OtaSoft

Open Source Software Blog


Internet Explorer 7: Still a security problem, keep using Firefox

February 5th, 2007

Microsoft’s Internet Explorer (IE) is a major security problem.

The Washington Post found some horrific statistics that justify this claim pretty well:
“For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users… In contrast, Internet Explorer’s closest competitor in terms of market share — Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”
Let’s sum that up: in 2006, IE was unsafe 78% (284/365) of the time - 27%
(98/365) had known criminal use - compared to Firefox’s 2% (9/365).
This is an improvement for IE; in 2004, it was unsafe 98% of the time,
and 54% of the time there was known active exploitation of its flaws.
But Firefox is improving too; in 2004 it was unsafe 15% of the time (with
0% known exploitation), and half of that time only affected Macintosh users.
(I blogged on these Internet Explorer / Firefox security statistics in 2005.)
You really want to be using the safer product, and now we have two
different years with the same result.
But none of these studies considered IE version 7… so has it all changed?

IE version 7 is finally out, and I’d like to think it’s better than IE 6.
Indeed, I suspect IE 7 is better than its predecessor;
Microsoft did try to improve IE security, and IE 6’s security
was so bad that it was hard to get worse.
But IE is not the only browser available, and
early signs suggest that IE is still far behind Firefox.

In particular,
there are already signs that Microsoft still isn’t addressing vulnerabilities
aggressively the way that the Mozilla/Firefox team have been doing for years.
Why? Because recent “Full disclosure” and Bugtraq postings give room for worry.

Michal Zalewski’s “Web 2.0 backdoors made easy with MSIE & XMLHttpRequest” (3 Feb 2007)
noted that the XMLHttpRequest object (used by many
so-called “web 2.0” applications) allows
“client-side web scripts to send nearly arbitrary HTTP requests, and then
freely analyze and manipulate the returned response, including HTTP
headers. This gives an unprecedented level of control over your browser to the
author of a visited site. For this reason, to prevent various types of
abuse, XMLHttpRequest is restricted to interacting only with the site from
where the script originated, based on protocol, port, and host name
observed. Unfortunately, due to a programming error,
Microsoft’s Msxml2.XMLHTTP ActiveX object that MSIE
relies on allows you to bypass this restriction
with the use of - BEHOLD - a highly sophisticated newline-and-tab
technology.”
(This last bit about being “highly sophisticated” is quite sarcastic;
security problems with control characters like newline and tab are
as old as computer security problems.)
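
The kind of check at stake, as an added example (not code from Zalewski's post, Microsoft or Mozilla): a same-origin test on protocol, host name and port, plus refusal of any method, URL or header value that carries control characters such as newline and tab. The function names and the `example.test` host are hypothetical.

```javascript
// Added example: defensive checks only; all names here are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (protocol, host name, port), the triple the quoted text describes.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ""}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// An HTTP method must be an RFC 7230 "token": no space, tab, CR, LF or other controls.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Reject every C0 control character and DEL (covers CR, LF and tab). This is
// stricter than the RFC, which tolerates a tab inside a header value.
const CONTROL = /[\x00-\x1f\x7f]/;

// Returns the reasons to refuse a request; an empty list means it may be sent.
function checkRequest(pageUrl, method, targetUrl, headers = {}) {
  const problems = [];
  if (!TOKEN.test(method)) problems.push("method is not a plain token");
  // Test the raw string: URL parsers silently strip tabs and newlines,
  // so checking only the parsed URL would hide them.
  if (CONTROL.test(targetUrl)) {
    problems.push("URL contains control characters");
  } else {
    try {
      if (!sameOrigin(pageUrl, targetUrl)) problems.push("cross-origin target");
    } catch (e) {
      problems.push("URL does not parse");
    }
  }
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN.test(name)) problems.push(`header name ${JSON.stringify(name)} is not a token`);
    if (CONTROL.test(String(value))) problems.push(`header ${JSON.stringify(name)} value has control characters`);
  }
  return problems;
}

// Constructed sample calls; example.test is a placeholder host.
const SAMPLES = [
  ["GET", "http://example.test:80/data"],
  ["GET", "https://example.test/data"],
  ["GET\tx\r\ny", "http://example.test/data"],
];
for (const [m, u] of SAMPLES) {
  console.log(JSON.stringify(m), u, checkRequest("http://example.test/app", m, u));
}
```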

One poster found a previous May 2006 article about this problem:
“IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning)”.
Indeed, the basic information goes back to September 2005.
(There are hints in January 2003, but to be fair few noticed its implications
at the time.)

Now it turns out that this kind of error is easy to make; even the
Mozilla/Firefox people made this kind of error.
In particular, this basic problem (differing in some details) was
identified and fixed in Mozilla in 2005 as bug 297078.

The problem in this case
isn’t that the Microsoft people made an error, and the
Mozilla/Firefox people didn’t.
Certainly, there’s evidence that Mozilla’s policy of releasing the source
code for people to review, combined with worldwide development/review and
a “bug bounty” to encourage additional review, really
does produce good results.
But in this case, both Microsoft and Mozilla made the error; what’s
different is what happened next.
Mozilla fixed it in 2005, the same year the issues had become clear,
yet Microsoft still hasn’t fixed it in 2007.
(And no, this particular defect isn’t included in the Washington Post
study above; it sure wouldn’t improve IE’s statistics if they had.)

If a supplier won’t quickly fix known security problems, that’s a really big
warning sign.

The Washington Post earlier found that Microsoft took far longer to
fix a vulnerability than Mozilla, and this latest report is consistent
with that sad news.
I do not understand why Microsoft hasn’t addressed this; hopefully this
will turn out to be a false alarm (that seems unlikely) or they
will fix it soon.

The only way to really see which browser is more secure is to examine its
vulnerability pattern over time into the future - for example,
does it have more vulnerabilities over time (of a certain criticality), and
how fast are reported vulnerabilities repaired?
But note a key issue:
unless you throw away the entire program and start over from scratch, it’s
difficult to turn an insecure program into a secure one.
Thus, while past performance is no guarantee of future results, it’s
a good way to bet.
It appears that Microsoft still hasn’t fixed all the problems in IE 7 that were
publicly known at least two years earlier (in some of the most
widely publicized vulnerability discussion groups!).
If that’s true, it’s a really bad sign… how can they have removed
most vulnerabilities not publicly known, if they haven’t even addressed the
ones already publicly known?

I continue recommending that users switch to Firefox and not use IE
for security reasons.
And I highly recommend that web developers ensure that their systems conform
to web standards so that users can choose and switch their browsers.
These are only my personal opinions, but I think you can see why I
think it makes sense.
Even ignoring this particular issue, IE has a terrible track record.
I’m glad that Microsoft is starting to take security seriously (they are
at least saying the right things), and I’d delight
in a race between suppliers to see who can produce the most secure software.
But these recent reports reinforce the supposition that
IE is still too dangerous to use safely.
There’s nothing “user friendly” about a program that is easily subverted.

Original post by David A. Wheeler’s Blog and software by Elliott Back
