German cybersecurity agency prods users to ditch IE
'Too early to panic,' says security pro of German suggestion to switch browsers until Microsoft patches IE zero-day
Computerworld - Germany's cybersecurity agency on Monday urged users to drop Internet Explorer (IE) and switch to a rival, like Chrome or Firefox, until Microsoft patches a new critical bug in its browser.
In an alert released Monday, Germany's Federal Office for Information Security, known by its German initials of BSI for "Bundesamt fuer Sicherheit in der Informationstechnik," noted that the unpatched vulnerability is already being exploited by hackers, and that "the attack code is freely available on the Internet."
BSI then advised users to stop running IE for now.
"The BSI recommends all users of Internet Explorer use an alternative browser ... until [Microsoft] has released a security update," the watchdog agency said.
"I think it's a bit too early to panic," said Andrew Storms, director of security operations at nCircle Security, when asked to comment on BSI's advice. "Granted, if the attacks escalate and the patch takes too long [to arrive] for comfort, then making the switch to another browser, at least temporarily, is a simple way to mitigate the threat."
According to Microsoft, IE6, IE7, IE8 and IE9 running on Windows XP, Vista and Windows 7 all contain the remote code execution vulnerability. IE10, the browser bundled with Windows 8, is free of the bug, however.
In a security advisory released late Monday, Microsoft offered customers several temporary workarounds to protect IE against attacks now circulating. One of the workarounds, said Microsoft, is to deploy EMET 3.0 (Enhanced Mitigation Experience Toolkit), a utility unsuitable for most consumers.
Microsoft has promised to patch the vulnerability, but has declined to set a timetable. Some security experts believe the company is hustling to craft and test a so-called "out-of-band," or emergency, update that will be delivered before Oct. 9, the next regularly-scheduled Patch Tuesday.
Hackers have been exploiting the bug for an unknown length of time.
Other national computer security agencies, including US-CERT (United States Computer Emergency Readiness Team) and France's CERTA (Centre d'Expertise Gouvernemental de Reponse et de Traitement des Attaques informatiques), did not ape BSI's advice.
BSI has been quick to pull the trigger on browser-switching advice in the past.
In January 2010, BSI and several other countries' security organizations urged users to dump IE and run a rival while Microsoft worked on a patch.
The underlying IE vulnerability in that incident had been exploited by hackers to break into the corporate network of Google and other major Western companies. Google alleged that the attacks were launched by Chinese attackers.
Some security professionals, however, have suggested the same browser switch that BSI counseled. HD Moore, chief security officer at Rapid7, and the creator of the Metasploit penetration testing toolkit, advocated that strategy on Monday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts