Avoid using IE if possible: AusCERT

By Liam Tung, ZDNet.com.au
16 December 2008 04:36 PM
Tags: auscert, browser, chrome, firefox, ie, microsoft, safari, security

Australia's Computer Emergency Response Team (AusCERT) has recommended organisations "consider using a web browser other than Internet Explorer until a patch becomes available" — an option that many large firms cannot seriously consider.

"We needed a patch yesterday"
Graham Ingram, GM AusCERT
(Credit: AusCERT)

The zero-day flaw, first reported last Thursday, which Microsoft later admitted affects all versions of Internet Explorer, has prompted AusCERT to advise Australian organisations to "consider" using an alternative browser, which could include Opera, Mozilla Firefox, Google Chrome or Safari.

"What we've said is quite specific in our advisory — we've said that users should consider using an alternative browser — if that is possible," AusCERT's general manager Graham Ingram told ZDNet.com.au today.

AusCERT was cautious in its advice to use an alternative browser because it was aware that many large organisations' desktops were "locked down", that is, configured to allow only approved applications to run, which in many cases means Internet Explorer is the only web browser option.

"There are a lot of companies that lock down [their computer] environment," said Ingram.

However, the reason that AusCERT went ahead with the advice was due to the importance of the web browser in modern desktops.

"There are a number of ways to mitigate this, but the browser is one of the most fundamental pieces of software on the modern workstation," said Ingram.

"Having an unpatched browser is a massive problem. A zero-day unpatched IE is something that is not trivial and we needed a patch yesterday," Ingram stressed.

Other possible strategies included the drastic measure of turning off all web browsing, or creating a whitelist of websites that administrators considered safe from attacks that use this specific exploit. Organisations should also update their antivirus, he said.

"But with the rise of legitimate sites being compromised there's no assurance that even safe sites haven't been compromised," he said.

Microsoft admits it has detected several hundred exploits for this vulnerability; however, the sites taking advantage of the flaw appear to be hosted on Chinese domains.

Microsoft yesterday did not know when a patch would be released. The next Patch Tuesday is scheduled for 13 January.

"IE is so widely spread and has so many platforms within it, developing a patch would be a Herculean task," Ingram added.


Talkback 18 comments

    When did this get reported in main news? Bewildered -- 17/12/08

    I would like to think this is an important enough story to have interrupted our regular broadcasting on TV, since it impacts the WHOLE WORLD's security!!! I do not understand the level of damage to expect through my home computer. I would like to see this issue on our main pages like Yahoo! with tips to prevent attackers from getting to all of us using Windows - should we turn off our automatic updater?

    IE has never been good anyway Anonymous -- 17/12/08 (in reply to #320119237)

    IE is such crap! Ask any web developer around if you know any... It's such a pain. A separate script has to be designed just to cater for IE's needs. Other browsers are happy with the common designer lingo.

    For the internet user, IE is slow, heavy, ugly, unreliable and now a "security issue".

    Don't turn it off John Van Der Loo -- 17/12/08 (in reply to #320119237)

    Don't turn off your Automatic Updates if you insist on using Internet Explorer - once Microsoft rolls out a fix for this exploit, it will be coming through Automatic Updates.

    In the meanwhile, why not try another browser, Firefox, Opera and Safari are excellent products.

    Internet Exploder hits again John Van Der Loo -- 17/12/08

    Seriously, when will corporations start caring about their security? The firewalls and proxies cannot stop everything from coming through. Many organisations are still stuck with Internet Explorer 6 - a browser that has had nothing but security problems, not even to begin on the hassles it caused web developers.

    If organisations would care about their security, they would upgrade users to a decent browser already - whether it be Firefox, Opera, Safari, Chrome, [insert any other non-IE browsers].

    Internet Exploder hits again Mark Anderson -- 17/12/08 (in reply to #320119244)

    Seriously, do you work in the IT industry? Do you know how much testing is required to put a new piece of software throughout a large company? EVERY application must be tested against it. It's not just a case of "hmmm, here's a new product, let's use it".
    I can't believe how everyone always bags Microsoft about its products. Before bagging them, learn how to write code yourself, put an application out there and see how long it takes for someone to find a vulnerability.

    Internet Exploder. Thomas W -- 05/01/09 (in reply to #320119336)

    Some of us out here, already know how to design & build industrial-strength code.

    24x7, for years at a time. Public-access systems. And, with zero known bugs at the end of a 7-year period of operation.

    But OTOH, we didn't build code that was vulnerable left, right & center to buffer overruns. Didn't build toy C++, using the vastly flawed coding techniques, shown by MS in *EVERY SINGLE F*%#'N MSDN EXAMPLE*.

    Now the patch-counts between browsers, are misleading as a basis for comparison. This is because MS perform 'bundling' and conceal a far higher number of vulnerabilities, in every fix they report.

    My professional assessment, last performed 3 or 4 months ago, was that virus attacks are almost irrelevant these days: browser attacks & drive-bys are now the major threat vector.

    Where currently many of these are nuisance-grade or advertising, with perhaps 3% malicious -- I expect an ongoing & rapid rampup, to 70% malicious or so, within 4 years.

    (Keystroke/ password loggers, banking & account attacks, personal data/ corporate secret harvesting, access obtained then passed to humans for further exploitation.)

    My assessment is that IE, is & will continue to be far less secure than available alternative browsers.
    By virtue of both 1) inferior engineering & quality focus and 2) mass-market target.

    IE was engineered to "bring the Web into the desktop". Remember ActiveX, Active Desktop, etc?
    These original design "ideas" represent the exact opposite of security consciousness. Right from the start, they got it wrong.

    firefox too have drawbacks!!! Anonymous -- 18/12/08 (in reply to #320119244)

    firefox has also got some serious drawback though not related to security. As a developer of web applications, I find that Firefox has some severe limitations as compared to IE. For example, when we try to navigate to another form from a web form, modify data there and try to come back to the original form with the modified data, firefox loses the instance of the form opened. Thereby we cannot automatically come back to the form with the modified data.

    get a grip Anonymous -- 17/12/08

    You bunch of morons. Read and understand what the exploit is. So my IE browser is vulnerable IF, repeat IF, again for those of you a bit slow on the uptake, IF you go to a dodgy site and download malicious code. So let's get everybody to swap browsers this week, and next week when the same run-of-the-mill vulnerability that happens every week comes out for Firefox or Safari, let's get everyone to swap back. Yes, come on, some idiot please reply to this with some claim that other browsers do not have vulnerabilities. Then let's just keep doing this. Oh, and let's also work on the assumption that it is only vulnerabilities in browsers that expose you to droppers, trojans and downloaders when you go to an infected website.

    Nothing like a good media beat up.

    @ Get a grip! Keith Styles -- 17/12/08 (in reply to #320119273)

    Where do you get off calling people morons? You're the moron. If you had to face the destruction of users' HDD & OS installations caused by the use of IE (yes, there are thousands still using 98X and IE V5 & 6) you wouldn't make such ignorant remarks.

    For whatever reason, the situation does exist!
    Users just do not have the technical expertise or don't even see the news reports. Not everyone gets ZDNet or sees the CERT reports.

    Any other browser would be better than IE, simply because they are not targeted to the same extent. Users would have a much better experience with any other browser.

    IE is slow, clunky & riddled with security problems. M$ can patch till the cows come home & it won't make one iota of difference.

    Web designers need to stop catering to the M$ monopoly. The IE browser doesn't even conform to the International specs!

    Please take your dodgy advice & shove it Mr Anonymous.

    @ Get a grip! Mark Anderson -- 17/12/08 (in reply to #320119283)

    Ummmm, not sure about IE not conforming to International standards. A lot of applications would not work initially with IE7 due to Microsoft bringing their products into line with 3W specs and, of course, poor design of the applications in the first place.

    get a grip Anonymous -- 17/12/08 (in reply to #320119273)

    Hear, hear, Get a Grip author.
    And to everyone else: Don't Believe the Hype.

    Get A Grip Liam -- 17/12/08 (in reply to #320119338)

    Look, in response to the anonymous sender who started GET A GRIP, I agree to a degree. Now I use IE, Mozilla & Sea Monkey. I do have problems with IE sometimes & most of the time they're all great, but when it comes to malicious spyware and security threats as such, this is where the morons come in saying that IE is crap, because if you download any spyware or crap off any web browser you WILL get affected.

    So Liam Step up Anonymous -- 18/12/08 (in reply to #320119356)

    So last night I received from Stay Smart Online:
    Security update for Mozilla Firefox web browser and SeaMonkey application suite. - SSO-AD2008-026
    This is the service run by AusCERT for DBCDE.
    Hey Mr Ingram, where is your advice on swapping from Firefox?
    Where is the hype from everyone on "let's not use Firefox"???

    Or is this different because it is not Microsoft?

    This is just a media beat-up; all browsers have bugs.

    Come on ZDNET, run a story on this new exploit.

    Patch availability Anonymous -- 18/12/08 (in reply to #320119401)

    Perhaps the advice on "swapping from firefox" was not there because there was a patch already available.

    timing for reality check Anonymous -- 17/12/08

    The following provides insight into 2008's most vulnerable applications:
    http://www.bit9.com/news-events/press-release-details.php?id=102
    Guess what fan boys:
    -Firefox #1
    -Safari #5

    Explain why you would want to swap?
    Maybe this is one of the reasons people use IE: because it does not make the list.

    timing for reality check - MARKED AS SPAM BY AKISMET Anonymous -- 17/12/08 (in reply to #320119281)

    Do you work for M$? It might explain your inability to read more than a few lines of text at a time.

    The list only includes apps that (and I quote) -

    • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
    • The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

    The second criterion basically rules out any M$ apps, which CAN be updated, but generally aren't by any large organisations until they've undergone internal testing.

    The exploit is real and in the field, any responsible IT professional needs to deal with it as soon as possible - until M$ release a patch, removing Local Admin access appears to be the only reasonable mitigation plan.

    validity/incentive of press releases. Anonymous -- 17/12/08 (in reply to #320119281)

    been there before:
    bit9's claim to fame:
    "Now at over 6 billion records, the Bit9 Global Software Registry is growing at a rate of up to 20 million files each day"
    ******************
    Before these rascals surfaced-- Queensland University commenced cyber-crime monitoring, along with Interpol, and the FBI--stated that NONE of these security propositions were technically correct:

    ie you pay for a service that protects you from viruses that have not been EVEN created--is too alice in wonderland.

    What these sods/ organisations/botcoms/banks and certain universities, as well as the system manufacturers failed to notify is that Microsoft products--which bit9 claim is lockdownable--instead--AS A FUNCTION OF OPERATION-- leave a galaxy of LISTENING PORTS.
    This has been FBI alerted since 2001.
    AUTOMATIC UPDATES--is exactly the same regards procedure and vulnerability.

    ANY FORM that employs Javascript--also allows third-party ACCESS.

    The DOTCOM ideal of companies selling fresh air--seems REALLY where we might expect such persons as anonymous to be--rather than the more preferred COURTS OF LAW regards social fragrance.

    Comedy Gold Auscert! Anonymous -- 17/12/08

    Subject line says it all. The 90's are now long gone.
