French, German governments warn against IE
The German and French governments have advised citizens to avoid using Internet Explorer until Microsoft patches a zero-day flaw that was used by hackers to access Google systems.
Microsoft confirmed last week that the IE flaw was used in cyberattacks on Google's infrastructure — which included an attempt to access the Gmail accounts of Chinese human-rights activists — and on a number of other US companies.
Attack code exploiting the invalid pointer reference flaw has been published on mailing lists and on at least one website, security company McAfee said in a blog post on Friday.
The German Federal Office for Information Security (BSI) said on Friday that users should switch to another browser until Microsoft addresses the problem, which is rated 'critical'. It also advised people not to rely on workarounds suggested by Microsoft.
"Running Internet Explorer in protected mode and disabling Active Scripting will make computers more difficult to compromise, but cannot completely prevent an attack," the cybersecurity agency said in a press statement. "Therefore, the BSI recommends switching to an alternative browser until Microsoft issues a patch."
The BSI said people should drop their use of versions 6, 7 and 8 of IE on computers running XP, Vista or Windows 7.
French government body Certa also warned people on Friday not to use Internet Explorer until Microsoft issues a security fix.
"Pending a patch from the publisher, Certa recommends using an alternative browser," said Certa, part of the French cybersecurity agency Anssi, in an advisory.
Certa strongly advised people to surf using a browser with limited rights, and with JavaScript and ActiveX disabled.
Microsoft acknowledged on Sunday that exploit code had been seen in the wild. Noting that the code targeted IE6, the company issued a supplementary advisory urging people to use IE8, which has higher protections.
"Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8," Microsoft said in a statement. "To help protect our customers, we recommend that all customers immediately upgrade to Internet Explorer 8."