IE flaw: MEA experts speak out
Regional specialists clarify pitfalls, options for affected users, as Microsoft works on fix
This week both the US and UK governments issued warnings to users of Microsoft Internet Explorer to stop using the browser and switch to an alternative, in a rare move for Western powers.
The advisory was a clear indication of the perceived severity of the flaw among experts and authorities. The vulnerability is present in IE versions from 6 to 11 (an estimated 55% of PC browsers worldwide, and just above 12% in the UAE, according to figures from StatCounter) and concerns Flash execution.
Here in the UAE, ITP.net spoke to regional cyber security specialists to get their views on what impact the flaw is having for users across the Gulf.
"[We have] concerns about those who abuse IT systems exploiting the flaw before Microsoft has released a fix," said Paul Wright, manager of professional services and investigation team, Middle East, India and Africa at AccessData.
"However, due to the seriousness of the situation, there can be no doubt that Microsoft and its partners are burning the midnight oil to produce a patch for this vulnerability."
But how long must users wait, running Enhanced Protection mode in IE (for the faithful) or using an alternative browser?
"As the issue has been identified to be present from version 6.0 it is most likely very embedded functionality that needs to change, and we may need to wait a bit of time before we have a real fix," said Nicolai Solling, director, Technology Services at Help AG.
The bug is so worrying because it covers a worst-case scenario: ceding complete control of a system to an attacker. If the user of an affected machine were to visit an infected website and execute a compromised Flash object, a malicious party could install software with the same rights as the logged-on user, which includes admin rights if the user were logged on as such. But Wright pointed out that the problem is not as widespread as people may think and requires a deliberate visit to an infected site on the part of the end-user.
"Despite these dangers, an attacker would still have to use subterfuge to get users to visit such websites, for example a 'phishing' email," he said.
As users wait for a fix, another issue arises, as Solling points out: "While it may be easy for a private user to just use Firefox or Chrome it may be much more difficult for enterprise organisations, as internal enterprise applications may be reliant on the usage of Internet Explorer."
Meanwhile, another group of users has a different problem, even once a patch is live. Some 20% of users worldwide run the now-unsupported Windows XP, for which a patch is not expected to be released.
"Those organisations [running XP] will have an important decision to make," said Wright. "Either upgrading to Windows 7 or 8 or switching to a different browser."
But Solling believes, given the severity of the flaw, that Microsoft may, in fact, reach out to its legacy base.
"It is still not clear if Microsoft will deliver a patched version of Internet Explorer to Windows XP; however I could imagine that the seriousness of the issue will mean they will deliver this, specifically as we still see a very high percentage of devices.