France Jumps On IE Boycott Bandwagon

The French government has jumped on the Internet Explorer boycott bandwagon and issued an advisory to computer users, recommending that they switch to a different web browser such as Firefox or Chrome. The news follows a similar move by the German government at the end of last week, when a warning was issued by the German Federal Office for Security in Information Technology (BSI) over the security issues surrounding Internet Explorer.

The alert was first raised when security vendor McAfee announced last week that the repeated efforts to access the Gmail accounts of Chinese activists, which prompted Google’s threat to leave China, exploited a zero-day security flaw in Microsoft’s Internet Explorer browser. McAfee revealed little about the flaw, stating only that its investigation showed that IE is vulnerable on all of Microsoft’s operating systems, including Windows 7.

Commenting on the news, Graham Cluley, security expert from anti-virus specialist Sophos explained that the vulnerability in IE allowed for a Trojan Horse attack to be initiated against the user’s PC. “The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse,” he stated on his blog.

The attack code, which targets the Internet Explorer vulnerability, has already appeared on mailing lists and has been published on at least one website. McAfee CTO George Kurtz warned “The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability … This attack is especially deadly on older systems that are running [Windows] XP and Internet Explorer 6.”

However, Microsoft CEO Steve Ballmer has played down the problem, suggesting that such cyber-attacks are a matter of course on the modern web. “Every large institution is being hacked,” Ballmer told the Financial Times. “I don’t think it’s a fundamental change in the security environment on the Internet.”

Sophos’s Cluley also warned that computer users should only use a different web browser if they are confident they know what they’re doing. “My advice is to only switch from Internet Explorer if you really know what you are doing with the browser you’re swapping to,” Cluley told the Telegraph. “Otherwise it might be a case of ‘better the devil you know’. Every browser has its security issues, so switching may remove this current risk but could expose you to another.”

In an official statement, Microsoft said “We recommend that all customers immediately upgrade to Internet Explorer 8. Customers should also consider applying the workarounds and mitigations provided in our Security Advisory such as putting Internet zone security settings to High … We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation.”

Updates to this issue will be provided via the Microsoft Security Response Centre Blog at http://blogs.technet.com/msrc/