IE too vulnerable to be used?
In the last couple of days, both German and French bodies have recommended against the use of Microsoft’s Internet Explorer, at least temporarily, until a patch is available to fix one of its current vulnerabilities. The vulnerability in question has been used in recent days to attack companies including Google.
The following are the specific comments made by these institutions:
The following was a notice given by the German Federal Office for Information Security (https://www.bsi.bund.de/cln_183/ContentBSI/presse/Pressemitteilungen/Sicherheitsluecke_IE_150110.html):
“Im Internet Explorer existiert eine bisher unbekannte kritische Sicherheitslücke. Die Schwachstelle ermöglicht Angreifern, über eine manipulierte Webseite Schadcode in einen Windows-Rechner zu schleusen und zu starten. Der in der vergangenen Woche bekannt gewordene Hacker-Angriff auf Google und weitere US-Unternehmen hat vermutlich diese Sicherheitslücke ausgenutzt.
Betroffen sind die Versionen 6, 7 und 8 des Internet Explorer auf den Windows-Systemen XP, Vista und Windows 7. Microsoft hat ein Security Advisory herausgegeben, in dem es Möglichkeiten der Risikominimierung beschreibt und arbeitet bereits an einem Patch, um die Sicherheitslücke zu schließen. Das BSI erwartet, dass diese Schwachstelle in kurzer Zeit für Angriffe im Internet eingesetzt wird.
Das Ausführen des Internet Explorer im „geschützten Modus“ sowie das Abschalten von Active Scripting erschwert zwar die Angriffe, kann sie jedoch nicht vollständig verhindern. Deshalb empfiehlt das BSI, bis zum Vorliegen eines Patches von Microsoft auf einen alternativen Browser umzusteigen.
Sobald die Sicherheitslücke geschlossen ist, wird das BSI über seinen Warn- und Informationsdienst Bürger-CERT darüber informieren. Über das Bürger-CERT informiert und warnt das BSI Bürger sowie kleine und mittelständische Unternehmen vor Viren, Würmern und Sicherheitslücken in Computeranwendungen. Die Experten des BSI analysieren rund um die Uhr die Sicherheitslage im Internet und verschicken bei Handlungsbedarf Warnmeldungen und Sicherheitshinweise per E-Mail.”
And for those who don’t speak German, a best-effort translation:
“Internet Explorer contains a previously unknown critical vulnerability. The flaw allows attackers to smuggle malicious code onto a Windows computer via a manipulated web page and run it. The hacker attack on Google and other U.S. companies that became known last week presumably exploited this vulnerability.
Versions 6, 7 and 8 of Internet Explorer on the Windows systems XP, Vista and Windows 7 are affected. Microsoft has released a security advisory describing ways of minimizing the risk and is already working on a patch to close the vulnerability. The BSI expects that this vulnerability will be used for attacks on the Internet within a short time.
Running Internet Explorer in "protected mode" and disabling Active Scripting make attacks more difficult, but cannot prevent them completely. The BSI therefore recommends switching to an alternative browser until a patch from Microsoft is available.
As soon as the vulnerability has been closed, the BSI will announce it through its warning and information service Bürger-CERT. Through Bürger-CERT, the BSI informs and warns citizens and small and medium-sized enterprises about viruses, worms and vulnerabilities in computer applications. The BSI's experts analyze the security situation on the Internet around the clock and send out warnings and security notices by e-mail when action is needed.”
And from the French Center of Expertise Government Response and Treatment of computer attacks (CERTA, http://www.certa.ssi.gouv.fr/site/CERTA-2010-ALE-001/index.html):
“Dans l'attente d'un correctif de l'éditeur, Le CERTA recommande l'utilisation d'un navigateur alternatif. Le CERTA rappelle également qu'il est fortement conseillé de naviguer sur l'Internet avec un compte utilisateur aux droits limités et la désactivation de l'interprétation de code dynamique (JavaScript, ActiveX, ...). De plus, l'activation du DEP (Data Execution Prevention) peut limiter l'impact de cette vulnérabilité.”
And in English:
“Pending a patch from the vendor, CERTA recommends using an alternative browser. CERTA also reminds readers that it is strongly advised to browse the Internet with a limited-rights user account and with the interpretation of dynamic code (JavaScript, ActiveX, ...) disabled. In addition, enabling DEP (Data Execution Prevention) can limit the impact of this vulnerability.”
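To check a workstation against the mitigations the two notices list (limited-rights account, Active Scripting disabled, Protected Mode, DEP), the following PowerShell audit can be run on the host; it is an added example, not part of the original post or of either advisory. The registry paths, the URL-action numbers 1400 and 2500, the simplified lookup order and the requirement for PowerShell 3.0 or later are assumptions that do not appear on the page.

```powershell
# Added example: read-only audit of the mitigations named in the BSI and CERTA notices.
# Assumes PowerShell 3.0+ (Get-CimInstance, [pscustomobject]); changes nothing on the host.

# Internet zone (zone 3) settings. Policy keys are checked before preference keys;
# this order is a simplification of how IE resolves the effective value.
$zoneSubKey = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$sources = @(
    "HKLM:\Software\Policies\$zoneSubKey",
    "HKCU:\Software\Policies\$zoneSubKey",
    "HKCU:\Software\$zoneSubKey",
    "HKLM:\Software\$zoneSubKey"
)

function Get-ZoneAction([string]$Action) {
    # Return the first configured value for a URL action, or $null if it is unset everywhere.
    foreach ($path in $sources) {
        $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Action }
    }
    return $null
}

function ConvertTo-ActionText($Value) {
    # URL-action values: 0 = enabled, 1 = prompt, 3 = disabled.
    $names = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    if ($null -eq $Value) { return 'not set (zone default applies)' }
    if ($names.ContainsKey($Value)) { return $names[$Value] }
    return "unrecognized value $Value"
}

# Limited-rights account: is this session running with administrator rights?
# A non-elevated session of an administrator under UAC reports False here.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# System-wide DEP policy. OptIn covers only system binaries and programs that opt in.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

[pscustomobject]@{
    RunningElevatedAsAdmin = $isAdmin
    ActiveScripting        = ConvertTo-ActionText (Get-ZoneAction '1400')  # 1400 = Active scripting
    ProtectedMode          = ConvertTo-ActionText (Get-ZoneAction '2500')  # 2500 = Protected Mode
    DepSystemPolicy        = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]
} | Format-List
```

On a machine configured along the lines of the two notices, the output shows RunningElevatedAsAdmin False, ActiveScripting Disabled, ProtectedMode Enabled and a DepSystemPolicy other than AlwaysOff.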
My question out of this is: what makes this vulnerability any more special than any other one? Is this one somehow different from the vulnerabilities found in other Internet-based applications? Or is this something of a jab back at Microsoft for the numerous headaches they have given these organizations? I am not saying that I am a great IE lover, or frankly that I use it at all most of the time, but the recommendation of simply not using the browser seems like a bit of a jab considering these types of attacks happen to other browsers as well.
The other problem with this, of course, is the application of the warning. For an organization to simply tell everyone to stop using IE, when it has been used for everything up to a certain point, is quite absurd. It would be better for these companies to invest in an infrastructure that allows them to block this type of attack by watching for its characteristics, as many services provide.
-sean