In case you missed it, things are not good right now for Microsoft. French and German governmental authorities are advising their citizens to switch from Internet Explorer to another browser for security reasons. What would you do if you’re selling a Microsoft (or any other company’s) product that requires Internet Explorer?
This is all linked to a McAfee report about the recent cyber assault on Google and around 20 other major technology companies. It specifically implicates a critical flaw in all versions of IE that allows hackers to “perform reconnaissance and gain complete control over the compromised system.”
The January 14 report begins by stating that McAfee discovered a previously unknown vulnerability in Internet Explorer. Here’s McAfee’s explanation:
“As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer. Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.”
As of today (January 19, 2010) McAfee’s home page is emblazoned with a large graphic: OPERATION AURORA “How to respond to the recent Microsoft Internet Explorer Vulnerability”. ‘Aurora’ was supposedly the code name used by the hackers.
January 15: The German Reaction. In a statement issued on January 15, the German Federal Office for Security in Information Technology (known as BSI) recommends that all Internet Explorer users switch to an alternative browser. According to the statement from BSI, even running Internet Explorer in “protected” mode is not enough to prevent a hacker from exploiting this security flaw.
January 15: The French Reaction. An advisory note headed Vulnérabilité dans Microsoft Internet Explorer from the French governmental agency CERTA (Centre d’Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques) carried a similar message. Roughly translated, it says: “Pending a patch from the publisher, CERT recommends using an alternative browser. CERT said it is also strongly advised to browse the Internet with a user account with limited rights and the disabling of interpretation of dynamic code (JavaScript, ActiveX, …).”
January 18: @Mashable, a highly influential blogger and Twitter exponent, posted a blog post entitled “5 More reasons why IE6 Must Die”. Within 10 hours there were 1680 retweets, 495 diggs, and numerous derogatory comments.
January 19: The Microsoft Response: I’m not sure if this is the official line or not (I hope not) but, in an interview with Techradar, Microsoft’s UK security chief Cliff Evans plays down the impact, and says that moving to other browsers is more dangerous. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.” … “I’m not aware that the vulnerability exists in other products,” says Evans, “But those products may have other vulnerabilities.”
Oh dear.
Dealing with a PR disaster like this can be very tricky. So what would you do if you were a Microsoft salesperson selling (say) Microsoft Live Meeting? Or what would you do if you were working for Webex?