January 19, 2010

I had just finished opening an account at the local bank late last week when I happened to catch a glimpse of the bank manager’s computer screen: He had about 20 Web browser windows open, and it was hard to ignore the fact that he was using Internet Explorer 6 to surf the Web.

For more than a second I paused, and considered asking for my deposit back.

“Whoa,” I said. “Are you really still using IE6?”

“Yeah,” the guy grinned sheepishly, shaking his head. “We’re supposed to get new computers soon, but I dunno, that’s been a long time coming.”

“Wow. That’s nuts,” I said. “You’ve heard about this latest attack on IE, right?”

I might as well have asked him about the airspeed velocity of an African Swallow. Dude just shook his head, and so did I.

Well, you can’t really blame the poor guy for not knowing. Just hours before, Microsoft Chief Executive Steve Ballmer looked a bit like a deer in headlights when, standing in front of the White House in a planned CNBC interview on how the Obama administration is looking to use technology to streamline its operations, he was suddenly asked about a report just released from McAfee effectively blaming a slew of recent cyber break-ins at Google, Adobe and more than 30 top other Silicon Valley firms on a previously unknown flaw in IE.

“Cyber attacks and occasional vulnerabilities are a way of life,” Ballmer said. “If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”

Microsoft has of course since acknowledged that a critical, unpatched security flaw indeed exists and is being exploited in targeted attacks. The software giant says it has only observed the now-public exploit code working against IE6, and that IE users should upgrade to the latest version IE8, which Microsoft says is much better insulated from the current batch of exploits.

Redmond typically releases software updates on the second Tuesday of each month (a.k.a. “Patch Tuesday), but the company said in this case customers may not have to wait until Feb. 9 for a patch for this security hole. Microsoft is eager to assure everyone that the attacks observed so far are only successful against IE6, and that in any event they have not been widespread.

Meanwhile, researchers continue to test that claim. Researcher Dino Dai Zovi Tweeted Monday that he had modified the existing exploit so that it worked on IE7, with the caveat that on Microsoft Vista systems it would only allow an attacker read access to the victim’s files (as opposed to full privileges to delete or modify system files).

In a sign that we may very soon start to see a number of hacked and malicious Web sites leveraging this flaw to install unwanted software, security firm Websense warned that it had spotted a Web site that was exploiting the IE vulnerability.

Microsoft’s assurances have not been enough for some. The governments of France and Germany have urged people to stop using Internet Explorer (Update, 1:16 p.m: The Australian government just issued a similar warning). For its part, the U.S. government is expected to issue a demarche to the Chinese government, looking for an explanation of the attacks against Google and others, which experts have described as a sophisticated and targeted attempts to steal trade industry secrets, as well as information about Chinese dissident groups.

At least one top Chinese computer security firm is urging consumers there not to wait for Microsoft’s patch, but to instead install an unofficial, stop gap fix (rough, Google translation). No doubt, if the wait drags on for an update from Microsoft, we will see the same offers from U.S. security firms and experts.

There are, of course, alternatives to IE. But then again, I’m preaching to the choir. Most of my readers already use another browser, according to the latest visitor stats for krebsonsecurity.com, compliments of Google Analytics. Here’s how my visitors break down:

Looks like krebsonsecurity.com does have some IE6 users (and at least one IE5! user). Nearly 14 percent of the visitors browsing this site with IE are using IE6:  Here’s the visitor breakdown by IE version:

If you do want to keep browsing with IE (or, work at an organization like my bank which apparently doesn’t have much choice in the matter), Microsoft has some tips here on ways to leverage additional protections both in Windows and in newer IE versions.

56 thoughts on “Revisiting the Internet Explorer Security Bug

  1. Don Doofus

    I blame Siebel/Oracle for IE6 still being used at corporations. Why does a company buy enterprise software that relies on ActiveX and is very difficult to upgrade? Oh yeah, its the big O’s salespeople.
    Does Microsoft’s CRM rely on ActiveX?

  2. Mark Ratledge

    Late to the discussion here, but when recently looking at my web server logs, I noticed one IE6 user’s domain in particular: The Department of State. I’ve heard say that many branches of the Federal Goverment still use IE6, and now I believe it.

  3. Gedicht

    Hello from Germany! May i quote a post a translated part of your blog with a link to you? I’ve tried to contact you for the topic Revisiting the Internet Explorer Security Bug — Krebs on Security, but i got no answer, please reply when you have a moment, thanks, Gedicht

    1. BrianKrebs Post author

      Sure. You can quote me. If you’d like to reach me directly, why not use the contact form on the Web site? or email me directly at krebsonsecurity at gmail dot com.

  4. Miss Andrea borman

    I could not believe it when I first read about the British government workers in civil service using Internet Exploer6 IE6 for short. Nobody uses that anymore not even most of the worst Internet cafes who do not maintain their computers. True,because Windows 7 is very new only a year old,it came out in early 2009. Most public computers still have Windows Vista or windows Xp. And I even came accross some netbook latops bieng sold with Windows Xp and Vista in one of the stores! But even they had IE8 pre-installed not IE6 and Internet cafes still using windows Xp and windows Vista have IE8 installed on them too. so why are banks and government workers still using IE6 it is a wonder they can get any work done in such an old and terrible browser. I remeber using Ie6 in an Internet cafe in 2007 it was slow,backword and sites on the web looked terible and crshed and i could not do anything with IE6.But that was before I got my own laptop and found out about Flock and Firefox. And even back then in 2007 they had those 2 wonderful browsers and many others you could use as an alternative to IE. I do not understand why the government does not just update to IE8 or 9 and they do not have to upgrade to Windows 7 yet. As both Windows Xp and Vista is still supported but IE6 and 7 is NOT anymore. It costs no money at all to upgrade to IE8 or IE9 the new IE that Microsoft wants everyone to have now in september 2010.( IE9 came out 2 weeks ago)As for their excuse that their desktop apps will break if they upgrade I bet most of those apps are old editions that are no longer supported now either. Any person who knows about computers should update their software when they have to. And the government workers and others are putting the publics personal data and their system at risk of viruses and PC hacking if they continue to use IE6 or 7. And if they dont know this they should not be sitting behind a computer.

Comments are closed.