Fog Creek Software
Discussion Board




Why the hell is IE so full of security holes?

Well, what do you think?

http://slate.msn.com/id/2103152/

IE is not "old code" like Windows is. So what's the excuse of people like, say, Mr. Raymond Chen?

Praveen
Friday, July 09, 2004

IE is 9 years old. That's not old?

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, July 09, 2004

Because back in 1996, when Microsoft was trying to get the browser marketshare from Netscape, they were adding features like crazy without thinking much of security. There were no ActiveX malware / trojans / whatever back then. The most annoying Internet practice was porn pop-ups that appeared with JavaScript, and there were very few if you didn't look for WareZ.

Eric V.
Friday, July 09, 2004

What I tell clients is that IE itself isn't "bad", but it's a piece of highly standardized and well understood, well known software. IE is so well understood by programmers and hackers that it's relatively easy to hack. 

The comparison I make is, what if almost every house on your street had a front door lock that used the same key to unlock?

I then tell them to consider using Mozilla, and that's when I find out what the difference between an unwashed blind end user and a professional IT person is... they don't realize that they can do something fairly simple to avoid being targeted. 

MS has done one hell of a job of educating users into sublime ignorance and acceptance of problems "because it's a standard product that you're supposed to use."

Support guy
Friday, July 09, 2004

"What I tell clients is that IE itself isn't "bad", but it's a piece of highly standardized and well understood, well known software. IE is so well understood by programmers and hackers that it's relatively easy to hack. "


By that logic, then *all* Open Source software would be just as vulnerable.  Besides, IE is *not* standardized at all.  Look at the individual variations between 5, 5.5, 6, etc.  It has to do with the fact that IE touches other systems *and* can touch the kernel of Windows.

To put this in real-world terms, you wouldn't let someone who is a street thug also be your bank teller.

Why?  Because connecting both of those worlds together can cause some serious problems.  The bank teller has *way* too much info that becomes dangerous if it falls into the wrong hands.

KC
Friday, July 09, 2004

The security holes are so terrible because it acts like part of the operating system. A breach in the browser breaches the whole machine. If they had partitioned it off, then the breaches would merely be inconvenient.

Remember, in the antitrust case, MS claimed that the browser was an integral part of the OS and could not be removed. It is possible that some of the bad business decisions that led to this integration were done to make the testimony look less than perjurious.

Peter
Friday, July 09, 2004

"Being part of the operating system" just means that some of the code is in DLLs which are used by other parts of the system.  This is generally accepted software practice, to share libraries which are useful to other applications.

Note that there was just an exploit announced in Mozilla/Firebird which also allows arbitrary code execution on Windows.  So you can't put all the blame on "being part of the OS."  It was simply a product which was not coded with security in mind... a pretty bad idea considering its whole job is talking to the outside world.

To the original poster:  When guys like Raymond Chen talk about "old code" in the context of security, I think they are talking about code written before security became a major focus at MS, which was really just a few years ago.  Much of IE certainly predates that.

Mike McNertney
Friday, July 09, 2004

>>Note that there was just an exploit announced in Mozilla/Firebird which also allows arbitrary code execution on Windows. 

Actually, if you look at the exploit it's really a Windows (2000 & XP only) problem that the Mozilla/Firebird people have patched. IE is still unpatched.

The problem is that Windows 2000/XP (not the browsers) define a handler for "shell://". This can be exploited to allow any code to be run.

Mozilla/Firebird's main problem is that they trust the OS to do the appropriate (i.e. safe) thing. Unfortunately, that's bit them in the backside when it comes to Win 2000/XP...

RocketJeff
Friday, July 09, 2004
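
The post above describes a browser handing a URL scheme to the OS and trusting the OS handler to be safe. As an added example (not part of the original thread and not Mozilla's actual patch), here is a default-deny gate a browser-like client can put in front of OS protocol-handler dispatch; the function names, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: decide whether a URL may be passed to an OS-registered
// protocol handler. Anything not explicitly allowlisted is blocked, so a
// handler the OS happens to register (such as "shell") is never reached.
const HANDLED_INTERNALLY = new Set(["http", "https", "ftp"]); // assumption
const EXTERNAL_ALLOWLIST = new Set(["mailto", "news"]);       // assumption

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

function extractScheme(rawUrl) {
  // Remove embedded tab/CR/LF and surrounding control characters or spaces
  // before comparing, so "sh\tell:" cannot slip past the scheme check.
  const cleaned = String(rawUrl)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const match = SCHEME_RE.exec(cleaned);
  return match ? match[1].toLowerCase() : null; // schemes are case-insensitive
}

// Returns "internal" (the browser loads it itself), "external" (may be
// handed to the OS handler) or "block" (never leaves the browser).
function decideDispatch(rawUrl) {
  const scheme = extractScheme(rawUrl);
  if (scheme === null) return "internal"; // relative reference, no scheme
  if (HANDLED_INTERNALLY.has(scheme)) return "internal";
  if (EXTERNAL_ALLOWLIST.has(scheme)) return "external";
  return "block"; // default deny: unknown or OS-only schemes
}

// Constructed sample inputs, not taken from any real page.
const samples = [
  "https://example.com/",
  "mailto:someone@example.com",
  "shell://placeholder",
  " SH\tELL://placeholder",
  "unregistered-scheme:data",
];
for (const url of samples) {
  console.log(JSON.stringify(url), "->", decideDispatch(url));
}
```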

Also, I just realized that I perpetuated a mistake - it isn't "Firebird", it's "Firefox" (and has been so for several months).

Here's an article with more info on the exploit:
http://software.newsforge.com/article.pl?sid=04/07/08/2327246

RocketJeff
Friday, July 09, 2004

It's FireFox, it sounds like the offspring of FireFox and ThunderBird which are both Mozilla based browsers.

Not happy with any browser!
Friday, July 09, 2004


The Firefox contributors managed to fix that bug in 24 hours...


Isn't it hard to say "Open Source is less secure!!" when issues are addressed this quickly?

KC
Friday, July 09, 2004

Sorry, my point wasn't to claim that FireFox is less secure, or even to excuse IE's security problems.  It was to point out that the claim that IE's security problems are because of it being "part of the OS" is not really the whole story.

Mike McNertney
Friday, July 09, 2004

No, the rest of the story is that Windows has plenty of security holes on its own, even without IE.

The fact that IE is a part of Windows and can't really be removed only adds to this fact.

RocketJeff
Friday, July 09, 2004

"What I tell clients is that IE itself isn't "bad", but it's a piece of highly standardized and well understood, well known software. IE is so well understood by programmers and hackers that it's relatively easy to hack. "

You actually advocate security through obscurity?  Eesh...

Joe
Friday, July 09, 2004
