Civil servants to stick with IE despite zero-day flaw

Security experts have questioned the government's decision not to direct civil servants to use an alternative browser until Microsoft patches a flaw

The UK government will not direct its departments to switch away from Internet Explorer, despite a zero-day flaw in the browser that has sparked warnings from Germany and France.

Most of the UK's tens of thousands of civil servants, including those in Whitehall, use Internet Explorer. The Microsoft web browser suffers from a widely publicised vulnerability that underpinned attacks against Google by hackers in China, and has led the French and German governments to advise citizens against using the software until Microsoft issues a patch.

However, government departments are not being advised to move to a rival browser as there is no evidence it would make a difference to security, a Cabinet Office spokesperson said on Tuesday.

"Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them," the spokesperson told ZDNet UK. "There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats."

Microsoft said on Wednesday that it would issue an out-of-cycle patch for the browser vulnerability, but did not give a timeframe. The company has acknowledged that exploit code for the flaw is circulating publicly, but said the attack targets IE6. It has urged people to upgrade to IE8, which has stronger built-in protections.

A series of parliamentary questions by MP Tom Watson in 2009 established the extent of IE use in central government. The Department for Work and Pensions (DWP), the Department of Health (DoH) and the Department for Business, Innovation and Skills (BIS) are among the government departments that use IE6 on all desktop and laptop computers. The Home Office is in the process of upgrading from IE6 to IE7.

On Tuesday, the DWP said it is aware of the browser flaw but plans no changes to its use of IE6. "The department, along with our suppliers, is monitoring the situation and will continue to do so," a spokesperson for the DWP said. "Our existing defences are robust, and we do not intend to issue any special instructions to staff at this stage."

The Ministry of Justice (MoJ), which uses IE7 in its upper echelons, is relying in part on its restriction of admin rights to protect its systems.

"We are aware of the Microsoft Security Bulletin which describes this vulnerability and how to address it," a ministry spokesperson said. "MoJ networks are configured to prevent such vulnerabilities being exploited. In addition, the vulnerability is most easily exploited by users with administrative privileges. MoJ users do not have such privileges."

However, security experts questioned the government's approach. Given the situation, civil servants should not use the browser on the internet, according to Chris Wysopal, chief technology officer for security company Veracode.

"There is no question that governments are under the same type of spear-phishing attacks Google was attacked with," said Wysopal. "IE6 should absolutely not be used by government employees to browse non-government websites. Exploits are public, and [the flaw] is being actively exploited."

Ross Anderson, professor of security engineering at Cambridge University, said the government should encourage the use of other browser software by its departments. He pointed out that citizens often had no choice but to use IE on public-sector websites. "The whole thing's a complete mess," said Anderson. "Many government websites won't interact with Firefox or alternatives — you have to use Microsoft if you want to interact with the government."

If the government did urge its departments to switch to a browser such as Firefox or Chrome, that sudden change could cause support problems within government departments, pointed out Graham Cluley, a senior technology consultant at security firm Sophos.

However, the government should at least tell its employees to upgrade their IE software, he said. "There are concerns these hacking attacks are being sponsored by the Chinese," said Cluley. "It would make sense to run up-to-date browser versions to mitigate espionage concerns."