One of the biggest losers of China's alleged cyber assault on Google and other tech companies is Microsoft, a bystander whose Internet Explorer browser was central to the attack. (Catch up on the breach here, here and here.) As a result, Germany and France are urging citizens to switch browsers until Microsoft fixes the vulnerability. To make matters worse, the code is now public and hackers have already begun exploiting it. So why is using Internet Explorer 6 so bad?
The Chinese allegedly homed in on a weakness in the way Microsoft's browser handles Java Script, a ubiquitous Web programming language. Microsoft published a description of the vulnerability last week. After Germany issued its warning against using the browser, a Microsoft spokesman told The London Telegraph "there is no threat to the general user, consequently we do not support this warning." But George Kurtz, Chief Technology Officer at computer security firm McAfee, disagreed in a Friday blog post: "The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems."
- An Overblown Reaction? Not all governments are united against the browser. Australia's computer emergency response team's Web site calls the threat overblown, according to the Sydney Morning Herald, and the British government has said it would not issue a similar warning, although it is keeping an eye on things, the BBC reports. Zane Jarvis, the senior information security analyst for the Australian group, told the newspaper that while all versions of the browser are vulnerable to the exploit, Internet Explorer 8 and updated versions of Windows Vista have built-in protections against letting it run. According to several tracking services, Internet Explorer 6 is used by anywhere from 11 to 14 percent of global surfers. Still, Graham Cluley of security firm Sophos warned the BBC that, with the code now publicly available, hackers could alter it to exploit newer versions of Internet Explorer.
- Conflicted Responses. Microsoft has said it's working on a fix, but has given no timeline on when it can be expected. It could be as late as February 9, the next Microsoft-scheduled monthly patch update. AusCERT -- Australia's government team -- issued a detailed description of how to prevent the exploit and downloads and searches of competing browsers Opera and Firefox spiked last week. But, Cluley told The Wall Street Journal, "chucking out your browser and going to another one, especially if you're a business, isn't an easy option." And, in a statement, Microsoft said "it is important to note that all software has vulnerabilities and switching browsers in an attempt to protect against these highly publicized but currently limited attacks can inadvertently create some false sense of security."