Avoid using IE if possible: AusCERT

Avoid using IE if possible: AusCERT

Summary: Australia's Computer Emergency Response Team (AusCERT) has recommended organisations "consider using a web browser other than Internet Explorer until a patch becomes available" — an option that many large firms cannot seriously consider.

SHARE:
18

Australia's Computer Emergency Response Team (AusCERT) has recommended organisations "consider using a web browser other than Internet Explorer until a patch becomes available" — an option that many large firms cannot seriously consider.

"We needed a patch yesterday"
Graham Ingram, GM AusCERT
(Credit: AusCERT)

The zero-day flaw first reported last Thursday, which Microsoft later admitted affected all versions of Internet Explorer has prompted AusCERT to advise Australian organisations to "consider" using an alternative browser, which could include Opera, Mozilla Firefox, Google Chrome or Safari.

"What we've said is quite specific in our advisory — we've said that users should consider using an alternative browser — if that is possible," AusCERT's general manager Graham Ingram told ZDNet.com.au today.

AusCERT was cautious in its advice to use an alternative browser because it was aware many large organisations' desktops were "locked down". That is, configured to only allow approved applications to run, which in many cases means Internet Explorer is the only web browser option.

"There are a lot of companies that lock down [their computer] environment," said Ingram.

However, the reason that AusCERT went ahead with the advice was due to the importance of the web browser in modern desktops.

"There are a number of ways to mitigate to this, but the browser is one of the most fundamental pieces of software on the modern workstation," said Ingram.

"Having an unpatched browser is a massive problem. A zero-day unpatched IE is something that is not trivial and we needed a patch yesterday," Ingram stressed.

Other possible strategies included the drastic measure of turning off all web browsing, or creating a whitelist of websites that administrators considered safe from attacks that use specific exploit. Organisations should also update their antivirus, he said.

"But with the rise of legitimate sites being compromised there's no assurance that even safe sites haven't been compromised," he said.

Microsoft admits it has detected several hundred exploits for this vulnerability, however, the sites taking advantage of the flaw appear to be hosted on Chinese domains.

Microsoft yesterday did not know when a patch would be released. The next Patch Tuesday is scheduled for 13 January.

"IE is so widely spread and has so many platforms within it, developing a patch would be a Herculean task," Ingram added.

Topics: Security, Browser, AUSCERT

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments
Log in or register to join the discussion
  • When did this get reported in main news?

    I would like to think this is an important enough story to have interrupted our regular broadcasting on TV since it impacts the WHOLE WORLD security!!!. I do not understand the level of damage to expect thru my home computer. I would like to see this issue on our mainpages like yahoo! With tips to prevent attackers from getting to all of us using windows - should we turn off our automatic updater?
    anonymous
  • IE has never been good anyway

    IE is such a crap ! Ask any web developer around if you know any...It's such a pain. Separate script developer has to design just to cater for IE needs. Other browsers are happy with the common designer lingos.

    For internet user, IE is slow, heavy, ugly, unreliable and now "security issue"
    anonymous
  • Internet Exploder hits again

    Seriously, when will corporations start caring about their security? The firewalls and proxies can not stop everything from coming through. Many organisations are still stuck with Internet Explorer 6 - a browser that has had nothing but security problems, not even to begin on the hassles it caused web developers.

    If organisations would care about their security, they would upgrade users to a decent browser already - whether it be Firefox, Opera, Safari, Chrome, [insert any other non-IE browsers].
    Dymos
  • Don't turn it off

    Don't turn off your Automatic Updates if you insist on using Internet Explorer - once Microsoft rolls out a fix for this exploit, it will be coming through Automatic Updates.

    In the meanwhile, why not try another browser, Firefox, Opera and Safari are excellent products.
    Dymos
  • get a grip

    You bunch of moron's. Read and understand what the exploit is. So my IE browser is vulnerable IF repeat IF, again for those of you a bit slow on the uptake IF you go to a dodgy site and download malicious code. So lets gets everybody to swap browsers this week and next week when the same run of the mill vulnerability that happens every week exploit comes out for firefox of safari lets get everyone to swap back. Yes come on some idiot please reply to this with some claim that other browser do not have vulnerabilities. Then lets just keep doing this. Oh and lets also work on the assumption that it is only vulnerabilities in browsers that expsoe you to droppers, trojans and dowloaders when you go to an infected website.

    Nothing like a good media beat up.
    anonymous
  • timing for reality check

    The following provides insight into 2008 most vulnerable applications
    http://www.bit9.com/news-events/press-release-details.php?id=102
    Guess what fan boys:
    -Firefox #1
    -Safari #5

    Explain why you would want to swap ?
    Maybe this is one of the reasons people use IE because it does not make the list.
    anonymous
  • @ Get a grip!

    Where do you get of calling people morons. Your the moron. If you had to face the destruction of user's HDD & OS installations caused by the use of IE (yes there are thousands still using 98X and IE V5 & 6) you wouldn't make such ignorant remarks.

    For what ever reason, the situation does exist!
    Users just do not have the technical expertise or don't even see the news reports. Not everyone gets ZDNet or sees the CERT reports.

    Any other browser would be better than IE, simply because they are not targeted to the same extent. Users would have a much better experience with any other browser.

    IE is slow, clunky & riddled with security problems. M$ can patch till the cows come home & it wont make one iota of difference.

    Web designers need to stop catering to the M$ monopoly. The IE browser doesn't even conform to the International specs!

    Please take your dodgy advice & shove it Mr Anonymous.
    anonymous
  • timing for reality check - MARKED AS SPAM BY AKISMET

    Do you work for M$? It might explain your inability to read more than a few lines of text at a time.

    The list, only includes apps that (and i quote) -

    • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
    • The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

    The second criteria basically rules out any M$ apps, which CAN be updated, but generally aren't by any large organisations until they've undergone internal testing.

    The exploit is real and in the field, any responsible IT professional needs to deal with it as soon as possible - until M$ release a patch, removing Local Admin access appears to be the only reasonable mitigation plan.
    anonymous
  • validity/incentive of press releases.

    been there before:
    bit9's claim to fame:
    "Now at over 6 billion records, the Bit9 Global Software Registry is growing at a rate of up to 20 million files each day"
    ******************
    Before these rascals surfaced-- Queensland University commenced cyber-crime monitoring,along with Interpol, and the FBI--stated that NONE of these security propositions were technically correct:

    ie you pay for a service that protects you from viruses that have not been EVEN created--is too alice in wonderland.

    What these sods/ organisations/botcoms/banksand certain universities,as well as the system manufacturers failed to notify is that Microsoft products--which bit9 claim is lockdownable--instead--AS A FUNCTION OF OPERATION-- leave a galaxy of LISTENING PORTS.
    This has been FBI alerted since 2001.
    AUtomatic UPDATES--is exactly the same regards procedure and vunerability.

    ANY FORM that employs Javascript--also allows third-party ACCESS.

    The DOTCOM ideal of companies selling fresh air--seems REALLY where we might expect such persons as anonymous to be--rather than the more preferred COURTS OFLAW regards
    social fragrance.
    falk-larsen
  • Internet Exploder hits again

    Seriously do you work in the IT industry. Do you know how much testing is required to put in a new piece of software throughout a large company. EVERY application must be tested against it. Its not just a case of "hmmm here's a new product, lets use it".
    I cant believe how everyone always bags Microsoft about its products. Before bagging them learn how to write code yourself, put an application out there and see how long it takes for someone to find a vulnerability.
    anonymous
  • get a grip

    Here here Get a Grip Author
    And to everyone else Don't Believe the Hype
    anonymous
  • @ Get a grip!

    ummmm not sure about IE not conforming to International standards. A lot of applications would not work initially with IE7 due to Microsoft brining their products into line with 3W specs and of course poor design of the applications in the first place.
    anonymous
  • Get A Grip

    Look in response to the anonymous sender who started GET A GRIP, I agree to a degree. Now I use IE, Mozilla & Sea Monkey. I do have problems with IE Sometimes & most the time there all great but when it comes to malicious spyware and security threats as such, this is where the morons come in saying that IE is crap because if you download any spyware or crap off any Web browser you WILL get affected.
    anonymous
  • Comedy Gold Auscert!

    Subject line says it all. The 90's are now long gone.
    anonymous
  • firefox too have drawbacks!!!

    firefox has also got some serious drawback though not related to security. As a developer of web applications, I find that Firefox has some severe limitations as compared to IE. For example, when we try to navigate to another form from a web form, modify data there and try to come back to the original form with the modified data, firefox loses the instance of the form opened. Thereby we cannot automatically come back to the form with the modified data.
    anonymous
  • So Liam Step up

    So last night i received from stay smart on-line :
    Security update for Mozilla Firefox web browser and SeaMonkey application suite. - SSO-AD2008-026
    This is the services run by AusCERT for DBCDE.
    Hey Mr Ingram where is your advice on swapping from firefox.
    Where is the hype from everyone on lets not use Firefox ???

    Or is this different because it is not Microsoft.

    This is just a media beat all browser have bugs.

    Com on ZDNET run a story on this new exploit
    anonymous
  • Patch availability

    Perhaps the advice on "swapping from firefox" was not there because there was a patch already available.
    anonymous
  • Internet Exploder.

    Some of us out here, already know how to design & build industrial-strength code.

    24x7, for years at a time. Public-access systems. And, with zero known bugs at the end of a 7-year period of operation.

    But OTOH, we didn't build code that was vulnerable left, right & center to buffer overruns. Didn't build toy C++, using the vastly flawed coding techniques, shown by MS in *EVERY SINGLE F*%#'N MSDN EXAMPLE*.

    Now the patch-counts between browsers, are misleading as a basis for comparison. This is because MS perform 'bundling' and conceal a far higher number of vulnerabilities, in every fix they report.

    My professional assessment, last performed 3 or 4 months ago, was that virus attacks are almost irrelevant these days: browser attacks & drive-bys are now the major threat vector.

    Where currently many of these are nuisance-grade or advertising, with perhaps 3% malicious -- I expect an ongoing & rapid rampup, to 70% malicious or so, within 4 years.

    (Keystroke/ password loggers, banking & account attacks, personal data/ corporate secret harvesting, access obtained then passed to humans for further exploitation.)

    My assessment is that IE, is & will continue to be far less secure than available alternative browsers.
    By virtue of both 1) inferior engineering & quality focus and 2) mass-market target.

    IE was engineered to "bring the Web into the desktop". Remember ActiveX, Active Desktop, etc?
    These original design "ideas" represent the exact opposite of security consciousness. Right from the start, they got it wrong.
    anonymous