Red Alert

Is the Govt tech aware?

Posted by Clare Curran on January 18th, 2010

You’ve probably heard that the German Government has issued a warning to all Germans not to use Internet Explorer after a security flaw had been revealed. The flaw was revealed following the recent hacking of Google.

The issue is running hot, not just on Twitter, and online media, but in the mainstream media too. Last night it made TV3 news. The BBC said:

The warning from the Federal Office for Information Security comes after Microsoft admitted Internet Explorer was the weak link in recent attacks on Google’s systems.

Microsoft rejected the warning, saying that the risk to users was low and that the browsers’ increased security setting would prevent any serious risk.

However, German authorities say that even this would not make Internet Explorer fully safe.

I’ve been a bit busy today, so haven’t managed to post until now. But hello? Is our government aware this is an issue?

As an MP, we have no choice about what browser we get to use in parliament, in our electorate offices and on our laptops.

I understand that most government departments have Internet Explorer as their standard browser and that for many, their employees have no choice about what browser they use.

What does this mean for the security of the New Zealand government’s information and systems?

What about the multitude of other NZers who use Internet Explorer at home or in the workplaces?

Given what’s happened, wouldn’t it be a good idea for the government to say something? Or don’t they know what a browser is?


28 Responses to “Is the Govt tech aware?”

  1. You need to bear in mind that pretty well all computer operating systems and internet applications have a constant stream of security holes discovered and then patched (fixed).

    I don’t see much point in the government getting hysterical each time a new hole is discovered.

  2. Steve Reeves says:

    A rather broader question: What are the reasons for not allowing each part of government to choose the o/s and other basic software that best fits their particular uses, styles, specialisms, needs etc.?

    Is there just one central IT department that services all of government? Then I guess “no choice” might make sense (as long as it is also sensitive to the specialisms as mentioned above, and therefore allows opting for other software). If each part of government has its own IT unit, then this “no choice” makes far less sense.

  3. Sweetd says:

    Oh FFS Clare, you are better than this, taking catty pot shots where ever you can find them against the govt is not a good look.

    Who the heck is the German Fed Office for security in IT? Never heard of them. Almost as laughable as the media going to some sales bod in Dick Smith’s as the go to expert guy for some new virus.

    As Thomas Beagle said, there are updates coming out on an almost daily basis for patches in all programs, and those of us that actually work in IT are aware of this and patch accordingly. If we do not, bad things can happen, not the least of which is that I get fired. I do not need the govt of any country to tell me how to do my job.

  4. I hope this isn’t too conceptual but -like in biology- a monoculture means that a single defect can affect all of the population. The security risks of a forced monoculture of Internet Explorer are an issue that should be justified (perhaps against the maintenance costs of supporting multiple pieces of software).

    @Thomas Beagle: that all software has bugs is a truism but be careful with that kind of statement because it could be misread as if you were saying that all software is the same; as if there weren’t good practices and bad practices.

    Security is more about the preventative approach to containing future bugs, speed of fixing bugs, speed of upgrading the software population to the latest version, etc.

  5. David G King says:

    I work for a multinational here in NZ where the desktop is tightly controlled by a central IT office somewhere in the USA. We use Internet Explorer 6.0 mainly because a critical app has been written for IE 6 and they know it works under IE 6. Pity really, but as I want to keep my job, I ain’t fighting it….

  6. Phil says:

    As an MP, we have no choice about what browser we get to use in parliament, in our electorate offices and on our laptops.

    I understand that most government departments have Internet Explorer as their standard browser and that for many, their employees have no choice about what browser they use.

    I suspect this is because, despite the protestations of the rebellious, IE is a perfectly acceptable product to 95% of the web browsing community. Adding more software options just adds to the complexity of fixing and maintaining them for IT departments.

    What does this mean for the security of the New Zealand government’s information and systems?

    This is likely to be part of a much bigger security risk; users are stupid.

    I’m confident no malicious virus will ever do as much damage as the terminally stupid. The last two organisations that I’ve worked for have had to, for example, disable the USB ports on everyone’s PCs, because some tool ignorantly brings in a datastick with a virus that infects the entire network.

    Like they say; If you build it, they will be dumb.

  7. Andrew Straw says:

    First thing I do when I get a new computer is download and install Firefox and Safari. I can hardly get IE to open, the old dinosaur.

    I don’t see why Microsoft doesn’t just scrap it. If people are just using it to download better browsers, that’s quite a clue.

    Actually, I enjoy getting reports about MS being a “weak link,” because that is just one more nail in the coffin.

    Post #1 Jan 18

  8. ConorJoe says:

    Andrew, how many computers do you go thru?
    Firefox is just lovely.

  9. Draco T Bastard says:

    after Microsoft admitted Internet Explorer was the weak link in recent attacks on Google’s systems.

    IE has been the weak link in Windows security since 3.02. There’s more than one reason I stopped using it and the fact that it’s a massive security hole is one of them.

  10. paul says:

    It’s been a donkey for a while.

  11. Draco T Bastard says:

    IE is a perfectly acceptable product to 95% of the web browsing community.

    Actually, it’s only perfectly acceptable to the terminally stupid due to it being a massive security hole. This has been remarked upon around the world for the last 10+ years so there’s no excuse about not knowing that IE is a pig.

    Adding more software options just adds to the complexity of fixing and maintaining them for IT departments.

    And the only reason why that would be is because MS doesn’t stick to the international standards. IE came with the OS and didn’t have to be installed which made it cheaper to only support IE compatible websites.

    Basically, the only reasons why people still use IE is due to either cheap business managers or terminal stupidity (obviously, the cheap business managers are also terminally stupid).

  12. Andrew Straw says:

    @Conor
    Only get new ones when old ones irreparably break, which happens rarely. One PC, one laptop.

  13. A friend forwarded me an email saying that France has now joined Germany in telling people to move away from Internet Explorer.

    “Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers [...] Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch.”

  14. Sweetd says:

    The issue is with IE6 and Windows XP, not the generic IE brand. Using later IE browsers, 7 and 8, together with later versions of Windows, Vista and Win7, lessens and eliminates this current threat.

  15. LabRat says:

    Clare, for you it would be Parliamentary Services I think who dictate your Standard Operating Environment including what apps you have installed. They will have the requisite firewalls at the outer perimeter of the network that would have anti-virus and intrusion prevention services running. On your own computer you should have corporate antivirus software, and probably (I’m guessing you have a laptop) a software firewall (which may be Windows firewall). As long as you follow the instructions then your firewall and antivirus software should remain up to date and keep you protected even against IE security flaws.
    You should remember there is a team of skilled IT professionals who have designed the network to be secure, and if they have set IE as your standard browser then that is the policy and it is what you should use. Otherwise use your personal laptop/PC outside of the network and do what you want with it.

  16. LabRat says:

    To answer those questions though:
    What does this mean for the security of the New Zealand government’s information and systems?

    It means nothing as they are behind firewall appliances. Wellington has huge numbers of IT professionals working either directly for government departments or for companies who contract to government departments.

    What about the multitude of other NZers who use Internet Explorer at home or in the workplaces?

    At home they should have decent AV software and run regular updates. At work they should have corporate AV and firewalls, with regular patching and updates. It’s not like nobody has told them this in the last 15 or so years. Along with ‘make a backup’.

    Given what’s happened, wouldn’t it be a good idea for the government to say something? Or don’t they know what a browser is?
    Who exactly should say something? John Key? Should he make a speech to the nation “Everybody, it’s important that you install good anti-virus software, turn on automatic updates and windows firewall, and keep a backup of your stuff. You can use firefox if you want, I’m pretty relaxed about that”

    Frankly you seem to think those thousands of IT workers that support government IT systems are just paid to come in and update their facebook status?
    I really find this post insulting to real IT professionals (which you clearly are not).

  17. @LabRat “What does this mean for the security of the New Zealand government’s information and systems? It means nothing as they are behind firewall appliances.”

    Nonsense. Remember that back in 2007 New Zealand was, according to our secret service, hacked by the Chinese Government using Internet Explorer bugs despite us having firewall appliances: http://j.mp/6xvdlU From the names here there are many real IT professionals who agree with Clare.

    More to the point, security is about layers of good practice and defences, not about a single point of failure being excused by another. You even imply this by talking about the layers of security that computers should have, so please be consistent and don’t be an apologist for a weak link in the chain as if all browser problems can be mitigated by firewall appliances.

    It’s bigger than just Internet Explorer 6 on Windows XP. According to Microsoft the following software is affected: “IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are all at risk.”
    (source: http://j.mp/82DUwB )

    That’s a majority of users of Internet Explorer, and that’s why governments are issuing advice to move away from this software.

  18. Ted says:

    @ Clare:

    “As an MP, we have no choice about what browser we get to use in parliament, in our electorate offices and on our laptops.”

    Not actually the case – while PS’s system has IE as its only default browser, you can get Firefox (and others I’m sure) if you want by either downloading and installing it yourself or by talking to PS IT – it should just take one easy phonecall.

    A former staffer, I had it running on the PS system long before it was given an unofficial ok (it helped to have sympathetic IT techies). While it later became an acceptable option, they obviously haven’t yet made it available as a default option, or even told you that you could ask for it.

  19. Rob Carr says:

    IE is a horrible browser in my mind which has always lent itself to viruses. Hence I have stuck to firefox.

    However a significant part of the reason why IE is insecure is because everyone uses it. This means there are hundreds of thousands deliberately trying to find flaws in it which they then leak through their hacker networks.

    Despite not all browsers being equal when it comes to flaws in them this is not always going to be the key determinant in their security. A browser version will be used for several years after being released and this gives people ample time to make holes in it regardless of how secure it is to start with. If any other browser becomes common it immediately also becomes a security risk as people start writing viruses and scripts for it.

    The only way to be truly secure is to use your own private browsers as a few of my friends in the UK started doing. But this of course requires technical experience to make it secure which even most IT companies are lacking. It would be phenomenally expensive.

    The best thing for the government to do is simply make sure whatever browser it chooses to use it updates it to the latest version with all the security patches up to date. Add to this a firewall, a virus scanner and forced virus scans of every file loaded before the computer runs it and it should be fine. Any files that need to be kept fully secure shouldn’t even be on computers that have access to the internet.

  20. LabRat says:

    @Matthew “From the names here there are many real IT professionals who agree with Clare.” I don’t see any Matthew, can you point them out to me?

    @Clare: do you know who GCSB and CCIP are?

  21. Kevin Ackhurst says:

    Without commenting on the political or IT management issues raised by Clare in this post I am happy to see some attention being given to the question of on-line safety and security.

    Debates about which web browser is ‘best’ are fascinating but with respect they miss the point on security. All software has vulnerabilities. If you doubt me take a look at the NZCERT site or at the Security Bulletin reports of the Australian Computer Emergency Response Team. Threats and vulnerabilities exist across the product, vendor and application spectrum. Interestingly most of the bulletins involve vulnerabilities across multiple products – proprietary and open source.

    Perhaps the biggest and most intractable vulnerability is the interaction between the software and humans. Despite warnings from governments and private industry, individuals will still click on links in emails from people they don’t know. Removing human error from the computer system is almost impossible so better security will always require commitment and resources for continual, 24/7 professional vigilance and user education.

    By the way, what is too often forgotten at times like this is that attacks on software are usually just a means to an end. IE6 was just one piece of software that was apparently attacked to get at Google Gmail users in China. By all means think about the how, but don’t forget the why of internet attacks.

    Finally I can confirm that Microsoft will release an update for the vulnerability that was identified in this case as soon as it has been tested and confirmed. It will be released outside of our normal security release cycle.

    Kevin Ackhurst
    Managing Director
    Microsoft New Zealand

  22. Clare Curran says:

    Thanks Kevin, it’s great that you are participating in this discussion and reflects a healthy attitude to some of the current debates.

    My issue was mainly about good information and advice being provided to people who read and hear discussions about software they are using but don’t know the implications for themselves.

    As you will have noted there are various perspectives on this issue, but leaving aside the immediate security issues, the debates are about the changing nature of the software, the need for ongoing scrutiny of security and the ability of the public sector to make choices about the software they use.

  23. David Lane says:

    @Kevin,

    Thanks for entering the fray. Your response is more or less exactly what I would have expected – patronising and misleading, indirectly apologist and casting vague aspersions (without providing evidence) at the quality of non-Microsoft products. Your assertions are baseless, and your tone disingenuous.

    Yes, all software contains bugs. As Matthew Holloway stated, your response implies that MS IE is no more prone to major security vulnerabilities than other browsers. This is nonsense.

    Even if the other browsers were of far lower quality in construction (this is highly doubtful – they almost certainly exceed MS’s own software quality thanks to open source peer review and the quality of the engineers developing them), they are more secure *by design*. They are *not* integrated into the core of Windows.

    Because it is intertwined with the core of Windows, IE inherently poses a larger threat. MS IE currently (and many times previously) offers a guaranteed security exploit of all MS Windows computers running it.

    The NZ government can reduce its security liability by restricting the use of IE6-8, and using any one of the following free non-Microsoft browsers: Firefox, Safari or Google Chrome. Opera, although not free software, is available free of cost.

    All of those non-Microsoft browsers are not subject to the vulnerabilities warned about by the German, French, and Australian government security boards. They also have desirable traits of allowing NZ’s politicians and public servants to comply with the open web standards that the government requires and which MS browsers do not support acceptably (e.g. SVG, HTML5, etc.). Moreover they do not offer direct access to the core of Windows.

    Disabling IE on any computer is a win-win. Government of NZ – switch to something other than Microsoft IE – there is no downside.

  24. David Lane says:

    Actually, @Kevin, I’d be interested to see your rebuttal for this:
    http://limulus.wordpress.com/2010/01/20/microsoft-lies-to-your-face-about-browser-security/

    Looks like – if the above report is to be believed – that IE6, 7, and 8 are demonstrably less secure right now than, er, any other browser that exists with regard to developer responsiveness to identified vulnerabilities. And that doesn’t even take into consideration the fundamentally insecure design decision to intertwine IE around the innards of Windows.

    Yes, all software has vulnerabilities – but it just so happens that the ones in IE6-8 are catastrophic. Mr. Ackhurst, I admire your pluck, but your attempt at damage control was not compelling.

    Dave

  25. TalkGeek says:

    @David Lane
    …they almost certainly exceed MS’s own software quality thanks to open source peer review and the quality of the engineers developing them..

    Why keep perpetuating this same fallacy, re “peer review”, implying that many eyes being involved in OSS projects makes them more secure?

    Only this week at LCA2010 http://www.lca2010.org.nz/ here in WLG NZ, a presenter stated the vast majority of registered OSS projects (I believe he said over 95%) have 1 moderator (or less), 1 developer (probably the same person) and 0 (zero) testers… where are the many eyes, the high quality peer review?

    Having said that, clearly Mozilla and Safari aren’t in that bucket, and are excellent products (and are in use in some Govt agencies!)

    However, let’s not try to kid everyone that there aren’t sec vulnerabilities in those products either: http://www.mozilla.org/security/known-vulnerabilities/ and http://www.pcworld.com/businesscenter/article/160974/safaris_security_reputation_takes_a_beating.html. The same advisory comes from these vendors as well – keep your browser updated (patched).
    This should be an issue about public awareness, not what brand of browser to use.
    Keep antivirus and operating systems patched whatever you use; running something other than IE doesn’t keep you safe in itself, and in fact implying that is downright irresponsible.

  26. David Lane says:

    @TalkGeek

    Thanks for your response. You do, however, contradict yourself. First you assert that being open source doesn’t enhance likely security (many eyes, etc.). You say I’m perpetuating a fallacy… then you say Mozilla and Safari “clearly aren’t in that bucket”. What does that mean? That they’re the exceptions to the “fallacy”? Doesn’t that make my point?

    The issue at hand here isn’t whether or not non-IE browsers have security vulnerabilities. They do. They also are
    a) not part of the core of the OS, and
    b) when found vulnerable, are fixed relatively rapidly.

    A vulnerability in, say, Firefox, is like a paper cut – annoying but not life threatening for the machine on which it runs… A vulnerability in IE6-8, however, is like a slash to the jugular.

    I know whose bugs I’d rather risk, and I don’t think the widespread advice being offered is irresponsible at all.

    Dave

  27. Mark Rees says:

    Everyone,

    I would just remind everyone that an update is now available for this vulnerability and customers should update as soon as they are able:

    http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

    Regards,
    Mark
