Mozilla reported a “huge increase” in downloads of Firefox in Germany after that country's computer security agency urged users of Microsoft's Internet Explorer (IE) to dump the browser and run a rival instead.
German downloads of Firefox during a four-day stretch starting last Friday jumped by about 300,000 over normal, said Ken Kovash, Mozilla's director of analytics, on the company's “Blog of Metrics.” “Over the past few days there has been a huge increase in the number of Firefox downloads from IE users in Germany,” Kovash claimed.
Norwegian browser maker Opera Software said that downloads in Germany of its desktop application were double the usual rate last weekend, and downloads in Australia were up 40% over normal.
Mozilla and Opera cited recommendations by German, French and Australian authorities to stop using IE as the cause for the jump. Last Friday, Germany's Federal Office for Information Security, known by its German initials of BSI, and France's CERTA each called for users to stop running IE until Microsoft patches a critical vulnerability. “Pending a patch from the publisher, CERT recommends using an alternative browser,” a translation of the French advisory stated.
An alert posted by the Australian government's Department of Broadband, Communications and the Digital Economy made a similar recommendation last week. “If you do not wish to install the temporary fixes [by Microsoft] … consider using an alternate web browser (Mozilla Firefox, and Apple Safari are two such browsers) until an update becomes available,” the alert read.
The countries were responding to Microsoft's confirmation last week that a flaw in IE was exploited by hackers to break into the corporate network of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers and security experts have offered evidence that links the attacks to China.
Today, Microsoft announced that it would deliver an “out-of-band” update tomorrow at approximately 1 p.m. Eastern.
Some security experts have argued that the advice to dump IE is wrong-headed.
“That's an irrational fear,” said Richie Lai, the director of vulnerability research at security company Qualys. “Any browser has vulnerabilities. Rather than recommend switching from IE, the messaging should be that corporations should be upgrading to the latest browser, whether it's IE8 or Firefox.”
The nearly nine-year-old IE6 is the most vulnerable to the current round of exploits on the Web, in part because the attack code was written specifically for that edition, in part because it lacks advanced security features like DEP (data execution prevention) and Protected Mode, a sandbox-style defense that makes it more difficult for hackers to break into the operating system if they exploit the browser.
Lai acknowledged that many corporate computer users were unable to upgrade from IE6 because they needed it to access older Web applications or intranet sites. Those people, Lai said, are stuck. But if users could install a rival browser, such as Firefox, that meant they could also install IE8, Lai argued.
Other security experts disagree. Sheri McLeish, an analyst with Forrester Research who covers browsers, noted that even if many enterprise workers are forced to use IE6, they often can install a non-Microsoft browser, as a second browser. The same isn't possible with a more secure version of IE, say IE8; that's because Windows does not allow users to run two different versions of IE.
When asked to comment on the dump-IE calls by German, French and Australian organizations, Microsoft instead repeated its assertion that only IE6 has been targeted by hackers. “As such, customers using earlier versions of Internet Explorer, such as Internet Explorer 6, should upgrade to Internet Explorer 8 immediately,” said a company spokesman.