Hey, Microsoft, Internet Explorer security talk is cheap
Why don't you clam up and do something already?
On Sunday, I asked the question "Should you dump Internet Explorer, NOW?" and quickly offered yes as the answer for all versions of the browser. Reaction to the post surprised me. As I write, there are more than 155 comments. Clearly, IE is a sensitive topic with readers -- and also with Microsoft, which has once again taken a "security by PR" approach to the problem rather than offering a real solution.
I first started talking about Microsoft's "security by PR" strategy more than five years ago. Rather than manage the problem -- a current zero-day threat affecting Internet Explorer 6, 7 and 8 -- Microsoft is trying to manage the reaction. That simply is the wrong approach to quality customer service or instilling users with confidence about using the Web browser.
Quick recap: On January 12, Google disclosed security breaches, affecting more than 20 companies, that were traced back to China. Two days later, McAfee pegged a previously publicly unknown Internet Explorer exploit as one of the mechanisms used in the attacks, which the security software firm dubbed "Operation Aurora." On January 15, McAfee and Microsoft reported that code for the zero-day exploit was in the wild, potentially putting millions of Windows PCs at risk. Meanwhile, the French and German governments recommended that their citizens switch -- at least temporarily -- to another browser.
Microsoft's security by PR reaction to the exploit is the problem. Quickly summarized, before I explain more thoroughly:
- Microsoft used the Aurora exploit as a marketing tactic, recommending that customers switch from IE6 and Windows XP; convenient timing, with IE8 and Windows 7 as the newer products on offer.
- Early, cleverly worded blog posts and statements made it seem like only IE6 is vulnerable to the Aurora exploit, when newer Microsoft browsers are exploitable, too.
- Microsoft tried to diminish the risk by asserting that the Aurora exploit had only affected businesses, which is absurd considering how much more they have to lose than consumers.
- Over the U.S. holiday weekend, Microsoft posted new blogs and videos that offered "duck and cover" fixes. Meanwhile some executives defended IE by blaming other Web browsers.
Security by PR
In comments to my "Dump IE?" post, AnthonySPT defended Microsoft: "How many more years should Microsoft support IE6, when they have released several new replacement versions?" That's a good question. According to Net Applications, IE6 usage share was 20.99 percent in December -- or about the same as IE8 (20.88 percent).
Commenter bourgeoisdude responded: "As they will support Windows XP through 2014 (extended support), and XP came with IE6 installed, they will have to support it that long, unfortunately. Yeah, it sucks."
I, too, find it strange that so many businesses continue using IE6. Based on my conversations with IT staff at companies doing so, legacy dependency, most often on some ActiveX control, is usually the reason. How's that for irony, given how much ActiveX has been an attack vector for IE exploits and how hard Microsoft tried to diminish the plug-in architecture's usage in versions 7 and 8. Microsoft and its customers still pay for past security sins.
Blaming IE6. Microsoft could justify blaming IE6 if only that browser were vulnerable. The wording of blog posts, different versions of security advisory 979352 and videos about the exploit sure seem to lay all the blame on IE6. From a January 14 blog post: "Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time." Restated in yet another Microsoft security blog post, yesterday: "As we've previously reported, attacks remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6."
But the "affected software" section of security advisory 979352 lists IE7 and IE8 running on Windows XP, Vista, 7, Windows Server 2003 and 2008. Meanwhile, over the weekend, security researchers reported the Aurora exploit running in IE7 on Windows Vista. Microsoft's response: Hunker down behind IE8. From yesterday's blog post:
We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers. Additionally at this time, we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims.
Only businesses affected. In one of the two videos accompanying the aforementioned blog post from yesterday, Jerry Bryant, Microsoft's senior security communications manager, says: "These attacks are not widespread. We have not seen any focused on consumers. In fact, it's only been a very limited number of corporations that have been targeted."
He downplays the Aurora exploit's severity by saying only a small number of corporations are affected. At first glance, this seemingly smart PR spin is anything but. The majority of Microsoft customers are businesses, which have much more to lose if exploited than consumers. If, for example, criminals steal 1 million social security numbers from a single company, the damage is more far-reaching than exploitation of even a few thousand consumer PCs. How would Microsoft executives react if someone stole the source code to Windows 7 or the designs for Natal?
Duck and cover. Besides emphasizing IE6 blame and diminishing IE7 and IE8 risk, Microsoft retreated to its security technology of greatest strength: DEP. The company was right to tell IE7 users to turn on DEP, which is on by default in IE8 (in most, but not all, circumstances). In comments to my earlier post, there has been fierce debate about the effectiveness of DEP as a security deterrent.
Yesterday, security researcher Dai Zovi generated buzz with a tweet: "And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in." In a very good blog post explaining the effectiveness and limitations of DEP, Larry Seltzer writes about the tweet: "Dai Zovi is not a black hat and hasn't released his exploit, so don't expect this work to end up hacking innocents any time soon. But this does prove that the IE7 port isn't all that hard. The bad guy versions may be done already."
According to Net Applications, IE 7 usage share is only 15.53 percent, even less than Internet Explorer 6. The question: What about IE8? According to a Security Dark Reading post by Kelly Jackson Higgins early this afternoon: "Chaouki Bekrar, CETO of VUPEN Security, says his team was able to bypass DEP on IE8 and execute arbitrary code."
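The point Dai Zovi makes, that DEP only protects a process which actually opts in, is something an administrator can verify rather than take on faith. The following PowerShell script is an added example written for this page, not code from Microsoft or from any of the researchers quoted above. It reads the system-wide DEP policy from the Win32_OperatingSystem WMI class and then calls the kernel32 GetProcessDEPPolicy API against each running iexplore.exe process to report whether DEP is enabled for that process. It assumes a PowerShell version with Get-CimInstance and Add-Type (PowerShell 3 or later), and that the caller has rights to open the browser processes; GetProcessDEPPolicy is only meaningful for 32-bit processes, so the script reports an error code rather than a result for 64-bit ones.

```powershell
# System-wide DEP policy. Values documented for the
# DataExecutionPrevention_SupportPolicy property of Win32_OperatingSystem.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-SystemDepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Available   = $os.DataExecutionPrevention_Available
        Policy      = $DepPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        # Under OptIn (the client default) a process is only covered if it
        # opts in itself; IE8 does, IE7 does not unless the user changes it.
        OptInOnly   = ([int]$os.DataExecutionPrevention_SupportPolicy -eq 2)
    }
}

# P/Invoke declaration for GetProcessDEPPolicy (kernel32.dll).
# Flag 0x1 = PROCESS_DEP_ENABLE, 0x2 = PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepStatus {
    param([string]$Name = 'iexplore')   # assumed process name; change to suit
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        [uint32]$flags = 0
        [bool]$permanent = $false
        $ok = [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
        [pscustomobject]@{
            Name       = $p.ProcessName
            Pid        = $p.Id
            DepEnabled = if ($ok) { ($flags -band 1) -ne 0 } else { $null }
            Permanent  = if ($ok) { $permanent } else { $null }
            # Non-zero only when the API call failed, e.g. for a 64-bit process.
            Win32Error = if ($ok) { 0 } else { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        }
    }
}

# Usage: show the machine policy, then each browser process.
Get-SystemDepPolicy | Format-List
Get-ProcessDepStatus | Format-Table -AutoSize
```

A machine reporting Policy = OptIn together with DepEnabled = False for a browser process is exactly the configuration the tweet describes: the hardware support is present, but the application never asked for it, so DEP contributes nothing to that process.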
I will praise Microsoft for telling customers to turn on DEP, but the larger PR maneuverings diminish the guidance. Microsoft should have stepped up sooner with a promise to fix the problem. By the way, whether or not that fix is made available for IE8 and Windows 7 will demonstrate whether there was more risk than Microsoft's talk admitted.
Microsoft finally responds
While I was writing this post, Microsoft acknowledged in another blog post that an out-of-band security patch would be coming for the Aurora exploit.
But the reasons are bad and themselves reveal how much Microsoft is stepping up because of public relations. George Stathakopoulos, GM of Microsoft Trustworthy Computing Security, writes: "Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability."
- "The significant level of attention this issue has generated" (Microsoft is trying to fix a huge public relations problem).
- "Confusion about what customers can do to protect themselves" (Microsoft cannot control the PR information).
- "The escalating threat environment" (Microsoft has stopped denying -- at least to itself -- that there is a real problem that will get worse).
Microsoft also didn't give a timeframe for releasing the fix, but presumably it would come before the next Security Tuesday in February.
Wrapping up, two clarifications are in order. I am not asserting in this post that Internet Explorer is any more or less secure than any other browser. My purpose here is only to assess Microsoft's mishandling of the messaging by making security by PR the priority. Additionally, my January 17 "Dump IE?" post was written to stir up discussion about the exploit, particularly assertions by Microsoft and some bloggers that Internet Explorer users should upgrade from IE6. I took the more extreme position to generate debate, because I see it as a highly effective tool for resolving problems. Likewise, this post is intended to stir up debate about IE security and how Microsoft publicly handles it.