Ditch IE over Google China 'Aurora' hack bug?

Should we be ditching IE because of the Google China hacking vulnerability? The German government thinks so. In IT Blogwatch, bloggers debate putting Internet Explorer out of our misery.

By Richi Jennings. January 18, 2010.
(MSFT)

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention an alien shapeshifter...
 
 
Ben Parr drives an eagle:

The German Federal Office for Security in Information Technology ... recommends that all Internet Explorer users switch to an alternative browser. ... If you missed it, yesterday McAfee released a report outlining details of the cyber assault on Google. ... It specifically implicates a critical flaw in all versions of IE.
...
Microsoft has responded that it is developing an update to the vulnerability. ... Even running Internet Explorer in “protected” mode is not enough to prevent a hacker from exploiting this security flaw.

Dan Goodin has more bad news:

Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. ... The flaw affects all versions of IE except for 5.01 SP 4.
...
Microsoft hasn't said when it expects to fix the bug. Its next regular update release is scheduled for February 9. Speculation is growing that the company will issue an out-of-band patch.

Stephen J. Vaughn-Nichols is his usual self:

The latest attacks on Google have made it clear. Internet Explorer is a set of security holes masquerading as a Web browser. Get rid of it. Now. ... Windows has been, is now, and always will be insecure. It's baked into its single-user, stand-alone computer design that was never designed to handle a networked universe with attackers always one network connection away.
...
Pouring salt on the wound, the IE attack code is now public. That means anyone can use it. And guess what? They are. It's already inside one automated attack script. That means any script-kiddie moron can, and will, use it. ... It doesn't have to be that way. Dump IE now. It would be smarter still if you moved off Windows.

Preston Gralla is a more pragmatic guy:

As of yet, you can't completely close the security hole. However, there are ways to limit your exposure, notably using Protected Mode in IE ... and enabling Data Execution Protection (DEP). Changing your IE security zone to "High" will help as well.
...
Will taking all these steps keep you safe from the Chinese Google-style attack? Not completely, but it will keep you safer than if you don't do it. At some point, though, expect a patch from Microsoft fo fix the problem.

Microsoft's George Stathakopoulos chips in:

We understand that there is a lot of noise about this topic right now ... so we want to provide some additional insight. ... We are only seeing very limited number of targeted attacks against a small subset of corporations. ... We are not aware of any successful attacks against IE7 and IE8 at this time.
...
We continue to recommend that customers using IE6 or IE7, upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. ... We want to assure you that we have teams working around the clock worldwide to develop a security update of appropriate quality for broad distribution to address this vulnerability.

Kelly Jackson Higgins :

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.
...
Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in doing so in their initial meetings with Chinese officials.

So what's your take?
Get involved: leave a comment.
 
 
And finally...

• Pop quiz: how many things are wrong with this picture?

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email: itblogwatch@richij.com.

 
 
Don't miss out on IT Blogwatch:

• Subscribe to the Computerworld Blogs and IT Blogwatch newsletters
• Catch up with posts from the previous few days