Internet Explorer security threat 'overblown'

Computer security officials believe France and Germany are jumping the gun in advising citizens to ditch Microsoft's Internet Explorer.

The advisories, from Germany's Federal Office for Information Security and France's Government-owned Certa cyber threat agency, said all versions of IE were vulnerable to attack and people should switch to Firefox or Google's Chrome.

They came after it was revealed that recent sophisticated cyber attacks on Google and 20 other businesses exploited a previously unknown flaw in Microsoft's web browser.

The code needed to exploit the hole was published online over the weekend, leading to fears that regular consumers could be at risk of having their computers infected with nasty viruses. Microsoft has yet to issue a patch.

But Australia's computer emergency response team, AusCERT, which compiles the cyber threat alerts for the Government's Stay Smart Online website, says the threat has been overblown.

Although Microsoft has yet to issue a patch to fix the issue, AusCERT has published instructions allowing people to greatly reduce their risk of being attacked by changing settings and installing a temporary fix .

"It doesn't remove the problem. It just stops the exploit from working properly," AusCERT senior information security analyst Zane Jarvis said.

"IE 6, 7 and 8 are all vulnerable to the exploit but those customers running IE8 have built-in protections, which is called data execution prevention, and it's also on by default in Vista Service Pack 1 and later."

On the Australian government's Stay Smart Online website, AusCERT says those who do not wish to install the "temporary fixes" should "consider using an alternate web browser until an update becomes available".

Paul Ducklin, head of technology at computer security firm Sophos, said abandoning IE might give people some security, but "it would be security through obscurity".

"Your chosen replacement browser might itself turn out to contain a vulnerability. Then what? Are you going to switch again?" he said.

The attack on Google targeted the Gmail accounts of human rights activists. It led Google to announce that it might withdraw from China, from which it said the attacks originated.

Google is now investigating whether one or more employees might have helped facilitate the attack, Reuters reported.

Jarvis said that, in order to be affected by the security flaw, users would need to visit a compromised website. This was echoed in a report released by McAfee this week.

"What would happen is you'd visit a website, some malware would be installed on your computer using the exploit and run silently," Jarvis said.

"And then that would start stealing your login details to your banking websites and your email account, which is likely what happened with the Google Gmail issue."

Microsoft has recommended that people switch to Internet Explorer 8 or, if using Internet Explorer 6, adjust security settings to "high".

However, Jarvis said the IE6 "fix" was not good enough as setting security to high disables Javascript, which most websites now depend on.

- © Fairfax NZ News