France has joined Germany in warning its citizens against using Internet Explorer after the discovery of a security flaw in the browser that enabled the malicious attack against Google.
CERTA, the government agency for cybersecurity in France, issued a warning saying: “Pending a patch from the publisher, CERTA recommends using an alternative browser,” such as Firefox or Google’s Chrome.
While Microsoft stated in a security advisory issued 14 January that the only Internet Explorer software not affected by the Zero-Day exploit was IE 5.0 Service Pack 4 for Windows 2000, the company has now told BBC News that IE8 is the “most secure browser on the market” and people should upgrade.
The company is downplaying the effect on users. “Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time,” said director of Microsoft Security Response Center Mike Reavey in a post on the group’s blog.
In a follow-up post, General Manager, Trustworthy Computing Security, George Stathakopoulos affirmed this message. “In terms of the threat landscape, we are only seeing very limited number of targeted attacks against a small subset of corporations. The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6,” he said.
He continued, “We remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7, upgrade to IE8 as soon as possible to benefit from the improved security protections it offers.”
However, Graham Cluley of security firm Sophos told BBC News that although currently the only affected version was IE6, this could change, since details of the exploit are now available online, making it easier for hackers to alter the code to target the other versions.
“Microsoft themselves admit there is a vulnerability, even in IE8,” Cluley told BBC News. However, he added on his blog, “My advice is to only switch from Internet Explorer if you really know what you are doing with the browser you’re swapping to. Otherwise it might be a case of ‘better the devil you know’. Every browser has its security issues, so switching may remove this current risk but could expose you to another.”
Meanwhile, Microsoft is working on a patch for the problem, with no timeframe for when the patch will be ready. The UK government told BBC News that it will also be issuing a warning against using Internet Explorer.