637 million excuses : 2008 : Frequency-X Blog
637 million Excuses
Posted by Gunter Ollmann on July 02, 2008 at 11:11 PM EDT.
It’s been a couple of days since the release of the paper “Understanding the Web browser threat” and it’s been interesting watching the public reception.
Along the way there have been a few questions raised and observations made, and I thought I’d take this time to offer my thoughts on some of them.
The most frequent point of dissent with the paper’s findings appears to involve the fact that Microsoft still supports older versions of their Internet Explorer (IE) browser technology – that is, Microsoft continues to supply new vulnerability patches to IE 5.x and 6.x – so it was “unfair” to single out IE 7 as the most secure version.
As one of the authors of the paper, I can assure you that all the authors thought very hard about this point when writing the paper, and the key reasons for rejecting the older versions as being equal to the security of IE 7 were the following:
Now, there are plenty of legitimate reasons for users (especially corporate users) not upgrading to the most current IE version, and many of those reasons revolve around software compatibility issues with internal Web applications and embedded browser objects. I’ve also seen the same problems result in organizations similarly not updating their Java runtimes. Irrespective of Microsoft’s determination to support these older browser technologies – making new security patches available where necessary – let’s not stray too far from the fact that these old browser technologies were not designed to protect against many of the threats we encounter today.
So, in that regard, while there may be legitimate excuses for not running the most current IE version, let’s not fool anyone by pretending that users of those older Web browser technologies are just as secure as if they were running IE 7 (or any current-generation Web browser technology).
The Car Analogy
Perhaps it may be worthwhile thinking of Web browsers like cars. Version 2 browsers could be likened to a 1970s Ford Escort. At the time they were all the rage – at the cutting edge of technology (ok, perhaps not, but you get what I mean) – with all the driving features needed of that era. If you took care and maintained your Escort over the years – patching rust spots, replacing the tires and, well, just about everything – you could still have an immaculate and working vehicle, just as “road safe” as it was when new.
However, things have changed. Road safety standards have changed, driving habits have changed, protection technologies have changed. Brakes that were good enough in the 1970s may now result in that very same Escort running up the rear of any modern ABS-fitted vehicle. Yes, you could upgrade the brakes with newer ones, but what about side impact bars, crumple zones, and air-bags? – all of these are newer features designed to keep the car occupants safe and secure.
Web browser security technologies have also advanced considerably over recent years, and what was good enough in older versions just doesn’t cut it anymore. Patching vulnerabilities in old browser technologies is a bit like keeping the rust at bay – but it isn’t likely to add the newest safety features found in the current generation of Web browser technologies.
Here’s an interesting question – how responsible should the users of vulnerable and out-of-date Web browsers be for their actions? E.g. if you know your browser is woefully old and your host then becomes infected and a node of some criminal’s botnet used to propagate a crime, is it really your fault?
To be perfectly honest, that’s a question best left to the lawyers, but given the way cybercrime laws are developing and getting written into legislation, I wouldn’t be surprised if in a few years’ time it might be classed as some kind of “willful negligence” or perhaps “aiding and abetting”.
Within the corporate world, what does it mean if your standard-build workstations (running IE 5.x because of compatibility issues with the corporate expense submission application) are subjected to a mass-attack, compromised and now join some former script-kiddie’s DDoS botnet empire to take down a popular website portal? I suspect that as long as your lawyers are better than theirs, you’re probably not going to suffer financially, but I’m sure the media would have a field day.
Other Mitigation Technologies
OK, let’s assume that for better or worse you are stuck with running an old and insecure Web browser technology (and you’re stuck with the user permissions you’ve got and can’t turn off scripting). What other technologies do you have at your disposal to help protect your corporate desktop users?
Sure, local host anti-virus technologies also have some value here – but, from previous experience, more as a clean-up technology than from a protection perspective. Drive-by download malware installation is typically achieved by exploiting vulnerabilities within the Web browser (or plug-ins) and disabling the anti-virus product in the shellcode payload before installing the actual malware.