Internet Explorer (IE) security issues triggered a national security alert today from the Department of Homeland Security (DHS), which issued an unusual advisory warning computer users not to use the IE web browser until the most recently discovered security issue is fixed. Some experts say that is not very likely to happen any time soon.
The security alert may be the death knell for the still very popular XP operating system, and a wake-up call for thousands of companies that have so far refused to upgrade to Windows 7 or 8. It may also come back to haunt Microsoft later as computer users express continuing concerns about Microsoft’s abandonment of the popular operating system.
The browser problem, which affects IE versions 6 through 11, has allowed a well-organized group of hackers to gain access to confidential information from a broad spectrum of defense and financial industry computer systems in a campaign that has been dubbed “Operation Clandestine Fox.” The warning was issued by the United States Computer Emergency Readiness Team (US-CERT) in a press release on Monday morning in which the DHS unit warned that the security issue could lead to a complete compromise of an infected system. The fox, it seems, is really in the hen-house this time.
Security analysts were quick to point out that the security breach ONLY affects the Internet Explorer web browser. If they can, computer users are being advised to switch to Google Chrome or Firefox until the problem has been fixed, if their business applications work with those browsers. Once the newer versions of IE have been fixed, users who must continue to use XP can download a utility from Microsoft that allows XP captives to use newer versions of IE, but there are known productivity bugs in that utility, which is why many companies have refused to use it.
A Concerted Attack on US Infrastructure
“Complete compromise” means different things to different organizations, but a technical support team at General Dynamics defines it as a complete takeover of system operations, sometimes called the “going hog-wild” phenomenon among hackers. This is not a common, garden-variety hack, a phishing scheme, or some other low-level annoyance.
On the contrary, this is a prima facie illustration of what a cyber war attack will look like, because that is exactly what is happening right now. So far, the hackers have only been stealing data, but the nature of the security hole is such that the hackers could take control over entire systems and wipe data, change data, add data, or deliberately crash devices running on infected systems. In other words, this is no joke.
The security warning is especially important to Windows XP users because their systems do not work with any IE web browser newer than IE6. Microsoft no longer supports Windows XP, which raises questions about whether or not Microsoft will bother to fix the security hole for an out-of-date browser that is only used by an older version of Windows that the company is trying to kill off.
IE currently owns 55 percent of the web browser market, according to NetMarketShare, with the rest being divvied up between Google Chrome, Mozilla Firefox, Apple Safari and Opera. Those figures are contradicted by W3schools.com, whose figures show that IE only accounts for around 10 percent of the market, with Chrome holding 57.5 percent against Firefox’s 25.6 percent. Runner-up Safari claims just 3.9 percent of the market, leaving 1.8 percent for Opera. The NetMarketShare report reflects a cross-section of all computer users. W3schools statistics are based on data from visitors to their websites, who tend to be computer professionals, rather than end users.
Who is Affected?
Just about anyone could be affected by the breach because almost everyone does business with the institutions that were affected, or with other institutions that do business with them. Neither Homeland Security nor anyone else is about to provide any details about who has been affected, or who may be affected in the near future, for the very obvious reason that making such information public would hang a target on those companies for other hackers. However, the fact that the warning came from Homeland Security, rather than Microsoft itself, suggests that at least one of the victims has ties to the country’s defense systems.
Organizations in that category reportedly might include branches of the U.S. Military, the U.S. Postal Service, the Internal Revenue Service, the Federal Bureau of Investigation, defense contractors, and major financial institutions. Homeland Security itself has moved most of its operations to Windows 7, but still requires its employees to use Internet Explorer. The IRS recently admitted that it was paying Microsoft millions of dollars to continue to support their Windows XP installations, a situation necessitated by the fact that the IRS’s own software will not run properly on Windows 7 or 8. The biggest potential victims in this scenario, however, are the Chinese, who are running more XP systems than anyone else.
Why do these organizations continue to use XP?
In addition to compatibility issues with enterprise software that has not been upgraded to run on new versions of Windows, many users also point to the fact that their older peripheral devices will not work on the newer operating systems. Manufacturers have not released updated drivers to allow older equipment to work on newer operating systems, but many computer users have substantial investments in the older devices, which would have to be replaced during an upgrade to the newer systems.
According to Browsium, a software company that publishes software that enables newer operating systems to function like Windows XP, 80 percent of the organizations with more than 10,000 computers in their systems never upgraded their operating systems to Windows 7. The anemic market performance of Windows 8 to date is widely attributed to serious misgivings in the marketplace about Microsoft’s decision to “optimize” Windows 8 to run on touch-screen systems. Recognizing, belatedly, that the majority of the upgrade candidates do not have touch-screen computers, Microsoft recently issued an update for Windows 8 that makes it easier to use on systems that do not have touch screens.
In many cases, however, Windows XP users simply do not want to put new shoes on an old horse. They do not want to upgrade their software until they have to upgrade their hardware, and they don’t want to have to upgrade their hardware just to run Microsoft’s new software. In many cases, computers that run Microsoft XP perfectly well will not be as successful with Windows 7 or 8 because the newer systems need more processing speed and more memory than the older systems. This forces customers who have to move up to Windows 8 to buy new hardware to run the new software.
Microsoft Reaction Muted
Microsoft’s immediate public reaction has been low-key, promising to get right on it while skirting the issue of whether or not they will provide a fix for IE 6 so that Windows XP users can pick up where they left off and go about their business. That is not a likely course of events.
While there is little doubt that Microsoft’s decision to discontinue support for Windows XP was specifically motivated by their need to force computer users to upgrade to Windows 8, there is also little doubt that decision may have just created an enormous public relations problem for the company. Without describing the precise nature of the security hole, industry experts, including the prestigious Carnegie Mellon Software Engineering Institute, have indicated that there are no obvious quick fixes for this particular issue, suggesting that it will take a major rewrite to close the loophole, rather than a quick patch.
The Homeland Security announcement might just be the silver lining inside the dark clouds surrounding Windows 8’s poor performance in the marketplace. If Homeland Security is telling people not to use Internet Explorer, and Microsoft never fixes the older versions of Internet Explorer, it will be Homeland Security that will be blamed as hundreds of thousands of individuals and companies spend millions (if not billions) of dollars to upgrade to an operating system that most of them did not want in the first place.
The bad news for Microsoft is that this event may just trigger the widespread abandonment of Internet Explorer, rather than the retirement of more Windows XP systems, as XP users learn that they can avoid the security problem simply by switching from IE to Chrome or Firefox. That could mean a boost to user rates on those browsers, and continued sluggish sales of Windows 8.
The Internet Explorer security issue that triggered the Homeland Security warning has become the latest hot topic in the news media. The hysteria in the media is spreading as rapidly as the hackers have been spreading through XP computer systems. Some of that hysteria is well-meant, getting-the-word-out public service, but most of it is more gilding on the lily. The best defense is a strong offense. Just do not use IE until the all-clear sounds – and then consider whether or not you want to go back to IE at all.
By Alan M. Milner
Look for me on Twitter: @alanmilner