You’d think the news that Chinese hackers used a vulnerability in Microsoft’s Internet Explorer (IE) to attack Google would be a PR disaster for both companies. Surprisingly, the two stand to benefit from the whole affair.
The recently discovered invalid pointer reference bug in IE6, IE7 and IE8 that was used against Google is seen as so grave that it has prompted the governments of France and Germany to warn their citizens not to use IE at all.
The recommendation of our European chums is to use some other browser — any other browser — instead of IE. (You may think that most people would take any computer security warning from the French, German or any other government with a healthy dose of skepticism, and while that may be true, it’s not exactly a security endorsement, is it?) The most obvious browser to switch to is Mozilla Firefox, IE’s main competitor and an excellent browser — although one not without its own security problems from time to time. “Switching away will get away from this particular problem,” Graham Cluley, a senior technology consultant at Sophos, pointed out yesterday. “But all browsers have security flaws.”
Quite right. But just as bank robbers rob banks because that’s where the money is, hackers attack IE because that’s where the users are. The problem with Firefox is that it’s becoming too successful: It has about a 25 percent share of the browser market (although this is small compared to the 66 percent share enjoyed by all versions of IE combined). Pretty soon it will have enough users for it to be worthwhile attacking more often — especially if every Jean-Pierre and Fritz migrates to it en masse.
Today, Chrome has only a sub-5-percent market share, and there’s no doubt Google would love to see mass adoption. In no small part that’s because the browser is tuned to work well with its cloud-based services, making a migration from a Microsoft-centric world to a Google-centric world (as we discussed last week) a much smaller step for those who use it. Far from being a PR disaster, getting hacked via the IE bug could be the best thing that ever happened to Google.
Did Google put the Chinese up to the hacking job precisely so that many IE users would flock to Chrome? That’s taking things a bit far. Besides, France and Germany’s advice is questionable at best — especially when applied to enterprises. That’s because the most vulnerable version of IE is IE6, running on Windows XP. The best bet for any enterprise still running IE6 is to upgrade to IE8 (which has been made more secure by design and which can be made immune to the vulnerability), rather than to switch to Firefox or Chrome. After all, the only good reason for any enterprise to still be running IE6 is compatibility. Moving to IE8 will likely lead to fewer complications than moving to a different browser altogether.
It turns out that Windows 7 with IE8 is the most secure combination of Microsoft products when it comes to facing this particular vulnerability, thanks to features like IE Protected Mode and on-by-default Data Execution Protection. (As an interesting side-note, the combination of Windows 2000 and IE5 is also immune.) So the upshot of all this is that while consumers — especially European ones — may flee from IE and head for Chrome, there might well also be an accelerated take-up of Windows 7 and IE8 from enterprises looking for extra security. If that happens, Microsoft will become more entrenched in the enterprise than ever.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.
Microsoft rivals gain after Europe browser warning
Warnings by the German and French governments about the vulnerability of Microsoft’s Internet Explorer 6 in the wake of the serious China-based cyberattacks disclosed last week by Google appear to be boosting the uptake of rival browsers across Europe.
However, computer security experts described the Microsoft software flaws as routine and not particularly serious, and called the official warnings in Europe an overreaction.
The spotlight that has been thrown on weakness in its software as a result of the China attacks comes at a critical time for Microsoft, which has been hoping that the release of its Windows 7 operating system would reverse Internet Explorer’s loss of market share.
Internet Explorer is still the leading browser in Europe, with 45 per cent market share, but Mozilla Firefox is a close second at 40 per cent. This compares with a 56 per cent market share worldwide, according to StatCounter, a web analytics company. In markets such as Germany and Austria, Firefox has become the market leader, with IE in second place.
The German and French governments have both warned citizens not to use Internet Explorer, at least until a security patch is released to fix a vulnerability in the software. Concerns were raised after security experts pointed to a flaw in Internet Explorer code as a key vulnerability that had contributed to the cyberattacks on Google and 33 other companies.
There was a huge spike in the number of searches for Firefox in Germany at the end of last week, according to the Google Trends website, which allows users to track internet behaviour. There was also a sharp rise in searches for Firefox in Switzerland and Austria, and more modest increases in Italy, the Netherlands, Spain, Portugal and the UK.
Microsoft said last week that Internet Explorer had been one of several mechanisms used in the attack. Microsoft itself was recommending that customers switch to Internet Explorer 8, a newer version of the browser. Microsoft said it had not seen any successful attacks on IE8.
Andrew Storms, director of security for nCircle, a web security provider, described the warnings from France and Germany as “a disproportionate response” that reflected general paranoia in the wake of Google’s disclosure.
“Microsoft is an American company, Firefox is developed internationally – it’s convenient to kick them over this one,” said Dan Kaminsky, a US-based security expert.
The disclosure of the browser flaw was routine and not materially different from “thousands” of weaknesses found each year in browsers and software “plug-ins” that extend their capabilities, he added.
Internet Explorer has been under intense scrutiny in Europe. Microsoft recently settled a case with the European Commission over tying the browser to its dominant Windows operating system. In December, Brussels agreed a deal in which the company will offer Windows users a choice of a dozen browsers. Microsoft will continue to be under close monitoring by Brussels to ensure that this system works.
Microsoft is trying hard to improve its relations with European policymakers, however. On Tuesday it announced that it would make data from internet searches anonymous after six months, in line with recommendations by the Commission.
The Article 29 Working Party, a group of European data protection officials that advises Brussels on its privacy policies, had recommended nearly two years ago that user data collected by search engine companies be deleted after six months. Although Microsoft is responding slowly to the request, it will look compliant compared with Google, which keeps search data for nine months.