You'd think the news that Chinese hackers used a vulnerability in Microsoft's Internet Explorer (IE) to attack Google would be a PR disaster for both companies. Surprisingly, the two stand to benefit from the whole affair.
The recently discovered invalid pointer reference bug in IE6, IE7 and IE8 that was used against Google is seen as so grave that it has prompted the governments of France and Germany to warn their citizens not to use IE at all.
The recommendation of our European chums is to use some other browser, any other browser, instead of IE. (You may think that most people would take any computer security warning from the French, German or any other government with a healthy dose of skepticism, and while that may be true, it's not exactly a security endorsement, is it?) The most obvious browser to switch to is Mozilla Firefox, IE's main competitor and an excellent browser, although one not without its own security problems from time to time. "Switching away will get away from this particular problem," Graham Cluley, a senior technology consultant at Sophos, pointed out yesterday. "But all browsers have security flaws."
Quite right. But just as bank robbers rob banks because that's where the money is, hackers attack IE because that's where the users are. The problem with Firefox is that it's becoming too successful: It has about a 25 percent share of the browser market (although this is small compared to the 66 percent share enjoyed by all versions of IE combined). Pretty soon it will have enough users for it to be worthwhile attacking more often, especially if every Jean-Pierre and Fritz migrates to it en masse.
So if you're going to abandon IE, the smart move is to switch to a browser with a market share too small for hackers to be interested in, even if, as Cluley says, it is bound to have security flaws, too. Ignoring the marginal browsers like Opera and Safari, that leaves only one choice: Chrome, the browser produced by Google.
Today, Chrome has only a sub-5-percent market share, and there's no doubt Google would love to see mass adoption. In no small part that's because the browser is tuned to work well with Google's cloud-based services, making a migration from a Microsoft-centric world to a Google-centric world (as we discussed last week) a much smaller step for those that use it. Far from being a PR disaster, getting hacked via the IE bug could be the best thing that ever happened to Google.
Did Google put the Chinese up to the hacking job precisely so that many IE users would flock to Chrome? That's taking things a bit far. Besides, France and Germany's advice is questionable at best, especially when applied to enterprises. That's because the most vulnerable version of IE is IE6, running on Windows XP. The best bet for any enterprise still running IE6 is to upgrade to IE8 (which has been made more secure by design and which can be made immune to the vulnerability), rather than to switch to Firefox or Chrome. After all, the only good reason for any enterprise to still be running IE6 is compatibility. Moving to IE8 will likely lead to fewer complications than moving to a different browser altogether.
It turns out that Windows 7 with IE8 is the most secure combination of Microsoft products when it comes to facing this particular vulnerability, thanks to features like IE Protected Mode and on-by-default Data Execution Prevention. (As an interesting side-note, the combination of Windows 2000 and IE5 is also immune.) So the upshot of all this is that while consumers, especially European ones, may flee from IE and head for Chrome, there might well also be an accelerated takeup of Windows 7 and IE8 from enterprises looking for extra security. If that happens, Microsoft will become more entrenched in the enterprise than ever.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.