Access to embc/Synetrix services are well protected in light of Microsoft security issues 

Access to embc/Synetrix services are well protected in light of Microsoft security issues

 

Microsoft IE6 security vulnerability: embc are confident that access to embc/Synetrix services is well protected and the sort of account breach experienced by Google and Adobe should not occur.

 

Many teachers, children and school staff use web browsers to access information on the internet and also embc online services. One of the most popular browsers is Microsoft’s Internet Explorer. You may be aware of the recent reports regarding the security vulnerability reported in Microsoft’s Internet Explorer http://news.bbc.co.uk/1/hi/technology/8460819.stm . This specifically affects IE6 and no reports of incidents affecting IE7 have been noted yet. For more detail, a summary can be found at http://blogs.technet.com/msrc/archive/2010/01/17/further-insight-into-security-advisory-979352-and-the-threat-landscape.aspx  

 

Synetrix have been monitoring events with IE6 as the situation developed from the initial hacking at Google [http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/ ]. Over the last few days general awareness has been heightened with the publication on the Internet of how to exploit this security hole in IE6.  Microsoft advise they have not seen widespread customer impact, rather only targeted and limited attacks exploiting IE6.

 

All schools are under a serious potential threat for this security hole if the actions discussed in this bulletin are not acted on. The security threat could mean exposing personal data and private communications to others across the internet; school admin systems relying on browser access to online payroll and finance systems may be rendered insecure and pupil’s work may be lost of incorrectly posted to online storage tools. Webmail content may also be at risk of insecure access.

 

Information on the potential mitigation of the vulnerability can be found in the Microsoft security advisory at [http://www.microsoft.com/technet/security/advisory/979352.mspx]. Although these workarounds will not correct the underlying vulnerability, they will help block known threats. 

 

Whilst Synetrix cannot comment on individual school services, we are confident that access to embc/Synetrix services is well protected and the sort of account breach experienced by Google should not occur.

 

Microsoft is currently working to develop an update and have announced now that a patch will be released at 1000 PST (1800 GMT) on Wednesday 21st January 2010. Microsoft advise all customers that :-

"All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online's recommended advice ... is always to use the most up-to-date version."

 

Microsoft’s standard recommendation now is that users using IE6 or IE7, should upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. However IE8 is not currently supported on certain services provided by embc, such as Click to Meet but key applications such as the SharePoint portal, webmail and SUMS appear to work well. 

 

Many issues that users experience with different versions of software can be overcome by using IE8 in Compatibility Mode that supports most software written for the earlier versions.

 

Synetrix are currently analysing both the impact of the issue itself and the repercussions of changing the recommended browser versions for the services embc/Synetrix provides. 

 

Current Government advice is that it is up to IT service providers to assess the potential impact and take appropriate action which may not include changing the browser version. More information on this topic will follow.

 

Embc users should note that alternative browsers such as Firefox, Safari and Opera etc., are fine for general web browsing but the embc services have been designed to work with Internet Explorer 7 and also works fine with IE8. Use of other browsers for access to the embc portal, webmail and SUMS may result in a loss of some functionality and some resources may not be available.

 

School ICT Administrators should take immediate action to update their Internet browser after the patch release. School staff and students concerned about the vulnerability of the PC and laptops and network systems should contact their ICT Administrator for advice. If Auto-Update is being used on local PCs and laptops this will download and install the update release as soon as this is available.

 

Embc and Synetrix January 21st 2010.