ZAPP IE Exaggeration Uncalled For

    A retired diplomat well experienced in security, negotiation, and tact, my husband goes a little red in the face when he senses insensibilities and totally uncalled-for exaggeration (unless it's adeptly manipulated to draw out a laugh or two).  His reaction to such things is to research them immediately and try to discern truth from distraction; to tone down hyperbole so that rational thought might actually be encouraged.  Well, I'll let him take over:

     Such was the case when we received a no-reply email from ZAPP yesterday, the subject of which was "Four Important Updates You Should Not Miss!", one of which was "Note from the Department of Homeland Security About Internet Explorer."  Uh-oh, you think, I'm using IE, and I'm screwed!

     We're not trying to minimize the potential dangers we all face, but to enlighten those of us who are not computer experts or web professionals so that we don't naively fall prey to the cries of "wolf!" we hear so often these days.  The danger is still there, but why must an organization like ZAPP -- which plays such an important role these days for so many of us here -- needlessly distort, overdo, and indeed fabricate facts in an attempt to scare us to move from one browser to another?

    ZAPP referred to "a widely distributed alert" from DHS that "advised computer users to stop using the Internet Explorer (IE) web browser," and wrote that DHS "stated that the browser is susceptible to a hack that could result in a security breach."

     Let's discuss this alert's origin first.  The alert is, yes, from DHS, but more accurately from their US-CERT (United States Computer Emergency Readiness Team), which actually issues alerts after culling software warnings from Carnegie Mellon University's "Vulnerability Notes" database.  Note that Carnegie Mellon has published over 46,000 vulnerabilities since September 26, 2000 -- an average of over 3,000 per year, or roughly 8 each and every day, 7 days a week.  Of those, US-CERT publishes alerts for the "most frequent, most high-impact types of security incidents ...".  To receive an emailed alert from US-CERT, you must be signed up to receive them; otherwise, you'd need to access US-CERT's website daily, especially if you're a system administrator for an organization (e.g., ZAPP).  Most everyday computer users, like you and us, don't need to see them (although it pays to be aware of all security alerts, be they physical or IT-related).

     (We may also critique ZAPP's use of "DHS" as the alert's originator.  DHS alerts can take many forms, but they're usually not formally "DHS" alerts.  In addition to US-CERT alerts, these include advisories from NTAS (the National Terrorist Advisory System), FEMA, USCIS, and USCPB.  A little more specificity or elaboration would be more useful, practical, and less alarming.)

     Second, does this specific alert advise computer users to "stop using the Internet Explorer (IE) web browser"?

     It says (or more accurately, said) no such thing.  The US-CERT alert's specific recommendations are that "users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds," and for "those who cannot follow Microsoft's recommendations, such as Windows XP users, [they] may consider employing an alternate browser (emphasis ours)."

  Even more confounding is the fact that Carnegie Mellon published the vulnerability on April 27, US-CERT issued the alert on April 28, and on May 1, both Carnegie Mellon and US-CERT called attention to Microsoft's May 1 security update and resolution regarding the specific issue.  ZAPP's email is dated May 6!  It probably should be filed in our "Who Cares?" folder.  It looks like the problem was resolved a week before ZAPP scared the hell out of us with their DHS alert telling us not to use Internet Explorer.

     Third, ZAPP's email adds that it has "long recommended that ZAPP users utilize the Firefox, Chrome, or Safari browsers."  That's interesting, because according to their website:  "For optimal performance, use the most recent versions of Mozilla Firefox, Google Chrome, Internet Explorer, or Safari.  In our experience, Mozilla Firefox and/or Google Chrome are most compatible with ZAPP."  We don't know about you, but even in internet / software-speak, we find it difficult to make a distinction between "optimal performance," and "most compatible."  Contrary to their email with its ultra-scary DHS alert, it appears that ZAPP has also "long recommended" Internet Explorer for optimal performance.

     Finally, a rudimentary search of US-CERT software alerts will quickly reveal cautions concerning Firefox, Google Chrome, and Safari.  Where was ZAPP when these were published?

    So why would an organization like ZAPP publish a wolf-crying, potentially terrorist-related alert in an email like this?  Because their IT person was probably having a bad day.  And their email drafter was probably too confused (or web-innocent, like most of us), to question it.  And the person approving its issuance on May 6 was probably on a fishing trip and didn't realize the "danger" we'd all been in for a week and a half while he or she was busy catching trout.

     This is how things go sometimes.  So stay smart!  Be alert, but don't become paranoid.  Paranoia always calls for more work than is necessary.  (Such as installing and using a new browser, when the one you're already comfortable with probably works fine.)  Paranoia can also freak out your neighbors.