Is Internet Explorer Inherently Insecure?
In the wake of the recent attacks on Google and other companies that exploited a security vulnerability in IE 6, it seems that everywhere you turn, you hear someone advising you to dump Internet Explorer. Kim Komando was giving that advice last weekend on her radio show, but this is not limited to tech pundits. According to recent reports, Germany's Federal Office of Information Security and the French CERTA have both advised EU citizens to quit using all versions of IE.
It's being taken as "common knowledge" that IE is inherently insecure. Is it true? Are Firefox, Chrome, Safari and/or Opera more secure? Should your company ban the use of Internet Explorer? In this article, we take a look beyond the sensationalized headlines and delve deep into the facts on browser security and whether switching will really make you safe from attack.
Inside the Google hack
On January 12, Google disclosed on its blog that the company had come under attack in December. The post said that more than 20 other companies had also been targeted and the source of the attacks was apparently in China.
The Chinese government has since denied involvement in the attacks.
The specific vulnerability that was exploited by hackers in the targeted attacks is an HTML Object Memory Corruption vulnerability, which can allow the attacker to remotely execute arbitrary code by accessing a pointer that's associated with a deleted object. Although the vulnerability also exists in IE 7 and 8, the only known exploits used IE 6. In fact, Protected Mode IE in IE 7 and 8 running on Windows Vista or Windows 7 makes it much more difficult to exploit this vulnerability. Additional protection is provided by Data Execution Prevention (DEP). DEP is enabled by default in IE 8, but not in previous versions of IE.
On January 21, Microsoft Security Bulletin MS10-002, labeled "critical," was issued along with a cumulative security update for Internet Explorer versions 5.01, 6, 7 and 8 on the following operating systems:
- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows XP Professional X64 SP2
- Windows Server 2003 SP2 (including x64 and Itanium editions)
- Windows Vista, SP1 and SP2 (including x64 edition)
- Windows Server 2008 SP2 (32 and 64 bit editions and Itanium edition)
- Windows 7 (32 and 64 bit editions)
- Windows Server 2008 R2, x64 and Itanium editions
The Server Core installations of Windows Server 2008 and 2008 R2 are not affected by this vulnerability.
This was an "out of band" or "emergency" update that did not wait for the regular Patch Tuesday, which would be February 9. In fact, a Senior Security Advisor for Sophos (which has criticized Microsoft in the past) stated that Microsoft's response to the IE vulnerability was "exceptionally quick" and even "explosive," and disagreed with the widespread opinion that users should dump IE altogether.
Consequences of the Google hack
The attacks made the headlines in both the tech and mainstream press and the ramifications were felt in both political and technology sectors. Google announced that they were reconsidering their relationship with China and threatening to pull out of the country. U.S. Secretary of State Hillary Clinton urged China to investigate the attacks and said Google should refuse to support "politically motivated censorship" as practiced by the Chinese. President Obama is reported to be "troubled" by the situation. A Chinese spokesperson said the U.S. was making "groundless accusations."
Meanwhile, on the tech side in the U.S. and elsewhere, the biggest outcry was not against China, but against Microsoft. "Stop using Internet Explorer" became the mantra, and even the US-CERT (Computer Emergency Readiness Team) recommended dumping IE in favor of other "safer" web browsers.
Looking beyond the headlines
Although the headlines make it sound as if everyone is abandoning IE completely, looking beyond the media reports to the actual advisories tells a slightly different story. For example, the statement issued by the German government actually recommended that IE users switch to another browser until a fix for the Hydraq vulnerability was issued by Microsoft. Many of the articles reporting on this advisory left out the last part, making it appear that the government agency was telling users to give up IE permanently.
Statistics can be misleading too, however. A report from Secunia in February of last year shows that IE had more reported vulnerabilities than the other browsers. However, this doesn't take into account the greater market share (and thus increased attractiveness to hackers) of IE. Additionally, this report was made prior to the official release of IE 8, which added a number of security features.
Is IE inherently less secure than other web browsers?
There is no question that various versions of Internet Explorer contain security vulnerabilities that can be exploited by attackers. The real question is whether other web browsers are really more secure. Let us take a look at that.
- In November 2009, Secunia released an advisory rated as highly critical, stating that vulnerabilities in Apple's Safari web browser could allow attacks to bypass security restrictions, disclose sensitive information and/or remotely access the system. Security updates for Safari were also released in February, May, June, July, and August 2009. Several of these vulnerabilities include the possibility of remote code execution.
- In September 2009, ten security patches were issued for Firefox 3.5, all but one of them rated "critical". In fact, Mozilla generally releases security updates every two to three weeks. And last November, the Cenzic vulnerability report found Firefox to be the most vulnerable web browser, primarily due to its plug-in architecture. Firefox accounted for 44 percent of all browser vulnerabilities.
- A security vulnerability was found in Google's Chrome browser just one day after its release. Multiple security updates have been released since then. Last August, multiple serious security flaws in Chrome were reported, which could expose users to code execution attacks. In November 2009, Opera versions prior to 10.01 were reported to have multiple security vulnerabilities.
And according to Sophos representative Chet Wisniewski, Firefox and other "alternative" browsers are becoming more susceptible to threats, giving them attack surfaces equivalent to IE. IE's market share (just under 60% as of December 2009) is what makes it the favorite target of attackers. If users abandon IE and other browsers become more popular, hackers will naturally turn their focus to those browsers. And, as Graham Cluley (another Sophos consultant) pointed out, "All browsers have security flaws."
Should you fight or switch?
In making the decision about whether to switch your company's users to a different web browser, you should be motivated by facts, not fear mongering. There is undeniably a "security through obscurity" advantage to be gained by using a browser with low market share, such as Opera or Chrome (at 1.68% and 5.02%, respectively, as of December 2009). Attackers prefer to spend their time developing exploits for the most commonly used software, because they get a bigger payoff by affecting more users - just as terrorists prefer to target large gatherings where they can hurt more victims. However, this mode of protection is nebulous at best and will be lost if a substantial number of users do the same and move to the (currently) less popular browsers.
Because of all the hoopla regarding how "dangerous" IE is and the implication that other browsers do not have security problems, switching browsers may lead to a false sense of security. If users think all they have to do in order to be safe is use the "right" browser, they may ignore the necessity to install updates or configure settings properly, leaving them more vulnerable than they were with IE.
Switching browsers may also result in a learning curve as users get familiar with the new software. Another consideration in making the decision is whether your users may need to access web sites that require IE to display correctly, or use custom applications that require IE.
Safer surfing with IE
Instead of switching to a different browser, the best option may be to switch to a different - newer and safer - version of IE itself. IE 8 includes many new security features, including the SmartScreen filter for blocking imposter sites, the cross-site scripting filter to prevent XSS attacks, prevention of "clickjacking" (which uses embedded code to persuade users to click a link that performs hidden actions), and domain highlighting, which helps users identify possible phishing sites.
In addition to upgrading to the latest version of IE, additional steps you can take to make surfing safer include:
- Apply security updates promptly. A large number of successful attacks exploit vulnerabilities for which patches have been released. According to Verizon Business's 2008 Data Breach Investigations Report, "Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach." Many organizations do not apply updates promptly, either through lack of time, lack of knowledge or fear that the fix will cause reliability/stability problems.
- Configure browser settings for best security. In IE, click Tools | Internet Options | Security to check settings. In IE 7 and 8, ensure that Protected Mode is enabled. In IE 8, DEP is enabled by default; you can enable it in IE 7 by checking the box labeled "Enable memory protection to help mitigate online attacks." For the best security, set the slider on the Security tab to the High setting for the Internet zone (however, this may cause some web sites not to display or function properly). In IE 8, ensure that the SmartScreen filter is enabled.
- If you are still using IE on Windows XP, log on with a standard user account instead of an administrator account, which will prevent inadvertently downloading and installing programs or having malware make changes to the system settings.
- Another way to increase security is to run your web browser in a virtual machine installed on desktop VM software such as Windows Virtual PC or VMware Workstation. This way, an exploit of the browser will affect only the operating system in the VM and not your primary system. It's even better to connect the VM to the Internet through a DMZ or other network that's isolated from your production network.
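An added example, not part of the original article: a PowerShell script that reports the Internet-zone settings recommended in the list above (Protected Mode, SmartScreen filter, High security level) by reading the zone 3 registry values. The value names 2500, 2301 and CurrentLevel are Microsoft's documented zone-setting names; the precedence order of the four registry locations and the OK/WEAK/REVIEW labels are assumptions of this example, and the DEP checkbox is not covered.

```powershell
# Added example: audit the Internet zone (zone 3) settings named in the list above.
$zone = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Locations checked in order (assumed precedence: Group Policy first, then preferences).
$paths = @(
    "HKLM:\SOFTWARE\Policies\$zone",
    "HKCU:\Software\Policies\$zone",
    "HKCU:\Software\$zone",
    "HKLM:\SOFTWARE\$zone"
)

# Setting name, registry value name, and the data that matches the article's advice.
$checks = @(
    @{ Name = 'Protected Mode';        Value = '2500';         Good = 0 },        # 0 = on, 3 = off
    @{ Name = 'SmartScreen filter';    Value = '2301';         Good = 0 },        # 0 = on, 3 = off
    @{ Name = 'Security level (High)'; Value = 'CurrentLevel'; Good = 0x12000 }   # High template
)

function Get-EffectiveZoneValue([string]$ValueName) {
    # Return the first location that defines the value, with its source path.
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Data = $item.$ValueName; Source = $p }
        }
    }
    return $null   # not set anywhere: the browser uses its built-in default
}

$report = foreach ($c in $checks) {
    $found  = Get-EffectiveZoneValue $c.Value
    $status = 'REVIEW'            # value missing: confirm the default by hand
    $data   = 'not set'
    $source = '-'
    if ($found) {
        $data   = '0x{0:X}' -f $found.Data
        $source = $found.Source
        if ($found.Data -eq $c.Good) { $status = 'OK' } else { $status = 'WEAK' }
    }
    [pscustomobject]@{ Setting = $c.Name; Data = $data; Source = $source; Status = $status }
}
$report | Format-Table -AutoSize
```

A WEAK row whose source is a Policies path means the setting is enforced by Group Policy and has to be changed there rather than in Internet Options.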
Web browsers in general are inherently vulnerable to outside attack, because they are the software that is most frequently exposed to the Internet. Unlike early web browsers that displayed only text and graphics, modern browsers are sophisticated clients that run scripts, Java, Flash, QuickTime, Silverlight, ActiveX controls and other executable code within the browser.
Firefox's ascension to the top of the list when it comes to browser vulnerabilities, at the same time it has gained market share (now close to 25%), illustrates that as a browser becomes more popular, it becomes more of a target for hackers and malware authors. Recent advisories to use "anything but IE" are misguided because they lead users to believe that other browsers are safe, and a mass shift away from IE to Firefox or Chrome is almost sure to just shift the attackers' efforts to those browsers.
The best way to protect your systems and network from web-based attacks is to follow simple guidelines for upgrading, updating, and properly configuring the settings of your browser, whichever one you choose to use.