IT Security: Microsoft's Internet Explorer was gateway for attacks on Google in China
Microsoft has admitted that the gateway that facilitated the attacks on Google in China is a flaw in Internet Explorer. First responders are now questioning whether to ditch the product.
Microsoft almost leaked out its admission in a blog deep in its website; it did not issue a media release or announcement and it did not take out space on its front page. And since the blog entries found their way into the media, the company has been putting out messages for damage limitation.
The company says it "has not seen widespread customer impact." Translation: we have hundreds of millions of users and only a small percentage have had problems. It says there have been "only targeted and limited attacks" - translation: this is not indiscriminate spreading of malware or other exploitation of a weakness. The company also says the version of the software which is vulnerable is Internet Explorer 6.
This is very convenient for Microsoft: the company is still smarting after many corporations refused to migrate from Windows 2000 to XP. By refusing to sell Windows 2000, Microsoft has gradually left those who have no good reason to change to suffer, as the operating system has had no updates since 2005. That means it cannot operate many of the features of, e.g., recent laptops. And they are being starved of new Microsoft developments, too. Internet Explorer 7 does not work on Windows 2000. And finally, the so-called "extended support," i.e. security fixes, will end this year, leaving Windows 2000 users orphaned, as has happened with Windows 95 and Windows 98. Microsoft does not permit third parties to reverse engineer the earlier versions and therefore be able to patch them.
Across the world, then, there are millions of older PCs that cannot run XP or Vista and that are already extremely vulnerable or will become so as Win2000 comes out of support later in 2010.
Windows Internet Explorer 7 has been available since late 2006, and IE8 since March 2009. IE8, too, does not work on Win2000.
Microsoft says that it is working to produce a patch to address the vulnerability that has led to attacks on Google, Adobe and others in China, leading Google to threaten to leave that market.
The German government has taken a firm stance: it has advised computer users to discontinue use of Internet Explorer - and has not limited that advice to users of IE6.
Microsoft in Germany has said that "there is no threat to the general user." In subtle terms, it told the German government to get stuffed.
Microsoft's immediate way of addressing the problem is to set IE browser security settings to "high."
But that blocks access to millions of sites worldwide - especially those using Windows and other MS technology for their back end, particularly because Microsoft has not followed standards set by the internet industry but has chosen to bulldoze its own technologies into mass use. Microsoft has not drawn obvious attention to this irony.
But it has updated its original comment and admitted that versions 6, 7 and 8 are all vulnerable.
The imperative to secure browsers is increasing since details of the hack and how to exploit it have appeared on the internet, according to Sophos.
Meanwhile, corporations have the considerable problem of deciding whether to deploy an alternative - with secure default settings - or to make local changes on individual users' PCs. They know that if they instruct users to do it themselves, many will not and, worse, many will turn the controls off once they find they cannot access many sites - including, as the final irony, Windows Update, the program that will be needed when MS posts its fix.