Is Microsoft creating tomorrow's IE security holes today?
Seeds of disaster
Opinion Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today?
One day early last summer, I looked out my window and saw my neighbor planting a seedling just two feet from the side of his house. I knew that decades from now this particular type of tree would grow huge, and being that close it would certainly damage his house's foundation. I could have gone out there and warned him, but this was the same guy who calls animal control every time my dog steps outside my home. So I said nothing. Revenge is sweet, even if it takes fifty years to fulfill.
Around my yard, I space the trees and plants as if they were already full grown. Why do I do this? Because I am a security consultant.
As a security consultant, I constantly see others planting the seeds for future disasters. I see people making the very same mistakes over and over. Up to now, it has been somewhat excusable: much of the software codebase we use every day was written long before we trained developers about things like buffer overflows and canonicalization. Much of the software we have now grew from the extremely competitive environment of an explosive decade of growth where killer apps were the killer app.
Look at Internet Explorer for example. Internet Explorer versions 3 and 4 introduced concepts like client scripting, streaming audio, DHTML, ActiveX support, content channels, and an endless list of other cool features. Security certainly wasn't high on that list because back then no one switched browsers for security purposes. Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features. As a result, in the first 24 hours after the release of IE 4, users downloaded one copy every six seconds - ten terabytes of downloads. IE quickly secured its place as the dominant browser, a title that it still holds today.
But today people do switch browsers for security purposes and Microsoft is losing customers to competing browsers such as Mozilla Firefox, a browser with a smaller feature set but with better perceived, if not real, security. Users quickly lose confidence in a product that always seems to have some new critical threat.
Coding for the Future
Nevertheless, Microsoft is apparently learning the lesson. Despite seemingly endless public reports of security flaws in IE, I imagine that Microsoft has also quietly fixed hundreds if not thousands of other potential security flaws before anyone else discovered them. They are also improving default security settings and adding features such as pop-up blocking and add-in management. They are paying the price for making security a low priority in the past, but they are also making a reasonable effort to try and fix the product.
It may not yet be where it needs to be, but at least they are moving, and in the right direction.
But I wonder what measures they have in place to prevent future problems. Will they take a step back and instead of fixing a specific URL spoofing vulnerability ask themselves why it is even possible to spoof a URL in the first place? Or will they question the strategy of such tight OS integration? Will the code they write today stand up to the threats of tomorrow and beyond, the threats that we cannot even imagine today? I'll put up with the IE flaws for now, but show me you are planting the right seeds for the future.
One might ask, how do you code for these future threats if you don't even know what they are. The answer is simple: you follow basic best practices for security and never, ever divert from them. In all the history of security vulnerabilities, many issues were foreseeable and could have been avoided by following basic best practices. Follow the fundamentals and you worry less about the major threats. You worry about them less because you have so many layers of protection they either don't exist, or their impact is small.
Even if I had gone out and warned my neighbor about the tree, I doubt he would have dug it up and moved it. He's just not that kind of person. So the tree grows there, and actually looks quite nice for now. But I'm a security consultant and the tree bothers me every day I look at it.
Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).
Sponsored: Protecting mobile certificates