The German government's Bundesamt für Sicherheit in der Informationstechnik (BSI), in English the Federal Office for Information Security, is reported to have told German citizens to avoid all versions of Microsoft Internet Explorer (IE) until the security flaws suspected of allowing Google and other companies in China to be successfully hacked are fixed.
McAfee said last Thursday that a security flaw in the way Internet Explorer handles JavaScript was to blame for the attack. Early reports had blamed another Adobe PDF problem, but that claim was later retracted.
Microsoft, as expected, cried foul and said such a warning was over the top. The London Telegraph quotes a Microsoft spokesperson as saying, "These were not attacks against general users or consumers...There is no threat to the general user, consequently we do not support this warning."
Microsoft says the attacks can be thwarted by setting IE's security setting to high, and that a fix is being created.
While setting IE's security setting to high limits functionality and access to some websites, this is probably the only way to go if one wants to continue to use the browser. Active scripting needs to be turned off as well.
However, as the BSI points out, while this can make attacks more difficult, it won't fully prevent them.
McAfee gives some guidance on what to do here.
With the IE attack code now out in public, this mode of attack will likely become very common and hang around like Conficker, which is still active and causing trouble.
BTW, when I tried to get to the BSI site, it was very, very slow. I wonder if the site is under a DOS attack since making its recommendation to avoid IE.
UPDATE:
The BBC is reporting today (Monday, 18 January) that the French government's security agency CERTA has issued the same warning as BSI to French citizens about using Microsoft IE.
Microsoft responded by telling the BBC that it was IE6 that was the real problem and that users need to upgrade to IE8.
The British government also told the BBC that it was not going to issue a similar warning - yet - while the Australian government's AusCERT thinks the Germans and French have gone overboard, says a story in Tuesday morning's Sydney Morning Herald. AusCERT gives a detailed analysis of the IE problem here.
Looks like a security mavens' cat fight is emerging, which, of course, will likely only confuse IE users to no end about its security.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.