Feeds

Is Microsoft creating tomorrow's IE security holes today?

Seeds of disaster

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Opinion Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today?

One day early last summer, I looked out my window and saw my neighbor planting a seedling just two feet from the side of his house. I knew that decades from now this particular type of tree would grow huge, and being that close it would certainly damage his house's foundation. I could have gone out there and warned him, but this was the same guy who calls animal control every time my dog steps outside my home. So I said nothing. Revenge is sweet, even if it takes fifty years to fulfill.

Around my yard, I space the trees and plants as if they were already full grown. Why do I do this? Because I am a security consultant.

As a security consultant, I constantly see others planting the seeds for future disasters. I see people making the very same mistakes over and over. Up to now, it has been somewhat excusable: much of the software codebase we use every day was written long before we trained developers about things like buffer overflows and canonicalization. Much of the software we have now grew from the extremely competitive environment of an explosive decade of growth where killer apps were the killer app.

Look at Internet Explorer for example. Internet Explorer versions 3 and 4 introduced concepts like client scripting, streaming audio, DHTML, ActiveX support, content channels, and an endless list of other cool features. Security certainly wasn't high on that list because back then no one switched browsers for security purposes. Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features. As a result, in the first 24 hours after the release of IE 4, users downloaded one copy every six seconds - ten terabytes of downloads. IE quickly secured its place as the dominant browser, a title that it still holds today.

But today people do switch browsers for security purposes and Microsoft is losing customers to competing browsers such as Mozilla Firefox, a browser with a smaller feature set but with better perceived, if not real, security. Users quickly lose confidence in a product that always seems to have some new critical threat.

Coding for the Future

Nevertheless, Microsoft is apparently learning the lesson. Despite seemingly endless public reports of security flaws in IE, I imagine that Microsoft has also quietly fixed hundreds if not thousands of other potential security flaws before anyone else discovered them. They are also improving default security settings and adding features such as pop-up blocking and add-in management. They are paying the price for making security a low priority in the past, but they are also making a reasonable effort to try and fix the product.

It may not yet be where it needs to be, but at least they are moving, and in the right direction.

But I wonder what measures they have in place to prevent future problems. Will they take a step back and instead of fixing a specific URL spoofing vulnerability ask themselves why it is even possible to spoof a URL in the first place? Or will they question the strategy of such tight OS integration? Will the code they write today stand up to the threats of tomorrow and beyond, the threats that we cannot even imagine today? I'll put up with the IE flaws for now, but show me you are planting the right seeds for the future.

One might ask, how do you code for these future threats if you don't even know what they are. The answer is simple: you follow basic best practices for security and never, ever divert from them. In all the history of security vulnerabilities, many issues were foreseeable and could have been avoided by following basic best practices. Follow the fundamentals and you worry less about the major threats. You worry about them less because you have so many layers of protection they either don't exist, or their impact is small.

Even if I had gone out and warned my neighbor about the tree, I doubt he would have dug it up and moved it. He's just not that kind of person. So the tree grows there, and actually looks quite nice for now. But I'm a security consultant and the tree bothers me every day I look at it.

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).

Related stories

Phishers tapping botnets to automate attacks
Poison applet peril affects IE, Opera and Firefox
IE in fresh security drama

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.