Government takes action on IE zero-day flaw

The government is urging employees to update to IE8, relying on the upgrade and its extra security measures to protect systems from a zero-day attack

The government has issued an alert to civil servants, advising them how to mitigate the risk of a widely publicised flaw in Internet Explorer.

The Cabinet Office on Wednesday urged government departments to use workarounds outlined in a Microsoft advisory on the flaw, as there is no patch available. The software maker is telling customers using IE6 and IE7 to update to the more robust IE8 amid recommendations from security organisations that users switch to another browser until the problem is fixed.

The government has told departments: "By all means upgrade, but changing browsers may not reduce vulnerability," according to a Cabinet Office spokesman.

While tens of thousands of government machines run IE, security mechanisms such as firewalls and intrusion detection systems on government computers provide adequate defence, the spokesman added.

"A government user, operating on government systems, such as the GSi (Government Secure Intranet), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks," he said.

In addition, civil service staff have been told to visit the government security website Get Safe Online, which has advice about the zero-day flaw.

The Cabinet Office acts as the distribution point for security advice aimed at the government from agencies such as GCHQ and CPNI (Centre for the Protection of National Infrastructure).

The UK government on Tuesday said it did not have plans to advise its employees to switch browsers, in contrast to the French and German governments. Instead, it is taking a similar tack to its Australian counterpart, which warned its users of the issue on 15 January, saying people should upgrade or use workarounds.

Microsoft has promised an out-of-band patch for the invalid pointer reference issue in Internet Explorer. The flaw, which was exploited in Chinese hacks against Google, has had major repercussions for Google's relationship with the Chinese authorities.