IE full of holes, unsafe: Security experts

The reputation of Microsoft's Internet Explorer browser has been mauled by security experts.

The comments come after a glut of critical vulnerabilities were discovered in Internet Explorer and a delay of nearly four weeks between the very public disclosure of a critical vulnerability in the browser and the roll-out of a software patch.

The self styled 'chief hacking officer' of U.S.-based eEye Digital Security, which has been responsible for the discovery of a plethora of vulnerabilities in Microsoft products, says that Internet Explorer has been insecure for a long time.

"It has been a long running theme that at almost any given point there is a remotely exploitable bug in Internet Explorer," he told ZDNet Australia . "It's one of the biggest security risks for most 'Microsoft based' corporations. Microsoft is not fixing these publicly disclosed bugs in any sort of timely manner or more so they seem to just not be fixing them at all."

Adding fuel to the fire is Ken Dunham, the 'director of malicious code' at U.S. based 'security intelligence' company iDefense. He says using IE exposes users to a raft of nasties on the Web.

"Recent exploits of Microsoft software has made it unsafe to surf the Web... it will be very difficult for some users to even know their computer is infected with a virus or otherwise compromised," he said.

Microsoft's global head of product security, George Stathakopoulos, says the 25 day delay between the disclosure of a so called "object type" vulnerability and the release of a fix was the result of a strict quality control process imposed on patches.

"Two things come in play, one is you have to release a quality patch... the second thing that comes into play this is exactly a case where you did not have responsible disclosure," he said in reference to the way the vulnerability was made public -- it was posted on the Web with no advance warning given to the software maker.

"What really has happened is... the original vulnerability as reported was fixed with [Microsoft security bulletin] MS03-032, [Microsoft security bulletin] MS03-040 fixed additional vectors for this thing," he told ZDNet Australia  by phone from Microsoft's headquarters in Redmond, U.S.

The way he describes it, the vulnerability addressed in the MS03-040 patch was similar to, but distinct from, the MS03-032 patch.

However this puts Stathakopoulos slightly at odds with the way the facts play out as presented in the MS03-032 bulletin itself, which indicates that MS03-032 was simply a dud patch.

"Microsoft originally issued this bulletin on 20 August, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," it reads. "Microsoft has investigated these reports and has issued a new bulletin with an updated patch that corrects these problems. Microsoft has released security bulletin MS03-040 which supersedes this bulletin."

Stathakopoulos would not comment on allegations made by security research company Pivx Solutions that there are over 30 un-patched vulnerabilities in Internet Explorer, but did say Microsoft is "investigating" the claim.

Microsoft has no plans to dramatically overhaul the browser, Stathakopoulos said, but users can expect some changes. "We're thinking clearly that in Internet Explorer there are certain things we could do like the hardening in Windows 2003 to minimise the exposure," he said. Changing the "user experience" is also an approach that's on the cards. The company will try to "give visual cues and mechanisms by which a user can make intelligent trust decisions on how to browse the Web".

However, Maiffret says dramatic changes are required. "Internet Explorer was a poorly thoughtout product. In their effort to become the number one browser, by cramming every feature possible, they have in essence forgotten about security and made a system so flexible that its even flexible to hackers," he said.

Anything that helps users configure and customise their security settings is a good thing, he added. "Internet Explorer is very lacking in any sort of granular security to help allow customers fine tune security settings in order to still view active content, yet in a secure manner."

iDefense's Dunham is slightly more sympathetic towards Microsoft. "Unfortunately, Micosoft has millions of lines of code to manage, which is a daunting task. I'd hate to be in the shoes of Microsoft today with so many rapid exploitations of their software emerging in the wild."

Advertisement

Talkback 7 comments

    What good is all this warning ...Anonymous -- 10/10/03

    What good is all this warning without a demonstration of what it CAN mean to us? This is something I never see when there is hoopla about IE vulnerabilities. I mean talk is talk. Does any other browser handle these exploits any better? If so, which ones. Are naming these browsers, and demonstrating their capabilities against the same exploits subjecting those also to the same insecurities? Why make us afraid without telling us the others could be just as bad?

    I was shocked earlier this wee ...Anonymous -- 10/10/03

    I was shocked earlier this week when surfing a warez site using Firebird as my browser I actually had my virus scanner pop up saying it had quarentined some javascript virus. That's why I used Firebird, to stop this stuff from happening. Also got a couple pop-ups. Guess people are figuring out how to do stuff to Firebird too.

    It's so reassuring to hear tha ...Rodd Clarkson -- 10/10/03

    It's so reassuring to hear that Microsoft's Internet Explorer isn't particularly secure, especially in the light of the fact that it's so tied into the operating system.

    When MS's George Stathakopoulos says that it takes time to fix bugs in IE due to "quality control" I imagine what he means it that they've tied IE so tightly to the Windows operating system then need to make sure that the changes that are needed don't change functionality in Windows.

    Why IE needed to be tied to tightly to Windows is of course a whole other issue, but I suspect that in trying to limit choice Microsoft has created a veritable mine-field of security issues.

    I'm so glad that alternatives like Mozilla and Linux exist to give me some choice over what software I use. I get very similar functionality to Windows and IE with these products, but they haven't been tied together so should Mozilla be too insecure I can easily replace it with another browser rather than being stuck without choice (and an open door to my computer).

    I don`t touch IE anless its wi ...Anonymous -- 12/10/03

    I don`t touch IE anless its with a ten foot barge pole, I will stick with netscape7 which I might add to me is more reliable and works faster then IE doe`s. IE is the same as microsofts operating systems flawed as they rush the products out before they are really ready

    I'd used Netscape Navigator fo ...Anonymous -- 15/10/03

    I'd used Netscape Navigator for a few years before switching to IE. Unfortunately at the time Netscape was buggy and slow. IE was slightly less so..

    Now I've finally managed to move away.. Why? Because the Mozilla has finally released a version, fast, stable and feature filled enough to retake over the Browser market.

    Have a look why I switched here: http://itmanagers.net/article-8--0-0.html

    Sir' I am a 26 years old gu ...Anonymous -- 09/02/04

    Sir'
    I am a 26 years old guy from nigeria in west africa .My opinion is that i want to know if you can have people working for you fron different part of the world.
    people who are ready faithful and honesti like to know because i like to work for you

    My name is Nicole. i tryed to ...Anonymous -- 08/12/04

    My name is Nicole. i tryed to access the clubland website and was rudley denied access.i feel this is totally unacceptable as all i wanted was some information on the cd .i shall there for not be trying to access this site again and strongly believe it is everybodys right to any information requested on a world wide web site .

Add your opinion

Latest Videos

Sponsored content

Power Centre - Content from our premier sponsors

Blogs

  • Suzanne Tindal Love me, tender
    Considering how expensive and drawn-out tender processes can be to solve problems that might be very immediate, it's little wonder that the Victorian Police IT department tried to work the tender exemptions system.
  • Array 2009 funding drought rolls on
    For Australian start-ups looking for venture capital, 2009 was a very bad year. 2010 may be no better.
  • Array Can not-so-smart meters help the NBN?
    It was interesting to witness Conroy's recent enthusiasm to spruik the NBN's role in supporting the Smart Grid, Smart City initiative. What a pity that Conroy hadn't yet seen the damning report from the Victorian auditor-general about that state's smart-meter roll-out.
  • More blogs »

Tags

Back to top

Featured