Should IE Stay or Should IE Go?

Ablang

Should IE Stay or Should IE Go?

We test Internet Explorer and Firefox for business security issues.

Rodney Thayer, Network World
Monday, March 21, 2005

Don't go ripping out Microsoft's Internet Explorer just yet.

IE certainly has proven vulnerable to attack in the past, and the
constant patching to add the latest security updates can be a
nuisance. The CERT coordination center last year even warned people to
stop using Internet Explorer. And the Mozilla Foundation's Firefox has
been getting a lot of buzz lately--to the tune of 25 million downloads
in fewer than 100 days on the market.

But our testing of both browsers shows that choosing one is not an
easy decision--particularly in an enterprise environment. IE's
vulnerability to attack might in part be because it's rich in features
and thereby presents a larger "attack surface." On the other hand,
Firefox's perceived edge in security comes with a price: fewer
features and a possible inability to access some Windows-based Web
applications.

So before you make a decision about ditching IE, weigh the trade-offs.
One compromise to consider is using IE internally and Firefox for pure
Web browsing.

Security Testing

Our hands-on test focused on security rather than ease of use. Our IE
6.0 implementation ran on a Windows XP client (a WinBook Pentium 4
with 512MB of RAM) with Service Pack 2 and the latest Microsoft
updates. With the help of VMware Workstation, we installed Mozilla
Firefox 1.0.1 on the same system inside its own virtual machine. This
test machine was connected to the Internet through a 384-kbps DSL
line.

We used the browsers side by side for a variety of tasks such as
reading public Web sites, checking e-mail with Microsoft Outlook Web
Access, and accessing our Apache-based Web server to reach internal
resources and management tools. Additionally, we tried surfing to
known hacker Web sites to see how the browsers would behave when under
attack.

Accessing conventional Web sites, such as CNN.com or Yahoo, gave
similar results. Both browsers block pop-ups and offer a variety of
plug-ins to support additional forms of data such as Macromedia Flash
or Adobe PDF files.

However, the key difference is that because IE contains
Windows-related features that are not available in Firefox--ActiveX,
.Net, Active Server Pages--using some Web-based applications with
Firefox is difficult, if not impossible.

Both IE and Firefox have facilities to digitally sign plug-ins.
However, the signature feature is not ubiquitous, and users are quite
likely to accept and execute unsigned and potentially dangerous code.

This is why you should back up your browser with an
intrusion-prevention system or adequate antivirus software (ours was
running F-Secure's Anti-Virus Client Security) that can detect, send
notifications of, and/or block malicious code that arrives through the
browser.

Firefox Fundamentals Better?

So does Firefox's architecture make it fundamentally more secure? We
found that Firefox is not necessarily a more secure browser
implementation. It simply has fewer features to attack.

It supports fewer and less-complex scripting mechanisms, so writing
powerful, dangerous code inside a Web page that can attack it is not
as easy.

It is not tightly integrated with any particular operating
system--there are fewer ways the browser uses operating
system-specific features. That means less of a chance for an exploit
to use the browser as an interface into the underlying OS.

Also, the open-source nature of the code sometimes, but not in a
guaranteed manner, provides more peer review of the code and faster
turnaround for fixes to vulnerabilities.

Business Needs IE

It's not realistic to think that your organization can totally stop
using IE, especially if your users must access servers that employ the
rich features it supports over an internal network or through the
public Internet.

Can you start selectively using Firefox? If you have a purely
browser-based environment, with standards-based scripting and
plug-ins, then you can consider this.

Will it make your environment perfectly secure against browser-based
attacks? No. Firefox--like other browser alternatives--is not perfect,
but the attack surface can be reduced significantly if you use fewer
complex features, such as sites that deliver ActiveX through Web
pages.

If your network comprises thousands of users, then this can be a
difficult change to execute. On the other hand, it makes sense to
compare the cost of securing IE with add-on client security products
or intrusion-prevention devices with the cost of
simplifying/standardizing your browser-based infrastructure.

What to Do?

The risk of a browser-based attack against an enterprise network is
significant. From a risk management point of view, it is definitely a
good idea to look at alternatives to IE purely based on the sheer
number of clients running that browser. But the environment might not
let you remove it, as your organization may have built up access to
necessary internal resources using Microsoft's technology based on IE.

One possible solution would be to mandate the use of Firefox for
external access and to reserve IE for inside-the-enterprise use.
Policy-enforcement tools can help implement this sort of a mandate.

Security measures external to the browser, such as application
firewalls, intrusion-detection and prevention systems, and the use of
policy enforcement systems to ensure that clients access only trusted
Web sites, are also considerations for addressing the browser risk.

Common Attack Scenarios

Attacks against browsers generally fall into three categories. Round
1: protocol attacks against content processed directly by the browser.
Round 2: attacks against active scripting language running within the
browser environment. Round 3: attacks against data delivered through
the browser but processed by a plug-in or other component, such as a
Dynamic Link Library that provides image display services.

Round 1: Slight advantage: Internet Explorer. IE and Firefox are both
potentially vulnerable to attacks via Web site content they process
directly. IE is less vulnerable in this area, probably because
Microsoft has put so much work into securing its browser in response
to all of the hacker activity targeting it. But theoretically, because
they both process essentially the same HTML datastream format, either
browser could be attacked in this manner.

Round 2: Advantage: Firefox. In the second category, IE provides
ActiveX, JavaScript, and many other mechanisms to execute code
delivered through Web pages, such as Visual Basic scripts or Active
Server Page and .Net content. Because there are more ways to write
programs for delivery through the browser, Explorer is more
susceptible to attacks in this manner. This is the downside of all
those sophisticated features that work in a pure Microsoft Web
environment.

Round 3: No advantage. Both browsers support plug-ins, which,
independently of the browser, can be vulnerable to attack. A recent
example is the RealOne plug-in vulnerability. While this vulnerability
was specifically found within Explorer, the problem lies in the
plug-in, and there is no technical reason to assume this sort of
problem will not happen someday with Firefox.

http://www.pcworld.com/news/article/0,aid,120087,tk,dn032105X,00.asp


===
"It made us feel good about our relationship again."
-- Jessica Simpson on the Christmas Special with her & Nick.
 
Dewey Edwards

On Mon, 21 Mar 2005 22:23:23 -0800, Ablang
<[email protected]> reprinted his article which
can be found at pcworld:

I read it once at your mag, I don't need to read it again. Same
goes for the other articles you have posted here.
 
LB

Dewey said:
On Mon, 21 Mar 2005 22:23:23 -0800, Ablang
<[email protected]> reprinted his article which
can be found at pcworld:

I read it once at your mag, I don't need to read it again. Same
goes for the other articles you have posted here.

YOU may get the mag BUT many others do not.

OTOH perhaps a summary and a link would take less bandwidth.

LB
 
carson

<big snip>

Why choose!
I use them both for different purposes
I also enjoy the happy medium of the MyIE2 browser

One possible solution would be to mandate the use of Firefox for
external access and to reserve IE for inside-the-enterprise use.
Policy-enforcement tools can help implement this sort of a mandate

Mandate firefox?..........Reserve IE???
corporate double talk?
I suggest less policy enforcement
allow the software to evolve with the times
and both will be more secure, and functional
firefox has proven that their open policy
allows faster, safer development
 
elaich

I also enjoy the happy medium of the MyIE2 browser

You might wish to know that MyIE2 has all of the security risks of IE. What
happy medium are you talking about?
 
John Corliss

Ablang said:
Should IE Stay or Should IE Go?

We test Internet Explorer and Firefox for business security issues.

Rodney Thayer, Network World
Monday, March 21, 2005

Don't go ripping out Microsoft's Internet Explorer just yet.

Spoken like a whore for Microsoft. As long as MS pushes non-standards
web page code and webmasters use it, there will be a need for IE.
 
Homer.Simpson

Ablang said:
Firefox's perceived edge in security comes with a price: fewer
features and a possible inability to access some Windows-based Web
applications.

Bullshite. I used FF for 99% of my internal and external surfing. I can
think of only one "feature" IE has over FF. A phone lookup alg on our
internal intranet --- apparently written by some Gates sucking a-hole.

All this "I need IE" BS is from a bunch of idiots who also "need OE".

A question for Buddha, "Which sucks more, my father, IE or OE"
 
John Corliss

--
Regards from John Corliss
I don't respond to trolls other than to reply with just this signature.
 
default

On Mon, 21 Mar 2005 22:23:23 -0800, Ablang

Sounds like so much bovine feces to me.

I've been using a mozilla browser exclusively for the last ten years.
I only get to read about the problems others have with IE.

Now, there may be a site that "won't work" with moz, but 99.9% of the
sites I visit work as expected and the few that don't - I'm not about
to waste my time experimenting with a different browser in an attempt
to get them working.

Let them comply with the standards. Force the sites to conform to
standards and not the other (MS) way around.
 
Vrodok the Troll

On Mon, 21 Mar 2005 22:23:23 -0800, Ablang

Sounds like so much bovine feces to me.

I've been using a mozilla browser exclusively for the last ten years.
I only get to read about the problems others have with IE.

Now, there may be a site that "won't work" with moz, but 99.9% of the
sites I visit work as expected and the few that don't - I'm not about
to waste my time experimenting with a different browser in an attempt
to get them working.

Let them comply with the standards. Force the sites to conform to
standards and not the other (MS) way around.

_Darn_ right.
 
123

Ablang said:
Rodney Thayer, Network World
Monday, March 21, 2005

Don't go ripping out Microsoft's Internet Explorer just yet.

Don't tell me what to do, thanks Rodney. IE is not for me no matter
what your article has to say. I simply enjoy Firefox much more.
 
123

default said:
Now, there may be a site that "won't work" with moz, but 99.9%
of the sites I visit work as expected

Actually, I've NEVER been to a site that hasn't worked with Firefox.
Similarly, I just did a fresh check with Spybot S+D for Spyware
on my machine and it came up ZERO after three months of surfing
with Firefox. Draw your own conclusions! :)
 
John Corliss

123 said:
Actually, I've NEVER been to a site that hasn't worked with Firefox.
Similarly, I just did a fresh check with Spybot S+D for Spyware
on my machine and it came up ZERO after three months of surfing
with Firefox. Draw your own conclusions! :)

Windows Update requires IE (but you only require Windows Update if
you're running Windows.)
 
default

Windows Update requires IE (but you only require Windows Update if
you're running Windows.)

Ironically "Windows" Updates, more often than not, fix security
problems in I.E. and not windows, or to update the media player, or
some other thing I'm not interested in . . .

Windows automatic update isn't necessary for the updates either;
there is at least one free third party software that provides the same
updates (but it may rely on the MS browser for its engine)
automatically.
 
John Corliss

default said:
Ironically "Windows" Updates, more often than not, fix security
problems in I.E. and not windows, or to update the media player, or
some other thing I'm not interested in . . .

Windows automatic update isn't necessary for the updates either;
there is at least one free third party software that provides the same
updates (but it may rely on the MS browser for its engine)
automatically.

Hey, don't get me wrong. I detest IE and use Moz almost exclusively.
However, there really are some websites that don't open at all in Moz.
 
