Thursday, January 21, 2010

Microsoft 'strongly recommends' customers upgrade web browsers from IE6 to IE8 to solve security issues

In its strongest advice yet, Microsoft Australia has issued a "strong recommendation" through its Government Affairs Blog that customers upgrade from the nine-year-old Internet Explorer 6 web browser to Internet Explorer 8.

This is because the security flaws now being discovered in Internet Explorer 6 leave organisations more vulnerable to successful co-ordinated hacking attacks, and with them the potential theft of confidential or sensitive information and intellectual property.

The risk isn't from a 17-year-old hacker in their bedroom, but from crime syndicates, corporate interests and, potentially, other governments.

Google and at least 33 other companies have experienced co-ordinated attacks, originating from China, in the last week. Google believes these attacks were launched by, or at least endorsed by, the Chinese government, although it cannot prove this beyond doubt. However, the concern is great enough that the US President has asked the Chinese government to comment on the attacks, and Google is considering leaving China.

These attacks exploited a security flaw present in Internet Explorer versions 6, 7 and 8. Microsoft reported that the attacks only seem to be effective against IE6. Information out of Google agrees with this, as do comments by other security specialists.

This security flaw has no fix at this time and it is unclear when a fix will be available.

Defence Minister John Faulkner was recently quoted in the media (including this Brisbane Times article) as saying that cyber attacks were a worsening global problem. "Cyber intrusions on government, critical infrastructure and other information networks are a real threat to Australia's national security and national interests."

Both French and German governments have advised their citizens to stop using Internet Explorer 6.
In Australia some government agencies are still using Internet Explorer 6 as their standard web browser.

So why do government agencies (and some large commercial organisations) still use a nine-year-old web browser with dubious security, that isn't compliant with modern web standards and is soon to no longer be supported by major websites (including YouTube and Gmail, both owned by Google, and Facebook)?

I can't speak for any agencies; however, while most modern web browsers, such as Internet Explorer 8, Firefox 3.5, Opera 10 and Chrome, are free to users, there are often switching costs for organisations to change even free software on a large scale.

They may have designed internal software around a particular web browser or have costs associated with rolling out new software across thousands of computers.

Switching from IE6 in particular can be quite involved, as it has a number of features (developed in ActiveX) that organisations may rely on in websites and other software. South Korea in particular built its systems around Internet Explorer 6 and has had difficulties in migrating to modern browsers or operating systems.

There is also the need to test how modern browsers work on a network and to ensure that their security models are understood, so that new vulnerabilities do not arise. This costs time and money, at a time when Australian government departments are expected to save money in IT as a result of the Gershon Report. It's another choice they have to make on where to allocate their limited funds.

Plus, as many government agencies block sites like YouTube, Gmail and Facebook, citing concerns over staff wasting time (much as personal telephone calls once were), improving agency capability to engage in social media may not create any urgency to upgrade.

However, given the clear and present dangers linked specifically to Internet Explorer 6 I'm hopeful that 2010 will be the year where many Australian organisations still using this old, less accessible and insecure technology decide to implement modern web browsers.

8 comments:

  1. I'd say a lot is because of https://bugzilla.mozilla.org/show_bug.cgi?id=231062

  2. Do you think it is wise for you, as a Public Servant, to publicly announce that a number of government agencies utilise a web browser with security flaws - how about you just list the agencies and send a link to the Chinese government? I'm not saying they couldn't find out some other way, but you are blatantly flaunting the APS Code of Conduct and potentially bringing the APS into disrepute. I am all about open and honest Government - But in your case you need to choose, are you going to try to make a difference working on the inside, or are you going to be an outside commentator/agitator... if you continue doing both, you may need to talk to Mr Gresch about tips for avoiding incarceration.

  3. Thank goodness. It's about time - here's hoping government (and people in general) will actually follow this advice.

  4. This comment has been removed by the author.

  5. (deleted previous comment because of wrong link)

    http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx

    Summary: Please move from 10 year old technology

  6. Hi Anonymous,

    I appreciate that you read my blog and I appreciate a diversity of views.

    I'm happy to address any specific concerns you have once you name them. I also prefer that you name yourself. If you're going to level accusations at an individual, please have the courtesy to do so face-to-face.

    I do advise that you first familiarise yourself with the APS Code, Values and the APSC's Circular 2009/6: Protocols for online media participation.

    Cheers,

    Craig

  7. Thank you for your response. While I choose to remain anonymous, I also think it would be difficult to meet face-to-face as I am from Western Australia (and I imagine you are in the ACT?).

    I think my concerns are quite specific enough – you have disclosed information that you likely gained through your career in the public service (even if you did not gain it this way, a reasonable person would assume you did). This is the case with this blog post and with some previous ones.

    I am very familiar with the APS Code of Conduct, the APS Values and the APSC Circular you mention; in fact I consulted with each before I first posted my comment. In particular you may wish to review the APS Values and Code of Conduct in Practice publication, where it says: ‘It is not appropriate for APS employees to make public comment which could be perceived as ...compromising public confidence in the agency or APS’. In addition, in the online consultation section it mentions that APS employees should take ‘...reasonable steps to avoid conflicts of interest’. I would appreciate your advice as to how you believe you are adhering to these requirements?

  8. Hi Anonymous,

    Face-to-face courtesy refers to being willing to name yourself rather than hiding behind 'Anonymous'. If you're going to make a public complaint specifically about another individual, it is respectful to do so after identifying oneself by name. Would you come up to me in person at a public event and make accusations and then leave without giving your name?

    Your perception of using knowledge gained through my APS career is impossible to address in the broad sense you have applied as any public statement by any public servant on whatever topic could be perceived as being based on knowledge they gained through being an APS public servant.

    Generally the spirit of this is applied in the public service, as applying the letter, as you have done, would potentially prevent most professional comments by any public servant in any public place, online or otherwise, which were not word-for-word approved by their departments.

    I am an internet communications professional and spend a lot of time outside of work increasing my professional knowledge such that I can better conduct my job. Most professionals do this and therefore bring knowledge into their departments, rather than simply taking it out.

    You may also wish to refer to Minister Tanner's remarks at the Gov 2.0 conference last year (http://www.financeminister.gov.au/speeches/2009/sp_20091019.html). In this he states, "To make government more open and responsive the public service must be empowered and encouraged to proactively disseminate information and participate in public discussion."

    Again you should also refer to the APS circular I linked above.
    In response to your points, I did not gain my knowledge through being an APS public servant.

    Many people across the web community are aware of the dependence of Australian governments and large corporations on Internet Explorer 6. When they develop websites they need to make an informed decision about their audiences on where to set their minimum levels of support as it impacts their time to market, costs and reach.

    Any web development company who might contract to the government similarly gains a good awareness of what the parameters are in terms of browser support.

    It is also widely known across Content Management System developers who sell to the public sector, as their systems must be backwards compatible to meet government requirements.

    This holds for developers of other applications delivered through web browsers as well - anyone who has an 'internet dashboard' for their product.

    It takes significant resources to be backwards compatible on web browsers and it is quite common to develop code specifically for IE6 to provide users with the same experience as those using more modern web browsers.

    Microsoft themselves made a particular point of the recent security issues on their Australian and US government blogs, which would communicate to anyone applying some common sense that the government sector was one which specifically could use this information.

    As to compromising public confidence in an agency or the APS, firstly no agencies are named in my post, I have made general statements based on industry knowledge (gained through my 15 years in the web industry).

    Secondly, I approached the topic by explaining why organisations remain attached to IE6. There are some good and sound business reasons which, however, are becoming weaker over time. I did not in any way indicate that the APS or any major commercial corporation as a whole or in part was behaving in an inappropriate manner. There are challenges and costs to upgrading.

    Finally, regarding conflict of interests, I don't understand where you see a conflict.

    There is no commercial gain for me in advocating a browser upgrade, it is purely about ensuring that we can serve the public and government as effectively as possible.

    That's our aim as public servants, isn't it?