Microsoft's Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser.
With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft's browser, and although the vulnerability has only been used against IE6, the company has not ruled out that something similar could be used against the later versions.
With Microsoft not prepared to give details of how soon a fix will be released, and advising people to leave the appalling IE6 and its successor for the latest version – IE8 – Microsoft's UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option.
Less secure
"The net effect of switching [from IE] is that you will end up on less secure browser," insisted Evans.
"The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.
"There are broader risks and issues with other browsers."
Not representing
Evans believes that the coverage attached to the problem – which was namechecked by Google as it changed its China policy – is "not representing the situation".
"If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.
"The reality of the risk is minimal, even if you have IE6; you would have to go to a website running the exploit."
PR disaster
The whole Google IE flaw issue is clearly a PR disaster for Microsoft, with Evans conceding that this particular problem is not likely to afflict IE's rivals.
"I'm not aware that the vulnerability exists in other products," says Evans, "But those products may have other vulnerabilities."
Asked directly when a fix would be ready, Evans states that the rollout might or might not be before the normal upgrade cycle, but has no further details.
"We are working to provide an update to the vulnerability. We are not seeing any attacks on IE8."
In the meantime, the company will be hoping that the knee-jerk reaction of France and Germany is not mirrored elsewhere.
Your comments (14) Click to add a new comment
tech89
January 24th 2010
14. Also, Internet Explorer exhibits the same sandbox approach as chrome does and utilises separate processes for each tab.
IE8 is pretty secure, all other versions of IE are not though.
Plug-ins such as flash which are not standardized are what cause problems for browser security. They can be caused to create buffer overflows which can allow executable code to be executed from the memory by hackers. Flash unfortunately needs read/write permissions and poses a serious problem. To counteract this problem chrome makes each plug-in a process which only interacts with the renderer which only has low level permissions (i.e. only compute, not read/write).
I would be more worried about the exploitation of popular and insecure plug-ins such as Flash than a vector in IE.
The majority of hackers like an easy way in and Flash is easier to exploit than a vector in IE.
Alert a moderator
tech89
January 24th 2010
13. For people who are genuinely interested in how google chrome is made to be very secure, then I 100% recommend this web page article:
http://arstechnica.com/security/news/2008/09/chrome-antics-did-google-reverse-engineer.ars
An insight in to the software and how it is very secure partly because google has managed to reverse engineer a bit of windows, excellent for users of chrome.
Read the web page article link before any response to this comment. It makes you think.
For those who want a summarised version read Chrome article on wikipedia (it's all referenced with links to prove it correct).
Sandboxing, separate processes, data execution prevention, mandatory and discretionary access control.
Chrome is secure because google have gone to great lengths to reverse engineer bits of windows to make the browser as secure as possible.
There are still a few flaws, but they are discovered quickly and kept quiet until a fix is issued and users are protected. This denies any hacker the public knowledge of the flaw until the flaw is fixed, which is good for the user.
Passwords stored by the password manager are kept very secure. Read this article:
http://www.switchonthecode.com/tutorials/how-google-chrome-stores-passwords
I hope anyone with an ounce of interest in software and browser security will visit the links mentioned in this comment.
Alert a moderator
1fastbullet
January 19th 2010
12. @gavmeister:
Go on foolishly believing that Chrome is so much more secure than other web browsers while Goofle follows you around with its nose up your butt.
If Goffle Chrome is so damn trustworthy, why do you suppsoe SRWare found it prudent to create the Iron browser you are apparently unaware of? The Iron browser is exactly a clone of Chrome, but with one major exception: It has removed Goofle's ability to shadow and record your every move.
Anything remotely connected to Goofle is going to track you. Tracking you and using your personal information is how Goffle survives. (Have you failed to notice its "targeted advertising" when you use it?) This is why people who value personal privacy and do not appreciate Goofle's invasion of same use the Iron browser and the Scroogle.org search engine (in place of Goffle search). Scrooogle uses the same search function as Goofle, but, once again, has removed Goffle's ability to collect your browsing and search habits.
Gee, I wonder how the name "Scroogle" was decided upon.
Alert a moderator
dave007
January 19th 2010
11. Speaking as a web developer I can safely say it's the worst program ever made, if theres ever an issue in developing a site its with internet explorer. Just think about this, this browser never keeps up with new features in display of CSS and the implementations they do make are never the best, this is where we can see how the browser works and its terrible when compared to any other, what does this mean for networking and security?
It also relies on Windows update for fixes.. what if this is turned off as it is for many users?
IMHO Microsoft should just ditch Internet Explorer, it wants to be part of the "browser wars" but doesn't seem to want to build the best browser as can be seen from display technology.
Alert a moderator
serendipity
January 19th 2010
10. @gavmeister
Nobody who was computer literate would ever claim that one browser was a million times better than another. It's completely meaningless and frankly its just troll speak...
Alert a moderator
tech89
January 19th 2010
9. Flash is the big problem. More and more incidents of malware trying to install itself from legitimate adverts on legitimate websites. We should be worried about adobe flash and pdf before we get panicky about IE.
Alert a moderator
gavmeister
January 19th 2010
8. hmmm yeah really believable corporate drivel from MS. nice one. unfortunately the non-computer literate masses will believe this, only "power users" can detect the drivelly shouting of Ballmer's "team" for what it is. interesting they don't mention Chrome. That'll be because it is a million times safer, faster and better than either IE or Firefox. "hmmm nobody mention it, hopefully people won't notice/remember".
Alert a moderator
nia
January 19th 2010
7. ********* = *********
Alert a moderator
nia
January 19th 2010
6. I really like this...
IE is the ********* product ever made , a totally discount developed browser with one serious flaw after thee other...
Alert a moderator
serendipity
January 18th 2010
5. @mobius
Nice to see an informed comment. Makes a nice change from usual dross churned out by the anti MS brigade.
Alert a moderator
tech89
January 18th 2010
4. Microsoft should abandon IE. Microsoft should concentrate on ways to stop keyloggers from running on windows. They do more damage to people than a slightly dodgy browser.
All browsers have some security issues, but in the end it depends on how sharp the person using the browser is. It's silly decisions in opening up a bad email or visiting a dodgy website that gets most people in trouble.
Alert a moderator
mobius
January 18th 2010
3. @healeydave conformance is not synonymous with better though. Also just because something officially conforms it doesn't mean that it actually necessarily works with another conforming product. Don't get too hung up about the ins and outs of HTML ratification.
Also it depends on what you mean by "HTML standards"; HTML 4.01, XHTML 1, HTML 5, CSS 1, 2 or 3 etc etc. I don't think I've ever come across any web page or site that conforms to all the W3C standards (except maybe the acidtest itself) and all of the browsers still hold onto deprecated tags etc and don't fully implement the upcoming standards.
Alert a moderator
healeydave
January 18th 2010
2. Hahahaha, Typical Microsoft, What else would you expect the head of security at Microsoft to say!!
Expect a siginificant increase in "Save our ***" pubilicity from the Microsoft spin doctors in the next few weeks as IE's market share has a healthy erosion going on at the moment.
I am one of those that is enjoying this, not because its anti Microsoft or anything but because there are far too many LAZY companies out there whose website conform to "IE standards" rather than what they should be doing and conforming to the official Internet HTML standards!!
Hopefully this might kick their IT departments right up the backside and make them move with the times.
Alert a moderator
richmurrills
January 18th 2010
1. "If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.
That's the funniest thing I've read in ages. :D
Alert a moderator
Tell us what you think
You need to Log in or register to post comments