UK Government says “No Evidence” IE is Less Secure

A couple of days ago I mentioned that Lord Avebury had asked the UK Government about its usage of IE. The UK Government has now answered, and I am reproducing the full text of the question and answer below:

Asked by Lord Avebury

To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]

The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): UK government officials and subject matter experts are in regular contact with their counterparts in France, Germany and other countries on both a bilateral and multilateral basis to exchange technical information and opinions on many aspects of cyber security, including software vulnerabilities. For example, the UK’s Government Computer Emergency Response Team (GovCertUK) and Combined Security Incident Response Team (CSIRTUK) are members of the group of European Government CERTS (EGG), as are their French and German equivalents.

Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. We take internet security very seriously and we have worked with Microsoft and other suppliers over many years to understand the security of the products used by HMG, including Internet Explorer. There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats.

Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

Source: Lords Hansard text for 26 Jan 2010

While the UK government contends that “there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”, there are many others who would disagree.

Also, although IE8 has significantly improved security models as compared to IE6 and IE7, there is still evidence that IE6 is being heavily used by UK government departments, including the armed forces. I think most people would agree that a “fully patched” IE6 is still relatively more vulnerable to attacks.

Lord Avebury asks UK Government to review use of IE in the Public Sector

Lord Avebury (blog, bio) tabled a written question in the United Kingdom House of Lords yesterday, which reads as follows:

Lord Avebury to ask Her Majesty’s Government whether, in the light of the recent announcement by Microsoft that Internet Explorer was used to carry out the cyber attacks which prompted Google to say it will withdraw from China, they will review the use of Internet Explorer throughout the public sector. HL1505

Source: House of Lords Business (26 January 2010) and Eric Avebury: Internet vulnerability

Lord Avebury mentions that the Parliamentary IT authorities are actively discouraging the use of alternative browsers such as Chrome so it is great to see that he is holding the government accountable for their policies.

According to UK parliamentary procedure, the government is obliged to provide a written response to his question on or before 8 February 2010. I think it will be interesting to see what they have to say.

Lord Avebury is an active campaigner for the rights of ethnic minorities in the UK and also those who are British nationals living abroad. He is also a member of the EU Select Committee which considers EU policy on protecting Europe from large-scale cyber attacks.

HSBC drops Firefox support

Today I tried to complete an online purchase using my HSBC Visa Card (issued in Hong Kong), and when the merchant redirected me to HSBC for the Verified by Visa page, instead of the password prompt I used to receive, I saw the following:

Thinking that this must be an error (since it used to work fine before), I called up HSBC’s customer service hotline to find out what was going on.

I was shocked to hear that HSBC now officially only supports IE, and no other browsers are supported for Verified by Visa. I asked them what I’m supposed to do if I have a Mac and don’t have IE, and they responded that I’m supposed to use IE or nothing at all.

I asked why Firefox is unsupported since it used to work fine before and they gave a vague response that Firefox cannot exchange data with Visa properly (which does not make sense at all). They also said that their entire online platform is “built for Internet Explorer”.

The message from HSBC Hong Kong is clear: if you’re not using IE, don’t bother making online purchases with our Visa card.

My message to HSBC is this: if you’re not going to support Firefox, don’t count on me using your Visa card to make any purchases (online or offline).

In case anyone wants to comment on this, this is where the complaints need to go:

HSBC
Attn: Credit Card Services
8 Floor, Block 2 & 3
HSBC Centre
1 Sham Mong Road
Kowloon
Hong Kong

Enterprise Deployment of Firefox

I am responsible for overseeing the IT infrastructure of an office with about 40 Windows-based computers. We always keep the OS and relevant software patched, though sometimes even keeping Windows/Office/IE patched to the most current level is not enough.

The workarounds provided by Microsoft for this issue are, frankly, not acceptable: website functionality with security set to ‘High’ is unacceptable and generates user complaints (and this doesn’t even solve the problem completely).

Events like this give me cause to consider a company-wide deployment of Firefox as the default browser. We have no internal applications that rely on IE so this is not a sticking point for us as it is for many corporations. Plus, Firefox has far fewer “vulnerable days” as compared to IE (and when Firefox is vulnerable the potential risk to the system is usually lower).

However, there are a couple of blockers that stop me from taking this step. These include:

  • Lack of an automated/scriptable way to deploy Firefox that is supported by Mozilla (though bug 231062 has been filed for an MSI install package – almost 5 years later there is still no resolution).
  • Lack of any way to force Firefox product/security upgrades upon users. Without this, Firefox is arguably even more insecure than IE because at least with IE we can be reasonably sure that updates are being pushed out on schedule.
  • Lack of any centralised way to make sure plugins are up to date (I will concede that IE is not up to par on this front either).

There are probably a few other points that I can’t think of at the moment. However, our company is an SME with fewer than 100 computers and I find these issues troubling. Imagine a Fortune 500 company – the problem for them would be multiplied many fold.

I am unhappy about the latest problems with IE and unhappy that there is no patch yet for an exploit that is so clearly in the wild and unhappy that there isn’t even an acceptable way to mitigate the risk.

Having said all this – at the moment I don’t see that switching to an alternative browser is an acceptable solution to this problem for enterprise users for the reasons above.

If work was done to make Firefox more enterprise friendly, this would go a long way towards adoption in the workplace. As it stands, there are just too many reasons not to deploy even though the product is clearly superior from an end user standpoint.

Google Munging Search Result URIs

I just noticed that Google is munging search result URIs. For example, if you run a search on “mozilla”, the first result is http://www.mozilla.org/. However, the URI that they link to on the search results page is:

http://www.google.com/url?sa=U&start=1&q=http://www.mozilla.org/&usg=AFQjCNGjMwD4PF4GezESBBRN2It3HBj5Qg

I suspect that the usg parameter is probably one used to prevent bots from gaming whatever results they’re trying to garner, and possibly also to link clicked search results to a specific user or browser session. I understand why they do this, but the downside for the end user is that the copy link option in the context menu of any browser is no longer useful. One needs to actually follow the link to get the URL in a form that one can copy into another application.

From my perspective, this is a pretty major usability bug, and I hope they revert it.

Google Groups and FeedDemon Woes

I’ve been having a couple of issues recently with a Google Groups hosted list that I manage, for which no solutions seem to be available.

Issue #1 – Google Groups Atom Feed id and link attribute broken

I’ve detailed this issue more in my post to the Is Something Broken forum on the Google Groups website, but so far there’s no resolution. Basically the Atom feeds generated by Google Groups generate an id and link attribute that contains a relative link without an FQDN, so that when viewed from an RSS reader, the links are broken because the RSS reader passes a URL without an FQDN to the web browser. I hope this gets fixed as it seems like a pretty major problem.

When viewed from Firefox’s Live Bookmarks it works fine, but not otherwise.

The RSS 2.0 feed generated by Google Groups does have an FQDN in the link attribute so it works properly. The “obvious” solution (other than fixing the issue, which is up to Google) is to use the RSS 2.0 feed instead of the Atom feed but that creates another problem.

UPDATE (18/06/2008): As of today, Google seems to have fixed the issue with the Atom feeds.

Issue #2 – FeedDemon 2.7 does not handle the pubDate in the RSS 2.0 feeds correctly

The pubDates in the RSS 2.0 feed seem to be generated correctly, like the following:

<pubDate>Fri, 06 Jun 2008 00:02:27 UT</pubDate>

When the RSS 2.0 feed is added to FeedDemon in synced mode (where it syncs with the Newsgator servers), it seems to ignore the pubDate and pick some arbitrary date for all the entries, and all the entries share this same date.

When the RSS 2.0 feed is added in non-synced mode (where FeedDemon pulls from the feed server directly), all the pubDates are respected and it works properly. In Firefox Live Bookmarks it works properly too.

With the Atom 1.0 feed from Google, the dates are correct in all cases but the links are broken. So at the moment users are in a quandary, as there appear to be problems in both Google’s feed implementation and FeedDemon’s parsing of Google’s feeds.

UPDATE (08/06/2008): Nick Bradbury, the creator of FeedDemon, has been able to reproduce the bug and has added it to the FeedDemon bug tracking database.
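As an added example (not the post’s own code, nor Google’s or FeedDemon’s), here is how a feed consumer can defend itself against both issues above: resolve Atom id/link values that arrive without a scheme and host against the feed’s own URL (honouring `xml:base` where present), and parse RSS 2.0 `pubDate` values as RFC 822 dates, including the `UT` zone token the Google Groups feed emits, instead of silently falling back to an arbitrary date. The feed URL and the entry objects are constructed sample data, and the code assumes an XML parser has already pulled the element values out of the feed; it also refuses resolved links that are not http(s), since a feed is untrusted input.

```javascript
// Added example: robust handling of relative Atom links and RFC 822 pubDates.
// Not code from the original post, Google or FeedDemon. The feed URL and entry
// contents below are constructed; real entries come from an XML parser.

const FEED_URL =
  "http://groups.google.com/group/example-list/feed/atom_v1_0_msgs.xml";

// RFC 822 zone tokens ("UT" is the one the Google Groups feed uses) plus the
// military "Z"; numeric +HHMM offsets are handled separately.
const RFC822_ZONES = {
  UT: 0, UTC: 0, GMT: 0, Z: 0,
  EST: -5, EDT: -4, CST: -6, CDT: -5, MST: -7, MDT: -6, PST: -8, PDT: -7,
};
const MONTHS = {
  Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
  Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11,
};

/** Parses an RFC 822 / RFC 2822 date to a Date, or returns null rather than guessing. */
function parseRfc822Date(text) {
  const m = /^(?:[A-Za-z]{3},\s*)?(\d{1,2})\s+([A-Za-z]{3})\s+(\d{4}|\d{2})\s+(\d{2}):(\d{2})(?::(\d{2}))?\s+([A-Za-z]{1,3}|[+-]\d{4})$/
    .exec(String(text).trim());
  if (!m) return null;
  const [, day, mon, yearText, hh, mm, ss, zone] = m;
  const month = MONTHS[mon];
  if (month === undefined) return null;
  let year = Number(yearText);
  if (yearText.length === 2) year += year < 50 ? 2000 : 1900; // RFC 2822 obs-year rule

  let offsetMinutes;
  if (/^[+-]\d{4}$/.test(zone)) {
    const sign = zone[0] === "-" ? -1 : 1;
    offsetMinutes = sign * (Number(zone.slice(1, 3)) * 60 + Number(zone.slice(3)));
  } else {
    const hours = RFC822_ZONES[zone.toUpperCase()];
    if (hours === undefined) return null; // unknown alphabetic zone: refuse, don't guess
    offsetMinutes = hours * 60;
  }
  const utcMillis =
    Date.UTC(year, month, Number(day), Number(hh), Number(mm), Number(ss ?? 0)) -
    offsetMinutes * 60 * 1000;
  const date = new Date(utcMillis);
  return Number.isNaN(date.getTime()) ? null : date;
}

/**
 * Resolves a (possibly relative) feed link against the feed's URL, or against
 * an xml:base that the entry carries. Returns null for non-http(s) results.
 */
function resolveFeedLink(value, feedUrl, xmlBase) {
  try {
    const base = xmlBase ? new URL(xmlBase, feedUrl) : new URL(feedUrl);
    const resolved = new URL(value, base);
    if (resolved.protocol !== "http:" && resolved.protocol !== "https:") return null;
    return resolved.href;
  } catch {
    return null;
  }
}

// Constructed Atom entry with the relative id/link the post describes.
const SAMPLE_ATOM_ENTRY = {
  id: "/group/example-list/msg/0123456789abcdef",
  link: "/group/example-list/browse_thread/thread/abc123",
  updated: "2008-06-06T00:02:27Z",
};

// Constructed RSS 2.0 item using the pubDate format quoted on the page.
const SAMPLE_RSS_ITEM = {
  link: "http://groups.google.com/group/example-list/browse_thread/thread/abc123",
  pubDate: "Fri, 06 Jun 2008 00:02:27 UT",
};

function normaliseAtomEntry(entry, feedUrl = FEED_URL) {
  return {
    id: resolveFeedLink(entry.id, feedUrl, entry.xmlBase),
    link: resolveFeedLink(entry.link, feedUrl, entry.xmlBase),
    updated: new Date(entry.updated), // Atom dates are RFC 3339; Date handles those
  };
}

function normaliseRssItem(item, feedUrl = FEED_URL) {
  return {
    link: resolveFeedLink(item.link, feedUrl),
    pubDate: parseRfc822Date(item.pubDate),
  };
}
```

Note the deliberate choice to return null for an unparseable date or an unsafe link: a reader that does that can flag the entry, whereas one that substitutes “now” or the fetch time produces exactly the same-date-for-everything symptom described above.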

Crucial.com gives Firefox users a discount?

I was buying RAM today for a friend, and I noticed something quirky going on at Crucial.com. When I was at his house, I noticed that the stick of RAM he needed was $67.97. When I got home and went to order it, the price had ‘dropped’ to $65.93. I figured this was just due to volatile RAM prices. I placed the order at $65.93 and didn’t think much of it.

Later on, out of curiosity, I checked the prices again, and I happened to use IE for this. The price was back up to $67.97. I thought this a little odd, so I checked again in Firefox, and the price there was still showing $65.93. I checked in Opera, and prices were $67.97.

The part in question, CT522745 is a 512MB upgrade for a Dell Dimension 4500. Screenshots from Firefox and IE are below:

Screenshot of Crucial.com showing RAM prices in Firefox

Screenshot of Crucial.com showing RAM prices in Internet Explorer

Are Firefox users getting a hidden discount?

UPDATE: It looks like Firefox users are not being singled out for a discount, but rather that I had a cookie set in Firefox by them (it’s been years since I ordered anything from them) and when I cleared this cookie, pricing went back to ‘normal’. False alarm, but if only I had saved the cookie… 🙂