French Government advises people to stop using IE

Following in the footsteps of Germany last week, France is now advising its population to use an alternative browser pending a patch for an Internet Explorer vulnerability.

The French Computer Emergency Response Team (CERT) published an advisory on Friday January 15 stating "pending a patch from the publisher, CERT recommends using an alternative browser." In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only being exploited on Internet Explorer 6 currently. The flaw exists in IE 7 and 8 but at the moment there is only exploit code available for IE 6.

Last week the German Federal Office for Security in Information Technology (BSI) issued a similar advisory urging its population to stop using IE. According to the BSI the flaw will, put simply, "perform reconnaissance and gain complete control over the compromised system." The BSI noted that even running Internet Explorer in Protected Mode isn't enough to stop the flaw. Microsoft issued further insight into the vulnerability this morning in a company blog posting. The software giant confirmed the exploit is only effective against Internet Explorer 6.

Google said, in a blog posting on January 12, that in mid-December, they, along with a number of other large companies in the Internet, finance, technology, media and chemical sectors, were targeted in a sophisticated cyber-attack. This attack on their infrastructure originated in China, using Internet Explorer 6, and resulted in the theft of intellectual property. Due to this attack, and the background behind it, Google is now taking a second look at their operations in China, particularly Google.cn, where they currently offer censored search results as part of an agreement with China's government. Microsoft admitted last week that Internet Explorer 6 was one of the vectors used in the targeted and sophisticated attacks.

Poll

Will you stop using IE?

49 Comments


Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far. I expected better from CERT.

+1

Edited by DaViD_BRaNDoN, Jan 18 2010, 2:04pm :

Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far.

I expected better from CERT.

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say IE8 supports some kind of ActiveX protection and "ask before install", but most users are dumb and answer "yes" to almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

Edited by Brony, Jan 18 2010, 3:02pm :

Magallanes said,
Let's say IE8 supports some kind of ActiveX protection and "ask before install", but most users are dumb and answer "yes" to almost every single confirmation message.

Wouldn't that reasoning make every browser "insecure", if the user clicks through every message?

Magallanes said,

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say IE8 supports some kind of ActiveX protection and "ask before install", but most users are dumb and answer "yes" to almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

How does that make ActiveX a security risk? ActiveX is very much needed in corporate environments; your security risk can simply be called dumb people.

Magallanes said,

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say IE8 supports some kind of ActiveX protection and "ask before install", but most users are dumb and answer "yes" to almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

Despite what you may have heard back in 1990-something, ActiveX is not by default a security hole.

In fact, by your logic Firefox is a bigger security risk since IE runs in protected mode by default. Any Firefox install could have a much worse "gentleman virus" installed through an XPI file offered from a website than a default IE with ActiveX.

Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far.

I expected better from CERT.


Huh?! IE 6 + 7 + 8 are all vulnerable to this attack, except if run with DEP protection as in the Windows 7 default configuration. What mistake do you think DEP has made? Suggesting that people switch to browsers without an open security hole is bad advice to you?

It doesn't matter if IE 8 is the most secure version of IE for Windows, it should be, everyone expects it to be, anything else would be craziness, but this doesn't matter if it's also a majority browser with open, and now also well-known, security holes. You can't honestly think CERT should have suggested people to stay on a vulnerable IE version?! They're a security agency ffs.

Edited by Northgrove, Jan 18 2010, 4:09pm :

Beastage said,

How does that make ActiveX a security risk? ActiveX is very much needed in corporate environments; your security risk can simply be called dumb people.


Dumb people assisted by binary plugins. :p

Beastage said,

How does that make ActiveX a security risk? ActiveX is very much needed in corporate environments; your security risk can simply be called dumb people.

ActiveX is the biggest hole in the world and CERT advised ages ago, and still advises, to stay as far away as possible from using ActiveX.

Jugalator said,

You can't honestly think CERT should have suggested people to stay on a vulnerable IE version?! They're a security agency ffs.

You're right, an overreaction is apparently what's needed. When you get through one layer of security and are stopped dead by the second, then your security is broken, right?

It's called layers of protection, it works really well. If you break IE, then you have to break DEP, then you have to break protected mode, then you have to elevate to administrator.

I maintain what I originally said.

Frank Fontaine said,
Voted no. As an Opera user, I already know the very limited range of sites I actually need to visit in IE8 are safe, besides I feel pretty well protected by ASLR and DEP

Both ASLR and DEP have holes the size of Canada.

"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

C_Guy said,
"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

You are wrong. PR said it affects only IE6. Microsoft admitted it affects all versions of IE in the second post regarding this zero-day hole.

C_Guy said,
"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

The Article read,
The flaw exists in IE 7 and 8 but at the moment there is only exploit code available for IE 6
So Microsoft are being overly specific when they applied the word only in "only exploitable", as that is only referring to presently known ways to exploit the vulnerability, which is also in IE 7 and 8.

Edited by shhac, Jan 18 2010, 6:29pm : Can't bold?

Retarded advisory. The rules for safe browsing haven't changed in more than five years.

1) Don't click links in email.
2) Don't click "You're infected! Run a scan" pop ups. Ever.

It's amazing how safe browsing becomes when you follow these two simple rules.

_dandy_ said,
So...the French have surrendered to Firefox?

A large number of the French government agencies have ditched Microsoft and moved to Linux & Open Source software and they've not been shy about making this known. It's a shame that they didn't give factual advice to their citizens though.

_dandy_ said,
So...the French have surrendered to Firefox?

Why not? They surrender to everybody else, don't they?? :)

Edited by robertwnielsen, Jan 18 2010, 9:08pm :

ilev said,
It's Microsoft's fault. The company is deformed and so are their products.
Did you see a compatibility mode in Netscape, Firefox, Safari, Chrome? NO.
Did you see a compatibility mode in OSX, Ubuntu...? NO.
To keep these deformations Microsoft needs the compatibility mode.

When you go over the security patches you find holes from 20 years back, like this month's patch that affects from win2000 to win7 (actually it's from win95)

And if Microsoft followed that pattern, it would hemorrhage users even worse than it did with Vista (which got whacked for lack of backward compatibility with XP, especially in terms of drivers and niche plug-ins; even though most standard XP drivers and plug-ins worked fine in transition from XP to Vista, even going from XP32 to Vista x64).

Again, this smacks of blackmail/extortion/appeasement. And what does that usually get you in the end?

So, you would have Microsoft trade away the biggest advantage they have (backward compatibility)? Didn't Vista (and the whacking thereof) teach you anything (even though the issue in Vista's case was largely mythological, rather than real)?
