Opinion: New IE Flaw, Same Old Story for Security Managers - InformationWeek


Commentary
7/20/2005 11:25 AM

Opinion: New IE Flaw, Same Old Story for Security Managers

Internet Explorer continues to lack any real innovation and treats security as an afterthought. Rest assured, we'll all be dealing with IE vulnerabilities for a long, long time.

While others were lighting fireworks during the July 4th weekend, security managers were getting burned--again--by another flaw in Microsoft's Internet Explorer. The newest IE security advisory, issued the day before the holiday weekend, describes a proof of concept published by research firm SEC Consult that demonstrates how malicious users can take advantage of a flaw that can cause IE 6.0 to exit unexpectedly.


Computers running IE 6.0 on Windows XP with Service Pack 1 and 2 or Windows 2000 with SP 1, 3 and 4 are at risk, according to the advisory, because IE 6.0 doesn't properly handle the instantiation, from Web pages, of COM objects that were never designed to be ActiveX controls. Loading an HTML document that references certain embedded CLSIDs (class IDs) can cause null-pointer dereferences or memory corruption. Researchers also were able to exploit this flaw to execute arbitrary code within IE. Ironically, the advisory was issued just two weeks after Microsoft released a "critical" IE security patch to address vulnerabilities that allowed for remote code execution.

Despite dozens of such patches--as well as upgrades that feature flashy imagery and trendy sounds--IE continues to lack any real innovation and treats security as an afterthought. Yet, because of its powerful hold on the browser market--and because many Web developers optimize their code for IE settings--we'll all be dealing with IE vulnerabilities for a long, long time.

Should enterprises dump IE and switch to Mozilla's Firefox? Unfortunately, the answer isn't cut-and-dried. For small shops or individual users--Mozilla's ideal customer base--switching isn't a big deal. From a security perspective, a browser that isn't integrated with the operating system--and is designed to run without ActiveX--is a plus. But vulnerabilities have been found in Firefox, too, and more will likely be uncovered as its popularity increases. Still, those flaws are small potatoes compared with IE's, and Mozilla--unlike Microsoft--is swift to disclose and deal with them. As we go to press, Microsoft has not issued a patch for the latest IE vulnerability. Its interim advice is to set the Internet zone security level to "High" so that IE prompts before running ActiveX controls, rather than loading them silently.
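Two settings decide whether a page like the SEC Consult proof of concept gets to load a COM object at all: the Internet zone's ActiveX policy that the interim advice asks you to raise, and IE's per-CLSID "kill bit" (the Compatibility Flags value Microsoft's advisories use to block a specific class ID). The PowerShell below audits both on a Windows client. It is an example written for this page, not code from Microsoft, SEC Consult or InformationWeek; it assumes a Windows host with IE, uses the documented registry locations for the zone and kill-bit settings, and takes whatever CLSIDs you pass in (the all-zero GUID in the usage line is only a placeholder to replace with the class ID named in the advisory you are acting on).

```powershell
# Added example (not from the InformationWeek column): audit the IE Internet
# zone ActiveX policy and the kill-bit state of given CLSIDs. Run as an
# administrator on a Windows host. Registry locations are the documented IE
# ones; the CLSIDs are whatever your advisory names (placeholder GUID below).

function Get-IEInternetZoneActiveXPolicy {
    # Zone 3 is the Internet zone. URL action 1200 is "Run ActiveX controls
    # and plug-ins": 0 = Enable, 1 = Prompt, 3 = Disable. CurrentLevel holds
    # the slider position: 0x12000 High, 0x11000 Medium, 0x10500 Medium-low,
    # 0x10000 Low. A hand-edited zone may report a level matching no preset.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $props   = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
    $levels  = @{ 0x12000 = 'High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }
    $actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    $level = [int]$props.CurrentLevel
    $levelText = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Custom (0x{0:X})' -f $level }

    # A missing 1200 value means the zone inherits the template default; report it rather than guessing.
    if ($null -eq $props.'1200') {
        $runActiveX = $null
        $runText    = 'Not set (template default)'
    } else {
        $runActiveX = [int]$props.'1200'
        $runText    = if ($actions.ContainsKey($runActiveX)) { $actions[$runActiveX] } else { "Unknown ($runActiveX)" }
    }

    [pscustomobject]@{
        Zone          = 'Internet'
        SecurityLevel = $levelText
        RunActiveX    = $runText
        # "High", or an explicit Prompt/Disable, is what the interim advice
        # amounts to; Enable means pages instantiate COM objects silently.
        MeetsAdvisoryGuidance = ($levelText -eq 'High' -or ($null -ne $runActiveX -and $runActiveX -ne 0))
    }
}

function Test-IEKillBit {
    # IE refuses to instantiate a COM object whose CLSID has bit 0x400 set in
    # "Compatibility Flags" under ActiveX Compatibility (the "kill bit").
    # On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so check both.
    param([Parameter(Mandatory)][string[]]$Clsid)

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($id in $Clsid) {
        $key = if ($id.StartsWith('{')) { $id } else { "{$id}" }   # registry subkeys carry the braces
        foreach ($root in $roots) {
            if (-not (Test-Path $root)) { continue }               # Wow6432Node is absent on 32-bit Windows
            $path  = Join-Path $root $key
            $flags = 0
            if (Test-Path $path) {
                $value = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $value) { $flags = [int]$value.'Compatibility Flags' }
            }
            $view = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
            [pscustomobject]@{
                Clsid   = $key
                View    = $view
                KillBit = [bool]($flags -band 0x400)
                Flags   = '0x{0:X}' -f $flags
            }
        }
    }
}

# Usage: replace the placeholder GUID with the CLSID(s) your advisory names.
Get-IEInternetZoneActiveXPolicy | Format-List
Test-IEKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

The zone check reads the current user's hive, so run it in the context of the account that actually browses, or iterate over loaded user hives if you are auditing a fleet. A kill bit only stops IE from loading the object; it does not remove the DLL, so it is a containment step to pair with the eventual patch rather than a substitute for it.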

While small companies may reduce their headaches by switching to Firefox, midsize and large enterprises may find that the open-source browser is not quite ready for prime time. For one thing, Firefox lacks centralized management tooling, which makes it hard for admins to control how the browser is configured and used. In addition, if your company has several Web-based applications built around IE, migrating to Firefox will mean redevelopment costs--not to mention the cost of installing it on all clients. For the moment, then, most large enterprises will probably stick with IE.

If nothing else, the latest IE flaw should serve as a sharp reminder that no software is 100 percent secure. Patch management should remain a top priority for all applications, not just IE. Microsoft isn't the only vendor struggling with multiple software vulnerabilities--Apple, Oracle and Red Hat are just a few of the big-name companies that have issued frequent advisories, patches and updates. As customers, we should continue to pressure vendors to make their products as secure as possible. As users, we should be wary of flaws in any application we deploy.
