German Cybersecurity Agency Encourages Users to Ditch IE

By Gregg Keizer, 21-Sep-2012

'Too early to panic,' says security pro of German suggestion to switch browsers until Microsoft patches IE zero-day.

Germany's cybersecurity agency urged users to drop Internet Explorer (IE) and switch to a rival, like Chrome or Firefox, until Microsoft patches a new critical bug in its browser.

In an alert released Monday, Germany's Federal Office for Information Security, known by its German initials of BSI for "Bundesamt fuer Sicherheit in der Informationstechnik," noted that the unpatched vulnerability is already being exploited by hackers, and that "the attack code is freely available on the Internet."

BSI then advised users to stop running IE for now.

"The BSI recommends all users of Internet Explorer use an alternative browser ... until [Microsoft] has released a security update," the watchdog agency said.

"I think it's a bit too early to panic," said Andrew Storms, director of security operations at nCircle Security, when asked to comment on BSI's advice. "Granted, if the attacks escalate and the patch takes too long [to arrive] for comfort, then making the switch to another browser, at least temporarily, is a simple way to mitigate the threat."

According to Microsoft, IE6, IE7, IE8 and IE9 running on Windows XP, Vista and Windows 7 all contain the remote code execution vulnerability. IE10, the browser bundled with Windows 8, is free of the bug, however.

In a security advisory released late Monday, Microsoft offered customers several temporary workarounds to protect IE against attacks now circulating. One of the workarounds, said Microsoft, is to deploy EMET 3.0 (Exploit Mitigation Experience Toolkit), a utility unsuitable for most consumers.

Microsoft has promised to patch the vulnerability, but has declined to set a timetable. Some security experts believe the company is hustling to craft and test a so-called "out-of-band," or emergency, update that will be delivered before Oct. 9, the next regularly-scheduled Patch Tuesday.

Hackers have been exploiting the bug for an unknown length of time.

Other national computer security agencies, including US-CERT (United States Computer Emergency Readiness Team) and France's CERTA (Centre d'Expertise Gouvernemental de Reponse et de Traitement des Attaques informatiques), did not ape BSI's advice.

Instead, US-CERT and CERTA each recommended that users take Microsoft's advice, and rely on EMET (Exploit Mitigation Experience Toolkit) and various settings changes to protect themselves.

BSI has been quick to pull the trigger on browser-switching advice in the past.

In January 2010, BSI and several other countries' security organizations urged users to dump IE and run a rival while Microsoft worked on a patch.

The underlying IE vulnerability in that incident had been exploited by hackers to break into the corporate network of Google and other major Western companies. Google alleged that the attacks were launched by Chinese attackers.

Some security professionals, however, have suggested the same browser switch that BSI counseled. HD Moore, chief security officer at Rapid7, and the creator of the Metasploit penetration testing toolkit, advocated that strategy on Monday.

Source: Computerworld (US)


  • AMD may Build ExactTrak Data-zapping into its Chips, to Compete with Intel vPro

    AMD said Thursday that it signed a deal with ExactTrak to embed the security company's technology inside its microprocessors. While no new products accompanied the announcement, the deal leaves open the possibility that AMD-based PCs could be remotely zapped--yes, literally--by users or network administrators.

  • Intel to Close $15 bn (about Rs 90,000 crore) Deal to buy Altera

    California based global tech giant, Intel, is set to close a deal to buy fellow chip maker Altera Corp. for about $54 (about Rs 3,480) per share, 15 percent more than Altera’s closing share price on Thursday, $47 (about Rs 2,620).

  • Server Sales Bolstered by Cloud Expansions

    Server vendors recorded the strongest shipment growth in over four years for the first quarter, mainly driven by continued investments in the hyperscale server infrastructures that power public and private clouds.

  • Salesforce Doubles Down on Big Data with New Analytics Tool

    All the data "lakes" in the world won't amount to much if you can't figure out what they mean for your business. With that in mind, Salesforce on Thursday unveiled Salesforce Wave for Big Data, a new tool designed to help business users make sense of their information stores using the Salesforce Analytics Cloud.

More news »