NHS Staff Told To Abandon IE6

The Department of Health is advising NHS organisations to abandon Internet Explorer 6, despite the government’s decision to ignore security warnings about the browser

The Department of Health (DH) has issued a bulletin to NHS staff, recommending that any organisation still using Internet Explorer 6 should upgrade to Internet Explorer 7. The advice is based on concerns about the security of IE6, following the discovery of a vulnerability that can be exploited to run malicious code on various versions of Windows.

The flaw in question is the same one that reportedly enabled hackers to break into the Gmail accounts of human rights activists in China. The attack resulted in Google reconsidering its policy of co-operating with the Chinese government, and threatening to pull out of the country all together.

The DH bulletin also advises organisations that choose to continue using IE6 to apply the security update patch issued by Microsoft in January. Where the update is incompatible with existing applications, the DH recommends applying one of the mitigating actions from the Microsoft security advisory instead.

“Exploitation of this vulnerability could allow for complete compromise of the affected system,” the DH warned in the bulletin. “This could allow an attacker to download and install further malware/spyware on to the computer, add user accounts to the computer, steal sensitive data held locally and centrally and so forth.

“It is also possible that exploiting this vulnerability could allow for the compromised computer to be used as a ‘staging point’ for further attacks against other computer systems including those outside of the organisation. If an organisation has systems compromised via this vulnerability, there may be consequential reputational damage, especially if sensitive data is affected or the compromised system is used to attack other systems,” it added.

Google also announced at the end of last week that it would phase out its support for IE6 and other older web browsers for its Google Docs and Google Sites applications. However, the company cited application speed, not security, as the main reason for the decision. “The web continues to evolve at lightning speed, and using an up-to-date browser enables you to use the very latest web apps,” wrote Google Apps senior product manager Rajen Sheth in a blog post.

Meanwhile, the British government is sticking by its decision not to deter computer users from using Microsoft’s Internet Explorer, despite both the German and French governments issuing warnings over the security of the web browser. During a scheduled discussion in the House of Lords about the public sector’s use of IE6, Lord West of Spithead explained that “Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them.”

lordwest.jpg

“We take Internet security very seriously and we have worked with Microsoft and other suppliers over many years to understand the security of the products used by HMG, including Internet Explorer,” West added. “There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats.”