It looks like Microsoft has moved to the “sticks and stones” method for handling public relations gaffes. As we reported yesterday, France joined Germany in suggesting that its citizens switch from Internet Explorer to, well, anything else. Now, Microsoft’s UK security chief, Cliff Evans, has responded by saying that switching to other browsers will only open you up to more security vulnerabilities than staying with Internet Explorer.
That’s saying a lot for the browser implicated in the Great Google Caper of 2010 and we have multiple security experts who said a lot on why it just isn’t true.
In a conversation with TechRadar, Evans said that “the net effect of switching [from IE] is that you will end up on less secure browser” and that “there are broader risks and issues with other browsers.”
Internet Explorer: The Reigning Champ of Security?
These statements just didn’t ring true in our ears, so we got in touch with Thomas Kristensen, the chief security officer for Secunia, a company that specializes in looking for security vulnerabilities.
“In my opinion the browsers aren’t the real problem for most users,” Kristensen told us. “The main concern for normal users is by far all the third party programs, such as programs from Adobe, Sun, Apple, and many other vendors, which are being exploited.”
Browsers, whether Mozilla Firefox or Internet Explorer, update themselves requiring little if any user involvement, he said, so most vulnerabilities are taken care of. With other programs, however, updates often sit waiting for “months and even years before they update.”
Kristensen did concede, however, that the latest versions of Chrome, Firefox and Opera currently have no un-patched vulnerabilities and are therefor a more secure choice compared with IE, while offering the same caveat.
“The normal user faces the almost same risk whether they run IE, Firefox, or Chrome if they haven’t updated all their software,” said Kristensen.
Vincent Steckler, CEO of anti-virus software provider Avast, agreed that Evans’ statement didn’t really add up.
“Other browsers may also have vulnerabilities but to suggest that changing browsers can increase vulnerability is not correct,” he told us this morning. “It is changing from the known to the unknown – while it may not increase your protection, it will not decrease it.”
IE 6: The Gift That Keeps On Giving
So, while Evans’ statement doesn’t really hold much water according to security experts, he does note later in the TechRadar article that “the reality of the risk is minimal, even if you have IE6; you would have to go to a website running the exploit.”
On this point we can find some agreement. Michael Sutton, VP of security research at security provider Zscaler, notes that a switch may be a wasted effort, except for in one case.
“Switching browsers in response to a single vulnerability is a wasted effort. All browsers have vulnerabilities,” said Sutton. “So what happens when you switch to Firefox and they announce a critical vulnerability? The larger story here is that the attack succeeded by targeting users running IE6 – an 8-year-old browser.”
Whether you switch browsers or not, there is one thing for sure – you need to stop using Internet Explorer 6 already. In the end, though, it doesn’t come down to running an ancient browser, as the vulnerability may go well beyond that.
“Currently it is evident that running IE6 on XP or Windows 2000 is a very bad idea, and any other browser would be a better choice for XP and Windows 2000 users,” Kristensen told us. “It is also evident that there is an unpatched vulnerability in IE7 and IE8 which may or may not be exploitable on Vista and Windows 7.”
We have to admit, the French may be right on more than red wine and food. Go get yourself a copy of Chrome, Firefox or Opera if you haven’t already.
