Why?
I don't think it's the job of government to say which internet browser people should or shouldn't use. Businesses can assess their own risks surely and individuals can make up their own mind.
France and Germany have already told their citizens to avoid Microsoft's Internet Explorer because of a critical hole in the browser, so what does the British government think? The problem emerged late last week and both governments reacted with a simple warning - use another browser until this is fixed. Three days later and …
because I think your statement is pure bollocks. For a start you aren't referencing versions, so you are effectively claiming that IE6 is more secure than Ff 3.5, which is laughable. Even assuming you are talking about IE8, "more secure" is a completely subjective concept, given that security depends on architecture, deployed platform, scripting, usage, speed to fix problems, etc. etc.
IE is a perfectly secure browser on a machine which is not connected to a network - I'll give you that.
So define "more secure", and stop just regurgitating marketing-speak.
...and where did you pick that from? Or did you confuse bug count with security?
And that you have to determine which bugs affect security and what the severity of that effect is.
And don't forget that FF/Moz publicly declare bugs and MS does not.
In fact, just using different browsers (Konqueror, Safari, Chrome, Opera etc) will reduce the possibility of an attack being successful as it is much harder to have an attack that can hit multiple nodes in a heterogeneous environment. So long as intranet applications are coded to the standards then it will not matter what browser an end-user may have.
If, however, you have been a moron and spec'd/coded to some proprietary format; then you deserve everything you get.
And being government departments they will get pwned, and pwned hard. Just like last time(s).
"In fact, just using different browsers (Konqueror, Safari, Chrome, Opera etc) will reduce the possibility of an attack being successful"
Statistics would say otherwise. More browsers means more chance of getting attacked. For if there is a hack that exploits a weakness in Opera and you're using Chrome, not a problem. But if you are using Chrome at that point, could well be a problem.
You only need to have one successful attack to make all the other effort worthless. So, indeed, pick your browser carefully.
You appear to say Microsoft does not publicly declare bugs like this is a good thing. Firstly the bugs declared are the KNOWN bugs; and secondly this problem partially affected IE8 (crashed but was not compromised) and goes back forever, except for one specific version of IE5. It might be worth wondering "was this known about?" and if it could have been fixed in the intervening years (IE6 hails from 2001!).
Hmm, while I'd agree that the IE team have made good progress in security, I think (and others seem to say the same) that FF is easy to 'secure' with AdBlock+, NoScript, etc, and the resulting browser is therefore 'better' than IE8 (even with the kind of securing that Joe/Jane Public can do). So I for one would like to hear what metrics you use for those claims of IE's superiority.
I'm also curious as to why, having pimped IE, you feel it necessary to put a URL for Opera in there.
As to the main story - yes, I too keep coming across folks with IE6, where their IT dept has prevented them going to something a little less archaeological. Personally, I can't see any problem with the government issuing an advice along the lines of "if you're using a pre-v8 version of IE at home then you really should upgrade" ... whether that is to IE8 or FF3.x I leave to others to argue.
I assume that the Dept of BIS will have to wait until TDL has done some more schmoozing and been told what to think. So expect a bulletin along the lines of "Using any other browser than IE8 will cause the banks to lose all your money [again!] and your children to be made homeless and destitute." ;-)
Right so the vulnerability only occurs in older versions of the browser running on an old version of the OS. Upgrading your OS costs money, but upgrading your browser costs nothing.
So it would make more sense to advise users to upgrade to IE8 than it would to change browsers. It would certainly make more sense. The majority of computer users would be terrified by the idea of changing browsers, but an upgrade would frighten them less. It's also easier to give instructions to upgrade to IE8. Go to this URL, click this link. The problem with giving instructions to install a new browser is that governments will have to give instructions for every alternative browser in order to avoid claims of bias. Probably in a random order as well.
In this case Microsoft are actually victims of their own touchy feely-ness. You don't see Mozilla supporting old versions of their browser, Microsoft continue to support IE7 and IE6 and it creates problems for them. Of course if they did a Mozilla and refused to support old versions of the browser their detractors would be down on them like a ton of bricks.
Rock - Microsoft - Hard place.
http://www.microsoft.com/technet/security/advisory/979352.mspx
"Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable"
If you read on, DEP, protected mode, restricted zones only help; they do not completely prevent the exploit.
Fail, because it affects 3 browsers and 7 versions of their operating systems.
Bob, you and the rest of your gang need to learn from (ironically,) marketing people. If you want people to take you seriously and actually listen to you, things to avoid are calling them dumb/Joe Sixpack/<insert FF fan insult here> and gloating when these sorts of things happen. They'll just write you off as an arrogant tosser and disregard you. It's not a difficult idea to get your head around. Since one of the arguments that you guys use is how hijacked computers cause problems for you Internet High IQ guys, you'd be doing yourself a favour by taking a more mature approach. Not that you'll listen, of course. Because nobody who hates IE can ever see they're doing something wrong, much less admit it and try something else. Still, I suppose your relatives who know nothing about computers and have been "migrated" by you and some IT managers are impressed. Not much use when supplying references to back up your rants though, huh?
I think the French and German governments are setting a very dangerous precedent in issuing this warning. What happens if, at some time in the future, a lot of users get their PCs pwned because of a security hole in their chosen browser? They blame the government because they didn't warn them. And why stop at browsers, surely the same applies to all computer software?
Before they know it those governments will have to set up full blown IT security advisory bodies in order to avoid getting sued by every computer user who gets their machine pwned.
I don't understand why this post has received thumbs up. Neither government has told its people what to use (exact quote in French "Le CERTA recommande l'utilisation d'un navigateur alternatif."), it has only told them what NOT to use. Given that the software is both vulnerable and as-yet-unfixed _and_ the attack code has been released, it makes sense for the governments to attempt to avoid a potential widescale crisis. Such a thing might never happen, but then again it just might. The original attack seemed to me to be very targeted. Now with the method known, the next round of attacks could be irresponsible idiots doing it "for a laugh" or personal vendettas, or whatever screwed up reason sounds vaguely convincing to their inner moppet.
French security alert here: http://www.certa.ssi.gouv.fr/site/CERTA-2010-ALE-001/index.html
I really wish corporations WOULD upgrade from IE6 then we wouldn't have to support the bastard anymore. However some organisations have company policies that mandate IE6 as they have old web apps that only work on IE6 ffs!! I really really wish we could stop supporting IE6...
The UK government is technically incompetent. I have always suspected this when government contracts are constantly awarded to fuck up merchants like EDS and BT, topped by the NHS £13 billion fiasco.
I suspect the German and French ministers in charge of technology are more IT savvy, or at least listen to their support teams while the technophobic UK population has an equally technophobic minister in charge who does not know his bit from his byte. Hence the silence - when in doubt, keep mouth shut and hope it all goes away.
Proof the British public are technophobes? Look at the queues at filling stations - the pay-at-pump queue is nearly always empty while the pay-at-kiosk queues are through the door. Same for the M6 Toll booths - you can always zoom through pay-by-card lanes!
As for responding to cyber attacks, we'll just have to rely on the Americans, won't we?
... technically it is true. I think at least some ministers have degrees and maybe even doctorates but whether in computer science or some other IT related discipline is unknown to me.
However! (there always is a However! yes?) Governments (in the UK that scope covers local, regional, national and UK levels) tend to outsource advice from consultants, interested parties, QUANGOs, ... focus groups, ... with the job of government really being governance related and the job of effecting or making policy manifest being the job of contracted parties.
The civil service feature highly in sense that they tend to be the ones preparing the reports, information, shortlisting options and contractors. Basically the background details are prepared by employees and not by elected representatives. Elected representatives then act on (or should act on) current information provided to them and add a dash of party politics into the decision reaching process.
It's a point of order really.
Basis: Government signs the cheques based on decisions made by a process of decision reaching?
So if by having a strong lobby of these "consultation" groups, such said groups could in fact run or go a long way to running the country? Therefore if some Evil Empire populated these said groups with infiltrators... the consequences are unthinkable!
No wonder we are in the mess that we are in. What's worse than a weak government? An ignorant government. Time to emigrate. This country has had it.
Since the Labour government has involved itself in almost every aspect of life in Britain, except *maybe* the bedroom, and given their proclamation they are spending BIG pounds on defending 'cyberspace' by IGNORING such a vulnerability as this - given that MS claims 60%+ of browser use - it proves that Cameron was right.
Labour is all talk and no action.
Germany and France are demonstrating responsibility. Obviously Microsoft doesn't give a pile of camel sh*t about its products, so long as they make money.
...will just airbrush problems out of existence I suppose.
I yearn for the days when politicians had to regularly stand in front of a cynical crowd and give a meaningful and congruent series of sentences over a time period of longer than 15 seconds. The days when an orator had to persuade by having command of the subject and the wits to construct arguments on the fly, or else suffer the 'Glasgow Empire' effect.
Sorry, I tried to insert the word 'Cameron' in the paragraph above, but it just wouldn't stay there. Brown and all the others likewise.
The government should recommend open-source software due to the fact that it is inherently more secure than closed-source alternatives.
The security of MS Windows and Internet Explorer is entirely dependent on Microsoft keeping the source code ("blueprints") secret and reacting quickly to fix holes that are discovered and exploitable. Yet still, months or years after the software is released and in widespread mission-critical use by business and government, security holes will be discovered by poking the software from the outside, even without knowing the internal details.
Whereas the source code of open-source operating systems and browsers is released for anyone to see. The "blueprints" are published and viewable by the world. Thousands of developers around the globe can study the internal details of the software. Thousands of eyes are looking for and communicating any potential security implications in the design or implementation.
Most of the "security vulnerabilities" reported and fixed in Firefox were discovered by looking at the source code and most had no actual exploit/attack vector. Compare that with IE where all of the security vulnerabilities were discovered from the outside and have current real exploit mechanisms and are actively being used in attacks.
Open-source is the only way forward. Proprietary closed-source software will always be dangerous.
It's not just Government departments that are stuck in the dark days of IE6.
In the NHS trust I work for, the clinical staff are stuck with IE6 in order to maintain compatibility with third party developed web based applications. It'll take those companies pulling their digit out of their posteriors in order to update these clinical applications for us to roll out a browser version update to all machines. As usual it's all down to money, so it'll take more than just the Government advising us not to use IE6 in order to resolve the problem, especially as the trust I work for is millions in debt. It needs a good old fashioned injection of money and I can't see that miraculously appearing so close to an election.
Eh, MarkOne? You sound suspiciously like a Microsoft shill with that unqualified and meaningless scattergun assertion.
Quote "Internet Explorer is the default browser on government computers."
Unsurprising as well. But let us hope they at least run IE8 and that browser, OS and apps are kept fully patched. Let us also hope that staff are given basic security instruction. Little chance of any of that though - for some reason the civil service still doesn't seem to 'get' IT.
Since (and I quote):
"Internet Explorer is the default browser on government computers."
it would surely be incumbent on a competent government department to advise its own to be as secure as possible?
I recognise of course that the expression "competent government" is rather an oxymoron, but I am trying to be as generous as I can. We have essentially the same difficulty Down Under - such animals are as rare here as the Bunyip.
Personally I don't see it as being an issue. They've made a suggestion to users, it's up to them to follow it.
Obligatory car analogy: While driving I come across an "Accident ahead" sign just before a blind corner, can I assume that every blind corner I will come across in the future is guaranteed to be accident free by the police? Unfortunately, the majority of this country probably think this way: it really shows how the UK have turned into the "slow learners" of Europe.
In this case, I'd assume the Government doesn't want to insult their best friends in industry.
Many years ago the internet was a joy.
Now many fear to tread. Why? Because we all fear chaos.
The internet has now become chaotic. It is out of control.
What does this mean?
It means that now we have given the powers that be the right to enforce control.
We have given up our right to privacy. The powers that be will say that they are making the internet audit-able for our own safety. Every transaction, every packet of data will have to be validated and verified to ensure security.
We have lost our freedom and now there is no way to get it back.
The whole planet now suffers from this invasion of our privacy, they use these security issues as an excuse to undermine our rights.
Remember V for Vendetta 2005
People should not be afraid of their governments. Governments should be afraid of their people.
ADarkGerm
As with everything with all UK governments, they won't do anything until there's a major fubar and they have to take action due to public demand.
Standard fare, why bother to preempt problems and disasters when you can get a gold star for handling the obvious fallout after the fact.
I'm in no way a Microsoft shill. Their practices are disgraceful and if they were any other company, illegal (they are untouchable these days). I also broadly support Open Source, however I don't believe that open source makes a more secure browser, as it works both ways, that is only true if you have outsiders reading and fixing code, the reality is, you don't have too many people doing that, you have far more hackers reading the code for exploits.
The only secure browser is Opera, a fine example of closed source development. It has an exceptional track record of security, it's also blisteringly fast, standards compliant and does all the useful Firefox extensions (AdBlock, GreaseMonkey, Bookmark sync) out the box, without needing extensions that compromise security and/or bloat the system.
Lastly, I wonder where Windows7 Browser Choice Update is? Probably a bad time to release it. I suspect Microsoft had to pay some more backhanders to the EU to delay it for the dust to settle...
If you ARE stuck with IE6 for this legendary stupid-application compatibility requirement, I dunno if you can install IE8 alongside it - and you're liable to be hit anyway. But you can install Firefox, or Opera, or anything else that isn't Internet Explorer underneath - which a lot of "browser" brand names are - and use IE for Stupid-Thing and any non-Microsoft post-9/11 browser for all your other HTML-rendering needs.
Then again, is there scope for an "IE6 Is Stupid But Do It That Way Anyway" Mode in Firefox?
Wikipedia says: "Internet Explorer 5.0, 5.5, 6.0, and 7.0 (Experimental) have also been unofficially ported to the Linux operating system from the project IEs4Linux." Can you do anything useful from that? Say, run Linux on Windows, in a sandbox, and IE6 in a cage inside that?
Or, install a Windows 7 version with support for the Windows XP sandbox and IE6 locked down... uh oh. What this is for, is getting people to buy Windows 7.
"But you can install Firefox, or Opera, or anything else that isn't Internet Explorer underneath - which a lot of "browser" brand names are - and use IE for Stupid-Thing and any non-Microsoft post-9/11 browser for all your other HTML-rendering needs."
A reasonable suggestion. Are you new here?
Then you probably work for a large corporate / government organisation and don't have local admin access rights to your PC, all software being dictated by your IT department.
The reason you ARE stuck with IE6 is because the same IT department screwed up years ago by allowing outside contractors to write business critical applications that only run on IE6
Thought not.
"If enough of them do notice "
Why would they notice? Your average IEtard wouldn't notice his computer falling down the stairs if he lived in a bungalow, let alone whether or not it's been compromised (and it almost certainly has been, if not through this bug then through any one of a thousand others).
Thing is, some government or other says "don't use IE" just about every other month these days. No one cares.
http://www.guardian.co.uk/technology/2008/dec/16/internet
& as we all remember, this was the end of the world back then too. The sky burned blah, blah, blah... can we have a **yawn** icon please. I suggest Bagpuss, he was always yawning too.
Beer, because only beer will see us through....
the guys at microsoft who created IE's for its failings, blame the idiots who thought coupling an internet browser so closely with the OS that a flaw in the browser allows exploits to be run on the OS.
Anyone with 1/2 a brain could see that was going to lead to this sort of disaster. as it has on past occasions.
But hey what do I care
FF/Linux
Or FF/ WinXp depending what I boot to
just do the opposite, that's how bad they have become, they are the anti-ruler by which all cockups are created and measured.
MS is a Merkin company, they do nothing for the British Isles, it is the mark of a traitor to use MS software, so not surprising the UK government uses it.
The UK government is horrendously locked in to IE6, they have all kinds of crufty apps that won't work in other browsers and some won't work in newer versions of IE either.
The government is *supposed* to demand open standards when procuring new technology, but so far this legislation is rather toothless and more IE specific apps are being deployed all the time, further locking them in.
Had they actually demanded from the get-go, they wouldn't be locked in to IE now and would be in a much better situation. They would be free to ditch IE and use other browsers, and would be free to ditch windows (and save the taxpayers a huge amount of money).
"The government is *supposed* to demand open standards when procuring new technology ..."
Do you mean open standards or open source? If the former it doesn't preclude any software, closed or open source. Their use of the term open standards is mainly with regard to sharing information, as far as I can see from their action plan. As for Open Source, it's meant to be given equal consideration and chosen if it provides the best value, not simply demanded. You're representing your personal wishes as government policy. Accusations of incompetence, buttering up corporations or money-wasting are not going to sway things, no matter how loudly the open source community stamps its minority foot and cries foul. Can't please everyone, I'm afraid. Maybe more of you guys should move into government jobs to try to get some influence? No? Thought not - they wouldn't throw enough money at *you* for that, would they?
I don't think he was talking about Open Source. Simply that whatever web applications were built for government departments should render the same on any browser (or even render at all on any browser) which isn't that difficult to achieve as you see it everywhere and almost always this is because open standards were followed in development. Right?
@AC
"Do you mean open standards or open source?"
I think the poster made it quite clear in his actual post when he combined the word "open" with "standards".
At no point did he start waffling on about open source so hardly deserved your response. I assume you must work for Microsoft so I suggest you get back to fixing IE.
that understands computer systems.
Computer Science is responsible for most of the wealth of Western Countries and really is, nowadays, the essence of business, but no representation in Government. And anyone trying to take the role is going to have to prove themselves at the sharp end of Computer Science, which is and always will be, the correct coding of powerful and useful concepts.
Dash it! An afterthought based on rather shaky premise.
Shaky premise
In the US of A a change in government also brings a change or at least allows for a change in administration too yes?
Afterthought based on shaky premise above
In the UK making a political appointment to administration (usually civil or uncivil service) is a strong No No. It is, if by some stretch of the imagination is imagined, then it is usually met with howls of 'cronyism'.
I for one admire and propose the US of A system for the UK.
A change of government should also be accompanied with a permissible change in administration and moreover for it to cater for political appointees.
To do so now would have the civil servantry and/or uncivil servantry up in arms and that, in my humble opinion, is sufficient merit for it to be done.
Otherwise governmental change and whim of the people upon election times is met with gargantuan inertia of service based servantry that may indeed be contrary to public whim.
On the other hand one might posit that continuity in servantry acts as a ballast ever towarding towards continuity but that continuity seems to favour servantry rather than elected governance or whim of the people.
On the other, other hand anything to compromise mandarin-ship within UK for exist it does, is to be supported, nourished and cherished?
m$ created this situation. they did not adhere to standards. now it is back home to roost.
m$ get their come uppance. about time.
they can fix this issue, but it will cost lots of money they don't want to spend. so my bet is it stays unfixed.
uk government being labour - definite fail. here we go again with the strikes.
now grow up !
The incredulity of it all has left me all astounded. But they fixed Windows...didn't they? I'm sure Stevie & Billy had fixed all the Windows so that they shut properly. I guess they're just made of glass & some brat comes along & throws a stone & whammo, the glass pops out. There it is on the floor, all alone waiting to get fixed...again...broken...shattered...crushed.
Oh the indignity of it all. I'm sure Stevie (I'm gonna f***ing kill Google) Balmy must be swinging wildly through the forest quagmire of upsettedness (a word just for Stevie). Throw another chair Stevie, yell at the wall but don't hit the windows because the chair will go straight through. No glass!
How to tell in one easy lesson.
Last year (year before) it emerged that the Houses of Parliament IT system had Autorun set to On for all devices, including USB sticks, and there was no system in place for members and staff to register those devices before being allowed to plug them into the House of Parliament IT system.
Contained within that gem is everything you need to know about IT in Government.
And that's without the well documented relationship between Microsoft and New Labour/BBC.
Can someone please explain: How is personal browser choice a matter for Government?
They don't tell us a particular brand of car is unreliable so we should all drive other ones. They don't tell us that a particular brand of TV has a poor picture so we should all buy another brand.
So why does anyone expect HMG to come across with an opinion on what software you should be running on your PC?
I think the question should be, why are France and Germany taking such a stance (other than their usual anti-Microsoft stance, that is)
"They don't tell us a particular brand of car is unreliable so we should all drive other ones. They don't tell us that a particular brand of TV has a poor picture so we should all buy another brand."
They do much more than that: they actually prevent dangerous cars or TVs from even reaching the market. Here it's just an _advice_ not to use a borked piece of crap so would you please shut up already?
The government should be addressing themselves to the economy, to help companies stay afloat and for everyone to keep their jobs.
I couldn't give a shit what any government thinks about my choice of browser, toothpaste, the colour of my underwear, etc. None of this is any of their business and is outside their areas of expertise (if they have any).
As for companies, the same applies. Companies employ people to decide on such issues - if they don't listen to the experts they employ, why would they be likely to listen to some government advice?
http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/
http://bit.ly/5EHred
Brian Krebs writes:
If you happen to stumble upon a Web site that freaks out your anti-virus program, chances are good that the page you’ve visited is part of a malicious or hacked site that has been outfitted with what’s known as an “exploit pack.”
These are pre-packaged kits designed to probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software.
Exploit packs have been around for years, and typically are sold on shadowy underground forums.
A constant feature of exploit packs is a Web administration page (pictured above), which gives the attacker real-time statistics about victims, such as which browser exploits are working best, and which browsers and browser versions are most successfully attacked...
It’s important to keep in mind that some of these exploits are browser-agnostic: For example, with the PDF exploits, the vulnerability being exploited is the PDF Reader browser plug-in, not necessarily the browser itself.
That probably explains the statistics in the images below, which shows a fairly high success rate against Opera, Safari, and Google Chrome users...