Should you dump Internet Explorer, NOW?
D`oh, now there's a redundant question.
Yesterday, ZDNET blogger Ed Bott asserted that "it's time to stop using IE6." I s-o-o-o-o disagree. For many organizations and all consumers, it's time to stop using any version of Microsoft's browser -- IE6, IE7, IE8 and forget someday releasing IE9. Less than a week ago, the German government told its citizens to switch from Internet Explorer. This is good advice for you, too.
On Thursday (Jan 14), McAfee pegged a previously publicly unknown Internet Explorer exploit as one of the mechanisms used to invade computers or networks among more than 20 U.S. companies. On Tuesday (Jan. 12), Google disclosed the security breaches, which were traced back to China. McAfee dubbed the attacks "Operation Aurora." On Friday (Jan. 15), McAfee and Microsoft reported that code for the zero-day exploit was in the wild, potentially putting millions of Windows PCs at risk.
Bott singled out IE6, presumably because of Microsoft's cleverly worded Thursday blog post, security bulletin and statements to the press. From Thursday's blog post: "Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time." Bott writes: The entry point? According to Microsoft, it's IE6."
I found the IE6-only assertion puzzling since the early version of McAfee's blog post, credited to CTO George Kurtz, explains: "Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7." McAfee later updated the post to say that to date the attacks targeted IE6. Nowhere did Kurtz say that only IE6 was vulnerable to the exploit.
Betanews' Scott Fulton made the right observations early Thursday evening: "One may reasonably ask, just who at Google -- the maker of Chrome, its own Web browser -- would be a potential target who also would happen to be running IE6 on Windows 7 -- a system which, by default, installs IE8?"
Yes, who at Google would run IE6 on Windows 7? Easy answer: A developer looking to ensure IE6 compatibility with new Google services. But even that's a stretch. More likely: IE7 and IE8 are vulnerable to to exploit. On Friday, Microsoft acknowledged this circumsatnce in yet another blog post, and Bott responsibly noted this in his ZDNet post. According to Microsoft: "Newer versions of Internet Explorer are affected by this vulnerability." Updated Microsoft Security Advisory 979352 qualifies the extent of vulnerability in IE7 and IE8 under "mitigating factors." Not everyone is safe, regardless of Internet Explorer version.
The Problem with Mitigating Factors
I've long accused Microsoft of conducting "security by PR" campaigns instead of clearly disclosing security risks. Security by PR seeks to minimize the real risk while disclosing information about a vulnerability. With respect to the Aurora exploit, Microsoft was quick to warn of the risk -- after there had been some disclosure by Google and later McAfee's release of the attack vector's schematics. Initially, Microsoft singled out IE6. In the second blog post and updated 979352 bulletin -- released after it was widely reported that other browser versions are vulnerable -- did Microsoft really come clean; that is creditworthy.
Bott is a responsible journalist, who also knows his way under the hood of Microsoft operating systems. But he also is sometimes too much the Microsoft cheerleader (Whereas I am accused of being a Microsoft critic). In my reading of the updated bulletin, he overlooks like the broader IE risks. Bott writes: "Under the 'Mitigating Factors' heading, the Microsoft Security Response Center specifically notes that the exploit used in this case does not run under IE7 and IE8 in Windows Vista or Windows 7." Perhaps Bott didn't see the v1.1 of the 979352 bulletin before posting.
In the "affected software" section, Microsoft lists IE7 and IE8 running on Windows XP, Vista, 7, Windows Server 2003 and 2008. The "mitigating factors" is downright scary reading, so let's have a Sunday scare and go through them:
1. The MSRC bulletin observes that DEP, Data Execution Protection, is enabled on IE8 running on Windows Vista, XP and 7. Fine, but what about IE7? For December, according to Net Applications, IE 7 browser usage share was a seemingly meager 15.53 percent. IE6 and IE8 were neck and neck with usage share of 20.99 percent and 20.88 percent, respectively. IE usage share for all versions was 62.69 percent in December, meaning that the majority of people weren't automatically protected by DEP. The feature can be manually enabled in IE 7, but how many people will realistically do this? It's on by default in IE8 for a reason.
2. "Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability." Key word is "limits." Protected mode doesn't protect against the attack but only limits it.
3. "An attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability." That's pretty damn self explanatory.
4. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user." The bulletin rightly observes that "users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights." Right, and with the majority of PC users running Windows XP, which default privilege is administrator, how many are likely running as something less? Many larger businesses will limit rights, but most consumers and small businesses won't know the difference. There's a reason why Microsoft lowered default privileges in Windows Vista and 7.
5. According to the MSRP bulletin, the default security setting for IE running on Windows Server 2003 and 2008 is "high." As it should be. But the better security measure is obvious: Never use a Web browser on a server behind the corporate firewall.
6. "By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone." It's a good feature and one that would greatly minimize risks posed by mitigating factor #3. Problem: People will stupidly change this setting because they want to see pretty e-mail and run scripts or ActiveX controls. Microsoft put in the right mechanism, it's too bad some users will create security risk by flipping the switch that allows remote images and scripts to load.
Update: In a blog posted about eight-and-a-half hours after this one, George Stathakopoulos, Microsoft's GM of Trustworthy Computing Security, writes: "The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time."
Interesting, because McAfee has been quite deliberate in its general identification of Internet Explorer, which fits with the MSRC bulletin's identifying IE7 and IE8 as also being vulnerable. Yesterday, Kurtz blogged: "This attack is especially deadly on older systems that are running XP and Internet Explorer 6." He didn't write only affects IE6 or even insinuate it. In a follow-up post today, he writes: "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks."
Is Microsoft unleashing another security by PR tactic to diminish the negative public relations effect? Or perhaps is McAfee over-emphasizing the threat to sell more security software? Those are questions best answered in a follow-up to this post. But if you've got an opinion, please share it in comments.
Choose Your Browser Wisely
Some Betanews readers will ask why the Aurora exploit should be reason to dump Internet Explorer? After all, there have been plenty of other exploits. Why now? Answer: The large number of exploits. The newest zero day exploit is yet just another reason to dump Microsoft's browser. Based on declining IE usage share, many Internet users clearly see IE as an anachronism, a browser which belongs to an aging PC-centric business model. According to Net Applications, IE usage share dropped from 69.23 percent to 62.69 percent between February and December. During the same time period, Firefox continued its steady climb, going from 22.58 percent to 24.61 percent. Meanwhile, Chrome soared from 1.54 percent to 4.63 percent usage share -- little more than a year after being released in beta.
There has been plenty of punditry about why Google developed its own browser. It's not rocket science: Internet Explorer. The company's business is all about the Web, where a modern, standards-based browser would be the better way to consume Google products or services. Something else: Internet Explorer 7 and 8 are too complex, offering all kinds of prompts and warnings -- the majority of which deal with privacy or security. By comparison, Chrome and Firefox use simpler, less-prompted approaches that hide security complexity from users. Generally, there only prompts when there is real risk, like trying to navigate to known malicious sites.
Some of that complexity makes IE7 and IE8 dangerous browsers to use. The complexity creates two flipside-of-coin problems:
1. Users become dumb to the prompts and develop click-thru behavior. Who really reads those security prompts or browser bar warnings? It's easy enough to click thru the security warning popup or browser bar prompt blocking some script, ActiveX control or file download. When end users develop the habit of clicking through, they can mindlessly click thru nefarious popups, thus downloading unwanted malware.
In fairness, IE7 and IE8 pack some nifty safety tricks, like "Protected Mode." But couldn't these work silently without other security features teaching users bad habits? The better approach would be to prompt only when there is high risk, so that people pay attention. Google and Mozilla take this more sensible approach.
2. IE7 and IE8 complexity lead to false senses of security. If there's no prompt or warning, then users can feel the Website is safe. The Aurora exploit demonstrates attack is still possible without warning. Users aren't safe. This is the flipside of Microsoft's problem of offering IE users too many prompts.
The point: Ed Bott is right to assert that "any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice." But should anyone run IE7 or IE8? I say absolutely not. Microsoft has hoisted big usability and ongoing security problems onto Internet Explorer users. Two reasons why:
- Backwards compatibility is one of Microsoft's top design priorities
- Microsoft has too much invested in legacy Internet Explorer to start over
But start over, with a WebKit based browser, is what I recommended in September. It's particularly sensible in the mobile device market, where between November and December, Web surfing from Android handsets rose 54 percent, according to Net Applications. Windows Mobile didn't even make the Top 5, which included Java ME.
I often have wondered why Microsoft hasn't produced a decent mobile browser, and plenty of other technophiles have voiced confusion about this matter, too. What if security is a major reason -- that Microsoft is finding it hard to release a decent mobile browser without all the desktop baggage? Surely, Microsoft's mobile leadership can't be that incompetent not to realize how important the mobile browsing market is becoming. There must be another reason why Microsoft can't release a decent mobile browser.
This long post ends with two simple questions: What is your primary Web browser? If the answer is some version of Internet Explorer, why? I switched to Chrome, after so expectantly hoping Microsoft would fix in IE8 the usability problems pervasive in IE7.