Is Microsoft creating tomorrow's IE security holes today?

Seeds of disaster

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Opinion Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today?

One day early last summer, I looked out my window and saw my neighbor planting a seedling just two feet from the side of his house. I knew that decades from now this particular type of tree would grow huge, and being that close it would certainly damage his house's foundation. I could have gone out there and warned him, but this was the same guy who calls animal control every time my dog steps outside my home. So I said nothing. Revenge is sweet, even if it takes fifty years to fulfill.

Around my yard, I space the trees and plants as if they were already full grown. Why do I do this? Because I am a security consultant.

As a security consultant, I constantly see others planting the seeds for future disasters. I see people making the very same mistakes over and over. Up to now, it has been somewhat excusable: much of the software codebase we use every day was written long before we trained developers about things like buffer overflows and canonicalization. Much of the software we have now grew from the extremely competitive environment of an explosive decade of growth where killer apps were the killer app.

Look at Internet Explorer for example. Internet Explorer versions 3 and 4 introduced concepts like client scripting, streaming audio, DHTML, ActiveX support, content channels, and an endless list of other cool features. Security certainly wasn't high on that list because back then no one switched browsers for security purposes. Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features. As a result, in the first 24 hours after the release of IE 4, users downloaded one copy every six seconds - ten terabytes of downloads. IE quickly secured its place as the dominant browser, a title that it still holds today.

But today people do switch browsers for security purposes and Microsoft is losing customers to competing browsers such as Mozilla Firefox, a browser with a smaller feature set but with better perceived, if not real, security. Users quickly lose confidence in a product that always seems to have some new critical threat.

Coding for the Future

Nevertheless, Microsoft is apparently learning the lesson. Despite seemingly endless public reports of security flaws in IE, I imagine that Microsoft has also quietly fixed hundreds if not thousands of other potential security flaws before anyone else discovered them. They are also improving default security settings and adding features such as pop-up blocking and add-in management. They are paying the price for making security a low priority in the past, but they are also making a reasonable effort to try and fix the product.

It may not yet be where it needs to be, but at least they are moving, and in the right direction.

But I wonder what measures they have in place to prevent future problems. Will they take a step back and instead of fixing a specific URL spoofing vulnerability ask themselves why it is even possible to spoof a URL in the first place? Or will they question the strategy of such tight OS integration? Will the code they write today stand up to the threats of tomorrow and beyond, the threats that we cannot even imagine today? I'll put up with the IE flaws for now, but show me you are planting the right seeds for the future.

One might ask, how do you code for these future threats if you don't even know what they are. The answer is simple: you follow basic best practices for security and never, ever divert from them. In all the history of security vulnerabilities, many issues were foreseeable and could have been avoided by following basic best practices. Follow the fundamentals and you worry less about the major threats. You worry about them less because you have so many layers of protection they either don't exist, or their impact is small.

Even if I had gone out and warned my neighbor about the tree, I doubt he would have dug it up and moved it. He's just not that kind of person. So the tree grows there, and actually looks quite nice for now. But I'm a security consultant and the tree bothers me every day I look at it.

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).

Related stories

Phishers tapping botnets to automate attacks
Poison applet peril affects IE, Opera and Firefox
IE in fresh security drama

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.