The German government is clearly taking the latest critical security problem in Internet Explorer seriously, publicly urging all users to stop browsing the web with the Microsoft product until a patch is available.
The German government’s Federal Office for Information Security (BSI) has published an advisory, telling Internet Explorer users to switch to alternative browsers until a patch is released for a zero day vulnerability that emerged over the weekend.
Here’s a translation of the German advisory, courtesy of Google Translate:
The Federal Office for Information Security (BSI) has Internet users indicate a previously unrecognized, critical vulnerability in Microsoft Internet Explorer browser. Affected IT systems, the Internet Explorer in versions 7 or 8 under the operating system Microsoft Windows XP, as well as in versions 8 and 9 use on Microsoft Windows 7. The vulnerability is being exploited in targeted attacks. Moreover, the attack code is also freely available on the Internet, and therefore have a fast wide-area utilization. To exploit the vulnerability, it is sufficient to attract Internet users to a malicious web site. When viewing this website can then be executed with the privileges of the user by exploiting the weakness of arbitrary code on the affected system.
A security update of the manufacturer is currently unavailable. Therefore, the BSI recommends all users of Internet Explorer to use as long as an alternative browser for Internet use, until the manufacturer has released a security update is available. The BSI is a solution with regard to the closure of the vulnerability in conjunction with Microsoft. Once the vulnerability has been closed, the BSI will inform you.
So far, Microsoft has only been able to offer a temporary workaround for the problem – which is unlikely to prove popular with most internet users.
Of course, what’s bad news for Microsoft Internet Explorer is good news for competitors such as Google Chrome, Mozilla Firefox and Safari. But users would be wise not to be fall into the mistake of thinking that any web browser is bug-free.. you could be jumping from one buggy browser to another product which suffers from other security problems.
As concern continues to mount about the unpatched security problem, which could result in innocent users’ Windows computers becoming silently infected by malware just by visiting a hacked or boobytrapped website, there will be much pressure for Microsoft to release an out-of-cycle patch.
Sure enough, Microsoft’s security team has just announced that it hopes to have a fix available in the next few days:
However, once again it’s Internet Explorer that is making the security headlines for the wrong reasons. The product has seen its market share diminish in the last couple of years as Chrome, in particular, has risen in popularity.
There’s always the risk that some of the users who follow the German government’s advice and switch browsers, may not return when a patch is finally provided.
(Customers should note that Sophos products protect against the vulnerability detecting attempts to exploit it as Exp/20124969-A – however, we would still recommend that IE users apply the security patch as soon as it is released by Microsoft).
More details about the vulnerability, and workarounds, can be found on Microsoft’s website.