While others were lighting fireworks during the July 4th weekend, security managers were getting burned--again--by another flaw in Microsoft's Internet Explorer. The newest IE security advisory, issued the day before the holiday weekend, describes a proof of concept published by research firm SEC Consult that demonstrates how malicious users can take advantage of a flaw that can cause IE 6.0 to exit unexpectedly.
Computers running IE 6.0 on Windows XP with Service Pack 1 and 2 or Windows 2000 with SP 1, 3 and 4 are at risk, according to the advisory, because IE 6.0 doesn't properly handle installations of non-ActiveX COM objects from Web pages. Loading HTML documents with certain embedded CLSIDs (class IDs) can cause null-pointer exceptions or memory corruption. Researchers also were able to exploit this flaw to execute arbitrary code within IE. Ironically, the advisory was issued just two weeks after Microsoft released a "critical" IE security patch to address vulnerabilities that allowed for remote code execution.
Despite dozens of such patches--as well as upgrades that feature flashy imagery and trendy sounds--IE continues to lack any real innovation and treats security as an afterthought. Yet, because of its powerful hold on the browser market--and because many Web developers optimize their code for IE settings--we'll all be dealing with IE vulnerabilities for a long, long time.
Should enterprises dump IE and switch to Mozilla's Firefox? Unfortunately, the answer isn't cut-and-dried. For small shops or individual users--Mozilla's ideal customer base--switching isn't a big deal. From a security perspective, a browser that isn't integrated with the operating system--and is designed to run without ActiveX--is a plus. But vulnerabilities have been found in Firefox, too, and more will likely be uncovered as its popularity increases. Still, those flaws are small potatoes compared with IE's, and Mozilla--unlike Microsoft--is swift to disclose and deal with them. As we go to press, Microsoft has not issued a patch for the latest IE vulnerability, instead advising users to set their IE zone security settings to "High" before running ActiveX controls.
While small companies may reduce their headaches by switching to Firefox, midsize and large enterprises may find that the open-source browser is not quite ready for prime time. For one thing, Firefox lacks a management system, which makes it hard for admins to control how the browser is used. In addition, if your company has several Web-based applications built around IE, migrating to Firefox will mean redevelopment costs--not to mention the cost of installing it on all clients. For the moment, then, most large enterprises will probably stick with IE.
If nothing else, the latest IE flaw should serve as a sharp reminder that no software is 100 percent secure. Patch management should remain a top priority for all applications, not just IE. Microsoft isn't the only vendor struggling with multiple software vulnerabilities--Apple, Oracle and Red Hat are just a few of the big-name companies that have issued frequent advisories, patches and updates. As customers, we should continue to pressure vendors to make their products as secure as possible. As users, we should be wary of flaws in any application we deploy.