IE zero day: Money v tubes? Choose one

Summary: In light of the unpatched IE zero day, AusCERT has cautiously advised organisations to "consider" using an alternative browser; or even kill browsing altogether. For organisations with locked down computers, is it time to support two browsers?

I had a funny discussion yesterday with AusCERT's general manager Graham Ingram.

He was being coy about the advice they'd given — "consider using another browser until a patch has been issued" — which, from a home user's perspective, seemed pretty sensible but for a major corporation might be impractical or simply impossible.

Every version of IE is exposed, and as Stephan Chenette, manager of Websense's US research division, told ZDNet.com.au last week when it thought only IE7 was affected, this flaw is "critical" because it can be exploited with virtually no user interaction — the victim need only navigate to a website that has been armed with the exploit code.

Highlighting just how critical this flaw is, Microsoft last night announced it would issue an "out of band" patch tomorrow — a rare event which, according to AusCERT's Ingram, would have been a "Herculean" feat even for Microsoft.

As I was editing this blog one last time before pushing it live, Microsoft Australia sent an email to ZDNet.com.au advising that the patch will be ready by 5am tomorrow, 18 December. In fact, it's so spooked by this it's hosting a special webcast tomorrow at 8am for Australian eastern states.

Although zero days like this don't happen every day, we can be fairly sure it is only a matter of when, not if, there will be another. So a quick fix would be to immediately switch to an alternative browser such as Firefox, Opera, Chrome or Safari. If you like IE, come back to it when Microsoft has released a patch.

But it's a different game for high-security organisations like government agencies, banks etc., which in many cases "lock down" computers, usually with some cocktail of Microsoft software and inevitably IE in the mix.

So I was thinking then, why not, for the locked down environment, support two browsers? Stupid idea? Maybe.

IBRS security analyst James Turner thought supporting two browsers was silly and costly. He suggested "organisations question whether everyone actually needs web access".

AusCERT's Ingram agreed that if concern over this flaw was great enough, organisations should simply kill browsing altogether. But can you imagine seven whole tubeless days?

So how important is the web for business? I would say it's pretty darn vital as the majority of workers legitimately access the web to help them do their jobs. Even classically non-work services like YouTube or Twitter have become useful tools in some industries.

So how are you dealing with this issue? Do you support more than one browser? Does everyone in your organisation need internet access? Will you be patching tomorrow?


About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
