Yet another Microsoft IE flaw

Created by Stuart Yeates (University of Oxford) on March 29, 2006

Yet another bug / flaw / vulnerability / whatever-you-want-to-call-it has hit Microsoft's Internet Explorer. Much of the hoo-ha in the press is about the short-term implications of this, and the press (and thus presumably their readers) are still not asking the questions needed to shed real light on the underlying issues:


  1. Is there something about browsers that makes them inherently prone to these kinds of security bugs? Yes. There has been a range of bugs with security implications across a wide variety of browsers: IE, Opera and Mozilla.
  2. Are there well-understood ways to make browsers more secure against software flaws? How? Yes. By separating functionality into units within a framework with clear, sparse, well-documented protocols between them and clear security responsibility within the framework. By having extensive review and testing of the framework and regular updates to both the framework and the components within it. By including security features such as the Java sandbox and by using a so-called "layered" security model, in which a single flaw doesn't lead to the complete compromise of an entire system.
  3. Why aren't these things used now? Some of them are, but there are many design requirements when designing, building and maintaining software, and security has to be balanced against issues such as cost, time-to-market, flexibility, robustness, ease-of-use, backwards compatibility and the availability of third-party add-ins. Companies such as Microsoft, Opera and Apple, who all have commercial browser offerings, produce software they think is going to get used in the market by balancing these.
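To make the second answer concrete, here is a small added illustration of what "separate units, sparse protocol, clear security responsibility" looks like in code. It is my own toy, not anything from Microsoft, Opera or Mozilla: an untrusted page parser runs in its own process and can only act on the outside world by sending one-line JSON requests to a trusted broker, which checks each request against an explicit policy. The page content, the `ALLOWED_HOSTS` policy and the `write_file` request the parser tries at the end are all constructed for the example; the point is that a bug in the parser cannot do more than the broker's policy permits.

```python
"""Toy privilege-separated 'browser' (added example, not from the original post).

The untrusted component (WORKER_SRC) runs as a child process. Its only way to
affect anything is to print a JSON request and read a JSON reply. The trusted
side (broker_handle) decides what is allowed, so the protocol, not the parser,
sets the damage a parser flaw can do."""
import json
import subprocess
import sys

# Policy enforced by the trusted side (constructed for the example).
ALLOWED_HOSTS = {"example.org"}
ALLOWED_OPS = {"fetch", "log"}

# Source of the untrusted component. Deliberately simple: find the hosts the
# page references, ask the broker to fetch each one, then (to model a parser
# that has been compromised) attempt an operation the protocol never granted.
WORKER_SRC = r"""
import json, re, sys

def ask(req):
    print(json.dumps(req), flush=True)      # the only channel to the outside
    return json.loads(sys.stdin.readline())

page = json.loads(sys.stdin.readline())     # untrusted input arrives here
for host in re.findall(r'src="https?://([^/"]+)', page):
    ask({"op": "fetch", "host": host})
ask({"op": "write_file", "path": "/tmp/constructed-example"})  # not in protocol
"""


def broker_handle(request):
    """Validate one request from the untrusted side; return (ok, result)."""
    if not isinstance(request, dict) or "op" not in request:
        return False, "malformed request"
    op = request["op"]
    if op not in ALLOWED_OPS:
        return False, f"operation not in protocol: {op!r}"
    if op == "fetch":
        host = request.get("host")
        if host not in ALLOWED_HOSTS:
            return False, f"host not permitted: {host!r}"
        return True, f"<constructed page from {host}>"  # stand-in for a real fetch
    return True, "logged"


def run_session(page):
    """Run the untrusted parser on `page` in a child process and broker its
    requests. Returns the list of (request, ok, result) decisions made."""
    proc = subprocess.Popen(
        [sys.executable, "-c", WORKER_SRC],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    decisions = []
    try:
        proc.stdin.write(json.dumps(page) + "\n")
        proc.stdin.flush()
        while True:
            line = proc.stdout.readline()
            if not line:                  # child finished and closed its end
                break
            request = json.loads(line)
            ok, result = broker_handle(request)
            decisions.append((request, ok, result))
            proc.stdin.write(json.dumps({"ok": ok, "result": result}) + "\n")
            proc.stdin.flush()
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)
    return decisions


if __name__ == "__main__":
    sample = ('<html><img src="http://example.org/a.png">'            # constructed page
              '<script src="http://untrusted.example/x.js"></script></html>')
    for req, ok, result in run_session(sample):
        print("ALLOW" if ok else "DENY ", req, "->", result)
```

Running it shows one fetch allowed, one fetch refused because the host is outside the policy, and the `write_file` attempt refused because the protocol simply has no such operation. That last refusal is the "layered" part: even a fully compromised parser is still talking to a broker that only understands a handful of narrow requests.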


At the end of the day, Microsoft ships products with known bugs, flaws and weaknesses because it is "good enough" and Microsoft knows that a significant number of people will buy it anyway. The solution is to look seriously at installing a different browser or office suite on top of the operating system. It doesn't matter whether it's open source or not, but the loss of market share for security reasons changes the definition of "good enough" within Microsoft and the increased diversity of applications slows malware spread.

In case you missed it:

Two well-respected Internet security companies have shipped unofficial patches for a critical flaw in Microsoft's Internet Explorer browser a full two weeks before the software maker's scheduled release of a comprehensive update.

With a wave of zero day attacks underway, eEye Digital Security and Determina offered separate hotfixes to provide temporary protection for IE users, but experts warn that the third-party patches carry a "buyer beware" tag.

As a general rule, Microsoft never recommends third-party updates because, without rigorous quality assurance testing, it is impossible to know what impact the unofficial fix might have on applications mandated in regulated industries or in-house applications.

Earlier this year, at the height of the WMF malware attacks, reverse-engineering guru Ilfak Guilfanov created a temporary patch that was recommended by experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure.

This time around, the SANS Storm Center is not recommending the temporary patch. In a diary entry, chief research officer Johannes Ullrich said the Microsoft-sanctioned workaround to turn off Active Scripting is sufficient to mitigate the risk from an attack.

© Copyright 1999-2009 EDUCAUSE