The comments come after a glut of critical vulnerabilities were discovered in Internet Explorer and a delay of nearly four weeks between the very public disclosure of a critical vulnerability in the browser and the roll-out of a software patch.
The self styled 'chief hacking officer' of U.S.-based eEye Digital Security, which has been responsible for the discovery of a plethora of vulnerabilities in Microsoft products, says that Internet Explorer has been insecure for a long time.
"It has been a long running theme that at almost any given point there is a remotely exploitable bug in Internet Explorer," he told ZDNet Australia . "It's one of the biggest security risks for most 'Microsoft based' corporations. Microsoft is not fixing these publicly disclosed bugs in any sort of timely manner or more so they seem to just not be fixing them at all."
Adding fuel to the fire is Ken Dunham, the 'director of malicious code' at U.S. based 'security intelligence' company iDefense. He says using IE exposes users to a raft of nasties on the Web.
"Recent exploits of Microsoft software has made it unsafe to surf the Web... it will be very difficult for some users to even know their computer is infected with a virus or otherwise compromised," he said.
Microsoft's global head of product security, George Stathakopoulos, says the 25 day delay between the disclosure of a so called "object type" vulnerability and the release of a fix was the result of a strict quality control process imposed on patches.
"Two things come in play, one is you have to release a quality patch... the second thing that comes into play this is exactly a case where you did not have responsible disclosure," he said in reference to the way the vulnerability was made public -- it was posted on the Web with no advance warning given to the software maker.
"What really has happened is... the original vulnerability as reported was fixed with [Microsoft security bulletin] MS03-032, [Microsoft security bulletin] MS03-040 fixed additional vectors for this thing," he told ZDNet Australia by phone from Microsoft's headquarters in Redmond, U.S.
The way he describes it, the vulnerability addressed in the MS03-040 patch was similar to, but distinct from, the MS03-032 patch.
However this puts Stathakopoulos slightly at odds with the way the facts play out as presented in the MS03-032 bulletin itself, which indicates that MS03-032 was simply a dud patch.
"Microsoft originally issued this bulletin on 20 August, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," it reads. "Microsoft has investigated these reports and has issued a new bulletin with an updated patch that corrects these problems. Microsoft has released security bulletin MS03-040 which supersedes this bulletin."
Stathakopoulos would not comment on allegations made by security research company Pivx Solutions that there are over 30 un-patched vulnerabilities in Internet Explorer, but did say Microsoft is "investigating" the claim.
Microsoft has no plans to dramatically overhaul the browser, Stathakopoulos said, but users can expect some changes. "We're thinking clearly that in Internet Explorer there are certain things we could do like the hardening in Windows 2003 to minimise the exposure," he said. Changing the "user experience" is also an approach that's on the cards. The company will try to "give visual cues and mechanisms by which a user can make intelligent trust decisions on how to browse the Web".
However, Maiffret says dramatic changes are required. "Internet Explorer was a poorly thoughtout product. In their effort to become the number one browser, by cramming every feature possible, they have in essence forgotten about security and made a system so flexible that its even flexible to hackers," he said.
Anything that helps users configure and customise their security settings is a good thing, he added. "Internet Explorer is very lacking in any sort of granular security to help allow customers fine tune security settings in order to still view active content, yet in a secure manner."
iDefense's Dunham is slightly more sympathetic towards Microsoft. "Unfortunately, Micosoft has millions of lines of code to manage, which is a daunting task. I'd hate to be in the shoes of Microsoft today with so many rapid exploitations of their software emerging in the wild."
What good is all this warning without a demonstration of what it CAN mean to us? This is something I never see when there is hoopla about IE vulnerabilities. I mean talk is talk. Does any other browser handle these exploits any better? If so, which ones. Are naming these browsers, and demonstrating their capabilities against the same exploits subjecting those also to the same insecurities? Why make us afraid without telling us the others could be just as bad?