Criticism of Internet Explorer
From Wikipedia, the free encyclopedia
Internet Explorer is a web browser that is subject to many criticisms. Most of the criticism concerns its security architecture and its degree of support of open standards.
Criticisms regarding security
Internet Explorer comes under heavy scrutiny from the computer security research community, in part due to its sheer ubiquity. Exploitation of Internet Explorer's security holes has earned IE the reputation as the least secure of the major web browsers.[citation needed]
As of June 23, 2006, the security advisory site Secunia counted 20 unpatched security flaws for Internet Explorer 6, more, and older, than for any other browser at every individual criticality level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or in conjunction with certain other applications.[1]
See computer security for more details about the importance of unpatched known flaws.
On June 23, 2004, an attacker using compromised Internet Information Services 5.0 web servers on major corporate sites used two previously unknown security holes in Internet Explorer to install spam-sending software on an unknown number of end-user computers.[2] This malware became known as Download.ject; it infected users' computers with a back door and a key logger merely when they viewed a web page. Infected sites included several financial sites.
Probably the biggest generic security failing of Internet Explorer (and of other web browsers too) is that it runs with the same level of access as the logged-in user, rather than adopting the principle of least user access. Consequently any malware executing in the Internet Explorer process via a security vulnerability (e.g. Download.ject in the example above) has the same level of access as the user, which is particularly serious when that user is an Administrator. Tools such as DropMyRights address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However, this added level of security is not installed or available by default, nor does it offer a simple way to elevate privileges ad hoc when required (for example to access Microsoft Update).
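The token restriction described above, as an added PowerShell example that is neither code from this article nor DropMyRights' own source: it uses the Safer API that DropMyRights relies on to derive a limited-user token from the caller's current token and reports which groups the restriction strips. The level constants are the documented Safer values; running it assumes Windows PowerShell on a Windows host.

```powershell
# Added example (not from the article, not DropMyRights' source): build a limited-user
# token from the caller's own token with the Safer API that DropMyRights relies on,
# then show which groups the restriction stripped. Windows PowerShell only.
Add-Type -Namespace Win32 -Name Safer -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SaferCreateLevel(uint scope, uint level, uint flags, out IntPtr hLevel, IntPtr reserved);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SaferComputeTokenFromLevel(IntPtr hLevel, IntPtr inToken, out IntPtr outToken, uint flags, IntPtr reserved);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SaferCloseLevel(IntPtr hLevel);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$SAFER_SCOPEID_USER       = [uint32]2        # per-user policy scope
$SAFER_LEVELID_NORMALUSER = [uint32]0x20000  # "limited user"; 0x10000 = constrained, 0x1000 = untrusted
$SAFER_LEVEL_OPEN         = [uint32]1

function Get-LimitedUserIdentity {
    $hLevel = [IntPtr]::Zero
    $hToken = [IntPtr]::Zero
    $ok = [Win32.Safer]::SaferCreateLevel($SAFER_SCOPEID_USER, $SAFER_LEVELID_NORMALUSER,
                                          $SAFER_LEVEL_OPEN, [ref]$hLevel, [IntPtr]::Zero)
    if (-not $ok) { throw "SaferCreateLevel failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        # inToken = 0 tells Safer to start from the calling process token
        $ok = [Win32.Safer]::SaferComputeTokenFromLevel($hLevel, [IntPtr]::Zero, [ref]$hToken, [uint32]0, [IntPtr]::Zero)
        if (-not $ok) { throw "SaferComputeTokenFromLevel failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
        # WindowsIdentity duplicates the handle, so the raw one can be closed in finally
        return New-Object Security.Principal.WindowsIdentity($hToken)
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][Win32.Safer]::CloseHandle($hToken) }
        [void][Win32.Safer]::SaferCloseLevel($hLevel)
    }
}

$current = [Security.Principal.WindowsIdentity]::GetCurrent()
$limited = Get-LimitedUserIdentity
$admin   = [Security.Principal.WindowsBuiltInRole]::Administrator
'Administrators effective now: {0}; under the limited token: {1}' -f `
    ([Security.Principal.WindowsPrincipal]$current).IsInRole($admin),
    ([Security.Principal.WindowsPrincipal]$limited).IsInRole($admin)

# .Groups lists only enabled groups, so anything missing from the limited identity was
# removed or demoted to deny-only: that is what "limited user" means for a process token.
'Groups no longer effective under the limited token:'
$current.Groups | Where-Object { $limited.Groups -notcontains $_ } | ForEach-Object {
    $sid = $_
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
}
# DropMyRights hands such a token to CreateProcessAsUser to start the browser; the
# built-in "runas /trustlevel:0x20000 <program>" applies the same Safer level.
```

On a Vista-or-later machine where UAC has already filtered an administrator's token, both IsInRole results will be false and the group list may be empty, which is the same effect Protected Mode and UAC achieve by default.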
Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT) noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.[3]
Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report.[4]
Microsoft has addressed this problem in two distinct ways with Windows Vista: User Account Control, which forces a user to confirm any action that could affect the stability or security of the system even when logged in as an administrator, and "Protected-mode IE", which runs the web browser process with much lower permissions than the user.[5]
Many security analysts attribute Internet Explorer's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, some critics argue that this is not the full story; the Apache HTTP Server, for example, had a much larger market share than Microsoft IIS, yet Apache has traditionally had fewer (and generally less serious) security vulnerabilities than IIS.[6] In an October 2002 interview, Microsoft's Craig Mundie admitted that Microsoft's products were "less secure than they could have been" because it was "designing with features in mind rather than security."[7] IIS 6 has changed this, however; Secunia has only two vulnerabilities listed for the first three years since its release,[8] compared with 15 for Apache 2.0 in the same time period.[9]
As a result of its many problems, some security experts, including Bruce Schneier, recommend that users stop using Internet Explorer for normal browsing and switch to a different browser instead.[10] Several notable technology columnists have suggested the same, including the Wall Street Journal's Walt Mossberg[11] and eWeek's Steven Vaughan-Nichols.[12] On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.[13]
Component Object Model
A number of IE's security issues are related to components based on Component Object Model (COM).[citation needed]
More recently, other experts have noted that the dangers of ActiveX have been overstated and there are safeguards in place. In an April 2005 eWeek opinions column, Larry Seltzer stated:
While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it. My favorite was the "Internet Exploder" incident in which Sun actually paid someone to write a malicious ActiveX control. The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didn't mention that there were any such warnings. Meanwhile, they also didn't mention that a signed Java applet could also perform dangerous privileged operations and would provide similar warnings. Most ActiveX criticism is simply uninformed, but this example was hypocritical and dishonest.[14]
Other browsers that use NPAPI as their extensibility mechanism suffer from the same problems.
The forthcoming Windows Defender monitors Browser Helper Objects in Internet Explorer on Windows XP, Windows Server 2003, and Windows Vista and will warn the user before a new BHO is installed.
Patches
Another common criticism related to the security of Internet Explorer is the time it takes for fixes to be released after problems are discovered, and that in some circumstances the problems were not completely fixed. For example, after Microsoft released patches to close holes in its Windows NT line of operating systems on February 2, 2004, 200 days after their initial report, Marc Maiffret, Chief Hacking Officer of eEye Digital Security, was quoted in a cNet article as saying:
If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company.[15]
The same article quoted @stake's Chris Wysopal, vice president of research and development as saying:
Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter. It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test.
The Register criticized Maiffret for publicizing a security hole that led to the creation of the Code Red worm, arguing that:
had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems. … When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.[16]
Microsoft attributes the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. A posting to the Internet Explorer team blog on August 17, 2004 explained that there are, at minimum, 234 distinct releases of Internet Explorer that Microsoft supports (covering more than two dozen languages, and several different revisions of the operating system and browser level for each language), and that every combination is tested before a patch is released.[17]
References
- ^ Vulnerability Report – Microsoft Internet Explorer 6.x. Secunia. Retrieved on 2006-06-23.
- ^ Researchers warn of infectious Web sites (June 25, 2004). Retrieved on 2006-04-07.
- ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
- ^ Perspective: A safe browser? No longer in the lexicon. CNet (July 7, 2005). Retrieved on 2006-04-07.
- ^ Protected Mode in Vista IE7. Internet Explorer team blog. Microsoft (February 9, 2006). Retrieved on 2006-04-07.
- ^ Wheeler, David (November 14, 2005). Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers!
- ^ Thomson, Iain (October 9, 2002). Microsoft outlines security strategy. vnunet.com. Retrieved on 2006-04-07.
- ^ Vulnerability Report – Microsoft Internet Information Services (IIS) 6. Secunia. Retrieved on 2006-04-07.
- ^ Vulnerability Report – Apache 2.0.x. Secunia. Retrieved on 2006-04-07.
- ^ Safe Personal Computing (December 12, 2004). Retrieved on 2006-04-07.
- ^ Mossberg, Walt (September 16, 2004). How to Protect Yourself From Vandals, Viruses If You Use Windows. Personal Technology. Wall Street Journal. Retrieved on 2006-04-07.
- ^ Vaughan-Nichols, Steven (June 28, 2004). Internet Explorer Is Too Dangerous to Keep Using. Linux & Open Source – Opinions. eWeek. Retrieved on 2006-04-07.
- ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
- ^ Seltzer, Larry (April 14, 2005). The Lame Blame of ActiveX. Security — Opinions. eWeek. Retrieved on 2006-04-07.
- ^ Lemos, Robert (February 13, 2004). 200 days to fix a broken Windows. cNet. Retrieved on 2006-04-07.
- ^ Greene, Thomas (July 20, 2001). Internet survives Code Red. The Register. Retrieved on 2006-04-07.
- ^ The Basics of the IE Testing Matrix. Internet Explorer team blog. Microsoft (August 17, 2004). Retrieved on 2006-04-07.
External links
- End 6! Campaign to stop use of Explorer 6
- Just what has Microsoft Been Doing for IE 7.0? (Slashdot)
- A 30-day revelation of a sequence of IE vulnerabilities
- Secunia – Vulnerability Report – Microsoft Internet Explorer 6.x
- Explorer Exposed!
- The Door Is Ajar — An "anti-IE" article by Sun Microsystems technology director Tim Bray.
- Why You Should Dump Internet Explorer — An "anti-IE" article by MCSE Daniel Miessler.
- Browse Happy — An "anti-IE" campaign by the Web Standards Project
- Drip — A utility to detect and measure IE's memory leaks.
- IE Leak Patterns — Microsoft's analysis of IE's memory leak problem.
- Internet Explorer Exploits
- Rendering problems in Internet Explorer
- How the web was almost won — Just how close did we come to a Net ruled by Microsoft? The "server wars" show a grim counterpart to the browser wars
- What's wrong with IE?
- Crash Internet Explorer
- The Internet Explorer Hatelisting
- Internet Explorer is EVIL!