Earlier this week, authorities across the globe were rushing to advise users to minimise or stop their use of Internet Explorer. Now that the flaw that prompted those warnings has been patched, should they take back their warnings?
"Don't use Internet Explorer, unless it is absolutely, absolutely necessary, and then, still use the Secure Mode," the Netherlands' technology cops advised the country's Twitter users on Wednesday.
The Dutch police's Team High Tech Crime (THTC) probably didn't make friends at Microsoft by trashing its browser on Twitter, especially since the tweet encouraged users to switch to Opera, Firefox, Safari, and Chrome as "safer alternatives".
Critical security flaw
THTC's warning came after security company FireEye uncovered a critical security flaw in the browser last week. The vulnerability could allow remote code execution in the event users inadvertently visited an attack website, and the bug already being exploited, the company said.
"FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks," FireEye wrote in a blogpost. "The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.
"Threat actors are actively using this exploit in an ongoing campaign which we have named 'Operation Clandestine Fox'. We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available."
Microsoft officially confirmed the vulnerability shortly afterwards, but claimed it was being used in "limited, targeted attacks". It issued a fix for the flaw on Thursday, including for XP versions of the browser.
Time to take back the warnings?
Following the disclosure of the vulnerability, various national IT security authorities — including the US, UK and Australian CERTs and their German and Swedish counterparts — issued warnings alerting consumers to the risks of using Internet Explorer, and possible preventive measures that could be taken, such as downloading Microsoft's Enhanced Mitigation Experience Toolkit (EMET), or switching to an alternative browser.
While the Dutch police also chose to advise users to ditch Internet Explorer altogether, such a move may be over the top, according to the Dutch National Cyber Security Centre (NCSC).
Although the NCSC noted that the threat is only to Internet Explorer as this point, the agency said earlier this week it did believe that installing a different browser was the solution.
"Of course it is possible to install alternative browsers, such as Chrome or Firefox, but then you're essentially fighting symptoms. Our advice is to try and avoid visiting websites you don't know and / or trust and to refrain from clicking hyperlinks in emails you receive," it said.
In addition, the NCSC warned that users who still have Windows XP installed should no longer hesitate and migrate to a later version of Windows as soon as possible since "it is only a matter of time before another part of Windows XP will be rendered vulnerable".
Since a patch has been made available for the flaw, the THTC said whether it considers IE safe to use, but did release the following statement on the NCSC's website: "Microsoft has issued an update, fixing a vulnerability in Internet Explorer. The NCSC recommends installing this update as soon as possible, to eliminate any security threats concerning the use of Internet Explorer.
"Even though Microsoft has ended support for Windows XP on April 8th 2014, the company still decided to release an update for this operating system as well, as an exception. However, those who still use Windows XP, run a great risk of facing another vulnerable part of Windows XP in time. Therefore, with regard to Windows XP, the advice of the NCSC remains to switch to another operating system that is still receiving report."
The US and UK CERTs have also given qualified support to the browser following the release of the patch: after previously advising users to consider using alternative browsers, they're now just recommending users apply the fix Microsoft provided.
Echoing their US counterparts, the UK-CERT said: "It is recommended that users and administrators review Microsoft Security Bulletin and apply the necessary updates as soon as possible."