Internet Explorer 8 is more secure, and why the Firefox fanboys and the media need a security lesson

So Internet Explorer has been the media's main victim this past week, with stories about how it is completely insecure.

Of course having a vulnerability isn't a good thing, but why is this getting so much attention, especially considering it's not even being used to target ordinary users? Well, I suppose the media have to knock Microsoft; it's about the only thing they can do when it comes to Microsoft, so this will have to do.

Tech Radar recently interviewed Cliff Evans, Microsoft's head of security in the UK, and did a pretty bad job of it. Evans was explaining why switching away from Internet Explorer 8 isn't a good idea, something I agree with.

"If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.

Ouch, a single vulnerability, that's bad, right? Some guy called richmurrils seems to think so and comments:

That's the funniest thing I've read in ages. :D

Of course what he really demonstrates is how little richmurrils actually knows about technology or security (I expect he was one of the people telling everyone to turn UAC off /facepalm), and how Tech Radar can't report things in context. So I'll put things in context even if they can't be bothered to. Firefox 3.5 has had at least 35 documented security vulnerabilities. Linux based operating systems can have hundreds of vulnerabilities discovered each year (though those counts cover every package a distribution ships, so they aren't directly comparable with a single product); Windows itself has historically had far fewer. A single vulnerability isn't anything unusual, and the count matters less than how hard each one is to exploit, which is the part nobody reported.

Of course nobody bothers reporting that the attack seen in the wild targeted Internet Explorer 6, an eight year old version, running on Windows XP, an eight year old operating system. Do Mozilla even bother to support such old products? Of course not.

Alright, sure, the vulnerability still exists in later versions, but it is a great deal harder to exploit on newer systems because of the additional security measures Windows Vista and later provide: DEP and ASLR at the operating system level, and Protected Mode, which runs IE7 and IE8 as a low integrity process and is only available with UAC switched on.

When using Firefox a hacker only has to exploit a bug in the browser to run code on the machine with the user's full rights. Exploiting Internet Explorer 7 or 8 on Vista and later not only requires them to find and exploit a vulnerability, it also requires them to somehow break out of the Protected Mode sandbox before they can touch the user's files, registry or startup folder. Charlie Miller, a security researcher, talked a bit about this back during the Pwn2Own contest:

Why Safari? Why didn't you go after IE or [Firefox]?

It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows (Vista and later -Paul).

It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

Of course third parties could use Protected Mode on Windows Vista and later just as IE7 and IE8 do; the integrity levels it is built on are an operating system feature, not something private to IE. But Mozilla, Opera and others simply don't bother. They let the browser process run with the same rights as the user, which is fundamentally less secure than running it in its own little sandbox that it can't get out of.
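To make the Protected Mode point concrete, here is a small Python model of the Windows Mandatory Integrity Control policy that Protected Mode relies on. This is an added example written for this post, not code from Microsoft or from the original article: the four integrity level values are the real ones Vista uses and the default No-Write-Up rule is the real policy, but the object paths and the post-exploit scenario are made up for illustration.

```python
"""Toy model of Windows Mandatory Integrity Control (MIC), the mechanism behind
IE Protected Mode. Added example for this post, not Microsoft's code. The level
values are the real SECURITY_MANDATORY_*_RID constants and No-Write-Up is the
real default policy; the paths and the post-exploit scenario are illustrative."""
from dataclasses import dataclass

# Integrity levels as Vista defines them (ordered, low to high).
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}


@dataclass
class SecurableObject:
    """A file or registry key. Objects with no explicit label are Medium."""
    name: str
    integrity: int = MEDIUM


@dataclass
class Process:
    name: str
    integrity: int


def check_access(proc: Process, obj: SecurableObject, access: str) -> bool:
    """Default MIC policy. No-Write-Up: a process may only write to objects
    labelled at or below its own level. Reads are not restricted by default
    (No-Read-Up is not applied to files and keys), so a Low process can still
    read Medium data. Windows evaluates this before the ordinary DACL check."""
    if access == "read":
        return True
    if access == "write":
        return proc.integrity >= obj.integrity
    raise ValueError(f"unknown access type {access!r}")


def simulate_post_exploit(browser_integrity: int) -> set:
    """Pretend an attacker has code execution inside the browser process and
    tries the usual follow-up steps. Returns the names of the steps that the
    integrity policy allowed."""
    browser = Process("iexplore.exe", browser_integrity)
    # (step name, object, access): constructed scenario, paths are illustrative.
    steps = [
        ("persist_startup",
         SecurableObject(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", MEDIUM), "write"),
        ("persist_run_key",
         SecurableObject(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", MEDIUM), "write"),
        ("drop_to_low_temp", SecurableObject(r"%LOCALAPPDATA%Low\Temp", LOW), "write"),
        ("read_documents", SecurableObject(r"%USERPROFILE%\Documents", MEDIUM), "read"),
    ]
    allowed = set()
    for step, obj, access in steps:
        ok = check_access(browser, obj, access)
        print(f"[{LEVEL_NAMES[browser.integrity]:6}] {access:5} {obj.name}: "
              f"{'ALLOWED' if ok else 'DENIED (no-write-up)'}")
        if ok:
            allowed.add(step)
    return allowed


if __name__ == "__main__":
    print("IE7/IE8 Protected Mode (Low integrity):")
    simulate_post_exploit(LOW)
    print("\nFirefox/Opera (Medium integrity, same rights as the user):")
    simulate_post_exploit(MEDIUM)
```

Run it and the low integrity "browser" can still read the user's documents but cannot write to the startup folder or the Run key. That is exactly why Protected Mode stops persistence but not data theft, and it is the caveat to keep in mind when calling it a sandbox. The same process at medium integrity, which is how Firefox and Opera run, succeeds at everything.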

In reality vulnerabilities like these are rarely what normal people come up against on the internet. The main problem is phishing and malware, both of which are socially engineered to get the computer user to either hand over their data willingly or willingly install an application that's malicious. So how does Internet Explorer compare? IE8 blocks 83% of phishing websites completely, compared to Firefox which blocks 80%, while Internet Explorer 8 blocked 81% of malware before it reached the machine. Firefox blocked less than 30%, and other browsers scored even worse (source).

So not only is it more difficult to exploit vulnerabilities in Internet Explorer 8 on Windows Vista and up, the malware and phishing filters are also better in IE8, and that is what will protect most computer users.

One last comment is on how well Google and the media have spun this around, from a story about how Google got broken into and people's personal data was stolen into a story about how an eight year old browser on an eight year old system has a single vulnerability, without even asking why Google were running such dated systems or bothering to report that newer versions of IE on newer versions of Windows are much harder to attack. Nice spin department working there.

Update: Mark informed me that Chrome also runs in a sandbox.

What is an MS Explorer and Google's security

The BBC have a headline that reads "German government warns against using MS Explorer". Well that's no problem, as I've never even heard of an MS Explorer. Of course what they're really going on about is Internet Explorer, and how version 6 was used to compromise Google's systems.

find an alternative browser to Internet Explorer to protect security.

Who knows what "protect security" actually means. Perhaps they mean protect their systems, or improve their security. Seriously, who wrote this article?

What they should really be having a go at is the sort of incompetent system administrators who would still be running an eight year old browser on an eight year old operating system. Ed Bott says such administrators should be guilty of malpractice, and I agree with him. What sort of people are running the IT departments of companies like Adobe and Google, to allow such dated technology on the network?

Even three year old systems like Windows Vista and Internet Explorer 7 in the default configuration are a great deal harder to attack this way: Protected Mode stops an exploited browser from writing to the user's profile or registry, and the DEP that IE8 switches on by default blocks the exploit as it was actually deployed. That isn't immunity, but it is the difference between a compromised machine and a crashed browser.

And it is just amazing that this has somehow been spun into an anti-Internet Explorer story when the real story is: how can we trust Google with our data in the cloud when they're running such antiquated systems?

Opera still complaining

Last week Microsoft accepted the EU/Opera requests for a browser ballot screen, from which users can install whichever browser they would like from a list.

This won't only be for Windows 7, but will be pushed down as an update to Windows XP and Windows Vista users too.

Surely Opera couldn't be happier, surely they won't have anything else to complain about? This gives their 2% market share a chance at becoming 20%, assuming people select at random from the 5 or so browsers listed.


Now they're complaining that the ballot screen shows the Internet Explorer icon. Hakon Wium Lie, Opera's chief technology officer said:

"The blue 'e' has become so associated with the Internet in general, due to the bundling with Windows. We think using the blue "e" might not be such a good idea."

You're worried about that? What about the giant Google logo plastered there? For many people Google is the internet; maybe they won't want to use the Opera or Firefox internets anymore.

Jeez, give it a rest.

Iowa State University's IT department clueless?

It isn't very often I come across such bad advice from IT departments. Actually, that's a lie: in my experience most IT departments are clueless (yes, neighbouring County Councils, I hear about you guys a lot). But this has to be one of the dumbest things I've come across.

Iowa State's student newspaper reports that Internet Explorer 8 isn't compatible with their Web Course Tools software, software which by the way is generally regarded as breaking almost every web accessibility rule in the book.

Anyway, their IT department wrongly claims that IE8 was released this weekend. It was released a month ago. Automatic rollouts will start this week in very small numbers, but even those aren't automatic and require the user to actually accept the installation.

The department also recommends students using Internet Explorer turn off automatic updates to their browsers.

What?  Turn off automatic updates?  Are you utterly incompetent or just INSANE?  I have a general rule of thumb for dealing with people who recommend average computer users turn off automatic updates, that rule involves punching them in the face, words just cannot express the utter stupidity of such a statement.

They then recommend that people who have already installed IE8 uninstall it. Alright, fair enough: if you didn't do your job properly 12 months ago and test these things, and there's no other option, then yes, they're going to have to uninstall it. But they go on to say "run the browser in Internet Explorer 7 compatibility mode."

What? You're telling me it works in compatibility mode and you're telling people to uninstall it? You're telling me that you recommend people waste 20 minutes uninstalling it and go back to a slower and less secure browser rather than take the 0.5 seconds to press the compatibility icon next to the address bar? Are you utterly incompetent or just NUTS?

Incompetent and LAZY by my reckoning. If compatibility mode works you don't even need to hassle your users to do anything: you could make the change on your server so that it tells IE8 to render in IE7 mode by sending the X-UA-Compatible header. How? If you're using IIS 7, put this in your web.config (the <clear /> throws away any custom headers inherited from a parent configuration, so drop it if you rely on those):

<?xml version="1.0" encoding="utf-8"?>
<configuration><system.webServer><httpProtocol><customHeaders>
    <clear />
    <add name="X-UA-Compatible" value="IE=EmulateIE7" />
</customHeaders></httpProtocol></system.webServer></configuration>

If you're using Apache, make sure mod_headers is loaded by uncommenting this in httpd.conf:

LoadModule headers_module modules/mod_headers.so

And then add this to the server, virtual host or directory configuration (it works in .htaccess too, provided AllowOverride permits FileInfo):

Header set X-UA-Compatible "IE=EmulateIE7"
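The same fix done in application code rather than server configuration, for anyone whose application isn't fronted by IIS or Apache. This is an added example for this post, not code from Iowa State or from the original article: it wraps any Python WSGI application so that every HTML response carries the X-UA-Compatible header. The header name and the IE=EmulateIE7 value are the real ones IE8 honours; course_tools_app is a constructed stand-in for the legacy application, and run_request is a harness that drives it without a network.

```python
"""Inject X-UA-Compatible from application code (WSGI middleware).
Added example for this post, not code from the original article or from
Iowa State. The header and value are real; the app and request are constructed."""
from wsgiref.util import setup_testing_defaults

HEADER = "X-UA-Compatible"


def force_document_mode(app, mode="IE=EmulateIE7"):
    """Wrap a WSGI app so every text/html response carries X-UA-Compatible.
    Only Internet Explorer reads this header and other browsers ignore it, so
    it is safe to send unconditionally. Existing headers are preserved (unlike
    IIS's <clear />); an existing X-UA-Compatible is replaced so the value set
    here is authoritative. Non-HTML responses are left alone."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            is_html = any(k.lower() == "content-type" and v.lower().startswith("text/html")
                          for k, v in kept)
            if is_html:
                kept.append((HEADER, mode))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def course_tools_app(environ, start_response):
    """Constructed stand-in for the legacy course tools application."""
    if environ.get("PATH_INFO", "/").endswith(".css"):
        start_response("200 OK", [("Content-Type", "text/css")])
        return [b"body { color: black }"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Cache-Control", "no-store")])
    return [b"<html><body>Legacy course tools page</body></html>"]


def run_request(app, path="/"):
    """Drive a WSGI app with a synthetic request, no network needed.
    Returns (status, headers as a dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    result = app(environ, start_response)
    body = b"".join(result)
    if hasattr(result, "close"):
        result.close()
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    wrapped = force_document_mode(course_tools_app)
    for path in ("/", "/style.css"):
        status, headers, _ = run_request(wrapped, path)
        print(path, status, headers.get(HEADER, "(no header)"))
```

Whichever way you set it, check the result from the outside with a plain HTTP client rather than trusting the config: the header has to arrive on the HTML response itself, and a cache or reverse proxy in front of the application can strip custom headers just as IIS's <clear /> does.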

Seriously guys, why didn't you test this 12 months ago when the first beta version of IE8 was released and implement the above fix? Doing that would have meant your users wouldn't have noticed any difference; it would all have happened completely transparently. Why did you wait until a month after its release to even realise something wasn't working, and then why did you give your users such bad advice?

Raise your game, there's a reason IT departments are getting a bad rep.

InformationWeek grasp at straws to bash IE8

InformationWeek have managed to prove that their brainlessness continues, claiming "IE8 Users Downgrade To Explorer 7".

Microsoft (NSDQ: MSFT)'s Internet Explorer 8 appears to be losing market share, even though the browser has been on the market for less than a week.

As of 8:00 am Monday, IE8 -- released Thursday -- held 1.86% of the browser market, down from a high of 2.59% on Sunday, according to market watcher Net Applications. The most likely reason for the decline is that early adopters of IE8 are switching back to the more familiar, and --at this point -- reliable Explorer 7 browser.

The Net Applications data is here. What they should have said if they weren't trying to make an ideological point was:

The most likely reason for the decline is that early adopters had to show up for work Monday morning, where they are forced to use Windows XP and Internet Explorer 6.

As we can see from the Net Applications data (which I've highlighted and marked the days for easier visibility), IE8 usage drops during working hours. This is nothing more than a high resolution version of the weekly cycle between Windows XP and Windows Vista, with Windows XP seeing greater use during the week, and Windows Vista showing greater use during the weekend.

Surprisingly, InformationWeek's journalists aren't aware of this effect, despite it being core to their reporting.

Update: PC World are following along spouting the same nonsense, as have TechTree and no doubt others. Despite the fact that as of this hour (0100 UTC on the 26th) IE8 usage has climbed to 2.82% its highest ever figure.

Internet Explorer 8 released

Internet Explorer 8 has been released for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Highly recommended, even if IE isn't your main browser grab it from here.

