David A. Wheeler's Blog

Mon, 05 Feb 2007

Internet Explorer 7: Still a security problem, keep using Firefox

Microsoft’s Internet Explorer (IE) is a major security problem. The Washington Post found some horrific statistics that justify this claim pretty well: “For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users… In contrast, Internet Explorer’s closest competitor in terms of market share — Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”

Let’s sum that up: in 2006, IE was unsafe 78% (284/365) of the time - 27% (98/365) of the year with known criminal use - compared to Firefox’s 2% (9/365). This is an improvement for IE; in 2004, it was unsafe 98% of the time, and 54% of the time the flaws were known to be under active exploitation. But Firefox is improving too; in 2004 it was unsafe 15% of the time (with 0% known exploitation), and half of that time only affected Macintosh users. (I blogged on these Internet Explorer / Firefox security statistics in 2005.) You really want to be using the safer product, and now we have two different years with the same result. But none of these studies considered IE version 7… so has it all changed?

IE version 7 is finally out, and I’d like to think it’s better than IE 6. Indeed, I suspect IE 7 is better than its predecessor; Microsoft did try to improve IE security, and IE 6’s security was so bad that it was hard to get worse. But IE is not the only browser available, and early signs suggest that IE is still far behind Firefox.

In particular, there are already signs that Microsoft still isn’t addressing vulnerabilities aggressively the way that the Mozilla/Firefox team have been doing for years. Why? Because recent “Full disclosure” and Bugtraq postings give room for worry. Michal Zalewski’s “Web 2.0 backdoors made easy with MSIE & XMLHttpRequest” (3 Feb 2007) noted that the XMLHttpRequest object (used by many so-called “web 2.0” applications) allows “client-side web scripts to send nearly arbitrary HTTP requests, and then freely analyze and manipulate the returned response, including HTTP headers. This gives an unprecedented level of control over your browser to the author of a visited site. For this reason, to prevent various types of abuse, XMLHttpRequest is restricted to interacting only with the site from where the script originated, based on protocol, port, and host name observed. Unfortunately, due to a programming error, Microsoft’s Msxml2.XMLHTTP ActiveX object that MSIE relies on allows you to bypass this restriction with the use of - BEHOLD - a highly sophisticated newline-and-tab technology.” (This last bit about being “highly sophisticated” is quite sarcastic; security problems with control characters like newline and tab are as old as computer security problems.)
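To make the bug class concrete, here is an added example (my own toy code, not the blog post’s and not Microsoft’s or Mozilla’s implementation) of an XMLHttpRequest-style request builder. It models the pattern the advisory describes: the same-origin check is done on a parsed URL, but the raw strings are serialised onto the wire, so a carriage return, line feed, or the tab that begins an HTTP header continuation line turns one field into extra attacker-chosen header lines. The exact strings MSIE accepted are not on the page and are not reproduced; the page origin, the URLs and the header values below are constructed for illustration. It runs under Node.js (WHATWG URL parser, 10 or later).

```javascript
// Added example (not from the post, Microsoft or Mozilla): a toy XMLHttpRequest-
// style request builder showing the "check one representation, send another"
// defect beside a hardened version. Inputs are constructed; the page origin is
// an assumption.
const PAGE_ORIGIN = "http://app.example"; // assumed origin of the calling page

const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // HTTP token (method, header name)
const CTL = /[\r\n\0]/;                         // line breaks and NUL

// Origin check as the post describes it: protocol, host name and port.
// The WHATWG URL parser silently removes ASCII tab and newline before parsing,
// so a raw string with embedded "\r\n" still parses to the expected origin.
function sameOrigin(pageOrigin, rawUrl) {
  const a = new URL(pageOrigin);
  const b = new URL(rawUrl, pageOrigin);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// A header value with CR/LF/NUL, or one starting with tab/space (header
// folding), cannot be written as a single header line safely.
function rejectIfUnsafe(kind, value) {
  if (CTL.test(value) || /^[ \t]/.test(value)) {
    throw new Error(`${kind} contains a line break or leading whitespace`);
  }
}

// VULNERABLE: validates the parsed URL, then serialises the raw strings. The
// target goes out in absolute form, as a client sends it to a forward proxy.
function buildRequestVulnerable(pageOrigin, method, rawUrl, headers) {
  if (!sameOrigin(pageOrigin, rawUrl)) throw new Error("cross-origin request refused");
  let wire = `${method} ${rawUrl} HTTP/1.1\r\n`;
  wire += `Host: ${new URL(rawUrl, pageOrigin).host}\r\n`;
  for (const [name, value] of headers) wire += `${name}: ${value}\r\n`;
  return wire + "\r\n";
}

// HARDENED: same origin check, but every raw string is validated before use
// (current XMLHttpRequest and Fetch implementations throw on such input).
function buildRequestHardened(pageOrigin, method, rawUrl, headers) {
  if (!TOKEN.test(method)) throw new Error("method is not an HTTP token");
  if (/[\t\r\n]/.test(rawUrl)) throw new Error("URL contains tab or newline");
  if (!sameOrigin(pageOrigin, rawUrl)) throw new Error("cross-origin request refused");
  for (const [name, value] of headers) {
    if (!TOKEN.test(name)) throw new Error(`bad header name ${JSON.stringify(name)}`);
    rejectIfUnsafe(`header ${name}`, value);
  }
  return buildRequestVulnerable(pageOrigin, method, rawUrl, headers); // now safe
}

// How a server or proxy reads the bytes: every CRLF-delimited line after the
// request line, up to the blank line, is a header. Returns the names in order.
function headerNames(wire) {
  const names = [];
  for (const line of wire.split("\r\n").slice(1)) {
    if (line === "") break;
    names.push(line.slice(0, line.indexOf(":")));
  }
  return names;
}

// Constructed inputs: a same-origin URL and a header value, each carrying "\r\n".
const INJECTED_URL = "http://app.example/api/items\r\nX-Injected: 1";
const INJECTED_HEADERS = [["X-Requested-With", "XMLHttpRequest\r\nHost: attacker.example"]];

function demo() {
  const passesCheck = sameOrigin(PAGE_ORIGIN, INJECTED_URL); // true: parser dropped the CR/LF
  const wire = buildRequestVulnerable(PAGE_ORIGIN, "GET", INJECTED_URL, INJECTED_HEADERS);
  let hardenedError = null;
  try {
    buildRequestHardened(PAGE_ORIGIN, "GET", INJECTED_URL, INJECTED_HEADERS);
  } catch (e) {
    hardenedError = e.message;
  }
  return { passesCheck, names: headerNames(wire), hardenedError };
}

const result = demo();
console.log("origin check passed:", result.passesCheck);
console.log("header lines a proxy would see:", result.names.join(", "));
console.log("hardened builder:", result.hardenedError);
```

The vulnerable builder accepts the request because the parsed URL is same-origin, yet the bytes it emits carry two extra header lines, including a second `Host`, which is exactly the kind of field a forward proxy uses to decide where to send the request. The hardened builder refuses before anything is serialised; the check is cheap, and it is the same check Mozilla adopted when it fixed its own instance of the problem.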

One poster found a previous May 2006 article about this problem: “IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning)”. Indeed, the basic information goes back to September 2005. (There are hints in January 2003, but to be fair few noticed its implications at the time.)

Now it turns out that this kind of error is easy to make; even the Mozilla/Firefox people made this kind of error. In particular, this basic problem (differing in some details) was identified and fixed in Mozilla in 2005 as bug 297078.

The problem in this case isn’t that the Microsoft people made an error, and the Mozilla/Firefox people didn’t. Certainly, there’s evidence that Mozilla’s policy of releasing the source code for people to review, combined with worldwide development/review and a “bug bounty” to encourage additional review, really does produce good results. But in this case, both Microsoft and Mozilla made the error; what’s different is what happened next. Mozilla fixed it in 2005, the same year the issues had become clear, yet Microsoft still hasn’t fixed it in 2007. (And no, this particular defect isn’t included in the Washington Post study above; it sure wouldn’t have improved IE’s statistics if it had been.)

If a supplier won’t quickly fix known security problems, that’s a really big warning sign. The Washington Post earlier found that Microsoft took far longer to fix a vulnerability than Mozilla, and this latest report is consistent with that sad news. I do not understand why Microsoft hasn’t addressed this; hopefully this will turn out to be a false alarm (that seems unlikely) or they will fix it soon.

The only way to really see which browser is more secure is to examine its vulnerability pattern over time into the future - for example, does it have more vulnerabilities over time (of a certain criticality), and how fast are reported vulnerabilities repaired? But note a key issue: unless you throw away the entire program and start over from scratch, it’s difficult to turn an insecure program into a secure one. Thus, while past performance is no guarantee of future results, it’s a good way to bet. It appears that Microsoft still hasn’t fixed all the problems in IE 7 that were publicly known at least two years earlier (in some of the most widely publicized vulnerability discussion groups!). If that’s true, it’s a really bad sign… how can they have removed most of the vulnerabilities not yet publicly known, if they haven’t even addressed the ones already publicly known?

I continue recommending that users switch to Firefox and not use IE for security reasons. And I highly recommend that web developers ensure that their systems conform to web standards so that users can choose and switch their browsers. These are only my personal opinions, but I think you can see why I think it makes sense. Even ignoring this particular issue, IE has a terrible track record. I’m glad that Microsoft is starting to take security seriously (they are at least saying the right things), and I’d delight in a race between suppliers to see who can produce the most secure software. But these recent reports reinforce the supposition that IE is still too dangerous to use safely. There’s nothing “user friendly” about a program that is easily subverted.
