UK Government Rejects IE Boycott

The British government has decided not to deter computer users from using Microsoft’s Internet Explorer, despite both the German and French governments issuing warnings over the security of the web browser.

Last week Microsoft admitted that a flaw in Internet Explorer had enabled hackers to break into the Gmail accounts of human rights activists in China. The attack resulted in Google reconsidering its policy of co-operating with the Chinese government, and threatening to pull out of the country all together.

Security specialist McAfee found that one of the malware samples involved in the attack exploited a zero-day vulnerability, making the browser vulnerable on all of Microsoft’s operating systems, including Windows 7. “Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system,” said McAfee CTO George Kurtz in a blog post. “The attacker can now identify high-value targets and start to siphon off valuable data from the company.”

Last week the German Federal Office for Security in Information Technology (BSI) advised its citizens to avoid Inernet Explorer, and France yesterday issued an advisory to computer users, recommending that they switch to a different web browser such as Firefox or Chrome.

However, Microsoft CEO Steve Ballmer has played down the problem, suggesting that such cyber-attacks are a matter of course on the modern web. “Every large institution is being hacked,” Ballmer told the Financial Times. “I don’t think it’s a fundamental change in the security environment on the Internet.”

Microsoft has advised people who were still using Internet Explorer version 6 to upgrade to version 8, and has issued its own security advisory. However Cliff Evans, head of Security and Privacy at Microsoft UK, told the Telegraph that there was no cause for panic. “The quantity of exploits which have occurred been minimal and very targeted,” he said. “The general public do not need to worry and we have not yet had a case in the UK.”

Some commentators are even starting to question whether the hack was down to an IE vulnerability at all. “To execute an attack this sophisticated, it likely occurred as a result of spear phishing Google employees to gain access to Google users’ credentials,” commented Amichai Shulman, CTO of security firm Imperva. “A hacker would have to jump through many hoops inside an internal network. This requires network – not browser – vulnerabilities so that the attacker can communicate with malware inside Google’s internal network.”

Yesterday it was even reported that Google is investigating whether some of its own staff are behind the security breach that prompted its confrontation with the Chinese Government. Sources who are familiar with the situation, told Reuters that the attack, which targeted people who have access to specific parts of Google networks, may have been facilitated by people working in Google China’s office. Google has not commented on the rumour.

The UK government is directing concerned IE users to getsafeonline.org, which now contains a advisory for the IE vulnerability. However, the advisory only notes the vulnerability and has no advice on how to fix the issue, or any suggestion of working around the problem by installing an alternative browser.

Earlier this month it was reported that government was promoting Microsoft’s proprietary software on its Online Basics website – an independent education project designed to enable more UK adults to get online – despite arguing for greater adoption of open source in the past.

Microsoft’s IE browser has a checkered history with European authorities – the company has only just settled a dispute with the European Commission over the bundling of the browser with the Windows operating system.

Overall, Internet Explorer has been steadily losing market share, particularly against the Firefox browser, partly because of the perception that IE is more prone to security lapses. However, in August 2009, a security test by NSS labs actually rated IE as the most secure browser.