Chapter 8: Securing Internet Explorer


Since its release, Internet Explorer (IE) has been Microsoft's weakest security point. As the most common browser in the world, it is a malicious hacker's most popular target. Nearly 85 percent of the world's computers run IE (see http://www.en.wikipedia.org/wiki/Usage_share_of_web_browsers). By exploiting IE vulnerabilities, hackers and criminals gain the largest possible foothold into the greatest number of potential victim machines.

Secunia (http://www.secunia.com/product/11) lists over a hundred Internet Explorer 6.x vulnerabilities, many remaining unpatched for a year or longer. Consequently, many Windows users are exploring browser alternatives. Firefox and other competing Internet browsers have gained notable market share over the last two years.

To decrease the risk of new malicious attacks utilizing IE and to restore consumer confidence, Microsoft created Internet Explorer 7.0. It contains dozens of security and feature improvements. IE 7.0 was pushed down as a critical upgrade for Windows XP Pro near the end of 2006, and is the installed browser of Windows Vista. Chapter 8 will cover the security features of IE 7 and discuss how to secure Internet browsing.

Should You Use Another Browser?

Many security "experts" recommend that IE be replaced by some other "more secure" Internet browser. Often they recommend Mozilla Firefox (http://www.mozilla.com/firefox), Safari (http://www.apple.com/macosx/features/safari), Opera (http://www.opera.com), or one of the other lesser-known alternatives (Netscape, Lynx, Konqueror, and so on).

Note 

Safari and Konqueror are not available natively for the Windows environment. However, both can be installed using emulation or interfacing software.

The belief is that because Internet Explorer is the most hacked software target in the world, switching to another browser will make any computer user more secure. And in the short run this statement might be true, albeit with a loss of key functionality.

But if everyone switched browsers to some other popular standard, the malicious hackers would just attack that product, and would probably be just as successful. Hackers hack popular software. They want the most bang for their effort. As a product becomes more popular, the number of attempts and announced exploits grows with it.

For example, Internet Information Server 6 (IIS 6) has a 19 percent worldwide market share in public web servers. Open source Apache (http://www.apache.org) has a 79 percent market share. IIS 6 has had three exploits (http://www.secunia.com/product/1438) since its release in March 2003. Apache 2.x has had over 30 vulnerabilities (http://www.secunia.com/product/73) in the same time period. We can either say that Microsoft IIS 6 is significantly more secure than open source Apache, and that may be likely, or that Apache's wider popularity and availability attracts more hackers. Either way, market share attracts hackers. Similar statistics occur on nearly every product type and platform, with few exceptions.

When Mozilla's Firefox 1.0 (http://www.mozilla.com/firefox) came out in November 2004, it was heralded as the world's best and most secure browser. And a lot of the world bought the hype and switched from IE. Since late 2004, Firefox has garnered anywhere from 8 to 15 percent of the Internet browser market, depending on whose survey you believe.

Firefox is a great, open source browser. But more secure? According to Secunia (http://www.secunia.com/product/4227), Firefox 1.x has had over 35 announced vulnerabilities discovered since its release. Since June 2006, the time period when IE 7 announced its first public security advisory, Firefox 2.x has had 6 advisories to IE 7.x's 9 (as of April 2007). Do you think Firefox will become more or less hacked as it becomes more popular? Browser vulnerability statistics ebb and flow with each month's discovery announcements, but can an Internet browser with nearly as many security advisories as IE be considered the secure alternative?

Other browsers look like less promising security alternatives if their market share is compared to the number of found vulnerabilities (see Table 8-1).

Table 8-1: Comparing Browser Market Share to The Number of Vulnerabilities

BROWSER                                                  IE 7.x   Firefox 2.x   Safari 2.x   Opera 8.x
Percent market share                                     85%      11%           2%           1%
Number of vulnerabilities from June 2006 to April 2007   9        6             3            5

Market share statistics provided by http://www.en.wikipedia.org/wiki/Usage_share_of_web_browsers. Vulnerability statistics provided by http://www.secunia.com.

No single set of numbers measuring only one vulnerability facet can begin to summarize one browser's security over another. The main takeaway idea from Table 8-1 is that all browsers have holes and exploits, which increase with popularity. This makes sense as more people and hackers use and test the software.

Switching from one browser to another may provide a temporary measure of security, but if the world decides to make a new browser the more popular one, the security-through-obscurity benefit begins to fade. In a large organization, switching all the users from one browser to another may provide a temporary benefit. But after all the hard work and re-education, the security risks may end up the same.

The real answer is that all popular browsers can be used securely to minimize the risk of malicious exploitation. IE 7, in particular, has a very robust, granular, security model. It defeats all the past attacks and raises the bar for future attacks.

But remember that ultimately there is no such thing as a completely secure Internet browser. If you choose to install an Internet browser and connect to the Internet, you have increased the risk of malicious exploitation, regardless of the browser.

High security networks, such as the United States Armed Services classified networks, don't allow their computers to connect to the Internet. If you want to eliminate the risk of an Internet browser attack, don't install an Internet browser or don't allow connectivity to the Internet. But if you simply want to minimize risk as you and your end users browse the Internet, then the rest of this chapter is for you.

INTERNET EXPLORER NO LONGER REQUIRED IN VISTA

In previous versions of Microsoft Windows, IE was tightly integrated with Windows. Even if you installed an alternative browser, IE was often used as the browser of choice by many applications and applets. IE's functionality and components were a central part of Windows that you could not disable. Pragmatically, this meant that even if you used another browser, you still had to keep IE up to date, patched, and secure. And if you have to do that anyway, why run another browser?

Per Microsoft, starting with Windows Vista, IE is truly an optional component. This is good for the anti-IE crowd (and I think a correct choice for Microsoft). Still, most of the world's Web sites and applications expect IE to be the client browser. If you choose another browser besides IE, you could run into compatibility problems. But at least now users have a true choice.




Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
