
Opinion: New IE Flaw, Same Old Story for Security Managers

Internet Explorer continues to lack any real innovation and treats security as an afterthought. Rest assured, we'll all be dealing with IE vulnerabilities for a long, long time.

While others were lighting fireworks during the July 4th weekend, security managers were getting burned--again--by another flaw in Microsoft's Internet Explorer. The newest IE security advisory, issued the day before the holiday weekend, describes a proof of concept published by research firm SEC Consult that demonstrates how malicious users can take advantage of a flaw that can cause IE 6.0 to exit unexpectedly.

Computers running IE 6.0 on Windows XP with Service Pack 1 and 2 or Windows 2000 with SP 1, 3 and 4 are at risk, according to the advisory, because IE 6.0 doesn't properly handle installations of non-ActiveX COM objects from Web pages. Loading HTML documents with certain embedded CLSIDs (class IDs) can cause null-pointer exceptions or memory corruption. Researchers also were able to exploit this flaw to execute arbitrary code within IE. Ironically, the advisory was issued just two weeks after Microsoft released a "critical" IE security patch to address vulnerabilities that allowed for remote code execution.
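The flaw turns on ordinary HTML being able to name a COM object by CLSID and have the browser instantiate it. A practical defensive check, added here as an example and not drawn from the advisory or SEC Consult's proof of concept, is to scan pages (at a proxy or in a mail gateway) for object tags that reference CLSIDs outside an approved set; the CLSIDs and sample page below are constructed placeholders, not the ones from the advisory.

```python
import re
from typing import List

# Matches each <object ...> start tag; the classid attribute is extracted separately.
OBJECT_TAG_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Accepts classid="clsid:{...}" and the unquoted / brace-less / mixed-case variants.
CLASSID_RE = re.compile(
    r"""classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?""", re.IGNORECASE
)

# Constructed allow list for illustration: CLSIDs an organisation has explicitly
# approved. These values are placeholders, not real controls.
APPROVED_CLSIDS = {
    "11111111-2222-3333-4444-555555555555",
}


def find_clsids(html: str) -> List[str]:
    """Return every CLSID referenced by an <object classid="clsid:..."> tag,
    normalised to lower case without braces, in document order."""
    found = []
    for tag in OBJECT_TAG_RE.findall(html):
        match = CLASSID_RE.search(tag)
        if match:
            found.append(match.group(1).lower())
    return found


def flag_unapproved(html: str) -> List[str]:
    """Return the CLSIDs not on the approved list; an empty list means the page
    instantiates no COM object the organisation has not vetted."""
    return [clsid for clsid in find_clsids(html) if clsid not in APPROVED_CLSIDS]


# Constructed sample page: one approved control, one unknown control written in
# upper case without braces, and one <object> with no classid at all.
SAMPLE_HTML = """
<html><body>
<object classid="clsid:{11111111-2222-3333-4444-555555555555}" width="1" height="1"></object>
<OBJECT CLASSID='CLSID:AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'></OBJECT>
<object data="movie.swf"></object>
</body></html>
"""

if __name__ == "__main__":
    for clsid in flag_unapproved(SAMPLE_HTML):
        print(f"unapproved COM object referenced: {clsid}")
```

The regex deliberately tolerates attribute quoting and case variations, since a scanner that only matched the canonical `clsid:{...}` form would miss trivially rewritten pages.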

Despite dozens of such patches--as well as upgrades that feature flashy imagery and trendy sounds--IE continues to lack any real innovation and treats security as an afterthought. Yet, because of its powerful hold on the browser market--and because many Web developers optimize their code for IE settings--we'll all be dealing with IE vulnerabilities for a long, long time.

Should enterprises dump IE and switch to Mozilla's Firefox? Unfortunately, the answer isn't cut-and-dried. For small shops or individual users--Mozilla's ideal customer base--switching isn't a big deal. From a security perspective, a browser that isn't integrated with the operating system--and is designed to run without ActiveX--is a plus. But vulnerabilities have been found in Firefox, too, and more will likely be uncovered as its popularity increases. Still, those flaws are small potatoes compared with IE's, and Mozilla--unlike Microsoft--is swift to disclose and deal with them. As we go to press, Microsoft has not issued a patch for the latest IE vulnerability, instead advising users to set their IE zone security settings to "High" before running ActiveX controls.

While small companies may reduce their headaches by switching to Firefox, midsize and large enterprises may find that the open-source browser is not quite ready for prime time. For one thing, Firefox lacks a management system, which makes it hard for admins to control how the browser is used. In addition, if your company has several Web-based applications built around IE, migrating to Firefox will mean redevelopment costs--not to mention the cost of installing it on all clients. For the moment, then, most large enterprises will probably stick with IE.

If nothing else, the latest IE flaw should serve as a sharp reminder that no software is 100 percent secure. Patch management should remain a top priority for all applications, not just IE. Microsoft isn't the only vendor struggling with multiple software vulnerabilities--Apple, Oracle and Red Hat are just a few of the big-name companies that have issued frequent advisories, patches and updates. As customers, we should continue to pressure vendors to make their products as secure as possible. As users, we should be wary of flaws in any application we deploy.
