Schneier on Security
A blog covering security and security technology.
« Airport Security Game |
| Cameras Protecting Other Cameras »
January 31, 2007
How Vulnerable Was Internet Explorer?
The title of the article says it all: "Internet Explorer Unsafe for 284 Days in 2006." Here's a chart.
Posted on January 31, 2007 at 7:21 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Actually, Internet Explorer was vulnerable for 365 days of 2006. Software is not broken when a bug is discovered . It is broken when the bug was first introduced at the time that the code was written.
Using this measure of vulnerability, all software products of non-trivial size are constantly vulnerable, as they all have as yet undiscovered exploitable bugs.
 : http://www.crypto.com/blog/cryptolinguistics/
What is an explorer? LOL. Don't use it, have disabled most of its function in this OS.
"Using this measure of vulnerability, all software products of non-trivial size are constantly vulnerable, as they all have as yet undiscovered exploitable bugs."
That may be the reason why that metric is not actually used.
So, why do so many still use it? Really. I mean in a company envourment where firfox or otherwise can already be installed as far as the workers are concered. No downloads. But windows sysadmins seem reluctant.
If I admin a windows box, I lose IE and outbrake as a first step (more or less) and that takes care of most threats. But getting the PHB (pointy Hair Boss) to aggree is another matter.
I think it's fair to say, for the sake of certain kinds of analysis, that the software is only "vulnerable" if an exploit is known, not just because it exists.
If no attack exists, then the software isn't (yet) "unsafe" as such. I'd agree that it is "broken" right from the start, but anything which isn't under attack is (currently) safe, regardless of whether it could be successfully attacked.
Of course, we don't know that IE had no known exploits on the remaining 81 days: we just know that it did have known vulnerabilities for 284. It's quite possible that one or more vulnerabilities was secretly exploited.
But how useful would a comparative study be which said the following?
Security Research Results
Number days in 2006 on which at least one exploitable bug existed in the source(*):
GNU emacs: 365
GNU less: 365
* All figures estimated, based on estimates of the reliability of code in general. C'mon, it's never bug-free, everyone knows that.
Coming up: Microsoft's designed-in Auto-DOS attacks on its Vista-afflicted customers whose hardware can't "authenticate itself" to the OS, or through the OS to media files.
Soon we'll look back on IE vulnerability duration charts as the Good Old Days.
So many people use IE because it works.
There are a few myths floating around. For instance, the myth that Firefox and Mozilla are bug-free; they're not. There's the myth that Firefox and Mozilla are better; feature-wise, they're approximately the same as IE 7. From an IT perspective, IE is easier to manage, even if much of this reason is that it comes pre-installed and auto-updated through the regular built-in update system.
Part of security is the need to defend something. If I left an unbagged stack of pennies on my driveway, they'd probably stay there until I cleaned them up. No software is bug-free or vulnerability-free. Few attack MacOS or Linux because the number of people using them is insignificant compared to the time required to find a vulnerability; they don't need to be defended. If the Linux community or Apple ever do manage to get enough market share that they're considered commonplace on the desktop, we'll see the troubles they face dealing with the bugs in their products.
Well, the chart is not exactly honest. The very first MS06-001 took about a week (dec 27 - jan 5) to patch but is displayed as 2-month vuln window.
Anyway, I agree with the general idea. MS has a lot of programmers and even more "we are the best" claims, so they really should not left disclosed vulns unpatched for 3+ months.
All OSes are not similarly vulnerable because and Windows is only exploited because it's a bigger target.
The problem that other OSes did to be more secure is separation of security credentials. MacOS and Linux user accounts rarely run as the superuser/root/administrator. But in the Windows world, the default new user account is the Administrator, and this allows exploits to be much more effective than simply attacking a single user account that does not have sufficient privileges, such as watching every keystroke in other applications.
"If the Linux community or Apple ever do manage to get enough market share ... we'll see the troubles they face dealing with the bugs in their products."
An easy counter example to this argument is the security record of the Apache web server...
Unfortunately, Apache is only one application that most home users won't run.
Yes, Apache is a shining example of the potential of Open Source Software. In my experience, however, Apache (and a few other notable projects) is an exception. most OSS doesn't meet Apache's mark.
@Greg: "So, why do many still use it?"
Perhaps because so many companies have outsourced so many services or use third-party
web-apps that _require_ (explicitely or implicitly) IE, to have "full functionality" (that is, work at all).
Worse, these apps/services often require the security setting to be pegged at "total web-slut",
and are often only really runnable on a specific version of IE.
The real fun starts when your job-duties include the use of two web-apps that require two different versions of IE.
Don't even think about what happens to a Linux user in an all-IE shop.
Bah - everyone's always picking on poor Microsoft. Get over it already - IE is great.
It's that nasty word processing software you really need to worry about. There are, at present, 4 unpatched vulnerabilities in Word with publicly posted exploit code. The oldest report has been around at least a couple of months - plenty of time for a security conscious manufacturer to issue a fix to a critical vulnerability.
Oh wait ... Microsoft makes that too? Am I sensing a trend?
I wonder why the article didn't investigate simple steps like running *your browser here* as non-admin and what impact that would have on the overall vulnerability and exploitability of the browser.
After all a hole that exists and can't be exploited is really not much concern, right? Regardless of browser name or company that produces it.
The security arguments around browser usage are rarely containable to just code quality discussions if you want to reach reasonable actions that can be taken to provide protection. Home user vs corporate customer as well as overall systemic security (the client and server as well as transport) will all have to be considered to have a reasonably coherent discussion on security of web browsing.
In the mean time browse as non-admin regardless of your browser choice. Happy browsing!
@SteveJ: "software is only "vulnerable" if an exploit is known"
To a certain degree, that argument is like saying that falling trees don't make a noise if nobody listens.
"it's never bug-free"
That may be true for certain categories, but it's certainly not true in general.
It IS possible to write bug-free software by applying a certain rigor to the design and implementation process. But, as Mr. Schneier occasionally points out, the current economy does not demand or reward bug-free software, just like Ford once thought that a few lawsuits were cheaper to fight than applying more stringent safety standards to the entire line of cars.
@Greg: "So, why do many still use it?"
Because of ActiveX support, which is another can of worms.
Also remember that most consumers really don't care that there are dozens of available browsers and don't want to evaluate them with respect to security every year: They just want to turn on the system and start using what is readily available.
>I think it's fair to say, for the sake of certain kinds of analysis, that the software is only
>"vulnerable" if an exploit is known, not just because it exists.
>If no attack exists, then the software isn't (yet) "unsafe" as such.
How do you measure if an exploit is "known"? By the presence of the exploit code on a security mailing list? How about when the description of the exploit is vague and there is no public code sample yet? (How many people read the description and then wrote their own exploit code and kept it to themselves?)
The assumption that the person who announces the vulnerability on a security mailing list is the first person to find it, and that they do so immediately after finding is, is a dangerous one. It might be "known" to black hats, and in plenty of cases the good guys notice the vuln. because they see an exploit in the wild. In those cases, "if no attack exists" is hard to measure, because it existed *and was being actively attacked* for some unknown amount of time before somebody noticed it and notified the good guys.
I'm with the "nothing is safe" crowd - redefining "safe" to mean "anything not yet publicly proven to be unsafe" is the sort of thing a PR agent would do, not a security analyst.
Even giving windows design/architecture maximal benefit of the doubt with respect to security, the view that windows is more vulnerable because it is more widely deployed is simply wrong, and reflects a very narrow and distorted perspective on the history of computer security.
The fact of the matter is that insofar as _network_ security is concerned (as opposed to floppy-borne viruses), windows came very late to the party, not having even had a built-in TCP stack for a good part of the early history of the Internet (anyone remember winsock?)
Up to the early '90s, the Internet was essentially a Unix(ish) and VMS shop. And security really sucked. It basically had not occurred to the writers of network software that resistance to attack should be a design criterion. That was a lesson learned after literally thousands of holes in ftpd, sendmail, finger, telnetd, etc. etc. were discovered and exploited by morally-retarded but otherwise bright kids.
The community of network software developers was shocked awake by that experience, and serious methodological attention began to be given to security issues in development at that time.
MS and Windows shared in no part of this experience, or in any of the lessons learned. When they realized (belatedly) that the Internet was their future, they went into a frenzied effort to tie everything in their systems to the Internet, in an effort to screw Netscape. They weren't interested in network security, there wasn't time. Many of the bad assumptions about network security embedded in W95/98/XP and friends date from this period, and are extremely difficult to correct, by all accounts.
What it comes down to is, the lessons of network security were learned first, the hard way, in the *nix (and VMS, but who cares nowadays) worlds. MS could have benefited from that experience, but they blew the opportunity, and their most basic acknowledgement that there even exists a security requirement in network software design was retarded by about a decade as a consequence.
Maybe Vista will be better, although right now the signs aren't good.
There has been a known security flaw in IE since 2004, which still hasn't been fixed.
@cdmiler (and mpd):
Saying Apache has no bugs is nothing short of wrong. There are bugs in Apache, there are exploits in it, they're not always corrected as quickly as one would want (partially due to the fact that they're not always reported expediently), and it's not utopian. Further, unless you do the plain vanilla Apache install, you're opening yourself to the possibility of modules you install having bugs and exploits. Simple software is easy to shore up. Useful software that has lots of features... well, not so much.
I don't know how you can say that something that isn't more prevalent isn't more exposed to risk than something that's scarce. Surely you'd agree that the chance the Stonehenge gets hit by an earthquake is smaller than the chance that any location on the planet gets hit by an earthquake.
I fail to see how your argument proves your point: are you trying to say that anything not based on Unix or VMS is intentionally insecure? Microsoft did learn from the holes in Unix services and they exhibited this wisdom by not completely basing their OS on Unix code. They designed it from the ground up, although maybe not the way you would have; any new code has bugs. They fix bugs at a rate and in a manner that's commensurate with the financial gain they see from those fixes. Apparently, this business model is highly successful: Microsoft makes a product that almost everyone in the world wants, they've employed thousands upon thousands of people, they've shared their profits with many (talk to your broker about buying MSFT if you'd like to partake), and the Gates Charitable Foundation keeps lots of underprivileged children happier. While Windows may have some security vulnerabilities, they're clearly not very damaging.
IE's problems are not primarily technical, nor caused by (lack of) code quality.
IE is deliberately 'integrated' into the OS for marketing/legal/ reasons.
Due to this integration into the OS an IE bug is more serious than a FireFox/Mozilla/Safari/ bug.
Interesting that this was the same story as 2005 and 2004.
The architectural flaws remain (shrug).
Yet it has not impacted their business in any significant way.
"Microsoft did learn from the holes in Unix services and they exhibited this wisdom by not completely basing their OS on Unix code"
"any new code has bugs"
And this is a serious security discussion?
"they've shared their profits with many (talk to your broker about buying MSFT if you'd like to partake), and the Gates Charitable Foundation keeps lots of underprivileged children happier"
Oh ok, now I see. It's not.
"Microsoft did learn from the holes in Unix services and they exhibited this wisdom by not completely basing their OS on Unix code"
Certainly not completely, as the (current) OS kernels owe more to VMS (and RSX-11M :-),
but the network stack certainly "smells like" netBSD. Similar bugs, similar default choices, etc. Network fingerprinting finds them remarkably similar.
So they inherrited some of the bugs, but somehow didn't inherit the lesson of VMS (learned from RSX: don't make every useful task require full admin privilege). Well, they inheritted the ability to use fine-grained privilege. Someday they may use it well.
I thought MS admited that they use the netBSD as the starting base?
Have you all forgotten your risk management approach to security so quickly? There is no such thing as safe and unsafe. There is only safer-than and less-safe-than. To arrive at a defintion of safe requires pinpointing the highest acceptable level of risk. This level is going to be different for each customer at least because some of them are ignorant of the dangers or they overestimate the chances of escalation.
As for the debate about software safety metrics, I'm firmly in the camp that says that each time a bug is discovered, its existence can be inferred all the way back to original release, and the risk of that software should be retroactively incremented. The security risk of any object is a function of the process that produced that object, and also of the wider system it is now a part of. It's true of both people and software. We should judge software risk by its development process, experience of the developers, and by the environment it is deployed in. We know we do this instinctively already - it's why Microsoft has a bad reputation for security amongst the Internet crowd.
Admittedly, it is difficult to compare bug counts when new features are being introduced all the time, and when there is no public list of bugs for IE.
Therefore all of the browsers had exploitable bugs for the entire year, but whether this is safe depends on the environment the browsers are deployed in, and a bunch of other factors.
You people (who use and buy Windows XP/Vista) just don't get it, do you?
How many years do you have to endure blue screens, freezes, lock ups, reboots, and countless other bullshit before you switch to something better, like Linux or BSD?
You can stammer and blubber all you like about how secure you've tried to make your Windows box, but the fact remains:
YOU CANNOT AUDIT THE SOURCE CODE OF WINDOWS YOURSELF
Now a few of you will try and trip over this fact with "well who looks at code" "users can't read code anyway" "but I can't read/produce code" bullshit excuses but the fact remains:
YOU BELIEVE SOMEONE ELSE AND WHAT THEY HAVE TO SAY ABOUT YOUR SYSTEM'S SECURITY BUT YOU CANNOT AUDIT IT YOURSELF.
If you continue to reward Microsoft for DRM, other lock-in methods as well as the history of in my opinion excessive remote exploit and other security issues YOU ARE THE PROBLEM!
"YOU BELIEVE SOMEONE ELSE AND WHAT THEY HAVE TO SAY ABOUT YOUR SYSTEM'S SECURITY", well so does each and every user of Linux. I don't believe there is one living person who went over all the code of Linux. As Bruce said repeatedly, especially concerning ballot machines, Open Source makes you safer since it is much harder to deliberately insert trap doors when the code can be reviewed by all, but in the end, you have to trust someone else to do the monitoring job for you.
If I'll stick to the security related part of what you said every software has bugs, including Apache, but the amount of bugs in many of Microsoft's products is especially high. You do not know what a buggy product is until you tried to use the first version of BizTalk. For years, they were under the (correct) impression that any piece of junk they come out with will sell, due to their domination of the market, and their excellent marketing division.
Saying administrators do not install Firefox because it means management is a joke, as more updates are released to other client side products such as Word and Acrobat Reader. The reason is purely a matter of directions from above, and a bunch of non compatible heritage sites. As said before, Firefox is more secure mainly due to objective reasons: it is not part of the operating system, and it does not support the horrible invention called ActiveX (though, unfortunately, there exists a plug-in for it).
As for the rest - Like any other high earning company, I wish Microsoft would have behaved like giant that can afford to compete honorably, instead paying lip service in donations.
For those people claiming that Mac OS X is malware-free only because it has a small market share, consider the fact that Mac OS 9 had hundreds of viruses, way back when it had a smaller market share than Mac OS X.
Mac OS X has been out for 6 years now, with no viruses in the wild. Even with smaller market share there should be at least one, surely?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.