France, Germany Say Stop Using Internet Explorer 6

IT security organizations for both countries on Friday cited the attacks against Google and 33 other organizations as the reason.
December's "Operation Aurora" cyber attack from China, which Google disclosed last week, has prompted French and German information security organizations to recommend against the use of Internet Explorer 6, at least until a patch is released to address the vulnerability.

The attack, which resulted in the loss of intellectual property belonging to Google and perhaps to other companies, leveraged an Internet Explorer vulnerability.

Mike Reavy, Microsoft's director of security response, said on Thursday that the Internet Explorer flaw was "one of several attack mechanisms that were used."

The warning comes at a bad time for Microsoft, which has been hoping that Windows 7 adoption will reverse Internet Explorer's ongoing loss of market share. According to NetApplications, Internet Explorer's global market share declined 11 out of 12 months in 2009.

France's CERTA and Germany's BSI each cite Internet Explorer 6, 7, and 8 in their warnings and also advise that users disable JavaScript, a recommendation sometimes put forth by US-CERT after significant browser vulnerabilities are revealed. Disabling JavaScript can hinder the operation of many Web sites, or render them inaccessible.

Asked about the French and German recommendations, a Microsoft spokesperson provided the following statement: "In regards to the recent Internet Explorer vulnerability, we have not seen successful attacks on Internet Explorer 8. As such, Microsoft continues to recommend customers upgrade to Internet Explorer 8 to benefit from its improved security protections."

The company also said that it had not seen successful attacks on Internet Explorer 7. But it warned that there have been reports of proof-of-concept code that exploits the vulnerability in Internet Explorer 7 on Windows XP and Vista. Microsoft said it was investigating these claims.

McAfee on Friday said that it had seen exploit code published on mailing lists and at least one Web site.

Websense, a computer security company, on Monday confirmed the Internet Explorer 7 is vulnerable in its default configuration while Internet Explorer 8 is not. Due to the fact that the vulnerability can be used in a drive-by download attack -- an attack triggered by visiting a malicious Web site or opening a specially-crafted e-mail message -- the company predicts that it will be exploited on a large scale.

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
John Edwards, Technology Journalist & Author
John Edwards, Technology Journalist & Author
James M. Connolly, Contributing Editor and Writer