Author: John Phillips (Ocean Computing Solutions)
Recently there have been reports in the media relating to a bug in Internet Explorer which was allegedly exploited by the government of a large communist state to spy on dissidents. Many media outlets went as far as to say don’t use Internet Explorer at all, use something else, like Mozilla Firefox (http://www.mozilla.org).
This kind of story makes great news. It has everything: a potentially deadly computer security threat (especially if you are deemed to be a dissident in a country where capital punishment is not uncommon), espionage, and radical advice that we should all stop using the most popular browser on the web.
Unfortunately, there are a few problems with this. Starting at the beginning, the vulnerability concerned, while an extremely serious remote code execution flaw*, only exists in Internet Explorer 6. IE6 shipped with Windows XP, and has since had two major version updates. We are now at Internet Explorer version 8. Anyone who has automatic updates enabled on their computer would have this most recent version, and would not be put at risk by this particular security threat.
The spying allegation came from Google, who allege the Chinese government implemented a sophisticated exploit with the purpose of obtaining logon details to Gmail accounts operated by persons of interest to said government. Google have been so incensed by the actions of Beijing that they are now claiming they will stop censoring search results for users in China (an operational requirement imposed upon the Google China operation (www.google.cn) by the Chinese government). The Chinese government could well prevent Google from operating in China if this goes ahead – serious stuff.
Now that the vulnerability is known, it is only a matter of time before other unscrupulous parties will look to create their own versions of this exploit in order to obtain passwords to internet bank accounts, credit card numbers and the like.
The bottom line is the media likes sensational stories, and this fits the bill. It’s good to see the media taking an interest in computer security, but it’s a pity this wasn’t reported in a more considered way. Perhaps it’s because scary headlines sell newspapers, or perhaps because the journalists involved didn’t have sufficient understanding of the content on which they were reporting. This would have been an excellent opportunity to encourage people to use the automatic updating functionality within Microsoft Windows to keep their software up to date, to install anti-virus software, use a firewall, and generally be careful on the internet. And that is my recommendation to you.
To turn on Automatic Updates, follow the steps in this article: http://www.microsoft.com/security/updates/mu.aspx. If you are running a business with more than a couple of computers, having an IT professional examine your network and make sure it is as far as possible free of security vulnerabilities is essential.
Ocean Computing Solutions can help Canberra-based businesses in this way. If you have five or more computers, you can take the first step for free. Just visit our web site and sign up for a free Network Problem Prevention Audit, normally valued at $497. This comes at no cost to you and with no obligation to do or buy anything. At the end of the audit, you will get a written report detailing our findings and recommendations.
* A remote code execution vulnerability is a software flaw which allows an attacker to run software of his/her choosing on a remote computer via the internet, probably without the knowledge of the computer’s owner. This effectively means the attacker has remote control over the compromised system.
Anyone can Google this and read about it themselves.
“The German and French governments recommended that all Internet Explorer* users should switch to an alternative browser.”
*: Of any version, even 8.x
Internet Explorer 6.x does not support features that *improve* performance & security as well as modern browsers, so much so that Google are phasing out support for it in March 2010 (about time).
Why switch?
– Security (I won’t go into this, it’s just too obvious)
– (Basically it’s better than being sued for not securing your clients’ data in ways best described as negligent).
– Productivity: alternative browsers perform on average 10 to 14 times faster on the same computer hardware.
– Yes that is a +900% to +1300% improvement in performance, within Web Applications and Web Sites, on well configured systems and/or networks. Without upgrading your existing fleet of computers!
Suggested Alternative Browsers:
(1) Firefox 3.6 is a great choice, and for those who are not willing to give Mozilla a shot (over 310 thousand Australians last time I checked), I would heartily suggest they switch to (2) Opera 10.x or later.
Why Opera?
– It’s Secure, and Performs amazingly.
– It has extremely useful features under the hood and still works as a simple everyday browser.
– It’s easy to learn! The extra security is transparent.
– It wins on selection panels, Nokia use it on their phones, it has been around (as a product) longer than Firefox has (maybe not Mozilla though).
Thanks for your comments Scott. As you have pointed out, a range of alternative browsers are out there, but in a business environment, switching might not be a trivial task. This article outlines some of the concerns (http://www.sophos.com/blogs/gc/g/2010/01/18/french-government-advise-users-stop-internet-explorer/). Interestingly, a poll on the linked article suggests that most people think they should stop using IE.
The key point I wanted to get across though, is that out of all of this (the Google.cn saga), we have missed a golden opportunity to educate computer users about steps they can take to protect themselves, opting instead for sensationalist “the sky is falling” type reporting. And that’s a shame.
Yeah but it’s not a problem until it has a solution, as they say.
Problem: The sky is falling.
Solution: Use Opera.
– Businesses that have websites *NEED* those websites to be usable on mobile phones, etc. Testing with Opera helps with this.
– Any browser that fails the ACID tests is bad.
– ASP and ASP.NET are not tied to Internet Explorer.
– There are (still?) no real-world examples of websites or Intranets that ‘only’ work with Internet Explorer, in fact quite the opposite, there are sites that work fine with everything ‘except’ Internet Explorer (eg: In March 2010 Google is joining this club, as they pull archaic ‘work around code’ required to support IE 6.x, and concentrate on ‘something new’).
So once all the propaganda has settled down, with any luck news sites (that are not sponsored by Microsoft) may publish articles indicating that large, successful companies undergoing growth such as Blackberry, Nokia, and other mobile device vendors use Opera, and frankly “it is the BSD of browsers with a GUI that could almost put Apple to shame”.
Anyway: It’s not that people don’t know how to use Opera or Firefox, ***it’s more that they don’t know how to use Internet Explorer***. So they really should just switch to something secure that doesn’t ‘burden the user’ with security policies (that the software should take care of) and slow performance that hampers productivity.
The web browser should be secure & intuitive, not clunky.
ie: http://www.opera.com/link/
I can change PCs, laptops, etc. and my ‘session’ ‘persists’. (I can do this in Firefox 3.6 too, it just requires 3rd party addons).