Is Microsoft creating tomorrow's IE security holes today?

Seeds of disaster


Opinion Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today?

One day early last summer, I looked out my window and saw my neighbor planting a seedling just two feet from the side of his house. I knew that decades from now this particular type of tree would grow huge, and being that close it would certainly damage his house's foundation. I could have gone out there and warned him, but this was the same guy who calls animal control every time my dog steps outside my home. So I said nothing. Revenge is sweet, even if it takes fifty years to fulfill.

Around my yard, I space the trees and plants as if they were already full grown. Why do I do this? Because I am a security consultant.

As a security consultant, I constantly see others planting the seeds for future disasters. I see people making the very same mistakes over and over. Up to now, it has been somewhat excusable: much of the software codebase we use every day was written long before we trained developers about things like buffer overflows and canonicalization. Much of the software we have now grew from the extremely competitive environment of an explosive decade of growth where killer apps were the killer app.

Look at Internet Explorer for example. Internet Explorer versions 3 and 4 introduced concepts like client scripting, streaming audio, DHTML, ActiveX support, content channels, and an endless list of other cool features. Security certainly wasn't high on that list because back then no one switched browsers for security purposes. Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features. As a result, in the first 24 hours after the release of IE 4, users downloaded one copy every six seconds - ten terabytes of downloads. IE quickly secured its place as the dominant browser, a title that it still holds today.

But today people do switch browsers for security purposes and Microsoft is losing customers to competing browsers such as Mozilla Firefox, a browser with a smaller feature set but with better perceived, if not real, security. Users quickly lose confidence in a product that always seems to have some new critical threat.

Coding for the Future

Nevertheless, Microsoft is apparently learning the lesson. Despite seemingly endless public reports of security flaws in IE, I imagine that Microsoft has also quietly fixed hundreds if not thousands of other potential security flaws before anyone else discovered them. They are also improving default security settings and adding features such as pop-up blocking and add-in management. They are paying the price for making security a low priority in the past, but they are also making a reasonable effort to try and fix the product.

It may not yet be where it needs to be, but at least they are moving, and in the right direction.

But I wonder what measures they have in place to prevent future problems. Will they take a step back and instead of fixing a specific URL spoofing vulnerability ask themselves why it is even possible to spoof a URL in the first place? Or will they question the strategy of such tight OS integration? Will the code they write today stand up to the threats of tomorrow and beyond, the threats that we cannot even imagine today? I'll put up with the IE flaws for now, but show me you are planting the right seeds for the future.

One might ask: how do you code for these future threats if you don't even know what they are? The answer is simple: you follow basic best practices for security and never, ever deviate from them. Throughout the history of security vulnerabilities, many issues were foreseeable and could have been avoided by following basic best practices. Follow the fundamentals and you worry less about the major threats, because you have so many layers of protection that they either don't exist or their impact is small.
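The column names canonicalization as one of the fundamentals and asks why a URL can be spoofed at all. The following is an added example, not code from the article or from any browser, that shows the contrast in the smallest possible form: a trust decision made on the raw URL string against one made on the canonical host that a real parser extracts. The allow-list and the sample URLs are constructed for the illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application treats as trusted.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def naive_is_trusted(url: str) -> bool:
    """The anti-pattern: decide trust from the string the user sees.

    A substring test is satisfied by any URL that merely *contains* the
    trusted name, which is exactly what user-info tricks, look-alike
    subdomains and query parameters provide."""
    return "www.example.com" in url


def canonical_host(url: str) -> Optional[str]:
    """Return the canonical ASCII host a URL actually resolves to, or None.

    Canonicalization steps, in the order a browser-style parser applies them:
      1. accept only the schemes we intend to handle;
      2. let the parser split off user-info and port (hostname already
         lower-cases the result);
      3. IDNA-encode so Unicode look-alike labels become their punycode form
         and cannot collide with an ASCII allow-list entry;
      4. drop a trailing dot, which names the same host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        # Invalid or over-long labels: refuse rather than guess.
        return None
    return host.rstrip(".")


def is_trusted(url: str) -> bool:
    """Trust is decided on the canonical host, never on the raw string."""
    host = canonical_host(url)
    return host is not None and host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample URLs; the first is the only one that is trusted.
    samples = [
        "http://www.example.com/login",
        "http://www.example.com@evil.test/",          # user-info trick
        "http://evil.test/?next=www.example.com",     # name in query string
        "http://www.example.com.evil.test/",          # look-alike subdomain
        "HTTP://WWW.EXAMPLE.COM.:8080/",              # case, dot, port noise
    ]
    for u in samples:
        print(f"{u:45} naive={naive_is_trusted(u)!s:5} canonical={is_trusted(u)}")
```

The point of the side-by-side is that the naive check returns True for four of the five constructed inputs while the canonical check accepts only the first and the last, which really are the trusted host. Any check that reads the display string instead of the parsed host carries the same class of flaw regardless of which specific spoof is patched.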

Even if I had gone out and warned my neighbor about the tree, I doubt he would have dug it up and moved it. He's just not that kind of person. So the tree grows there, and actually looks quite nice for now. But I'm a security consultant and the tree bothers me every day I look at it.

Copyright © 2004, SecurityFocus

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).
