In the wake of the attack on Google from sources unknown within China, the German government issued a warning that advised Web users to pick a new browser and drop Internet Explorer. Adding to this, France issued similar warnings. This knee-jerk reaction is expected, given that Microsoft admitted flaws in their code helped move the Google attack along, but does using a different browser really help?
Switching browsers does nothing to limit the attack surface when you get down to it. While flaws in Internet Explorer can be used to deliver malicious payloads, and this happens all too often, simply telling an entire nation of users to switch browsers does no good.
“The German government appears to be taking a knee-jerk reaction to reports that hackers have been exploiting an IE security weakness, but the problem is that, even if users switch to another Web browser, they are still likely to encounter similar potential security problems,” said Mickey Boodaei, Trusteer's CEO.
Microsoft has issued statements which downplay the attacks as a whole, but mention that Internet Explorer 6, 7 and 8 are vulnerable. They are still working on a fix, and despite code being published in Metasploit and other places online, attacks are limited.
The notion that a flaw in Internet Explorer led to an attack on a company isn’t reason enough to drop the browser used by the majority of Internet users the world over. Such attacks happen all the time. Remember, this is only a major issue because it is political and involves not only China, but Google, Yahoo, and many other Silicon Alley giants.
While we here at The Tech Herald are certainly critical of Microsoft when it comes to security, we still give credit where credit is due, and the security advancements of Internet Explorer over the years are worth mentioning.
However, mitigating factors such as DEP, mentioned in the security advisory for the ZeroDay in the software giant’s browser, keep users of Internet Explorer 7 and 8 safe only if they are actually in use. While Internet Explorer 8 uses DEP by default, it has to be enabled on Internet Explorer 7.
Another issue this governmental warning to leave Internet Explorer has brought up is that Google uses Microsoft’s browser, and that there are still organizations out there using older versions of it as well. While those notes are spun to promote and even confirm the idea that it is a risk to use Internet Explorer, they leave out the reason why the range of versions would exist in the first place.
First, Google uses Internet Explorer more than likely for testing. They have to, since the majority of their user base runs the browser. Not to mention, Google is a Web-focused business, and they have to ensure that their services work on a cross-platform basis. For this reason alone, it shouldn’t surprise anyone that Google would use all three existing versions of Microsoft’s code, as well as that of Apple, Opera, Mozilla, and their own browser.
Assume that the attack on Google came from Opera instead. Would there be a push to dump this browser? In any case, the more surfaces you introduce to the network, the larger the window of attack. Using several browsers, for example, offers several areas of exploitation; Google knows this and sees it as an acceptable risk.
When it comes to other organizations, their reasons for using the older versions of the browser are the same, and so is the risk. A company that develops applications or Web services for clients has to ensure that the code it produces will run on all browsers.
The only systems that should be running only the latest code are those used at home and in some small businesses. However, even then that is easier said than done. So the best bet is a layered defense. Since the entire scope of the Google attack is still unknown, there is no way to tell where the security layers failed.
Home users and SMBs should worry more about patching and keeping existing protections, such as anti-virus and network layer defenses, current. While this will not stop a ZeroDay attack, it will help prevent most payloads from working.
One issue that seems overlooked in all of the hype surrounding Google’s problems is that Internet Explorer was just one piece of the puzzle. The malware that was delivered caused the real issues, as did the delivery method, which, while unknown, is more than likely related to a targeted social engineering attack.
Layered defenses, including behavioral scanning and detection, which most home users and SMBs enjoy no matter what security solution they are using, offer the most surface coverage. The idea is not to protect everything, but to protect as much as you can within reason.
While there are alternatives to the mainstream browsers, PDF readers, and applications, they are just as vulnerable at the end of the day to an attacker who is dedicated and has the resources to target a company or system.
So if you want to leave Internet Explorer behind and use Opera, Firefox, or Safari, feel free. Just remember to use layered defenses, and that a new browser does not ensure total security.