Google threatened to withdraw from the Chinese market following the “sophisticated and targeted” attacks, which it said originated in China. Hackers used a flaw in Microsoft’s Internet Explorer (IE) browser to target the Gmail accounts of Chinese human rights activists.

Following Google’s revelations, the French and German governments advised their citizens to switch to a different browser until the hole had been closed. Microsoft reacted by quickly updating the browser, nearly three weeks ahead of its regular security update. However, Google has now said it is going to phase out support for the browser “starting with Google Docs and Google Sites”.

It said that as a result, some “key functionality” of the applications would not work when used with IE6. Google Docs is the firm’s answer to products such as Microsoft Office, whilst Google Sites allows people to create web pages.

Google’s Rajen Sheth wrote in an official blog post:

“The web has evolved in the last ten years, from simple text pages to rich, interactive applications including video and voice. Unfortunately, very old browsers cannot run many of these new features effectively.”

Threat downplayed

Around 20% of web users still use the nine-year old browser, including many UK government departments. But many developers want to see the browser phased out as soon as possible. The online campaign ie6nomore, supported by more than 70 web firms, says that because the browser does not support modern web standards it restricts what developers can do and is “holding the web back”.

Microsoft has said that it will support the browser until 2014. Microsoft has released a fix for Internet Explorer and recommended that customers install the update as soon as possible or update to the latest version of the web browser for “improved security”. Microsoft normally issues patches monthly but the high-profile nature of the attacks led it to act more quickly.

Market share

The UK government played down the threat and said there was “no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”.

However, Microsoft took the unusual step of patching the hole nearly three weeks ahead of its regular security update. The new patch is available via the Microsoft Update site and will also be fed out to those who have their machines set to update automatically. All versions of Internet Explorer will receive the update.

Microsoft has admitted that it has known about the vulnerability “since early September” 2009 and had planned to patch it in February. The bad publicity has allowed rivals such as Firefox to gain market share.

According to web analytics company StatCounter, Firefox is now a close second to Internet Explorer (IE) in Europe, with 40% of the market compared to Microsoft’s 45% share. In some markets, including Germany and Austria, Firefox has overtaken IE, the firm said. Mozilla, the foundation behind Firefox, has just released the latest version (3.6) of the open-source browser.

Three days later and still no response from the British government. We’re still waiting to hear back from the Department for Business, Innovation and Skills.

The weakness is in older versions of Internet Explorer like 6 and 7 which were running Windows XP SP3. The code has now been released making it fairly simple for an attacker to exploit the hole. Microsoft confirmed that the hole was used in the attacks against Google and 33 other companies believed to come from China. At its most extreme it would let an attacker run code on your machine.

If you don’t want to ditch IE altogether then at least running it in safe mode, with ActiveX and JavaScript turned off, will reduce the dangers.

Internet Explorer is the default browser on government computers. It would be a big job for them to all be changed overnight, but surely the government could offer some advice on keeping the rest of us safe?

The gaping hole might seem like bad news for Microsoft, but most IE users will probably remain unaware of the problem. If enough of them do notice then it might provide a bit of a boost for Firefox and Google’s Chrome – currently being heavily advertised in the UK. Microsoft is still working on plugging the hole which, so far at least, has been used to target corporations rather than individuals

UPDATE (19-Jan):

Microsoft’s Head of Security and Privacy in the UK, Cliff Evans, is now saying that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser.

With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser, and although the vulnerability has only been used against IE6, the company has not ruled out that something similar could be used against the later versions. With Microsoft not prepared to give details of how soon a fix will be released, and advising people to leave the appalling IE6 and its successor for the latest version – IE8 – Microsoft’s UK security chief insists that a non-Microsoft browser is the worse option.

The whole Google IE flaw issue is clearly a PR disaster for Microsoft, with Evans conceding that this particular problem is not likely to afflict IE’s rivals. Asked when a fix would be ready, Evans states that the rollout might or might not be before the normal upgrade cycle, but has no further details. In the meantime, the company will be hoping that the knee-jerk reaction of France and Germany is not mirrored elsewhere.

UPDATE no.2 (27-Jan):

Lord Avebury has since tabled a parliamentary question regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that’s unlikely to please most readers. The UK government contends that ‘there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.

Critics – some of which have started an online campaign – want the eight-year-old browser mothballed because they claim it slows the online experience.

Web monitoring firms estimate that 15-20% of people still use IE6 to browse the web. The most immediate threat to Microsoft’s 68% market share comes in the shape of Mozilla’s Firefox – used by 22% of browsers.

Ronald Gruia, a principal analyst with Gartner:

“The competition Microsoft has to worry about right now is Firefox. Not just from a market share perspective but from an innovation perspective because their plug-ins work really well. In the future they have to look out for Google with its Chrome browser. The main concern there for Microsoft is the rise in cloud computing and software as a service. Google is becoming very effective at delivering applications in the cloud and therefore poses a huge threat to Microsoft.”

On April 14, 2009, Microsoft retired Mainstream Support for Windows XP, and thus for Internet Explorer 6. That said, Microsoft is not planning to retire Extended Support for the operating system until April 8, 2014. If Redmond ends up releasing a fourth service pack for XP, it will retire support for SP3 (released in April 2008) two years after SP4 is released, or in April 2014, whichever comes first. In short, IE6 will continue to be supported by Microsoft for at least four more years.

Microsoft said that 400 million customers who are Windows Live consumers will have access to the Office web applications at no cost. At a conference for business partners in New Orleans, Microsoft announced an early release of web-apps to thousands of testers later this year. At the end of the year the company expects to release a proper public beta for the software and ship a final version off to PC makers in the first half of 2010.

Analysts have mostly given the thumbs up to Microsoft for moving some of its applications to the web, even if it might cost them dearly. The Wall Street Journal has estimated that offering free online software could “put at risk as much at $4bn (£2.46bn) in revenue”.

One analyst told the paper that despite such losses, it could be a canny move. “Making sure people are still using Microsoft products is more important” in the short term than risking revenue, explained Piper Jaffray analyst Gene Munster.

Microsoft’s announcement is being seen as the latest move in a tit-for-tat rivalry between two tech giants as it and Google increasingly make efforts to encroach on one another’s turf.

Google has more than 64% of the search market in the US, followed by Yahoo at 20% and Microsoft at 8.2%. Bing offers to make search more relevant by understanding the intention of searches, and grouping more related information to the original query.

For example, searches for a product will also bring links to reviews, accessories, and online shops, as well as information about the item. Searches for flight information will pull schedules and times from websites, as well as linking to hotels and weather. Microsoft wants to reduce the amount of clicking a user has to do to find specific and related information.

Paul Stoddart, Microsoft UK search lead, “Forty percent of search queries go unanswered. There is something missing here and a big consumer need. We can see it in the logs [of searches]. When searching using existing search engines I have to keep re-querying things – adding more words, clicking on a site, going back because it is not the right site, and ultimately abandoning their queries. We are pulling information that we know people use every day.”

He said Microsoft was hoping to build an “emotional connection” between users and its search engines, as well as brand loyalty. Bing has a much softer, less clinical feel than previous Microsoft search engines and rivals, with a daily changing backdrop image. Users are also able to save their searches to avoid having to remember on which site they found a particular piece of information.

Microsoft is forming partnership with a host of different online services which Bing can then trawl to aggregate specific information around searches – such as flight deals, reviews and holidays.

Users will be able to download IE8 in 25 languages at 5pm (GMT) from Microsoft’s IE Web site and its online download center.

Microsoft has been preparing users for IE8 for a good year now, stressing performance improvements, better support for Internet technology standards, the addition of new features to help people keep track of most visited sites and favorite sources of information, and of course, security, as highlights of the new browser.

According to the report Microsoft released Thursday, based on research conducted by NSS Labs, IE8’s Release Candidate 1 was 69% effective at catching malware before it did damage to a user’s system. Mozilla Firefox 3.07 came in second with a 30% effectiveness rate, with Apple Safari’s 3 in third place with a 24% rate and Google’s Chrome 1.0.154 in fourth place with 16% effectiveness rate.

NSS Labs said in the report that the data was collected from tests conducted in just over 12 days from Feb 26 to March 10 in its labs in Austin, Texas. During the course of the test, the company said it monitored connectivity to ensure the browsers could access the live malware sites being tested, and performed 141 discrete tests. The margin of error of the tests was 3.76 percent, according to NSS Labs.

Amy Barzdukas, a senior director at Microsoft, acknowledged that it might be a conflict of interest for Microsoft to sponsor a report in which IE8 came out on top in terms of security. However, she encouraged people to “look closely at the results” before making a judgment call on the validity of the report.

IE8 will be included as part of the Windows 7 OS. However, for the first time since adding browser technology to its operating system, Microsoft will give users the ability to turn off IE8 as a feature in the system.

This decision was outlined in a blog post on the Engineering Windows 7 blog. Microsoft is under pressure from an ongoing antitrust case in the European Union to give users more browser choice in Windows.

The money will be paid for ‘information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet,’ Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNA providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all.

Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. Its main trick is to disable anti-malware protection and block access to anti-malware vendors’ Web sites

PCMag.com got an early look and has posted a full review of Internet Explorer 8 RC1. The release candidate differs only slightly from Beta 2, most notably in tweaks to its InPrivate Browsing feature, aka porn mode. That feature has been decoupled with InPrivate Filtering, which blocks third-party content providers from creating profile of your browsing habits. RC1 also improves on performance, especially in startup time, but still trails Firefox and Chrome in JavaScript speed. Protection against the relatively new threat of ‘clickjacking,’ where a site tries to get you to press buttons underneath a sham frame page, has also been added — the first browser to include such protections.

Versions for 32-bit and 64-bit Vista, as well as for 32-bit XP are available, but Windows 7, which will ship with IE8, is stuck with an older beta for now.

You can download the IE8 RC here, and view the full list of features here.

Although the spread of the worm appears to be levelling off, there are fears that someone could easily take control of any and all the reported 9.5m infected PCs. Experts say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch.

Method Of Attack

According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code. It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service. Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down. But Conficker does things differently.

The worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say. Microsoft is investigating the problem and preparing an emergency software patch to resolve it, it says. Internet Explorer is used by the vast majority of the world’s computer users.

“Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer,” said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against version seven of the browser – its most widely used edition.But the company warned that other versions were also potentially vulnerable.

Suggested workarounds to defend against the flaw, pending a security patch from Microsoft, include disabling active scripting – as explained by US CERT here.

UPDATE 1: Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected.

UPDATE 2: The patch is now available to download from here.