IE zero day: Money v tubes? Choose one

Summary: In light of the unpatched IE zero day, AusCERT has cautiously advised organisations to "consider" using an alternative browser; or even kill browsing altogether. For organisations with locked down computers, is it time to support two browsers?

I had a funny discussion yesterday with AusCERT's general manager Graham Ingram.

He was being coy about the advice they'd given — "consider using another browser until a patch has been issued" — which, from a home user's perspective, seemed pretty sensible, but for a major corporation might be impractical or simply impossible.

Every version of IE is exposed, and as Stephan Chenette, manager of Websense's US research division, told ZDNet.com.au last week when it was thought only IE7 was affected, this flaw is "critical" because it can be exploited with virtually no user interaction — the victim need only navigate to a website that has been armed with the exploit code.

Highlighting just how critical this flaw is, Microsoft last night announced it would issue an "out of band" patch tomorrow — a rare event which, according to AusCERT's Ingram, would have been a "Herculean" feat even for Microsoft.

As I was editing this blog one last time before pushing it live, Microsoft Australia sent an email to ZDNet.com.au advising that the patch will be ready by 5am tomorrow, 18 December. In fact, Microsoft is so spooked by this that it's hosting a special webcast tomorrow at 8am for Australian eastern states.

Although zero days like this don't happen every day, we can be fairly sure it is only a matter of when, not if, there will be another. So a quick fix would be to immediately switch to an alternative browser such as Firefox, Opera, Chrome or Safari. If you like IE, come back to it when Microsoft has released a patch.

But it's a different game for high security organisations like government agencies, banks, etc., which in many cases "lock down" computers, usually with some cocktail of Microsoft software and inevitably IE in the mix.

So I was thinking then, why not, for the locked down environment, support two browsers? Stupid idea? Maybe.

IBRS security analyst James Turner thought supporting two browsers was silly and costly. He suggested "organisations question whether everyone actually needs web access".

AusCERT's Ingram agreed that if concern over this flaw was great enough, organisations should simply kill browsing altogether. But can you imagine seven whole tubeless days?

So how important is the web for business? I would say it's pretty darn vital as the majority of workers legitimately access the web to help them do their jobs. Even classically non-work services like YouTube or Twitter have become useful tools in some industries.

So how are you dealing with this issue? Do you support more than one browser? Does everyone in your organisation need internet access? Will you be patching tomorrow?

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

7 comments
  • Firefox FTW

    Our organisation, although small (8 PCs), relies on IE and is also completely dependent on Microsoft software, of course.

    Personally I'm implementing a change to Firefox on all our systems regardless of the current problems. As it's Microsoft there will be more problems later as well!
    anonymous
  • No Change

    We have IE but, apart from some website formatting issues (works on IE, doesn't work elsewhere), aren't dependent on it functionally. However, we certainly won't be changing, because:

    * Users are familiar with IE
    * IE is easy to deploy (already part of Windows)
    * IE is easy to control (GPO with IE Admin Toolkit)
    * IE is easy to patch (WSUS)
    * IE is easy to upgrade (GPO, WSUS)
    * Patches for IE are available for versions 6, 7 and 8 (so you don't have to upgrade to get patches)
    * Patches are released in a timely manner, and are professionally developed and tested
    * All of the above is via free, existing and flexible tools

    Other browsers don't offer all of the above, and so on balance are more work for us to have on the network.

    Our patch cycle can happen within 1 day (between release and full deployment) if it needs to be, so patching will occur soon enough. Yes, we will be unprotected for a few days, but you can't have everything.

    If a 0 day exploit for Firefox was released, how long before a patch is available? And then how long to get that patch deployed?
    anonymous
  • NSA ? deems IE Risky

    Was there some US Gov Agency, NSA or like that which specifically designated IE as a security risk and was not to be used? A few years ago this was
    anonymous
  • So what now ?

    Provided by Stay Smart on-line service operated by AusCERT for DBCDE. Issued Wednesday 17th.
    Security update for Mozilla Firefox web browser and SeaMonkey application suite. - SSO-AD2008-026

    Where is the hype ???

    Quick, everybody, let's stop using Firefox.

    Or even better, let's not use browsers, because we will have to keep changing every week.

    What a beat up over nothing.

    Liam, I will give you credit that you have instigated the debate. Should the question now be that we need 3 browsers on every machine?
    anonymous
  • Alternate way of browsing

    Why not run virtual machines specifically setup for browsing etc?
    anonymous
  • Pif..

    Patch was out for FF within 24 hours, deployed automatically to browsers.

    As for integrating FF into corporate environments, we have over 50k users at my work and have had no problems integrating firefox.

    * Users are familiar with IE
    FF operates the same way, I have yet to find a user that had a problem with the change. More users had problems from IE 6 to IE7.

    * IE is easy to deploy (already part of Windows)
    Pif.. this is a very weak excuse in a managed environment.
    * IE is easy to control (GPO with IE Admin Toolkit)
    about:config

    * IE is easy to patch (WSUS)
    FF is automatically patched, and they will allow local caching of patches for internal update servers.

    * IE is easy to upgrade (GPO, WSUS)
    FF automatically deploys upgrades

    * Patches for IE are available for versions 6, 7 and 8 (so you don't have to upgrade to get patches)
    Only for IE would this even be a factor.

    * Patches are released in a timely manner, and are professionally developed and tested
    So are FF patches, and historically MS patches are more likely to create further problems to be patched.

    * All of the above is via free, existing and flexible tools
    Everything regarding FF is free, using existing and flexible tools that you can modify the code for yourself if you wish.
    anonymous
  • beat up?

    Well, I think for most large organisations - which is the target audience for this site - IE is the standard. That's why it is important to discuss. Also, the browser is an important piece of software these days, isn't it?

    Besides, I really wanted to see how security professionals were reacting to the flaw and AusCERT's advice.

    And there is actually a lot of media hype when FF has a flaw anyway.

    But thanks for your comment.
    anonymous