Microsoft Corp. (NASDAQ:MSFT) has yet to patch a vulnerability in some versions of Internet Explorer that allow remote code execution, but not every corporation could easily change browsers, industry experts say.
Last weekend, the German Federal Office for Information (BSI) Security warned users against using versions 6, 7 and 8 of the browser until Microsoft patched the vulnerability referred to Microsoft in advisory 979352, the remote execution security hole believed to be connected to recent attacks on search engine Google Inc. (NASDAQ:GOOG)
Then the French Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatique has issued its own warning to the same effect.
The security hole is also known as Operation Aurora.
The question of whether enterprise users should avoid Internet explorer depends on the size and complexity of the business, says James Quin, senior research analyst at Info-Tech Research Group of London, Ont.
“If the business is small enough or technologically sophisticated enough that it can easily manage the browser switch, then it should probably consider doing so,” Quin wrote in an e-mail to Network World Canada. “If not, it should ensure every other known vulnerability is patched, get anti-malware solutions fully updated and vigilantly watch its network traffic for anything that looks suspicious."
It isn’t easy for everyone to switch browsers, said Craig Schmugar, threat researcher for McAfee Inc. (NYSE:MFE) of Santa Clara, Calif.
“Internet explorer is heavily used,” he said. “There are applications written for it. Not everyone can switch browsers on a dime.”
But he did not say the French and German governments are offering bad advice, noting the Firefox browser, developed by the open source Mozilla project, does have vulnerabilities.
“The odds of (Firefox users) being attacked are less by virtue of the fact that the hackers are after the masses,” Schmugar said in an interview. “They go after Windows because it’s used by more people.”
The Canadian government hasn’t been vocal on this issue yet.
The Communications Security Establishment (CSE) describes itself as “the Government's repository for expertise in protecting sensitive information and ensuring the security of IT products, systems and networks.”
CSE referred a question about Internet Explorer security to Public Safety Canada, which said it is “working” on the query.
Public Safety Canada includes the Canadian Cyber Incident Response Centre.