David A. Wheeler's Blog

Sat, 06 Aug 2005

Internet Explorer: So insecure, it’s only safe 7 days a year?!?

I recently learned some amazing — unbelievable — shocking data. It turns out that there were only 7 days in 2004 that you could have somewhat safely used Internet Explorer (it was October 12-17), even assuming that attackers only used publicly-known attacks, and that you were only worried about the worst kind of attacks. What does that mean? Let me set the stage first… and I’ll conclude what to do at the end.

In my article how to secure Microsoft Windows (for home and small business users), I give advice for people who want to keep using Windows but have some security. One piece of advice: stop using some of the most vulnerable programs, such as Internet Explorer (IE) and Outlook, and instead more secure alternatives (such as the freely-available Firefox and Thunderbird). It should be self-evident that replacing insecure programs with more secure programs will make you more secure! But let me deal with two complaints: (1) why should I change, and (2) is Internet Explorer (IE) really so much worse?

First - why should you change to using more secure software? Because if you’re not willing to select a more secure program, then you are part of the problem — you are causing everyone to have insecure programs, as well as causing your own misfortune. Why? Because vendors will not make secure products unless customers prefer them. “The marketplace” decides what’s successful, and you are part of it. I’m tired of hearing “my machine is full of spyware”; if you chose to use a product that is known to have that problem, then you need accept the consequences of your choices. You can’t claim ignorance at this point, the news has been circling for a long time. Sure, the attackers should be convicted. But since there are prowlers in the alleyway, please don’t invite them into your house, and then act surprised when they take the silverware. Yes, you can’t spend all your time on securing things, and you need to have useful (not just secure) products, but it’s easy to replace these programs with perfectly good alternatives.

And second — IE really is worse. This isn’t just a random opinion, and it’s not Microsoft-bashing. There is lots of evidence that, in particular, Internet Explorer has become a malware delivery system. See, for example, David Hammond’s comments on Internet Explorer.

But I’m blown away by one particular study I just learned about, which shows the problem is even more serious than I thought. Scanit’s Browser Security Test group “A Year of Bugs” analyzed the vulnerability reports in 2004 for three popular browsers: Microsoft’s Internet Explorer, Mozilla-based browsers (including Firefox and Netscape), and Opera. Since not all vulnerabilities are equal, they only considered the especially dangerous “remote code execution” vulnerabilities, i.e., defects that allow a “malicious web page or e-mail message to execute arbitrary code or OS commands on the viewer’s computer.” They then compared the time from the “public announcement of the vulnerability to the time when the fix is available to the general user population.” They had an incredibly simple metric: every day there’s a publicly-known vulnerability, for which there is no patch available from the vendor, is an unsafe day. That’s a metric anyone can understand: how many days are you vulnerable to the worst attacks that are (1) known worldwide but (2) there’s nothing you can do about it?

Their results: there were only 7 days Internet Explorer was safe to use in the entire year of 2004. That means that 98% of the year, Internet Explorer was not safe to use. Is it any wonder people like me say “please don’t use it?”

Let me quote their study: “there was only one period in 2004 when there were no publicly known remote code execution bugs - between the 12th and the 19th of October - 7 days in total.” That means that someone who diligently kept their installation patched every day of the year (do you install the latest patches every day?) was still known to be vulnerable 98% of the time in 2004. The rediculous excuse “well, it wasn’t exploitable” doesn’t work, either; they found that for “200 days (that is, 54% of the time) there was a [known] worm or virus in the wild exploiting one of those unpatched vulnerabilities.” And that only counts known attacks. Frankly, 2004 was a disturbing year for IE; at the beginning of the year there were two known unpatched vulnerabilities, and 2004 ended with an “unpatched HTML Help ActiveX control vulnerability and [the worm] Trojan.Phel using it to install a backdoor.” And remember, this is only the publicly-known attacks, of the worst kind.

Now let’s not let alternatives off the hook; Mozilla-based programs and Opera had unsafe days too. But compared to IE’s “98% unsafe” value, Opera had unsafe days only 17% of the time, and the Mozilla/Firefox were only unsafe 15% of the time (and about half of that 15% only affected MacOS users). Let’s look at the details:

On June 28, 2004, Microsoft’s Bill Gates told Australians that while other operating system vendors took 90-100 days to release a security patch, Microsoft had this time “down to less than 48 hours.” And Microsoft has clearly stated that IE is part of their operating system. Yet ZDNet found that Microsoft had failed to fix a critical known IE vulnerability for nearly nine months Things got so bad that in late June 2004, the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) recommended using browsers other than Microsoft Corp.’s Internet Explorer (IE) for security reasons. (That’s not exactly how they officially worded it… but I think many people correctly realized that that was the subtext). And even after all that, IE still had unpatched vulnerabilities for the worst kind of vulnerabilities through most of the rest of the year.

Let me throw in an aside about reporting vulnerabilities. Some companies try to convince vulnerability reporters to “keep quiet” until they fix the problem… and then just never fix it. The vulnerability is still there, though it’s officially not publicly known… and if one person can find it, others will too. That head-in-the-sand approach used to be common, but our systems are just too important to allow that to continue. That’s why I think it’s a good idea for vulnerability reporters to give suppliers 14 days to fix the problem, with a few more days if there’s a really good reason to allow unusual delays. Fourteen days should be more than enough time to fix a critical problem in the vast number of cases, but it puts the supplier on notice that leaving its customers permanently vulnerable to a known weakness is unacceptable. Certainly 30 days should be plenty for even complex problems. If your supplier can’t normally turn around patches for critical fixes in 14 days or less — and certainly by 30 days — perhaps you need a new supplier. Gates says 48 hours is enough, half of the Mozilla problems had one-day turnaround times, and all the Mozilla problems (even the complex ones) were fixed within 30 days of a confirming report.

I will say, with relief, that Microsoft is finally going to release a new version of Internet Explorer, with some attempt at fixing the security problems. But the reports worry me. CERT’s July 2, 2004, notification noted some of the major design decisions that make Internet Explorer so easy to exploit: “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX.” Yet everything I’ve read suggests that they will not fundamentally change all of these major design decisions, so at least some of their fundamental design weaknesses will probably still be there. Disabling ActiveX completely by default for all sites would be a help, for example: The “zone” model doesn’t work (it’s too easy to fool), a massive number of signed or pre-installed ActiveX components are vulnerable, and people just click “ok” when another ActiveX component is sent that ActiveX is a synonym for “send me malware”. I really hope that IE is much more secure, but we’ll see. The past does not necessarily predict the future.. but it’s usually a good way to bet.

And the next version of Internet Explorer will still not support the Internet standards. This was reported by Paul Thurrott in Windows IT Pro, among others. So many standards-compliant web sites will still be inaccessible to Internet Explorer users.

But even worse… the next version of Internet Explorer is only going to go to XP Service Pack 2 users. Microsoft has various excuses for this. That’s rediculous; why does everyone else, who already paid for Internet Explorer, have to suffer? Unless you pirated Windows, Internet Explorer was part of the purchase price of your machine or included in a separate license; it’s actually possible you paid for Windows several times. But most Microsoft Windows users don’t use XP Service Pack 2; even many XP users haven’t installed Service Pack 2 because of the legion of incompatible changes and machine lockups it caused many. A vast number of people do not have Windows XP; Windows 2000 is in widespread use, and even Windows 98/ME have significant use (25% by some measures). It’s not true that a secure browser requires Service Pack 2; other browser makers manage it.

Don’t use the current versions of Internet Explorer normally, and wait a number of months before thinking about using the new version. In particular:

  1. If you use Windows XP, upgrade to Service Pack 2, and upgrade Internet Explorer when the new one becomes available. But for heaven’s sake, don’t use the new version of Internet Explorer in normal operation until it’s been proven to be relatively safe by many months of relatively safe operation. You probably shouldn’t use Internet Explorer at all until it adds better standards support, too; hopefully Internet Explorer version 8 or so will do so.
  2. If you use any version of Windows other than Windows XP, or won’t use Service Pack 2, then abandon hope of ever using Internet Explorer (except to download a better browser). For those machines, there doesn’t seem to be much hope that you will every be able to use Internet Explorer safely, it’s been just one problem after another and the vendor will not even offer a replacement that they hope is safer.
  3. If you use a site that requires IE, try to change to someone who accepts alternatives. If it’s a company-internal site, then you could certainly consider using IE for just that site. In the meantime, continue to use an alternative (like the freely-available Firefox) for all other browsing.
  4. If your bank or other security-critical site actually requires IE, switch to a bank that takes the security of your money and identity seriously, now, and make sure they know why. See Can You Bank on IE Security? from Bankers Online, a magazine for bankers. They say, “No longer are the major organizations suggesting that users merely download the latest patches, check their security settings, and scan their systems for viruses, this time the advice is - CHANGE TO A DIFFERENT BROWSER! And the advice is not coming from any lightweight organization with a bias. This is coming from the most respected international security watchdog organizations. [including CERT, SANS, NIPC]”
  5. If you develop a website, make sure that it’s standards-compliant so that any standards-compliant browser can view it. Internet Explorer has been losing marketshare to other web browsers (such as Mozilla Firefox) since mid-2004, so customers may start avoiding your site because they will probably increasingly not be using IE. It really makes no sense to tie your website to any browser; it’s unnecessary, and creates a situation where your customers may be unable to securely use your website.

Note: I don’t make any money no matter what web browser or operating system you choose. I suggest preferring advice about this topic from others who can say the same. And obviously I’m speaking only for myself, not anyone else, though it’s clear that many, many others have come to the same conclusions.

path: /security | Current Weblog | permanent link to this entry