So Internet Explorer has been the media's main victim this past week. With stories about how it is completely unsecure.
Of course having a vulnerability isn't a good thing, but why is this getting so much attention, especially considering it's not even being used to target individuals? Well I suppose the media have to knock Microsoft, it's about the only thing they can do when it comes to Microsoft so this will have to do.
Tech Radar recently interviewed Microsoft's head security guy in the UK Cliff Evans. And did a pretty bad job of it. So Evans was explaining how switching away from Internet Explorer 8 isn't a good idea - something I agree with.
"If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.
Ouch a single vulnerability that's bad right? Some guy called richmurrils seems to think so and comments:
That's the funniest thing I've read in ages.
Of course what he really demonstrates is how little richmurrils actually knows about technology or security, I expect he was one of the people telling people to turn UAC off /facepalm, and how Tech Radar can't report things in context. So I'll put things in context even if they can't be bothered to, Firefox 3.5 has had at least 35 documented security vulnerabilities. Linux based operating systems can have hundreds of vulnerabilities discovered each year, Windows historically has had the fewest usually at just a dozen or two every year discovered. A single vulnerability isn't anything unusual.
Of course nobody bothers reporting that this vulnerability can only be exploited on Internet Explorer 6, a 10 year old version and on Windows XP a 10 year old operating system. Do Mozilla even bother to support such old products? Of course not.
Alright sure the vulnerability still exists in later versions, but it cannot be exploited on newer systems because of the additional security measures Windows Vista and later provide. Namely Protected Mode made possible by UAC.
When using Firefox a hacker only has to exploit code in the browser to run code on the machine. Exploiting Internet Explorer not only requires them to find a vulnerability and exploit it but it also requires them to somehow break out of the Protected Mode sandbox. Charlie Miller a security researcher talks a bit about this back during the Pwn 2 Own contest:
Why Safari? Why didn't you go after IE or [Firefox]?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows (Vista and later -Paul).
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.
It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.
Of course 3rd parties could use Protected Mode on Windows Vista and later like IE7 and 8 do. But Mozilla, Opera and others simply don't bother. They let the process run with the same rights as the user which is fundamentally less secure then running the browser in its own little sandbox where it can't get out.
In reality vulnerabilities like these are rarely what normal people come up against on the internet. The main problem is phishing and malware. Both of which are socially engineered to get the computer user to either hand over their data willingly or willingly install an application that's malicious. So how does Internet Explorer compare? IE8 blocks 83% of phishing websites completely, compared to Firefox which blocks 80%. While Internet Explorer 8 blocked 81% of malware before it reached the machine. Firefox blocked less than 30%, and other browsers scored even worse (source).
So not only is it more difficult to exploit vulnerabilities on Internet Explorer 8 on Windows Vista and up. The malware and phishing filters are also better on IE8, something that will protect most computer users.
One last comment is on how well Google and the media have spun this around from a story about how Google got broken into and people's personal data was stolen into a story about how a 10 year old browser on a 10 year old system has a single vulnerability, without even asking why Google are running such dated systems or without bothering to report that newer versions of IE aren't as susceptible. Nice spin department working there.
Update: Mark informed me that Chrome also runs in a sandbox.