of them have vulnerabilities. Running to another browser is not necessarily an answer, because we know hackers are using vulnerabilities in all of them.”
McAfee wrote on its official blog that the attacks seemed to use Internet Explorer in order to obtain intellectual property, and said the internet security industry has changed as a result.
“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios,” worldwide chief technology officer George Kurtz wrote.
“The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.”