
Criticisms of Internet Explorer - Criticisms regarding security


Internet Explorer comes under heavy scrutiny from the computer security research community, in part due to its sheer ubiquity. Exploitation of Internet Explorer's security holes has earned IE the reputation as the least secure of the major browsers.

As of December 16, 2005, security advisory site Secunia counted 21 unpatched security flaws for Internet Explorer 6, more numerous and older than those for any other browser, even within each individual criticality level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications.

Another advisory site, SecurityFocus, counts 27 unpatched security flaws for Internet Explorer 6 on Windows XP SP2, and many more, and older, flaws on earlier versions of Windows.

See computer security for more details about the importance of unpatched known flaws.

On June 23, 2004, an attacker using compromised Microsoft IIS Web servers on major corporate sites used two previously undiscovered security holes in IE to insert spam-sending software on an unknown number of end-user computers [1] [2] [3]. This malware became known as Download.ject, and it caused users to infect their computers with a backdoor and key logger merely by viewing a web page. Infected sites included several financial sites.

Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT), noted in a vulnerability report that the design of IE6 SP1 makes it difficult to secure. He stated that:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report. [4]

Note that Windows XP Service Pack 2 is not available for earlier versions of Windows, including Windows 9x, NT and 2000.

In addition, some security exploits associated with Internet Explorer are made possible through normal usage patterns of users of Microsoft Windows. For example, in Windows XP, it is the default system behavior to allow normal users to log into accounts with administrator privileges for everyday computer use. In this situation, an exploit which allows a cracker to run arbitrary code effectively gives away control of the entire computer. This would be the case for any browser which ran with unrestricted privileges. Because the everyday use of root accounts by normal users is rare on other operating systems, attacks which rely upon insufficiently restricted browser processes are most often targeted at Windows-based browsers. However, many programs on Windows do not work, or work poorly, without administrator privileges, so what are considered normal security practices on other operating systems are sometimes impractical on Windows.

Many security analysts attribute IE's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, many critics argue that this is not the full story; the Apache HTTP Server has a much larger market share than Microsoft IIS, yet Apache has had fewer (and generally less serious) security vulnerabilities than IIS. Microsoft's Craig Mundie has admitted that Microsoft's products were "less secure than they could have been" because it was "designing with features in mind rather than security."

As a result of its many problems, some security experts, including Bruce Schneier [5] and open source advocate David A. Wheeler [6], recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead. Several technology columnists have suggested the same [7] [8]. On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites. In December 2004, Pennsylvania State University issued an alert to students and staff telling them to drop IE and use an alternative.

Criticisms of Internet Explorer - Component Object Model

Many of IE's security issues are related to components based on the Component Object Model (COM). The embedding of COM into Internet Explorer via ActiveX or Browser Helper Objects (BHO) created a combination of functions that provided a gateway for computer virus, trojan and spyware infections.

These malware attacks mostly depend on ActiveX for their activation and propagation to other computers. Microsoft has recognized the problem with ActiveX since 1996, when Charles Fitzgerald, program manager of Microsoft's Java team, said, "If you want security on the 'Net', unplug your computer. … We never made the claim up front that ActiveX is intrinsically secure."

ActiveX controls, once run, have all of the user's privileges instead of the limited privileges granted by competing approaches (like Java and JavaScript); ActiveX controls are also non-standard and are not portable to non-Windows platforms. As pointed out by Professor Edward Felten of Princeton University:

ActiveX security relies entirely on human judgment. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program. … The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. … The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. … The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well.

ActiveX security relies on security zones and digital signing, which are not as reliable as other measures such as the sandbox security model and the same-origin policy. This is explained in the O'Reilly book "Malicious Mobile Code":

ActiveX's biggest problem is the way it incorrectly marks controls Safe for Scripting. Already used in several email worm attacks, these types of holes continue to appear. If Microsoft cannot correctly determine the safety and appropriateness of its own system controls, how can vendors be expected to? Following that problem is the growing use of unsigned code. The digital signing process is technical and expensive. Most ActiveX controls on the Web are unsigned. Many of those that are signed, are expired. I rarely come across a control that is signed and current. If ActiveX's security lives or dies on whether end-users correctly choose to trust or not trust unsigned controls to run, it appears doomed unless digital signing of code becomes widespread. If ActiveX controls become standardized across the world's web sites, as expected, we will surely see a rise in malicious code for ActiveX.

The security problems of ActiveX were first demonstrated in February 1997 by the Chaos Computer Club (CCC), who demonstrated an ActiveX control that could communicate with an installation of Intuit's Quicken financial software on a user's hard drive to automatically transfer money from a user's account to CCC's bank account.

The United States Department of Defense (DoD) defines ActiveX as a category 1 (maximum risk) mobile code technology, and strictly limits how ActiveX can be used in DoD systems.

Other experts maintain that the dangers of ActiveX have been overstated and that there are safeguards in place. Larry Seltzer of eWeek notes:

While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it. My favorite was the "Internet Exploder" incident in which Sun actually paid someone to write a malicious ActiveX control. I was there at JavaOne when they demonstrated it (I think it was 1997). The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didn't mention that there were any such warnings. Meanwhile, they also didn't mention that a signed Java applet could also perform dangerous privileged operations and would provide similar warnings. Most ActiveX criticism is simply uninformed, but this example was hypocritical and dishonest.

The forthcoming Microsoft AntiSpyware, which is currently in beta, monitors BHOs in Internet Explorer on Windows 2000, XP and Server 2003, and will warn the user before a new BHO is installed.
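
The two weaknesses described above, controls marked Safe for Scripting and controls that are unsigned or carry a stale signature, can be checked on a given Windows machine. The following PowerShell is an added example, not part of the original article or any Microsoft tool; the function name Get-SafeForScriptingControl and the 'FileNotResolved' label are made up for this illustration, and it only reads the registry and file signatures.

```powershell
# Added example: read-only audit of ActiveX controls registered as "Safe for Scripting".
# Controls that assert safety only at run time through IObjectSafety are not listed here.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4E4C}'  # CATID_SafeForScripting
$KillBit          = 0x400                                     # "Compatibility Flags" kill bit
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-SafeForScriptingControl {
    param(
        # On 64-bit Windows, rerun with 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
        # to cover 32-bit controls.
        [string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    )
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_.PSPath
        $clsid = $_.PSChildName
        if (-not (Test-Path -LiteralPath "$key\Implemented Categories\$SafeForScripting")) {
            return   # not marked Safe for Scripting; move on to the next CLSID
        }

        # The default value of InprocServer32 names the DLL/OCX that implements the control.
        $server = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $file   = if ($server) { [Environment]::ExpandEnvironmentVariables($server.Trim('"')) }

        # 'FileNotResolved' is this example's own label (missing file or bare file name).
        $status = 'FileNotResolved'; $signer = $null; $expires = $null
        if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
            $sig    = Get-AuthenticodeSignature -FilePath $file
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) {
                $signer  = $sig.SignerCertificate.Subject
                $expires = $sig.SignerCertificate.NotAfter
            }
        }

        # A set kill bit means Internet Explorer refuses to instantiate the control.
        $flags  = (Get-ItemProperty -LiteralPath "$CompatRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)

        [pscustomobject]@{
            Clsid = $clsid; File = $file; Signature = $status
            Signer = $signer; CertExpires = $expires; KillBit = $killed
        }
    }
}

# Controls that web pages may script, that are not validly signed and not kill-bitted.
Get-SafeForScriptingControl |
    Where-Object { -not $_.KillBit -and $_.Signature -ne 'Valid' } |
    Format-Table Clsid, Signature, CertExpires, File -AutoSize
```

Rows that remain in the final table are the controls worth reviewing first: each can be driven by page script and has no valid Authenticode signature to tie it to a publisher.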

Criticisms of Internet Explorer - Patches

Critics have claimed that security fixes take too long to be released after discovery of the problems, and that the problems are not always completely fixed. After Microsoft released patches to close holes in its general operating system in February 2003, 200 days after their initial report (instead of 30-60 days), Marc Maiffret, Chief Hacking Officer of eEye Digital Security, said: "If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company." The Register criticized Maiffret for publicizing a security hole leading to the creation of the Code Red worm, arguing that "had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems."

Microsoft attributes the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. The browser is released in 26 different languages on many different Windows platforms. Therefore, it is estimated that each patch is tested on at least 237 installations.

Criticisms of Internet Explorer - Spyware adware and Windows XP SP2

Spyware and adware, like other malware, generally target Windows/Internet Explorer-based systems. Older spyware attacks have largely been mitigated by security improvements in Windows XP SP2, but newer attacks against Internet Explorer allow the installation of spyware on SP2. Microsoft advises against installing SP2 on a system which is already infested with spyware, as it can cause the system to become unbootable:

Failure to clean up spyware and adware on your computer before installing SP2 can cause issues and in some cases make your computer difficult to restart. You may not even know that spyware or adware programs are installed on your system. And some spyware or adware programs may not cause serious issues with SP2, but it's a good idea to run spyware and adware removal programs before installing SP2.

Depending on the type of spyware installed, removing it in preparation for an SP2 upgrade can be as simple as running an anti-spyware tool, or in serious cases require manual editing of the Windows Registry. Nevertheless, security experts generally recommend installing Service Pack 2.

Adapted from the Wikipedia article "Criticisms regarding security", under the GNU Free Documentation License. Please also see http://en.wikipedia.org/wiki
