wraggster
January 18th, 2010, 21:06
France has echoed calls by the German government for web users to find an alternative to Microsoft's Internet Explorer (IE) to protect security.
Certa, a government agency that oversees cyber threats, warned against using all versions of the web browser.
Germany warned users on Friday after malicious code - implicated in attacks on Google - was published online.
But Microsoft told BBC News that IE8 was the "most secure browser on the market" and people should upgrade.
Cliff Evans, head of security and privacy, said that so far the firm had only seen malicious code that targeted the older version of its browser, IE6.
"The risk is minimal," he said.
For a web user to be affected, he said, they would have to be using IE6 and visit a compromised website.
"There are very few of them out there," he told BBC News.
However, if this did occur, a PC could become infected with a "trojan horse", allowing a hacker to take control of the computer and potentially steal sensitive information.
'Sophisticated attack'
Although the vulnerability has so far been exploited only in IE6, security researchers warned that could soon change.
"Microsoft themselves admit there is a vulnerability, even in IE8," said Graham Cluley of security firm Sophos.
"This terrible piece of PR for Microsoft comes just as the IE browser which had almost total control of the market starts to come under pressure..." - Rory Cellan-Jones, BBC technology correspondent, "Has China helped Google in the browser wars?"
Mr Cluley said that because details of the exploit were now available online, hackers could soon change the code to target other versions of the browser.
He warned web users to be careful about clicking on links in unsolicited e-mails and advised all web users to upgrade their browser to the latest version, no matter which software they used.
The advice follows revelations that a "targeted and sophisticated" attack on Google exploited the vulnerability.
Google said last week that an attack on its corporate network had targeted the e-mail accounts of human rights activists.
The attack led Google to announce that it might withdraw from China, after it revealed that the attacks had probably originated in the country.
Following the news, Germany's Federal Office for Information Security issued a warning against all versions of Internet Explorer and recommended that users switch to an alternative such as Firefox or Google's Chrome.
The French agency Certa issued a similar warning.
"Pending a patch from the publisher, Certa recommends using an alternative browser," it said.
The UK government had said that it would not issue a similar warning. However, it said the Centre for the Protection of National Infrastructure (CPNI) was "monitoring the situation" and would "publish further advice if the risks change".
Patch path
But Mr Evans said that calls to change browsers were "not very helpful".
"If you look at other browsers, it's likely they will have other vulnerabilities," he said.
[Image caption: The vulnerability was found to be used in an attack on Google]
He pointed to a report by security firm NSS Labs reportedly showing that IE8 provided better security against phishing and malware than other browsers.
"We feel strongly that IE8 is most secure browser on the market," Mr Evans said.
His advice was echoed by Mr Cluley.
"Switching away will get away from this particular problem," he told BBC News. "But all browsers have security flaws."
Mr Cluley said that switching away from IE could create other problems, particularly for companies.
"Some web-based applications may not work at all if you're not using Internet Explorer."
Microsoft is currently working on a patch for the problem, but a spokesperson said it could not commit to a timeframe.
The firm traditionally releases a security update once a month - the next scheduled patch will be ready on 9 February.
http://news.bbc.co.uk/1/hi/technology/8465038.stm