The German Government’s Federal Office for Information Security has officially advised (English translation) web users to find an alternative to Microsoft Internet Explorer. The statement comes after it was revealed that IE was one of the primary causes of the recent Chinese attacks on Google GMail and other systems.
Microsoft has released information about the problem which affects IE6, IE7 and IE8 on all versions of Windows (only IE5.01 on Windows 2000 is not affected):
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
Software security firm Sophos has rated the threat level as “high” and warns that ways to exploit IE’s security have been posted on the internet. The flaw allows hackers to install a Trojan, gain control of the infected PC and potentially steal the user’s passwords.
Thomas Baumgaertner, Microsoft’s Germany spokesman, said that while they were aware of the Government’s warning, they did not agree with it:
These were not attacks against general users or consumers. There is no threat to the general user, consequently we do not support this warning.
The company has advised users to install the latest browser and use a high security zone. However, the German statement concludes:
Running the Internet Explorer in protected mode and disabling scripting makes an attack more difficult but it cannot be completely prevented. Therefore, the BSI recommends using an alternative browser until Microsoft release a patch.
Microsoft are working on the flaw and may issue a fix before the next scheduled update on 9 February.
If you’re reading this article on SitePoint, you probably aren’t using IE: more than 75% of our visitors use alternative browsers. Whilst no browser is 100% secure, this has become a high-profile story which could affect IE’s market share. Google’s Chrome browser will certainly benefit … perhaps that’s another reason Google were so eager to publicize the GMail attack?
Are you or your company using IE? Would this flaw persuade you to switch browsers?
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.