British Health Officials Waiting for IE 6 Security Patch

The British Department of Health recommends that its National Health Service staff stop using Internet Explorer 6 unless the necessary security patch is installed. The British move is part of a general concern in Europe about Internet Explorer security following a wave of attacks against Google and other companies carried out by exploiting an invalid pointer reference. Germany and France have also advised their citizens to stop using unpatched versions of Internet Explorer. Windows 7 includes IE 8, the latest version of the Web browser.

The British Department of Health has issued a bulletin to its National Health Service staff recommending that they stop using Internet Explorer 6 until the necessary security patch can be downloaded, as part of a wider European pullback from the browser due to security concerns.

Following news in January that a zero-day bug in Internet Explorer had been exploited in intensive attacks against Google and other companies, both France and Germany advised their citizens to stop using Internet Explorer until a patch could be issued. Those attacks allegedly originated from China, leading Google to threaten to cease operations in that country.

The British Department of Health's bulletin advised any organizations continuing to use Internet Explorer 6 to download the necessary security update. Otherwise, it added, the vulnerability "could allow an attacker to download and install further malware [and] spyware on the computer, add user accounts to the computer, steal sensitive data held locally and centrally, and so forth." While the attacks against Google and other companies had been executed via Internet Explorer 6 running on Windows 2000 and Windows XP, "work is ongoing to leverage the exploit code so that it works successfully on other versions of Internet Explorer on other Windows platforms."

Furthermore, the bulletin added, "If an organization has systems compromised via this vulnerability, there may be consequential reputational damage, especially if sensitive data is affected or the compromised system is used to attack other systems."

According to Microsoft, the vulnerability in question centers on an invalid pointer reference, which can be accessed after an object is deleted; more information can be found in a Microsoft security bulletin. The company is also urging users of Internet Explorer 6 to upgrade to Version 8, the most recent edition, and to set their Internet and local intranet security zones to "high" so as to prompt before running ActiveX controls and active scripting in these zones.

"Microsoft has consistently recommended that consumers upgrade to the latest version of our browser," a Microsoft spokesperson told eWEEK. "Internet Explorer 8 offers improvements in speed, security and reliability as well as new features designed for the way people use the Web."

Representatives of the British government have suggested that no browser is necessarily safe for very long.

"Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them," Lord West of Spithead said during a discussion in the House of Lords about public-sector use of Internet Explorer 6. "There is no evidence that moving from the latest fully patched versions of [Internet] Explorer to other browsers will make things more secure. Regular software patching and updating will help defend against the latest threats."