Security firms round on IE
The comments come after a glut of critical vulnerabilities were discovered in Internet Explorer, and after a delay of nearly four weeks between the very public disclosure of a critical vulnerability in the browser and the roll-out of a software patch.
The self-styled 'chief hacking officer' of US-based eEye Digital Security, which has been responsible for the discovery of a plethora of vulnerabilities in Microsoft products, says that Internet Explorer has been insecure for a long time.
"It has been a long running theme that at almost any given point there is a remotely exploitable bug in Internet Explorer," he told ZDNet Australia . "It's one of the biggest security risks for most 'Microsoft-based' corporations. Microsoft is not fixing these publicly disclosed bugs in any sort of timely manner or more so they seem to just not be fixing them at all."
Adding fuel to the fire is Ken Dunham, the 'director of malicious code' at US based security intelligence company iDefense. He says using IE exposes users to a raft of nasties on the Web.
"Recent exploits of Microsoft software has made it unsafe to surf the Web... it will be very difficult for some users to even know their computer is infected with a virus or otherwise compromised," he said.
Microsoft's global head of product security, George Stathakopoulos, says the 25-day delay between the disclosure of a so-called "object type" vulnerability and the release of a fix was the result of a strict quality-control process imposed on patches.
"Two things come in play, one is you have to release a quality patch... the second thing that comes into play this is exactly a case where you did not have responsible disclosure," he said in reference to the way the vulnerability was made public -- it was posted on the Web with no advance warning given to the software maker.
"What really has happened is... the original vulnerability as reported was fixed with [Microsoft security bulletin] MS03-032, [Microsoft security bulletin] MS03-040 fixed additional vectors for this thing," he told ZDNet Australia by phone from Microsoft's headquarters in Redmond, US
The way he describes it, the vulnerability addressed in the MS03-040 patch was similar to, but distinct from, the MS03-032 patch.
However, this puts Stathakopoulos slightly at odds with the way the facts play out as presented in the MS03-032 bulletin itself, which indicates that MS03-032 was simply a dud patch.
"Microsoft originally issued this bulletin on 20 August, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," it reads. "Microsoft has investigated these reports and has issued a new bulletin with an updated patch that corrects these problems. Microsoft has released security bulletin MS03-040 which supersedes this bulletin."
Stathakopoulos would not comment on allegations made by security research company Pivx Solutions that there are over 30 unpatched vulnerabilities in Internet Explorer, but did say Microsoft is "investigating" the claim.
Microsoft has no plans to dramatically overhaul the browser, Stathakopoulos said, but users can expect some changes. "We're thinking clearly that in Internet Explorer there are certain things we could do, like the hardening in Windows 2003, to minimise the exposure," he said. Changing the "user experience" is also an approach that's on the cards. The company will try to "give visual cues and mechanisms by which a user can make intelligent trust decisions on how to browse the Web".
However, Maiffret says dramatic changes are required. "Internet Explorer was a poorly thought out product. In their effort to become the No. 1 browser, by cramming every feature possible, they have in essence forgotten about security and made a system so flexible that it's even flexible to hackers," he said.
Anything that helps users configure and customise their security settings is a good thing, he added. "Internet Explorer is very lacking in any sort of granular security to help allow customers fine tune security settings in order to still view active content, yet in a secure manner."
iDefense's Dunham is slightly more sympathetic towards Microsoft. "Unfortunately, Micosoft has millions of lines of code to manage, which is a daunting task. I'd hate to be in the shoes of Microsoft today with so many rapid exploitations of their software emerging in the wild."