Stay Calm Over Internet Explorer Security

The attacks on Google Mail which led to its threat to pull out of China have turned into one of the most rapidly changing stories I can remember, taking in world politics, government censorship and freedom, while a discussion about the underlying risks has bounced between flaws in Adobe and Microsoft products. But are people over-reacting?

It all started when someone attempted to hack Google Mail accounts, apparently in a bid to expose human rights activists in China. That prompted Google to threaten to pull out of a controversial deal whereby it has provided censored search results to the approval of the Chinese government.

Security vendor McAfee said the hacks had taken place through a previously-unknown zero-day vulnerability in Microsoft Internet Explorer, which allows an attacker to download malware to the victim’s system.

But Google has said the attack probably happened through its Chinese office, where one would not expect IE to be the browser of choice, and Google is apparently investigating whether the whole thing might involve Google insiders.

Microsoft has played down the problem, of course. While such a denial should be received sceptically, as just the kind of thing Microsoft would say, we find ourselves thinking that the reaction against IE has been rather swift.

There have been zero-day vulnerabilities in IE before, and they will come up again. Is this one different simply because a major government has – allegedly – been exploiting it?

Germany has advised users to leave IE, and France followed quickly. The UK has failed to join in the moves to boycott IE

So does the UK have some sort of misplaced loyalty to Microsoft? Certainly the UK government gives the company too easy a ride in public sector procurement and promotion – for instance, last week Microsoft was advertised on a UK Government page promoting a course in online basics course, which really should be vendor neutral.

But in this instance, I think that it would be wrong to give users advice that will make them think online security is ever as simple as switching form one browser to another. Any browser can be a source of insecurity if it is not used carefullly.

It is much more important to have the right security settings than the right Internet browser. Internet Explorer may be subject to more attacks than other browsers,  but version 8 does a better job of helping users use the right levels of security, and has been rated highly in tests.

We applaud the UK government’s decision to avoid the knee-jerk reaction, and hope that the media attention to this issue will encourage all users to behave more securely – whatever browser they use.