Microsoft has hit back at criticism by French and German cyber security offices over vulnerabilities in its Internet Explorer browser.
Over the past few days, the German Bundesamt für Sicherheit in der Informationstechnik and the French CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques) have issued advisories recommending users temporarily ‘switch to an alternative browser while waiting for Microsoft's patch’.
However, Cliff Evans, head of privacy and security at Microsoft, acknowledged that there is a vulnerability in versions six, seven and eight of Internet Explorer, but said the exploit code seen so far applies only to IE6. He advised upgrading to IE8 so that users are no longer exposed to the exploits.
Evans acknowledged that there had been very specific targeted attacks, but commenting on the German and French advice, he said: “I can see how this advice comes about considering the style of the vulnerability, but in terms of advising we know that in 2009 there were 102 vulnerabilities in Firefox and only 30 in Internet Explorer, and it just so happens that this has happened to us now.
“This is not a good way to choose browsers, so to come back to IE8, the smart scan filter base will tell you if it has been listed as having hosted phishing sites etc. It is much better to look at the broader context.”
Also acknowledging the ‘noise’ surrounding the vulnerability was George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Security, who said it was ‘only seeing very limited number of targeted attacks against a small subset of corporations’.
He said: “Even though we are only seeing limited targeted attacks today, we know that can change at any time. That is why through our Software Security Incident Response Plan (SSIRP), we actively monitor the threat landscape through our broad telemetry systems, including the Microsoft Malware Protection Center (MMPC), our Customer Service and Support group, and through our partners in the Microsoft Active Protection Program (MAPP) and the Microsoft Security Response Alliance (MSRA).”
Evans said that Microsoft is working on an update for the vulnerability and that it will be released in due course.
On when that is expected to be released, he said: “We may wait until the next Patch Tuesday or maybe issue an update. It depends on the risks, and we have to consider that an update will affect businesses that need to apply it. The next Patch Tuesday will be released on the evening of the 9th February.”
Commenting on other systems that are now rolling out patch updates, Evans said that Adobe ‘is going through what we went through several years ago, do not lose sight that you need to update your software’.