UK Government says “No Evidence” IE is Less Secure

A couple days ago I had mentioned that Lord Avebury had asked the UK Government about their usage of IE. The UK Government has now answered and I am reproducing the full text of the question and answer below:

Asked by Lord Avebury

To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]

The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): UK government officials and subject matter experts are in regular contact with their counterparts in France, Germany and other countries on both a bilateral and multilateral basis to exchange technical information and opinions on many aspects of cyber security, including software vulnerabilities. For example, the UK’s Government Computer Emergency Response Team (GovCertUK) and Combined Security Incident Response Team (CSIRTUK) are members of the group of European Government CERTS (EGG), as are their French and German equivalents.

Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. We take internet security very seriously and we have worked with Microsoft and other suppliers over many years to understand the security of the products used by HMG, including Internet Explorer. There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats.

Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

Source: Lords Hansard text for 26 Jan 2010

While the UK government contends that “there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”, there are many others who would disagree.

Also, although IE8 has significantly improved security models as compared to IE6 and IE7, there is still evidence that IE6 is being heavily used by UK government departments, including the armed forces. I think most people would agree that a “fully patched” IE6 is still relatively more vulnerable to attacks.

11 thoughts on “UK Government says “No Evidence” IE is Less Secure”

  1. IE6 is used by my council (local government) exclusively. I believe this is true of most UK local and central government departments, who rarely stray from the Windows XP technology stack. Statements like this do little to challenge that culture, and the spokesperson carefully avoided comment on the widespread use of outdated versions of Internet Explorer, defending only the use of the latest version.

  2. Lord West of Spithead, like many Microsoft supporters, blindly accepts everything Microsoft says. The facts are:
    1) Internet Explorer is too deeply tied to the Windows o/s which means whenever the browser becomes compromised, the o/s is also compromised. E.g. a hacker causes I.E. to crash will also crash the o/s. All other browsers are not tied into the o/s so even if the software becomes compromised it doe not affect the o/s.
    2) Windows o/s in inherently insecure. It is virtually impossible to easily secure without major spending on security systems. Linux is both very secure and less expensive to keep maintain.
    3) Most web sites designed specifically for I.E contains security issues that would be noticeable in browsers like Mozilla Seamonkey or Mozilla Firefox.

    By promote a company that charges an arm and a leg but does not care about customer security. Why not promote open source software? Open Source software are free, secure and very responsive and concerned about user security.

  3. I agree IE is probably more secure than the many other browsers out there, as an admin I have had many problems with other browsers and 3rd party badly coded plugins than I have ever had with IE.

    Also other browsers are popular because they claim to be faster this may be true but only because of the amount of caching they are doing in the background wasting valuable bandwidth. caching every link they see is not always a good idea or needed

  4. When a Lord reports on minor details, ignores significant details and totally disregards government security, the Lord’s report can not be considered as valid. Using MSIE, an insecure browser, on Windows, an insecure operating system, for government work, for government communications, rather than use of a secure operating system with relatively secure browser, should be the matter in consideration.
    Safety of every UK citizen is severely compromised while the military & government use the most vulnerable software on the most vulnerable operating system. Paying billions of pounds to get the latest versions of same vulnerable system will not make UK secure.

  5. Terry Thomas – i guess you are living up to your moniker of a comedy actor – IE more secure – what a joke

  6. Clearly, the Home Office hasn’t examined the patch release model of Microsoft, in that they only release patches for vulnerabilities that are known to be being exploited, or are likely to become immediately exploited.

    Many security researchers have has issues with Microsoft’s suggestion that releasing patches enables those without prior knowledge to determine the vulnerability, however this logic is flawed, as ‘spearfishing’ and similar limited-distribution attacks typically use vulnerabilities that are known, but without any publically available patch.

    In short, if a patch is published, attackers can engineer an exploit, however this is only after all auto-updating systems have been made immune. Systems that are not auto-updating will not recieve the patch, but would also have not had many other patches – for which legacy exploits are widely available.

    Converesly, other web browsers vendors produce patches much more often, and their browsers check for, and prompt for installation, patches at every startup and periodically afterwards – so unpatched versions are highly unusual.


  7. @Terry Thomas

    People like you without a clue are the problem. “Caching” is not why other browsers are faster. They’re more efficiently coded, run javascript in a fraction of the time (learn what JIT compiling is) and don’t use ridiculously complex design like IE. I’ve never had a problem with Firefox, Opera or Safari on any number of large networks that I’ve administered. Pull your head out of MS’s lap and learn the facts.

  8. I抳e turn out to be a devoted admirer of the website for some time but not actually supplied just one thing back, I hope to alter that within the future with more conversation.Thanks for another new addition to the internet website.

Leave a Reply