Commentary
7/20/2005 11:25 AM
Opinion: New IE Flaw, Same Old Story for Security Managers

Internet Explorer continues to lack any real innovation and treats security as an afterthought. Rest assured, we'll all be dealing with IE vulnerabilities for a long, long time.

While others were lighting fireworks during the July 4th weekend, security managers were getting burned--again--by another flaw in Microsoft's Internet Explorer. The newest IE security advisory, issued the day before the holiday weekend, describes a proof of concept published by research firm SEC Consult that demonstrates how malicious users can take advantage of a flaw that can cause IE 6.0 to exit unexpectedly.


Computers running IE 6.0 on Windows XP with Service Pack 1 and 2 or Windows 2000 with SP 1, 3 and 4 are at risk, according to the advisory, because IE 6.0 doesn't properly handle installations of non-ActiveX COM objects from Web pages. Loading HTML documents with certain embedded CLSIDs (class IDs) can cause null-pointer exceptions or memory corruption. Researchers also were able to exploit this flaw to execute arbitrary code within IE. Ironically, the advisory was issued just two weeks after Microsoft released a "critical" IE security patch to address vulnerabilities that allowed for remote code execution.

Despite dozens of such patches--as well as upgrades that feature flashy imagery and trendy sounds--IE continues to lack any real innovation and treats security as an afterthought. Yet, because of its powerful hold on the browser market--and because many Web developers optimize their code for IE settings--we'll all be dealing with IE vulnerabilities for a long, long time.

Should enterprises dump IE and switch to Mozilla's Firefox? Unfortunately, the answer isn't cut-and-dried. For small shops or individual users--Mozilla's ideal customer base--switching isn't a big deal. From a security perspective, a browser that isn't integrated with the operating system--and is designed to run without ActiveX--is a plus. But vulnerabilities have been found in Firefox, too, and more will likely be uncovered as its popularity increases. Still, those flaws are small potatoes compared with IE's, and Mozilla--unlike Microsoft--is swift to disclose and deal with them. As we go to press, Microsoft has not issued a patch for the latest IE vulnerability, instead advising users to set their IE zone security settings to "High" before running ActiveX controls.

While small companies may reduce their headaches by switching to Firefox, midsize and large enterprises may find that the open-source browser is not quite ready for prime time. For one thing, Firefox lacks a management system, which makes it hard for admins to control how the browser is used. In addition, if your company has several Web-based applications built around IE, migrating to Firefox will mean redevelopment costs--not to mention the cost of installing it on all clients. For the moment, then, most large enterprises will probably stick with IE.

If nothing else, the latest IE flaw should serve as a sharp reminder that no software is 100 percent secure. Patch management should remain a top priority for all applications, not just IE. Microsoft isn't the only vendor struggling with multiple software vulnerabilities--Apple, Oracle and Red Hat are just a few of the big-name companies that have issued frequent advisories, patches and updates. As customers, we should continue to pressure vendors to make their products as secure as possible. As users, we should be wary of flaws in any application we deploy.
