In a statement issued last 4 days (January 16, 2010), the German Federal Office for Security in Information Technology (known as BSI) recommends that all Internet Explorer users switch to an alternative browser. They may resume using Explorer after a fix is issued by Microsoft for a critical vulnerability that has been implicated in the Chinese cyberattack against Google.
If you missed it, McAffee released on January 15, 2010: a report outlining details of the cyber assault on Google and around 20 other major technology companies. It specifically implicates a critical flaw in all versions of IE that allows hackers to “perform reconnaissance and gain complete control over the compromised system.” Microsoft has responded that it is developing an update to the vulnerability.
According to the statement from BSI, even running Internet Explorer in “protected” mode is not enough to prevent a hacker from exploiting this security flaw.
IE, while the world’s most popular browser, has been steadily losing marketshare over perceptions that it is slower and less secure than rival browsers, especially Firefox. This incident won’t help.
The full statement, translated via Google, is below:
Translated Statement from Germany
“In Internet Explorer, there is a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted Web page into a Windows computer to infiltrate and set up. The last week became known hacker attack on Google and other U.S. companies has probably exploited the vulnerability.Affected are the versions 6, 7 to 8 Internet Explorer on Windows systems XP, Vista and Windows 7 Microsoft has released a security advisory in which it discusses ways of minimizing risk and is already working on a patch to close the security gap. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.Running the Internet Explorer in ‘protected mode’ as well as disabling scripting Acitve Although more difficult to attack, but it can not completely prevented. Therefore, the BSI recommends to switch to the existence of a patch from Microsoft to an alternative browser.Once the vulnerability has been closed, the BSI will provide information on its warning and information about public-CERT. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via e-mail.”
Source : ERM Blog