The German government in January 2013 advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.
The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for the “Operation Aurora” hacker attacks on Google and other US companies last week.
The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.
Here is a rough translation (courtesy of Google Translate) of the BSI statement:
Critical vulnerability in Internet Explorer
BSI recommends the temporary use of an alternative browser
In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.
Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.
Although running Internet Explorer in "protected mode" as well as disabling Acitve Scripting does make it more difficult to attack, it can not completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.
Once the vulnerability has been closed, the BSI on its warning and information service BÃ¼rger-CERT also informed. Keep informed about the Civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.
The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.
At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.
Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.
With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.
Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.
You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.
With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.