French Government advises people to stop using IE

Following in the footsteps of Germany last week, France is now advising its population to use an alternative browser pending a patch for an Internet Explorer vulnerability.

The French Computer Emergency Response Team (CERT) published an advisory on Friday, January 15, stating "pending a patch from the publisher, CERT recommends using an alternative browser." In the advisory, Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only being exploited on Internet Explorer 6 currently. The flaw exists in IE 7 and 8, but at the moment there is only exploit code available for IE 6.

Last week the German Federal Office for Security in Information Technology (BSI) issued a similar advisory urging its population to stop using IE. According to the BSI the flaw will, put simply, "perform reconnaissance and gain complete control over the compromised system." The BSI noted that even running Internet Explorer in Protected Mode isn't enough to stop the flaw. Microsoft issued further insight into the vulnerability this morning in a company blog posting. The software giant confirmed the exploit is only effective against Internet Explorer 6.

Google said, in a blog posting on January 12, that in mid-December, they, along with a number of other large companies in the Internet, finance, technology, media and chemical sectors, were targeted in a sophisticated cyber-attack. This attack on their infrastructure originated in China, using Internet Explorer 6, and resulted in the theft of intellectual property. Due to this attack, and the background behind it, Google is now taking a second look at their operations in China, particularly Google.cn, where they currently offer censored search results as part of an agreement with China's government. Microsoft admitted last week that Internet Explorer 6 was one of the vectors used in the targeted and sophisticated attacks.


49 Comments


So, you would have Microsoft trade away the biggest advantage they have (backward compatibility)? Didn't Vista (and the whacking thereof) teach you anything (even though the issue in Vista's case was largely mythological, rather than real)?

_dandy_ said,
So...the French have surrendered to Firefox?

A large number of the French government agencies have ditched Microsoft and moved to Linux & Open Source software and they've not been shy about making this known. It's a shame that they didn't give factual advice to their citizens though.

_dandy_ said,
So...the French have surrendered to Firefox?

Why not? They surrender to everybody else, don't they?? :)

Edited by robertwnielsen, Jan 18 2010, 9:08pm :

Retarded advisory. The rules for safe browsing haven't changed in more than five years.

1) Don't click links in email.
2) Don't click "You're infected! Run a scan" pop ups. Ever.

It's amazing how safe browsing becomes when you follow these two simple rules.

"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

C_Guy said,
"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

You are wrong. PR said it affects only IE6. Microsoft admitted it affects all versions of IE in the second post regarding this zero-day hole.

C_Guy said,
"In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6."

Takes ignorance to a whole new level, doesn't it?

The Article read,
The flaw exists in IE 7 and 8 but at the moment there is only exploit code available for IE 6
So Microsoft are being overly specific when they applied the word only in "only exploitable", as that is only referring to presently known ways to exploit the vulnerability, which is also in IE 7 and 8.

Edited by shhac, Jan 18 2010, 6:29pm : Can't bold?

Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far. I expected better from CERT.

+1

Edited by DaViD_BRaNDoN, Jan 18 2010, 2:04pm :

Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far.

I expected better from CERT.

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say, IE8 supports some kind of ActiveX protection and "ask before install" but most users are dumb and answer "yes" for almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

Edited by Brony, Jan 18 2010, 3:02pm :

Magallanes said,
Let's say, IE8 supports some kind of ActiveX protection and "ask before install" but most users are dumb and answer "yes" for almost every single confirmation message.

Wouldn't that reasoning make every browser "insecure", if the user clicks through every message?

Magallanes said,

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say, IE8 supports some kind of ActiveX protection and "ask before install" but most users are dumb and answer "yes" for almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

How does that make ActiveX a security risk? ActiveX is very needed in corporate environments, your security risk can simply be called dumb people.

Magallanes said,

IE8 supports ActiveX: Yes.
Then it is not more secure.

Let's say, IE8 supports some kind of ActiveX protection and "ask before install" but most users are dumb and answer "yes" for almost every single confirmation message.

Anyways, current browsers are really secure and their vulnerabilities are caused (mostly) by external components (such as ActiveX), let's say Adobe Flash, Adobe Acrobat and Apple Quicktime.

Despite what you may have heard back in 1990 something, ActiveX is not by default a security hole.

In fact by your logic Firefox is a bigger security risk since IE runs in protected mode by default. Any Firefox install could have a much worse "gentleman virus" installed through an XPI file offered from a website than a default IE with ActiveX.

Joe USer said,
Out of the box, IE8 is the most secure browser for Windows, by far.

I expected better from CERT.


Huh?! IE 6 + 7 + 8 are all vulnerable to this attack, except if run with DEP protection as in the Windows 7 default configuration. What mistake do you think DEP has done? Suggesting people to switch to browsers without an open security hole is bad advice to you?

It doesn't matter if IE 8 is the most secure version of IE for Windows, it should be, everyone expects it to be, anything else would be craziness, but this doesn't matter if it's also a majority browser with open, and now also well-known, security holes. You can't honestly think CERT should have suggested people to stay on a vulnerable IE version?! They're a security agency ffs.

Edited by Northgrove, Jan 18 2010, 4:09pm :

Beastage said,

How does that make ActiveX a security risk? ActiveX is very needed in corporate environments, your security risk can simply be called dumb people.


Dumb people assisted by binary plugins. :p

Beastage said,

How does that make ActiveX a security risk? ActiveX is very needed in corporate environments, your security risk can simply be called dumb people.

ActiveX is the biggest hole in the world and CERT advised ages ago, and still advises, to stay away as far as possible from using ActiveX.

Jugalator said,

You can't honestly think CERT should have suggested people to stay on a vulnerable IE version?! They're a security agency ffs.

You're right, an overreaction is apparently what's needed. When you get through one layer of security and are stopped dead by the second, then your security is broken, right?

It's called layers of protection, it works really well. If you break IE, then you have to break DEP, then you have to break protected mode, then you have to elevate to administrator.

I maintain what I originally said.

Wow.. tough break for Microsoft. I can't imagine what type of impact it would have on Microsoft's browser market share if the United States government issued a similar advisory statement.

Majesticmerc said,
What makes them think that other browsers aren't just as vulnerable? Security through obscurity and all that jazz.

I was wondering that also. Must be a government full of Firefox fanboys! The warning is WAY, WAY overstated and the warning is very misleading also.

Pretty stupid of their governments telling people this like they did, when it ONLY affects IE6.

I mean, we ALL know how vulnerable Firefox is and has been to so many exploits also.

Edited by cork1958, Jan 18 2010, 2:56pm :

Majesticmerc said,
What makes them think that other browsers aren't just as vulnerable? Security through obscurity and all that jazz.

Firefox isn't obscure though, it's climbing towards a third of the market in Europe.

Yeah like the people who are still using IE6 will know how to use another browser, I mean they are still living with an outdated one, it's unlikely that they even understand that advice....just try to ask plain normal people (not nerds like us) what kind of OS or browser they are using, so don't kid ourselves that they will know about versions and other options. Just same old governments' cat fights over political and economical matters, and the people believe that they are actually concerned about web safety.

Jugalator said,
Firefox isn't obscure though, it's climbing towards a third of the market in Europe.

True, but to that end, Firefox has been shown to be vulnerable to exploits in the past too (not browser bashing, as a FF user I'd love nothing more than to have everyone using it, but that's beside the point). IMO it seems quite unfair to tar IE8 with the same brush as IE6. I mean IE8 is a vastly different browser to IE6, and it's even been stated that IE8 is immune to this issue (although still affected). From what has been seen of IE8 so far, it's just as secure as the alternatives.

Jugalator said,

Firefox isn't obscure though, it's climbing towards a third of the market in Europe.

It's climbing to a third in the entire world, not just Europe. In some countries in Europe it has over half of the market already. Europeans don't have the strange attachment to Microsoft that Americans do.

Last I checked France was not the whole of Europe.

I'm not sure why they would do that if the report is correct.

It seems just a little over the top to tell a whole nation to stop using IE.

Deacon Brown said,
Last I checked France was not the whole of Europe.

It's already the second country after Germany that got smart enough to recommend its people to scrap IE.
More countries will probably follow this up, and that's a very positive development.

Edited by Lord Ba'al, Jan 18 2010, 10:08pm :

Lord Ba'al said,

It's already the second country after Germany that got smart enough to recommend its people to scrap IE.
More countries will probably follow this up, and that's a very positive development.

The advisory recognizes reality - as long as IE leads in marketshare, it's going to be a target. The problem *I* have with the advisory is that it smacks of appeasement and paying extortion money.

Deacon Brown said,
Oh Dear Oh Dear

That is not good for M$

M$? the 90s called... etc.

Cause businesses will give up IE because the government advises them...