Trust but Verify

Summary: So is it time to kill IE? France and Germany think so.

TOPICS: Windows

So is it time to kill IE? France and Germany think so. Me, I’m not so sure. The latest versions are solid, support most of the key Internet standards and run in limited user mode, with minimal access to the core OS and the file system.

I do agree with them on one thing, though. There’s really no excuse for still running IE6. After all, IE 7 has been out for nearly 40 months, and IE 8 for most of a year. That’s more than long enough for your developers or your software vendors to have updated the code of any intranet applications. You don’t have to have updated the underlying OS, either, as both run happily on Windows XP as well as Vista. If you’re relying on ActiveX controls for performance and security, then Silverlight gives you all the features (and browser integration) that you want, with the added benefit of a .NET sandbox and a modern JIT compiler for added speed.

One view of the IE 6 problem comes from the Adobe folk we overheard on a bus during the MAX conference. The problem with enterprises who haven’t yet moved off IE 6, they said to each other as they compared notes on customers they’d come across, isn’t the IE 6 front end; it’s that if you’re still on IE 6 now for a line of business app, it’s because you wrote it before you understood Web database programming properly and you have a badly written back end with millions of rows of badly stored but crucial data in it that you don’t know how to get out. That means you’re dependent not on IE 6 but on the connectors you wrote between your IE 6 front end and your bodge-tape-and-string backend – and you can’t really blame Microsoft for that.

So should you consider removing IE 7 and IE 8 from your network, then? Not really. They’ve benefitted from Microsoft’s security reset and the resulting development of a well-thought-out security development lifecycle and the tools needed to support the development of secure code. But no browser developer can cover all the bases, and you really should be thinking about how you manage your perimeter and how you handle contextual security.

Network access policies are now relatively easy to implement and deploy. Untrusted PCs and laptops should be quarantined as soon as they touch a network, and held in a separate VLAN until they’ve been tested to ensure they meet and match your current security policies. Group policies that require the use of anti-malware software need to be mandatory (and if budget is a problem, the free Microsoft Security Essentials is at heart the enterprise Forefront AV product, without the central management tools). Tools like Windows Update Services will push security updates to hardware, and can be configured to automatically update machines as soon as they connect to a quarantine VLAN. You’ll also need to push updates for common pieces of software, like Acrobat Reader and Flash, that have become a backdoor route into PCs and networks for malware authors.

That’s only part of the story. Most common malware comes into networks through well-known channels, in email and on the web. Good perimeter security tools can catch most of that, blocking known malware vector sites and spam sources. It’s a good idea to sign up to one of the many real-time block lists, especially services like Spamhaus, which track not just the IP addresses of spam servers, but also monitor the always fluctuating addresses used by active botnets. They won’t protect you from everything, but they will keep out most of the threats. You can use a perimeter security appliance to run the blocks – or just fill in the details in Exchange. It’s surprisingly easy to use Exchange’s anti-spam tools, and they’re also surprisingly powerful.
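As an added example (not code from the post, from Spamhaus or from Microsoft), here is the lookup a block-list check in Exchange or a perimeter appliance performs against Spamhaus ZEN: build the reversed-octet query name, skip addresses that can never be listed, and turn the 127.0.0.x answer codes into a verdict, keeping the 127.255.255.x error codes separate so a rejected query cannot block all inbound mail. The DNS resolver is replaced by `stub_resolve` with constructed answers so the example runs offline.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Meaning of the 127.0.0.x answer codes Spamhaus ZEN returns for a listed address.
ZEN_CODES = {"127.0.0.2": "SBL: known spam source", "127.0.0.3": "SBL CSS: snowshoe spam range",
             "127.0.0.10": "PBL: end-user space that should not send mail directly",
             "127.0.0.11": "PBL: end-user space that should not send mail directly"}
ZEN_CODES.update({"127.0.0.%d" % i: "XBL: exploited host / botnet member" for i in range(4, 8)})

# Private, loopback and link-local space is never on a public list; don't query it.
NEVER_QUERY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> Optional[str]:
    """Reverse the octets and append the zone; None when the address must not be queried."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage or IPv6
    if any(addr in net for net in NEVER_QUERY):
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(ip: str, resolve: Callable[[str], List[str]]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is one of block, clean, skip, error, invalid."""
    # resolve(name) -> A records ([] for NXDOMAIN); in production use
    # socket.gethostbyname_ex(name)[2] with socket.gaierror mapped to [].
    try:
        name = dnsbl_query_name(ip)
    except ValueError:
        return ("invalid", [])
    if name is None:
        return ("skip", [])
    answers = resolve(name)
    if not answers:
        return ("clean", [])
    # 127.255.255.x means the query itself was rejected (open resolver, rate limit,
    # typo in the zone); treating that as "listed" would block every inbound connection.
    if any(a.startswith("127.255.255.") for a in answers):
        return ("error", answers)
    return ("block", [ZEN_CODES.get(a, "unknown code " + a) for a in answers])

# Constructed answers (not real listings) standing in for live DNS so this runs offline.
CONSTRUCTED_ANSWERS = {
    "23.100.51.198." + ZEN_ZONE: ["127.0.0.4"],              # a botnet-infected host
    "9.113.0.203." + ZEN_ZONE: ["127.0.0.2", "127.0.0.10"],  # spam source in end-user space
    "1.2.0.192." + ZEN_ZONE: ["127.255.255.254"],            # lookup rejected by Spamhaus
}

def stub_resolve(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])
```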

There are other simple techniques that can be used, for example blocking all mail that is sent to a secondary MX while the primary is in action. It turns out that this is a well-known spammer technique to try and get mail to appear to be coming from a trusted source. Web filtering on known malware sources works well too – and both Microsoft and Google have lists of sites that carry malware, as do appliance vendors like Barracuda. Upgrading to a recent version of Office can also have an effect, as newer versions of Outlook don’t use the Internet Explorer HTML engine and are less likely to randomly run scripts that download malware or connect PCs to insecure sites and services.
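As an added example (not from the post), a small Python check for the secondary-MX trick just described: it correlates the secondary MX's connection log with a reachability probe of the primary and counts, per sender, the connections that arrived at the backup while the primary was up. The log formats, timestamps and addresses are constructed for the example; real Exchange or appliance logs would need their own parser.

```python
from bisect import bisect_right
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample logs (not real traffic): a per-minute reachability probe of the
# primary MX, and the connection log of the secondary MX. In practice the probe comes
# from your monitoring system and the connections from the SMTP protocol log.
PRIMARY_PROBES = """\
2010-01-19T10:00:00Z mx1 up
2010-01-19T10:01:00Z mx1 up
2010-01-19T10:02:00Z mx1 down
2010-01-19T10:03:00Z mx1 down
2010-01-19T10:04:00Z mx1 up
"""
SECONDARY_CONNECTS = """\
2010-01-19T10:00:30Z mx2 CONNECT 198.51.100.23
2010-01-19T10:02:20Z mx2 CONNECT 203.0.113.50
2010-01-19T10:04:45Z mx2 CONNECT 198.51.100.23
"""

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_probes(text: str) -> List[Tuple[datetime, bool]]:
    """Return (time, primary_up) pairs in time order."""
    probes = []
    for line in text.splitlines():
        when, _host, state = line.split()
        probes.append((_ts(when), state == "up"))
    return sorted(probes)

def primary_was_up(probes: List[Tuple[datetime, bool]], when: datetime) -> bool:
    """State of the latest probe at or before `when`; no probe yet counts as down."""
    times = [t for t, _ in probes]
    i = bisect_right(times, when) - 1
    return i >= 0 and probes[i][1]

def suspicious_secondary_senders(probe_log: str, connect_log: str) -> Dict[str, int]:
    """Count, per client IP, connections to the secondary MX made while the primary was up.

    A well-behaved MTA only falls back to a lower-priority MX when the primary fails, so a
    sender that goes to mx2 while mx1 is reachable is using the backup-MX trick.
    """
    probes = parse_probes(probe_log)
    hits: Dict[str, int] = {}
    for line in connect_log.splitlines():
        when, _host, verb, ip = line.split()
        if verb == "CONNECT" and primary_was_up(probes, _ts(when)):
            hits[ip] = hits.get(ip, 0) + 1
    return hits
```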

Of course you’re unlikely to catch everything, so having a mitigation and detection strategy is also important. Tripwire tools can catch modified files and data, and data loss prevention tools can control what leaves your network (as can using mandatory encryption). There’s also scope for using network monitoring tools to detect and block unusual traffic – after all, it’s easier to unblock a new application than inform your shareholders of data loss…

Hardening your client machines is also important. You don’t know what networks a laptop will be connecting to, so make sure that all machines that leave your network are both up to date and running effective local firewalls and security tools. The built-in tools in Windows (at least from XP SP2 onwards) are good enough for most day-to-day use, but third-party tools can give you an extra edge.

Trust is key to effective security. Tools like Windows 7’s AppLocker control which applications can run on a managed PC. If you only allow tested and trusted code to run on your PCs, then you’re likely to prevent random malware from infecting your network. It’s like vaccination: protecting one PC reduces the risk of the rest of the network being infected. Protect them all, and you’re significantly reducing your risk of exposure.

Get rid of IE? No. Just run a secure network, with up-to-date tools and technologies, and you’re likely to be safe from most attacks. Just be sure who you trust, and how well you trust them. A trusted partner or PC is more likely to be an attack vector than a random web page. The less you trust a PC, the less access it should have – and the same rules need to apply to business-to-business connections and VPNs. They may be trusted connections, but you don’t know what’s using them…

Simon Bisson

About Simon Bisson

Simon Bisson is a freelance technology journalist. He specialises in architecture and enterprise IT. He ran one of the UK's first national ISPs and moved to writing around the time of the collapse of the first dotcom boom. He still writes code.

Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things inbetween.

  • Trust but Verify

    The German and French (and Swiss) governments have clearly and specifically said that the flaw is NOT only in IE6, it is also in 7 and 8. They have further clearly and specifically stated that the "temporary measures" recommended by Microsoft are NOT sufficient to block the attack, and that users should NOT use any version of IE, even with the Microsoft recommendations. Who are ordinary users supposed to believe - the company that provides the obviously broken, buggy and insecure software, and which certainly has a very large vested interest in NOT having users learn that there are other browsers available, many of which are much better, nicer, less buggy and more secure than IE? Or the chorus of government and industry experts and analysts (at least those who are not in Microsoft's pocket) who say unequivocally NOT to use IE?

    As for making a PC "secure" and "trusted" and "reliable", go tell this to all the average PC users who buy a computer and expect it to be reliable and work properly. Explain to them what a "tripwire" setup is, how they download, install, configure and monitor it, what "SpamAssassin" and the like are, how they sign up for it, configure it and keep it current, and on, and on, and on... and then explain to them exactly how much all of this is going to cost, on top of what they have already paid for their PC, and the Internet Security software that came on it which they were led to believe would protect them from all of this, and which they probably already paid even more for once the 60-day trial version expired...

    Yes indeed, that certainly sounds like a lot of fun to me.

    jw 19/1/2010

    P.S. I just received a detailed analysis from a security firm which reinforces what I said above. Your blog clearly implies that IE 7 and 8 are not subject to this security problem - as do Microsoft's public statements. However, the analysis I have in front of me clearly shows the exploit, how it works and how it is triggered, and the entire procedure was performed on IE 7. So where is the flaw, which versions of IE are subject to it, who are we to believe? The only rational way to deal with this is to stop listening to all the misleading, mealy-mouthed excuses and cover-ups, throw IE in the trash where it belongs, and use a decent browser.

  • Trust but Verify

    Enterprises don't have the flexibility of consumers. However they do have the resources to build a proper defence in depth - which is the point of this blog post.

    With regards to the vulnerability in IE7 and IE8, as I understand it, it requires DEP to have been turned off - something any admin worth their salt will be forcing on with a group policy. Security is about a lot more than browser choice. You're only as secure as the network you run, and that can only be secured by defining a perimeter, enforcing policies and implementing a tiered set of security tools. With cross-platform, cross-browser tools rapidly becoming a major attack vector, it's clear that no browser is safe and that effective network security is the only real response to the current generation of attacks and attackers.
    Simon Bisson and Mary Branscombe
  • Trust but Verify

    and I have in front of me a security analysis from another company, Imperva, who doubts it's down to IE at all... "To execute an attack this sophisticated, it likely occurred as a result of spear phishing Google employees to gain access to Google users credentials. A hacker would have to jump through many hoops inside an internal network. This requires network
    Simon Bisson and Mary Branscombe
  • Trust but Verify

    And you've just completely changed the subject.

    When JW says:
    "I just received a detailed analysis from a security firm which reinforces what I said above. Your blog clearly implies that IE 7 and 8 are not subject to this security problem",

    he is clearly talking about the demonstrable bug in IEs 6, 7 and 8.

    However, when you reply:
    "and I have in front of me a security analysis from another company, Imperva, who doubts it's down to IE at all...",

    you are talking about the security breach at Google. So "thanks" for that non-sequitur, but what JW said still stands.
  • Trust but Verify

    Chris - Thanks, I had essentially the same thought, but had decided that this thread was not worth pursuing any more, as the relevant information had already been stated, so all that is left is the irrelevant (as we can see). In any case, you are exactly correct - the citation about "doubts it's down to IE at all" is totally irrelevant. It cites what, why and how the original attack occurred, whether it was a targeted attack or not, and so on. At this point that is totally beside the point. The vulnerability is known, it has been proven, documented and distributed, and it is likewise known that there are sites exploiting this vulnerability - the only thing that is not known, of course, is exactly how many there are, and that too is irrelevant.

    At this point my position is very simple, for anyone who asks me anything related to this. Stop using IE. Period. Just stop. Pick another one. You will be happier, and your computer will be happier. But at the end of the day, those who don't change now will get another chance, during the next IE crisis, and the one after that, and the one after that. Microsoft and their apologists can make all the excuses they want, and they can throw all the vague, ungrounded aspersions at "alternative browsers" that they want, and they can try to confuse, distort and obfuscate the issue, but the situation in the real world won't change. The bugs will keep coming, the security vulnerabilities will keep coming, and each time it will drive more people away from IE. Thankfully.

  • Trust but Verify

    Well, I thought it was a good article, Simon, and yes it is all relevant; adoption of preventive measures greatly reduces the impacts of any of the given situations.

    What surprises me amongst all this spiteful tongue spitting is not one mention of Adobe in all of this?! Were they too not partially responsible in all of this?

    Besides, anyways, the only thing protecting Linux distributions is their indifference to one another and lack of broader adoption. I find it quite amusing when I hear how some users don't even install any anti-virus scanners at all for their choice of distribution.

    Surely somewhere down the line this will eventually bite them in the ass.