France and Germany have already told their citizens to avoid Microsoft's Internet Explorer because of a critical hole in the browser, so what does the British government think? The problem emerged late last week and both governments reacted with a simple warning - use another browser until this is fixed. Three days later and …
I don't think it's the job of government to say which internet browser people should or shouldn't use. Businesses can assess their own risks surely and individuals can make up their own mind.
Perhaps for business users, but since most local and central government employees still use IE6, they should at least be telling agencies to upgrade to IE8.
There is a good case for the government deciding which internet browser the government should use.
And a reasonable case for them not using that one!
If you have to have IE for intranet, fine - just use another browser when surfing the wilderness. How hard can it be? For myself, I never touch the stuff.
Those of you still wedded to MS can always un-install IE . . . . . .oh dear.
I know it's the government's duty to "defend the realm", but I believe this responsibility stops short of telling its citizens which web browser to use.
They aren't called the nanny state for nothing.
But, hey, it makes perfect sense. They are obliged to remain silent for telling people not to use MSIE would be akin to giving useful advice. That can't be allowed to happen.
What we need ...
Is a proactive and effective capability to respond to cyber attacks.
IE is more secure than Firefox these days. So when selecting your alternative browser, make sure it's actually a step UP from internet explorer, not a step DOWN....
Define "more secure"
because I think your statement is pure bollocks. For a start you aren't referencing versions, so you are effectively claiming that IE6 is more secure than Ff 3.5, which is laughable. Even assuming you are talking about IE8, "more secure" is a completely subjective concept, given that security depends on architecture, deployed platform, scripting, usage, speed to fix problems, etc. etc.
IE is a perfectly secure browser on a machine which is not connected to a network - I'll give you that.
So define "more secure", and stop just regurgitating marketing-speak.
...and where did you pick that from? Or did you confuse bug count with security?
And that you have to determine which bugs affect security and what the severity of that effect is.
And don't forget that FF/Moz publicly declare bugs and MS does not.
In fact, just using different browsers (Konqueror, Safari, Chrome, Opera etc) will reduce the possibility of an attack being successful as it is much harder to have an attack that can hit multiple nodes in a heterogeneous environment. So long as intranet applications are coded to the standards then it will not matter what browser an end-user may have.
If, however, you have been a moron and spec'd/coded to some proprietary format; then you deserve everything you get.
And being government departments they will get pwned, and pwned hard. Just like last time(s).
Given that I tend to agree with your sentiments,
> "more secure" is a completely subjective concept
seems to imply that the OP's opinion is just as valid as yours.
Re: Just remember
Hmm, while I'd agree that the IE team have made good progress in security, I think (and others seem to say the same) that FF is easy to 'secure' with AdBlock+, NoScript, etc, and the resulting browser is therefore 'better' than IE8 (even with the kind of securing that Joe/Jane Public can do). So I for one would like to hear what metrics you use for those claims of IE's superiority.
I'm also curious as to why, having pimped IE, you feel it necessary to put a URL for Opera in there.
As to the main story - yes, I too keep coming across folks with IE6, where their IT dept has prevented them going to something a little less archaeological. Personally, I can't see any problem with the government issuing an advice along the lines of "if you're using a pre-v8 version of IE at home then you really should upgrade" ... whether that is to IE8 or FF3.x I leave to others to argue.
I assume that the Dept of BIS will have to wait until TDL has done some more schmoozing and been told what to think. So expect a bulletin along the lines of "Using any other browser than IE8 will cause the banks to lose all your money [again!] and your children to be made homeless and destitute." ;-)
"In fact, just using different browsers (Konqueror, Safari, Chrome, Opera etc) will reduce the possibility of an attack being successful"
Statistics would say otherwise. More browsers means more chance of getting attacked. For if there is a hack that exploits a weakness in Opera and you're using Chrome, not a problem. But if you are using Chrome at that point, could well be a problem.
You only need to have one successful attack to make all the other effort worthless. So, indeed, pick your browser carefully.
You appear to say Microsoft does not publicly declare bugs like this is a good thing. Firstly the bugs declared are the KNOWN bugs; and secondly this problem partially affected IE8 (crashed but was not compromised) and goes back forever, except for one specific version of IE5. It might be worth wondering "was this known about?" and if it could have been fixed in the intervening years (IE6 hails from 2001!).
Right so the vulnerability only occurs in older versions of the browser running on an old version of the OS. Upgrading your OS costs money, but upgrading your browser costs nothing.
So it would make more sense to advise users to upgrade to IE8 than it would to change browsers. It would certainly make more sense. The majority of computer users would be terrified by the idea of changing browsers, but an upgrade would frighten them less. It's also easier to give instructions to upgrade to IE8. Go to this URL, click this link. The problem with giving instructions to install a new browser is that governments will have to give instructions for every alternative browser in order to avoid claims of bias. Probably in a random order as well.
In this case Microsoft are actually victims of their own touchy feely-ness. You don't see Mozilla supporting old versions of their browser, Microsoft continue to support IE7 and IE6 and it creates problems for them. Of course if they did a Mozilla and refused to support old versions of the browser their detractors would be down on them like a ton of bricks.
Rock - Microsoft - Hard place.
All versions of Browser and OS still vulnerable...
"Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable"
If you read on, DEP, protected mode, restricted zones only help; they do not completely prevent the exploit.
Fail, because it affects 3 browsers and 7 versions of their operating systems.
their own fault
It is Microsoft's own fault that people are stuck with IE6. They did intentionally build a non standard browser and companies that relied on it for their own applications have gotten stuck with it.
IE8 as well
Actually IE8 is vulnerable as well, even on Windows 7; http://rss.slashdot.org/~r/Slashdot/slashdot/~3/6n0U6p854o8/Microsoft-Says-Upgrade-To-IE8-Even-Though-Its-Vulnerable
dumb wins again
If people had /listened/ when we told them that IE was not standard compliant, and they should stick to Opera or nutscrape/italian cheese, all the clever clogs in industry would not have written code that only runs on IE
Re: dumb wins again
Bob, you and the rest of your gang need to learn from (ironically,) marketing people. If you want people to take you seriously and actually listen to you, things to avoid are calling them dumb/Joe Sixpack/<insert FF fan insult here> and gloating when these sorts of things happen. They'll just write you off as an arrogant tosser and disregard you. It's not a difficult idea to get your head around. Since one of the arguments that you guys use is how hijacked computers cause problems for you Internet High IQ guys, you'd be doing yourself a favour by taking a more mature approach. Not that you'll listen, of course. Because nobody who hates IE can ever see they're doing something wrong, much less admit it and try something else. Still, I suppose your relatives who know nothing about computers and have been "migrated" by you and some IT managers are impressed. Not much use when supplying references to back up your rants though, huh?
I think the French and German governments are setting a very dangerous precedent in issuing this warning. What happens if, at some time in the future, a lot of users get their PCs pwned because of a security hole in their chosen browser? They blame the government because they didn't warn them. And why stop at browsers, surely the same applies to all computer software?
Before they know it those governments will have to set up full blown IT security advisory bodies in order to avoid getting sued by every computer user who gets their machine pwned.
Dangerous precedent. Eh?
So saying that there is a problem now is dangerous because there might be a different problem in the future?
Perhaps this is why neither government has said "use FF" (for example) but have said use an alternative.
Dangerous precedent already exists
So, you mean that the campaigns against AIDS, SARS, swine-A-H1N1-flu or the dangers of drunk driving mean that I can sue the gub'mint if I fall down the stairs and break my ankle?
I don't understand why this post has received thumbs up. Neither government has told its people what to use (exact quote in French "Le CERTA recommande l'utilisation d'un navigateur alternatif."), it has only told them what NOT to use. Given that the software is both vulnerable and as-yet-unfixed _and_ the attack code has been released, it makes sense for the governments to attempt to avoid a potential widescale crisis. Such a thing might never happen, but then again it just might. The original attack seemed to me to be very targeted. Now with the method known, the next round of attacks could be irresponsible idiots doing it "for a laugh" or personal vendettas, or whatever screwed up reason sounds vaguely convincing to their inner moppet.
French security alert here: http://www.certa.ssi.gouv.fr/site/CERTA-2010-ALE-001/index.html
Upgrading from IE6? I wish!!
I really wish corporations WOULD upgrade from IE6 then we wouldn't have to support the bastard anymore. However some organisations have company policies that mandate IE6 as they have old web apps that only work on IE6 ffs!! I really really wish we could stop supporting IE6...
The truth is...
The UK government is technically incompetent. I have always suspected this when government contracts are constantly awarded to fuck up merchants like EDS and BT, topped by the NHS £13 billion fiasco.
I suspect the German and French ministers in charge of technology are more IT savvy, or at least listen to their support teams while the technophobic UK population has an equally technophobic minister in charge who does not know his bit from his byte. Hence the silence - when in doubt, keep mouth shut and hope it all goes away.
Proof the British public are technophobes? Look at the queues at filling stations - the pay-at-pump queue is nearly always empty while the pay-at-kiosk queues are through the door. Same for the M6 Toll booths - you can always zoom through pay-by-card lanes!
As for responding to cyber attacks, we'll just have to rely on the Americans, won't we?
"Proof the British public are technophobes? Look at the queues at filling stations - the pay-at-pump queue is nearly always empty while the pay-at-kiosk queues are through the door."
Sorry, didn't realise the petrol pump could dispense chewing gum ... :-)
I suppose that ...
... technically it is true. I think at least some ministers have degrees and maybe even doctorates but whether in computer science or some other IT related discipline is unknown to me.
However! (there always is a However! yes?) Governments (in the UK that scope covers local, regional, national and UK levels) tend to outsource advice from consultants, interested parties, QUANGOs, ... focus groups, ... with the job of government really being governance related and the job of effecting or making policy manifest being the job of contracted parties.
The civil service feature highly in the sense that they tend to be the ones preparing the reports, information, shortlisting options and contractors. Basically the background details are prepared by employees and not by elected representatives. Elected representatives then act on (or should act on) current information provided to them and add a dash of party politics into the decision reaching process.
It's a point of order really.
Basis: Government signs the cheques based on decisions made by a process of decision reaching?
Even worse than I thought
So if by having a strong lobby of these "consultation" groups, such said groups could in fact run or go a long way to running the country? Therefore if some Evil Empire populated these said groups with infiltrators... the consequences are unthinkable!
No wonder we are in the mess that we are in. What's worse than a weak government? An ignorant government. Time to emigrate. This country has had it.
HMG says "No!"
Because they use it to spy on you all.
So Cameron WAS right?
Since the Labour government has involved itself in almost every aspect of life in Britain, except *maybe* the bedroom, and given their proclamation they are spending BIG pounds on defending 'cyberspace' by IGNORING such a vulnerability as this - given that MS claims 60%+ of browser use - it proves that Cameron was right.
Labour is all talk and no action.
Germany and France are demonstrating responsibility. Obviously Microsoft doesn't give a pile of camel sh*t about its products, so long as they make money.
...will just airbrush problems out of existence I suppose.
I yearn for the days when politicians had to regularly stand in front of a cynical crowd and give a meaningful and congruent series of sentences over a time period of longer than 15 seconds. The days when an orator had to persuade by having command of the subject and the wits to construct arguments on the fly, or else suffer the 'Glasgow Empire' effect.
Sorry, I tried to insert the word 'Cameron' in the paragraph above, but it just wouldn't stay there. Brown and all the others likewise.
Open-Source is Inherently More Secure than Closed-Source
The government should recommend open-source software due to the fact that it is inherently more secure than closed-source alternatives.
The security of MS Windows and Internet Explorer is entirely dependent on Microsoft keeping the source code ("blueprints") secret and reacting quickly to fix holes that are discovered and exploitable. Yet still, months or years after the software is released and in widespread mission-critical use by business and government, security holes will be discovered by poking the software from the outside, even without knowing the internal details.
Whereas the source code of open-source operating systems and browsers is released for anyone to see. The "blueprints" are published and viewable by the world. Thousands of developers around the globe can study the internal details of the software. Thousands of eyes are looking for and communicating any potential security implications in the design or implementation.
Most of the "security vulnerabilities" reported and fixed in Firefox were discovered by looking at the source code and most had no actual exploit/attack vector. Compare that with IE where all of the security vulnerabilities were discovered from the outside and have current real exploit mechanisms and are actively being used in attacks.
Open-source is the only way forward. Proprietary closed-source software will always be dangerous.
Same old theory
care to point out the evidence for such statements about firefox bugs being mainly found from looking at the code?
It's not just Government departments that are stuck in the dark days of IE6.
In the NHS trust I work for, the clinical staff are stuck with IE6 in order to maintain compatibility with third party developed web based applications. It'll take those companies pulling their digit out of their posteriors in order to update these clinical applications for us to roll out a browser version update to all machines. As usual it's all down to money, so it'll take more than just the Government advising us not to use IE6 in order to resolve the problem, especially as the trust I work for is millions in debt. It needs a good old fashioned injection of money and I can't see that miraculously appearing so close to an election.
mystery to me
... that the NHS allowed them to write non-standards-compliant code and still paid them, and is even dreaming of paying them again to put it right. It should take all its previous suppliers to court if they won't do now what they should have done then - and FOC.
Re: mystery to me
Of course, if the app is doing what it should and the requirements didn't specify running on other browsers/versions or standards compliance, your argument for legal action is pretty naive.
Stiff upper lip...
and damn the viruses and keyloggers.
a glass of gear?
Eh, MarkOne? You sound suspiciously like a Microsoft shill with that unqualified and meaningless scattergun assertion.
Quote "Internet Explorer is the default browser on government computers."
Unsurprising as well. But let us hope they at least run IE8 and that browser, OS and apps are kept fully patched. Let us also hope that staff are given basic security instruction. Little chance of any of that though - for some reason the civil service still doesn't seem to 'get' IT.
Do you really think HMG would tell you how to secure your PC against government sponsored intrusion?
After all, there's part 3 of RIPA to consider. Having our PCs insecure would help save the planet by cutting down on the warrants required....
It's not the government's job
To tell us what web browser to use,
Bearing in mind their appalling track record with security they don't care anyway.
...but they should tell their own staff...
Since (and I quote):
"Internet Explorer is the default browser on government computers."
it would surely be incumbent on a competent government department to advise its own to be as secure as possible?
I recognise of course that the expression "competent government" is rather an oxymoron, but I am trying to be as generous as I can. We have essentially the same difficulty Down Under - such animals are as rare here as the Bunyip.
my innernet browser ...
.. just advised me to replace the current government for fears that it is not very secure!
Do I clixz YES or NO or REMIND ME LATER ?
Re: Dangerous Precedent
Personally I don't see it as being an issue. They've made a suggestion to users, it's up to them to follow it.
Obligatory car analogy: While driving I come across an "Accident ahead" sign just before a blind corner, can I assume that every blind corner I will come across in the future is guaranteed to be accident free by the police? Unfortunately, the majority of this country probably think this way: it really shows how the UK have turned into the "slow learners" of Europe.
In this case, I'd assume the Government doesn't want to insult their best friends in industry.
Cheaper than a CD or Memory Stick
Not to mention the train fare. Now the government can distribute sensitive information in a much cheaper manner than ever before.
People should not be afraid of their governments. Governments should be afraid of their people.
Many years ago the internet was a joy.
Now many fear to tread. Why? Because we all fear chaos.
The internet has now become chaotic. It is out of control.
What does this mean?
It means that now we have given the powers that be the right to enforce control.
We have given up our right to privacy. The powers that be will say that they are making the internet audit-able for our own safety. Every transaction, every packet of data will have to be validated and verified to ensure security.
We have lost our freedom and now there is no way to get it back.
The whole planet now suffers from this invasion of our privacy, they use these security issues as an excuse to undermine our rights.
Remember V for Vendetta 2005
People should not be afraid of their governments. Governments should be afraid of their people.
As with everything with all UK governments, they won't do anything until there's a major fubar and they have to take action due to public demand.
Standard fare, why bother to preempt problems and disasters when you can get a gold star for handling the obvious fallout after the fact.
I'm in no way a Microsoft shill. Their practices are disgraceful and if they were any other company, illegal (they are untouchable these days). I also broadly support Open Source, however I don't believe that open source makes a more secure browser, as it works both ways, that is only true if you have outsiders reading and fixing code, the reality is, you don't have too many people doing that, you have far more hackers reading the code for exploits.
The only secure browser is Opera, a fine example of closed source development. It has an exceptional track record of security, it's also blisteringly fast, standard compliant and does all the useful Firefox extensions (AdBlock, GreaseMonkey, Bookmark sync) out the box, without needing extensions that compromise security and/or bloat the system.
Lastly, I wonder where Windows7 Browser Choice Update is? Probably a bad time to release it. I suspect Microsoft had to pay some more backhanders to the EU to delay it for the dust to settle...
If you ARE stuck with IE6
If you ARE stuck with IE6 for this legendary stupid-application compatibility requirement, I dunno if you can install IE8 alongside it - and you're liable to be hit anyway. But you can install Firefox, or Opera, or anything else that isn't Internet Explorer underneath - which a lot of "browser" brand names are - and use IE for Stupid-Thing and any non-Microsoft post-9/11 browser for all your other HTML-rendering needs.
Then again, is there scope for an "IE6 Is Stupid But Do It That Way Anyway" Mode in Firefox?
Wikipedia says: "Internet Explorer 5.0, 5.5, 6.0, and 7.0 (Experimental) have also been unofficially ported to the Linux operating system from the project IEs4Linux." Can you do anything useful from that? Say, run Linux on Windows, in a sandbox, and IE6 in a cage inside that?
Or, install a Windows 7 version with support for the Windows XP sandbox and IE6 locked down... uh oh. What this is for, is getting people to buy Windows 7.
Re: If you ARE stuck with IE6
"But you can install Firefox, or Opera, or anything else that isn't Internet Explorer underneath - which a lot of "browser" brand names are - and use IE for Stupid-Thing and any non-Microsoft post-9/11 browser for all your other HTML-rendering needs."
A reasonable suggestion. Are you new here?