Opinion: New IE Flaw, Same Old Story for Security Managers
Internet Explorer continues to lack any real innovation and treats security as an afterthought. Rest assured, we'll all be dealing with IE vulnerabilities for a long, long time.
While others were lighting fireworks during the July 4th weekend, security managers were getting burned--again--by another flaw in Microsoft's Internet Explorer. The newest IE security advisory, issued the day before the holiday weekend, describes a proof of concept published by research firm SEC Consult that demonstrates how malicious users can take advantage of a flaw that can cause IE 6.0 to exit unexpectedly.
Computers running IE 6.0 on Windows XP with Service Pack 1 and 2 or Windows 2000 with SP 1, 3 and 4 are at risk, according to the advisory, because IE 6.0 doesn't properly handle installations of non-ActiveX COM objects from Web pages. Loading HTML documents with certain embedded CLSIDs (class IDs) can cause null-pointer exceptions or memory corruption. Researchers also were able to exploit this flaw to execute arbitrary code within IE. Ironically, the advisory was issued just two weeks after Microsoft released a "critical" IE security patch to address vulnerabilities that allowed for remote code execution.
Despite dozens of such patches--as well as upgrades that feature flashy imagery and trendy sounds--IE continues to lack any real innovation and treats security as an afterthought. Yet, because of its powerful hold on the browser market--and because many Web developers optimize their code for IE settings--we'll all be dealing with IE vulnerabilities for a long, long time.
Should enterprises dump IE and switch to Mozilla's Firefox? Unfortunately, the answer isn't cut-and-dried. For small shops or individual users--Mozilla's ideal customer base--switching isn't a big deal. From a security perspective, a browser that isn't integrated with the operating system--and is designed to run without ActiveX--is a plus. But vulnerabilities have been found in Firefox, too, and more will likely be uncovered as its popularity increases. Still, those flaws are small potatoes compared with IE's, and Mozilla--unlike Microsoft--is swift to disclose and deal with them. As we go to press, Microsoft has not issued a patch for the latest IE vulnerability, instead advising users to set their IE zone security settings to "High" before running ActiveX controls.
While small companies may reduce their headaches by switching to Firefox, midsize and large enterprises may find that the open-source browser is not quite ready for prime time. For one thing, Firefox lacks a management system, which makes it hard for admins to control how the browser is used. In addition, if your company has several Web-based applications built around IE, migrating to Firefox will mean redevelopment costs--not to mention the cost of installing it on all clients. For the moment, then, most large enterprises will probably stick with IE.
If nothing else, the latest IE flaw should serve as a sharp reminder that no software is 100 percent secure. Patch management should remain a top priority for all applications, not just IE. Microsoft isn't the only vendor struggling with multiple software vulnerabilities--Apple, Oracle and Red Hat are just a few of the big-name companies that have issued frequent advisories, patches and updates. As customers, we should continue to pressure vendors to make their products as secure as possible. As users, we should be wary of flaws in any application we deploy.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.