|
Criticisms regarding security
Internet Explorer comes under heavy scrutiny from the computer
security research community, in part due to its sheer ubiquity.
Exploitation of Internet Explorer's security holes has earned IE the
reputation as the least secure of the major web browsers.
As of January 2, 2007, security advisory site Secunia counted 18
unpatched security flaws for Internet Explorer 6, many more and older
than for any other browser, even in each individual criticality-level,
although some of these flaws only affect Internet Explorer when running
on certain versions of Windows or when running in conjunction with
certain other applications.
See computer security for more details about the importance of unpatched
known flaws.
On June 23, 2004, an attacker using compromised Internet Information
Services 5.0 Web servers on major corporate sites used two previously
undiscovered security holes in Internet Explorer to insert spam-sending
software on an unknown number of end-user computers. This malware became
known as Download.ject and it caused users to infect their computers
with a back door and key logger merely by viewing a web page. Infected
sites included several financial sites.
Art Manion, a representative of the United States Computer Emergency
Readiness Team (US-CERT) noted in a vulnerability report that the design
of Internet Explorer 6 Service Pack 1 made it difficult to secure. He
stated that:
“ There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, local file system (Local
Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in
particular, proprietary DHTML features), the HTML Help system, MIME type
determination, the graphical user interface (GUI), and ActiveX. … IE is
integrated into Windows to such an extent that vulnerabilities in IE
frequently provide an attacker significant access to the operating
system. ”
Manion later clarified that most of these concerns were addressed in
2004 with the release of Windows XP Service Pack 2, and other browsers
have now begun to suffer the same vulnerabilities he identified in the
above CERT report.
Microsoft has addressed this problem in two distinct ways with Windows
Vista: User Account Control, which forces a user to confirm any action
that could affect the stability or security of the system even when
logged in as an administrator, and "Protected-mode IE", which runs the
web browser process with much lower permissions than the user.
Many security analysts attribute Internet Explorer's frequency of
exploitation in part to its ubiquity, since its market dominance makes
it the most obvious target. However, some critics argue that this is not
the full story; the Apache HTTP Server, for example, had a much larger
market share than Microsoft IIS, yet Apache has traditionally had fewer
(and generally less serious) security vulnerabilities than IIS.[6] In an
October 2002 interview, Microsoft's Craig Mundie admitted that
Microsoft's products were "less secure than they could have been"
because it was "designing with features in mind rather than
security."[7] IIS 6 has changed this, however; Secunia has only two
vulnerabilities listed for the first three years since its release,[8]
compared with 15 for Apache 2.0 in the same time period.
As a result of its many problems, some security experts, including Bruce
Schneier, recommend that users stop using Internet Explorer for normal
browsing, and switch to a different browser instead. Several notable
technology columnists have suggested the same, including the Wall Street
Journal's Walt Mossberg, and eWeek's Steven Vaughan-Nichols. On July 6,
2004, US-CERT released an exploit report in which the last of seven
workarounds was to use a different browser, especially when visiting
untrusted sites.[13] In December 2004, Pennsylvania State University
issued an alert to students and staff telling them to drop IE and use an
alternative.
|