In case you missed it, on July 2, 2004, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) released a "vulnerability note" that said, "There are a number of significant vulnerabilities in technologies relating to [Internet Explorer's] security model.... It is possible to reduce exposure to these vulnerabilities by using a different browser."
The problem, according to experts at CERT, is the security privileges given to the browser when viewing Web pages. Normally, an external agent can't run a piece of software on the machine that is running the Web browser unless specific security clearance is provided. However, the cross-domain security model that Internet Explorer employs can be fooled into granting the clearance to execute code.
Fooling IE and Windows
According to Rafel Ivgi, the Israeli computer security expert who initially reported the problem in June of 2004, "...there are three relevant domains, or zones, involved when you use Internet Explorer: an Internet zone, a local Internet zone, and a local zone. In ordinary Web browsing of external Web pages, the pages are opened in the Internet zone. This is a safe zone, in that it doesn't allow writing. There's a second zone, the [local] Internet zone. It's used for reading local pages, typically across internal local area networks. It's also a safe zone--no writing."
However, according to Ivgi, the local zone is the most vulnerable in that the operating system trusts both the programs from the browser and the local programs. It allows writing to the user's hard disk. "Once you have broken the zone, you have access to the computer," says Ivgi.
Ivgi explained that the rogue code of the most recent viruses interacts with an HTML tag on a Web page called an "iframe." The malicious Web page creates cross-site scripting by redirecting the iframe into the local zone, thereby breaking the zone restriction. Once the zone is broken, ActiveX controls are used to execute the foreign code on the computer.
Microsoft's Recommendations
Microsoft's recommendation for IE was, initially, to deactivate ActiveX controls on the browser. However, that removes the ability of IE to use many software features that require ActiveX to read the text encoding of HTML.
This has led to a number of different strategies, including switching browsers to one of many third-party alternatives or completely removing ActiveX and other protocols from the Windows machine.
Is Removing IE Really an Option?
According to Art Manion at CERT, however, removing IE is really not much of an option. Why? Because it's too embedded in the Windows OS! "Too much other stuff depends on it--almost anything that renders HTML." This includes the Windows Help system, Outlook and Outlook Express, and other parts of Microsoft Office, too. In addition, a lot of non-Microsoft applications depend upon the HTML rendering engine that is a part of IE.
"What we're suggesting [at CERT]," says Manion, "is that you consider what level of risk you're comfortable with. Your choice of Web browser is important, and you want to think about it.... The tight integration of the browser and the operating system... has considerable security implications."
Switching Browsers Not So Good Either
However, Ivgi thinks switching Internet browsers is not a good solution, because, in his opinion, IE is the best browser.
Though IE continues to be used by the vast majority of Web surfers, according to some analysts, there has been a 1% drop in the number of its users between June and July. According to analyst group WebSideStory, use of IE between June 4 and July 4 of this year dropped from 95.73% to 94.73%.
The use of other non-Microsoft browsers climbed accordingly, supposedly in response to CERT's advisory note. These browsers include Mozilla, Opera, iRider, and Deepnet Explorer.
Safe Alternatives Still Not Clear
Of course, no Internet browsing program can be 100% secure, but when a single program is in use by more than 90% of all users--no matter how secure (or insecure) it has proven to be--it allows a far greater opportunity for virus crafters to focus on its weaknesses. This appears to be what has happened with IE.
The final question that is on everyone's lips relates to Microsoft's scheduled August release of XP Service Pack 2. This XP-specific service pack takes aim at numerous security holes in the Windows operating system, including IE. The question is whether SP2 will finally put these security threats behind us.
Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.