The German government is clearly taking the latest critical security problem in Internet Explorer seriously, publicly urging all users to stop browsing the web with the Microsoft product until a patch is available.
The German government’s Federal Office for Information Security (BSI) has published an advisory, telling Internet Explorer users to switch to alternative browsers until a patch is released for a zero day vulnerability that emerged over the weekend.
Here’s a translation of the German advisory, courtesy of Google Translate:
The Federal Office for Information Security (BSI) has Internet users indicate a previously unrecognized, critical vulnerability in Microsoft Internet Explorer browser. Affected IT systems, the Internet Explorer in versions 7 or 8 under the operating system Microsoft Windows XP, as well as in versions 8 and 9 use on Microsoft Windows 7. The vulnerability is being exploited in targeted attacks. Moreover, the attack code is also freely available on the Internet, and therefore have a fast wide-area utilization. To exploit the vulnerability, it is sufficient to attract Internet users to a malicious web site. When viewing this website can then be executed with the privileges of the user by exploiting the weakness of arbitrary code on the affected system.
A security update of the manufacturer is currently unavailable. Therefore, the BSI recommends all users of Internet Explorer to use as long as an alternative browser for Internet use, until the manufacturer has released a security update is available. The BSI is a solution with regard to the closure of the vulnerability in conjunction with Microsoft. Once the vulnerability has been closed, the BSI will inform you.
So far, Microsoft has only been able to offer a temporary workaround for the problem – which is unlikely to prove popular with most internet users.
Of course, what’s bad news for Microsoft Internet Explorer is good news for competitors such as Google Chrome, Mozilla Firefox and Safari. But users would be wise not to fall into the mistake of thinking that any web browser is bug-free. You could be jumping from one buggy browser to another product which suffers from other security problems.
As concern continues to mount about the unpatched security problem, which could result in innocent users’ Windows computers becoming silently infected by malware just by visiting a hacked or boobytrapped website, there will be much pressure for Microsoft to release an out-of-cycle patch.
Sure enough, Microsoft’s security team has just announced that it hopes to have a fix available in the next few days:
However, once again it’s Internet Explorer that is making the security headlines for the wrong reasons. The product has seen its market share diminish in the last couple of years as Chrome, in particular, has risen in popularity.
There’s always the risk that some of the users who follow the German government’s advice and switch browsers may not return when a patch is finally provided.
(Customers should note that Sophos products protect against the vulnerability, detecting attempts to exploit it as Exp/20124969-A – however, we would still recommend that IE users apply the security patch as soon as it is released by Microsoft.)
More details about the vulnerability, and workarounds, can be found on Microsoft’s website.
Overreaction much? I'm sure if Chrome has a major vulnerability they will say stop using Chrome?
My bank, Westpac, the third biggest in this country has an extended set of internet features including linking to other banks' accounts. But you have to use IE to access these features. Any version from version 6 up.
Change your bank.
Any bank that tells you to use IE is not taking its online security seriously, given its appalling track record.
Good job on the German government.
Hey, this isn't a good job, they only fear that the attack code crashes their Bundestrojaner.
Wouldn’t disabling Flash also stop the download? While it’s an IE bug, it needs Flash to launch it, does it not?
Should it be a source of concern that a company like Sophos has to rely on Google Translate? I would have hoped that a few German speakers would be within the skill set of a major computer security company. Ditto Russian, Chinese, etc. Who says all threats will be in American?
Of course Sophos has German speakers, and – in fact – a significant workforce in Germany.
But I’m based in the UK, and wrote the article at 10:57 pm local time. Hope you understand if I wasn’t able/willing to go the extra mile at that time of night.
(And anyway, the Google translation is pretty good)
For the record, I get by in English English, can speak a smattering of French and Spanish, and am fully fluent in Dolphin.
Many moms use IE, so all you have to do is set up Sandboxie and replace any shortcut with an Internet Explorer Sandboxed link and they won't even realize they are safe from exploits until they close the browser and their cookies all get erased. I have done this for my mom, because disabling scripting just pissed her off.
If our Local Government were told not to use IE then effectively the whole business function would come to a standstill. Vulnerable children wouldn't be looked accounted for, old people wouldn't get their much needed support and meals, libraries wouldn't be able to provide most of their services…. the list goes on. The majority of business critical web apps used only support IE. And yes, they have been tested with other browsers but to no avail. Whilst IE is seen as the black sheep of the browser family, it is extremely important for a lot of businesses.
Is this not why Defence in Depth is so important? If one layer fails then other layers protect.
At 22.57 you should have been in bed Graham.
We all would have believed you if you had put the essence into a TweetLine.
Great job being done by all, carry on men, and don’t mention the …. .
Who gave him the award? Himself?