Internet Explorer security FUD

Summary: The day after Microsoft releases IE7, a security firm revives an old vulnerability report, rushes out a press release, and cues a predictable wave of gloating and "I told you so's". A closer look reveals that maybe there's not so much to gloat about after all.

Well, that didn't take long. The day after Microsoft released Internet Explorer 7.0 for Windows XP, Secunia published a bulletin describing a "vulnerability ... in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information."

And the gloating and "I told you so's" began almost immediately.

Australia's ITWire headlined the story "Serious flaw revealed in one-day old IE7," despite the fact that Secunia's rating for this vulnerability was "Less Critical." On its 1-to-5 scale, where 5 is most serious, this one ranks only a 2, and its graphical indicator is green, not yellow or red.

Slashdot's entry included the snarky comment: "So much for the 'you wanted it easier and more secure' slogan found on Microsoft's IE Website."

Well, maybe breathing into a paper bag a few times will help everyone stop hyperventilating. A few comments:

  • Microsoft says the vulnerability is actually in Outlook Express, not IE.
  • BetaNews reports that this is an old IE6 vulnerability that went unpatched in IE7. And sure enough, even the Secunia article references this six-month-old report. Hmmm. Is Secunia trying to piggyback on the IE7 publicity by reviving this report now?
  • Visiting Secunia's test page with IE7 running on a release candidate of Windows Vista results in a message that reads: "Your browser does not appear to vulnerable [sic] to this particular exploit."

And finally, a question: What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test.

  • I agree it's fuddish, but larger issue?

    Why was an old vulnerability still present in a brand new, much anticipated upgrade? The other issue is simply that IE is still too tightly coupled to the operating system. If MS has learned anything about security you would think that isolation of application from OS would be one of them. IE is apparently still one with the OS (with the same low level APIs, where an email client is insecure because of a browser!?), and unfortunately, any security problem will have an easy route to the machine OS.

    I know it is a tough balancing act, making everything easy for the customer, but MS had the chance, everyone expected different operation, and would have accepted some real architecture changes if it meant that, for example, IE created a wall that required permission to access an external program.

    Well, for my inbox's sake and a reduction in spam, I do hope it is more secure.

    • It's not an IE7 bug

      "Why was an old vulnerability still present in a brand new, much anticipated upgrade?"

      That's the wrong question to ask, since the vulnerability is not present in Internet Explorer. The correct question is, "why hasn't the Outlook Express team fixed this yet?"
      • The outlook express people have fixed it.

        They have fixed it. It's called Windows Mail and it's in Vista.
        • Classic cart before the horse nonsense.

          Vista isn't out yet, IE7 is. Saying it is fixed in Vista is like saying everybody needs to NOT install IE7 until Vista comes out if they want to be protected from this vulnerability.

          I didn't notice an option to NOT install Outlook Express when I upgraded a "virgin" (WinXP SP2 with IE6) box to IE7. Saying Outlook Express is somehow removed from being IE7 is Disingenuous (note: with a capital "D.") ;)
      • Correct

        That's why I said it was fuddish, however, I do software development and am ALWAYS working around other flaws (usually in other vendors' misinterpretations of standards: telecom) and even if I know it isn't our software's fault, I/We will still code a fix in our software that makes their fault a "don't care", that was my point.

        Since they knew of the exploit in the other software, they could have done something in their software to make it a don't care.

    • They have done exactly that in Vista

      To do the same in XP would require rewriting the OS.
      Ed Bott
      • Glad Vista has it

        They could have done the same within IE itself for non Vista Windows. Since it is IE that is calling the APIs, simply build a wall within IE to be ABLE to call the APIs without some kind of security mechanism. For example, an API that talks directly to the OS module "Play WMV Content". Normally fat dumb and happy but makes a WMV exploit a security weakness waiting to happen.

        "This site is attempting to access a movie player, do you want to allow this action? (Y/N) Check here to remember this answer for this site".

        "Suspicious activity detected, this site is attempting to access USB devices, do you want to allow access? (Y/N) Check here to remember this answer for this site".

        "Suspicious activity detected, this site is attempting file system direct access, a common malware procedure, if you are not sure, do not allow this action. Allow (Y/N) Check here to remember this answer for this site."

        No OS rewrite required, and sure, to start with, until you register your answer with your most visited sites, it occurs frequently, but something as simple as that would go MILES further preventing spyware and spamware and trojans than anything else.

        How about a simple rules setting where by default
        1) Write access to all except temp is BLOCKED
        2) No external access to any external INDEPENDENT program
        3) Prompt on media play
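The three default rules and the "remember this answer for this site" prompt sketched in the comment above, as an added example in Python. This is not Internet Explorer's code or anything Microsoft shipped; the action names (`write`, `launch`, `media`), the temp directory and the prompt callback are assumptions chosen for illustration. The write rule canonicalizes the path before comparing it, so a `..` escape from the temp directory is still denied.

```python
"""Default-deny site policy with per-site remembered prompt answers (added example)."""
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple

# Assumption: the browser's scratch directory. A real Windows build would use
# a Windows path; POSIX paths keep the example self-contained.
TEMP_DIR = "/tmp/browser"

# Hypothetical action names standing in for "write a file", "launch an external
# program" and "play media"; they are not real IE API names.
WRITE, LAUNCH, MEDIA = "write", "launch", "media"


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


def default_rule(action: str, target: str) -> Decision:
    """The commenter's three defaults, plus deny for anything unrecognised."""
    if action == WRITE:
        # Rule 1: write access to everything except temp is BLOCKED.
        # Canonicalize first so "/tmp/browser/../../etc/hosts" is not mistaken
        # for a temp path, and compare with a trailing separator so
        # "/tmp/browserx/..." does not match as a prefix.
        canonical = posixpath.normpath(target)
        inside = canonical == TEMP_DIR or canonical.startswith(TEMP_DIR + "/")
        return Decision.ALLOW if inside else Decision.DENY
    if action == LAUNCH:
        # Rule 2: no access to any external independent program, ever.
        return Decision.DENY
    if action == MEDIA:
        # Rule 3: prompt on media play; the user's answer may be remembered.
        return Decision.PROMPT
    return Decision.DENY  # unknown action: fail closed


# Prompt callback: (site, action, target) -> (allowed, remember_for_site)
Prompt = Callable[[str, str, str], Tuple[bool, bool]]


@dataclass
class SitePolicy:
    remembered: Dict[Tuple[str, str], Decision] = field(default_factory=dict)
    prompts_shown: int = 0

    def check(self, site: str, action: str, target: str, ask: Prompt) -> bool:
        """Return True if `site` may perform `action` on `target`."""
        key = (site, action)
        if key in self.remembered:
            # "Check here to remember this answer for this site"
            return self.remembered[key] is Decision.ALLOW
        verdict = default_rule(action, target)
        if verdict is Decision.PROMPT:
            self.prompts_shown += 1
            allowed, remember = ask(site, action, target)
            if remember:
                self.remembered[key] = Decision.ALLOW if allowed else Decision.DENY
            return allowed
        # Hard rules (write outside temp, launch) never reach the user,
        # so they can never be "remembered" into an allow.
        return verdict is Decision.ALLOW


if __name__ == "__main__":
    # Constructed walk-through: a site that the user allows once and remembers.
    policy = SitePolicy()
    allow_and_remember = lambda site, action, target: (True, True)
    print(policy.check("news.example", MEDIA, "clip.wmv", allow_and_remember))
    print(policy.check("news.example", WRITE, "/tmp/browser/../../etc/hosts", allow_and_remember))
```

Only the prompting rule consults the user; the two hard rules return a verdict without ever offering a "remember" box, which is what keeps a careless click from turning "write anywhere" into a stored allow.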

        • "Simply build a wall"

          Software developers call that the SMOC fallacy. It's a "simple matter of code."

          Question: How many person-hours of dev time would it take to build that layer and test it? How many apps would it break?

          You're really talking about a fundamental change in the OS, which is why it's in Vista and not in XP.
          Ed Bott
          • Isn't it all software? :-D

            "Question: How many person-hours of dev time would it take to build that layer and test it? How many apps would it break?"

            I thought they spent tens of millions and MS had the resources to do it right?

            What applications would it break = ZERO. It may take 5 question and answer sessions to make the NEW I.E.7 behave exactly as I.E. 6 for a given site, with all the access the site requires, but again, security VS ease of use.

            Look at NoScript in FF as an example. For ZDnet, it took three clicks. Allow, page reloads, need to allow another domain, page reloads, add a third domain, poof ZDnet works like NoScript doesn't even exist but it gave me the control to DECIDE to allow it to work that way.

            You can't tell me it could not be done by MS. They could hard code the rules so no one can prevent WGA, etc FULL access by default, but make everything else ask.

      • So they HAVE rewritten the OS

        IE7 is the next BIG THING. It's so much more secure. But ONLY if you BUY the new Windows. Forget the support for XP, now that we have something else to sell you!!

        That they have "done...that in Vista" is NO answer. Vista costs. They SHOULD fix it in XP. That there is a flaw in OE that relates to IE, whether it's IE6 or IE7 means that there is a flaw that should be fixed for those users who haven't purchased Vista.
        • Yes, it should be fixed

          And I am confident it will be. With a patch, not with a rewrite of XP.
          Ed Bott
    • Antitrust

      it would be pretty easy to add an abstraction layer to force the browser to a higher level runtime... but then, it wouldn't be a tight, integral piece of the OS, and the whole "integral piece of windows" argument would fail... and as such, everyone would be up in arms over why it's ok for MS to force it to be installed, if it's not a tightly integrated piece of the OS...

      they'd have instant anti-trust issues... and they'd need to make a way to remove it from the system, if they didn't want the anti-trust issues... and they couldn't do that... it'd involve having a **new** piece of code doing the windows updates... after all, that's the only thing I see in IE as an integral part of windows for me... I use it for little else (only website testing... whenever I am making a website)
      • Pretty easy?

        "it would be pretty easy to add an abstraction layer to force the browser to a higher level runtime"

        OK, how many person-hours of dev time would it take, and how many apps would it break?

        Seriously, there are literally thousands of corporate line of business apps that would break in the "easy" scenario you outline here. And that would be after a year of testing and dev time.
        Ed Bott
  • Criteria

    "What should the criteria be for evaluating whether a product is

    The criteria should be its record of consequences related to
    known exploits. By this standard users should have replaced IE
    with another browser years ago. More to the point, Windows,
    which allowed remote execution of code should have been
    replaced with another platform. IE7 has not proven itself to be
    secure or insecure. Anyone giving Microsoft the benefit of the
    doubt with their track record, has serious problems with

    Glad you asked?
    Harry Bardal
    • "Remote execution of code"

      Glad you pointed that out. I'll be sure to take the following programs and operating systems off my list.

      This one: "A buffer overflow in Directory Services could lead to remote execution of arbitrary a remote attacker."

      Or this one: "an attacker may be able to exploit these vulnerabilities by supplying an application ... with a specially crafted XPM image. Applications that receive input from remote sources may be remotely exploitable."

      Or <a href=",39020375,39239293,00.htm">this one</a>:

      "Thomas Kristensen, chief technology officer for security site Secunia ... rated Apple's updates as 'highly critical', the second-highest danger ranking, in its advisory.

      "A large number of applications could be affected by the vulnerability in the PCRE library used by Safari's JavaScript engine, Kristensen said. People who inadvertently click on a malicious Web site with their Safari browser could find the flaw exploited, leading to a remote execution of code on their system."
      Ed Bott
      • Caution is not recommended?

        If I.E. proves itself to be much more secure, then have a blast. I can understand that MS needs to prove it is secure based on past proven history of being insecure.

        Every OS has security flaws, yes, even Linux with FF has em. Can they be exploitable and do harm, don't know, but your example is valid, all have security exploits but is slightly misleading.

        Safari exploits - number in the handful, most already patched
        FF exploits - number in the handful, maybe a few tens, most already patched
        Pre IE 7 exploits - numbered in the thousands, hundreds still unpatched not released.

        If I had Windows, if I needed IE, I would download I.E.7 and use it sparingly where needed until it proves more secure than I.E. 6 was. For anyone, well, maybe not you, probably running it virtually to evaluate security visiting as many p0rn sites as you can, caution is NOT bad advice.

        • Of course caution is recommended

          But the criteria Harry enumerated are ludicrous.
          Ed Bott
          • "record of consequences related to known exploits"

            Just what, exactly, is ludicrous about this criterion?

            I think that it succinctly states the obvious.

            If you have a better one, this would be the time and place to posit it.
          • Record of what?

            IE7 is a complete, top-to-bottom redo of Internet Explorer. Many of the core pieces, including the URL parser, have been rewritten from scratch. So an evaluation of the "record of consequences of known exploits" for IE6 is relevant?

            Isn't that like saying that Mac OS 9 and earlier were slow and crash-prone, so therefore Mac OS X should be evaluated the same way?

            Yes, the record will have to be evaluated, but in the context of this product, not in terms of a previous edition that was different. Beta versions of IE7 have been out for a year, with release candidates out for several months, so there is a record to go by.

            And my real point is that the fact that the release of a report of a single low-grade vulnerability does not prove anything.
            Ed Bott
          • "known exploits" for IE6 is relevant

            Certainly these are very relevant, Ed, as the IE7 is being hyped as better and more secure than IE6. It's the same product, by the same company, and its prior history is quite relevant.

            I really couldn't care if it was a total rewrite (which is as hyped but rather doubtful since they both pass the same exploit right to OE) or just a slight increment. MS does not get a clean slate just by releasing a "new" version. And we would very understandably expect that the new version would at least not carry the sins of the old, but it does apparently.

            A "single low grade vulnerability" speaks volumes about the quality of a product that is hyped as being very secure and better than its predecessor. Even if you can't admit that, most reasonable and rational adults will agree. And time will prove one of us or the other of us to be correct.