ZAPP IE Exaggeration Uncalled For

    A retired diplomat well experienced in security, negotiation, and tact, my husband's complexion goes a little red when he senses insensibilities and totally uncalled-for exaggeration (unless it's adeptly manipulated to draw out a laugh or two).  His reaction to such things is to research them immediately and try to discern truth from distraction; to tone down hyperbole so that rational thought might actually be encouraged.  Well, I'll let him take over:

     Such was the case when we received a no-reply email from ZAPP yesterday, the subject of which was "Four Important Updates You Should Not Miss!", one of which was "Note from the Department of Homeland Security About Internet Explorer."  Uh-oh, you think, I'm using IE, and I'm screwed!

     We're not trying to minimize the potential dangers we all face, but to enlighten those of us who are not computer experts or web professionals so that we don't naively fall prey to the cries of "wolf!" we hear so often these days.  The danger is still there, but why must an organization like ZAPP -- which plays such an important role these days for so many of us here -- needlessly distort, overdo, and indeed fabricate facts in an attempt to scare us to move from one browser to another?

    ZAPP referred to "a widely distributed alert" from DHS that "advised computer users to stop using the Internet Explorer (IE) web browser," and wrote that DHS "stated that the browser is susceptible to a hack that could result in a security breach."

     Let's discuss this alert's origin, first.  The alert is, yes, from DHS, but more accurately from their US-CERT (United States Computer Emergency Readiness Team), which actually issues alerts after culling software warnings from Carnegie Mellon University's "Vulnerability Notes" database.  Note that Carnegie Mellon has published over 46,000 vulnerabilities since September 26, 2000 -- an average of over 3,000 per year, or roughly 8 each and every day, 7 days a week.  Of those, US-CERT publishes alerts for the "most frequent, most high-impact types of security incidents ...".  To receive an emailed alert from US-CERT, you must be signed up to receive them; otherwise, you'd need to access US-CERT's website daily, especially if you're a system administrator for an organization (e.g., ZAPP).  Most everyday computer users, like you and us, don't need to see them (although it pays to be aware of all security alerts, be they physical or IT-related).

     (We may also critique ZAPP's use of "DHS" as the alert's originator.  DHS alerts can take many forms, but they're usually not formally "DHS" alerts.  In addition to US-CERT alerts, these include advisories from NTAS (the National Terrorism Advisory System), FEMA, USCIS, and USCPB.  A little more specificity or elaboration would be more useful, practical, and less alarming.)

     Second, does this specific alert advise computer users to "stop using the Internet Explorer (IE) web browser"?

     It says (or more accurately, said) no such thing.  The US-CERT alert's specific recommendations are that "users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds," and for "those who cannot follow Microsoft's recommendations, such as Windows XP users, [they] may consider employing an alternate browser (emphasis ours)."

  Even more confounding is the fact that Carnegie Mellon published the vulnerability on April 27, US-CERT issued the alert on April 28, and on May 1, both Carnegie Mellon and US-CERT called attention to Microsoft's May 1 security update and resolution regarding the specific issue.  ZAPP's email is dated May 6!  It probably should be filed in our "Who Cares?" folder.  It looks like the problem was resolved a week before ZAPP scared the hell out of us with their DHS alert telling us not to use Internet Explorer.

     Third, ZAPP's email adds that it has "long recommended that ZAPP users utilize the Firefox, Chrome, or Safari browsers."  That's interesting, because according to their website:  "For optimal performance, use the most recent versions of Mozilla Firefox, Google Chrome, Internet Explorer, or Safari.  In our experience, Mozilla Firefox and/or Google Chrome are most compatible with ZAPP."  We don't know about you, but even in internet / software-speak, we find it difficult to make a distinction between "optimal performance," and "most compatible."  Contrary to their email with its ultra-scary DHS alert, it appears that ZAPP has also "long recommended" Internet Explorer for optimal performance.

     Finally, a rudimentary search of US-CERT software alerts will quickly reveal cautions concerning Firefox, Google Chrome, and Safari.  Where was ZAPP when these were published?

    So why would an organization like ZAPP publish a wolf-crying, potentially terrorist-related alert in an email like this?  Because their IT person was probably having a bad day.  And their email drafter was probably too confused (or web-innocent, like most of us), to question it.  And the person approving its issuance on May 6 was probably on a fishing trip and didn't realize the "danger" we'd all been in for a week and a half while he or she was busy catching trout.

     This is how things go sometimes.  So stay smart!  Be alert, but don't become paranoid.  Paranoia always calls for more work than is necessary.  (Such as installing and using a new browser, when the one you're already comfortable with probably works fine.)  Paranoia can also freak out your neighbors.


Comments

  • An attempt to put this into proper perspective: This was probably just a risk-reduction strategy by ZAPP.  Like many ecommerce sites, they are almost certainly fighting security issues of their own.  By redistributing a warning from a higher authority (who better than DHS?), they were probably hoping to reduce and shift their legal exposure.  They did get their warning out laughably late, though.

    Their bias against IE could be related to the fact that recent versions of IE have far better protection against tracking cookies than their competitors do.  Yep - even Zapp uses tracking cookies. Also, IE has in recent times been much tougher about not accepting suspicious encryption certificates making many sites with sloppy certificate management at least partially non-functional.  So when they say "less optimal", I have to ask "for whom?" 

    I would rather use a browser that allows me to block tracking and insists on the highest standard of encryption certificates when I do online banking or hand a site my credit card info.  But during the 5 days of exposure after the security flaw was publicized and before Microsoft had distributed a fix, I like many others shifted over to using a different browser.  With that crisis over now, I am back to preferring IE.

  • No need to single out ZAPP. Media worldwide reported the same, including Microsoft itself. 

  • Oh no, you beat me to the punch, Srey! This was going to be my lead story today on the front of the site after I read the Zapp email: 

    Note from the Department of Homeland Security About Internet Explorer

    You may have recently received a widely distributed alert from the Department of Homeland Security. The alert advised computer users to stop using the Internet Explorer (IE) web browser. The Department stated that the browser is susceptible to a hack that could result in a security breach. Please note this is an IE issue and not an issue with ZAPP®. Your data remains secure on ZAPPlication.org. We have long recommended that ZAPP® users utilize the Firefox, Chrome, or Safari browsers. Although ZAPP® can be accessed with an IE browser, the manner in which Microsoft rolls out patches and changes to it — often without advance notice — makes the browser less optimal for use on our systems. This challenge is not just a ZAPP® issue; it is industry wide.

    But wait a minute -- you have so much more info! Thank you for putting this in context. Me, a Mac user and not too fond of IE was feeling just a tad superior this morning when reading about this problem. I went to the US gov't site to get more details from Homeland Security. I mean, scared me and I could almost decipher what that site said. And as Roxanne said when I got there I saw there were so many other ones. Your perspective helps. Thanks for the demystifying.

  • Most of these internet alerts are already taken care of or are being worked on by the company. I do not take any alert about internet too seriously unless I get direct email from my security provider.  My personal view is if the government has issued a warning it is about 6 years too late or politically based.

  • HA-HA!  Glad I haven't read the email yet.  I think the reason they sent this particular one out was because it got a lot of hype.   Maybe they heard about this one and didn't know about any other ones.
