Tuesday, 16 December 2008

No such thing as a Secure Web Browser

The big security story in the mainstream news today has of course been the security vulnerability in Microsoft's Internet Explorer web browser (Serious security flaw found in IE). The vulnerability can be exploited by deliberately engineered or compromised regular websites, allowing the attacker to invisibly access the host PC, from which point a whole series of further attacks can be run, such as stealing website usernames and passwords. At this time Microsoft aren't saying when they will release a patch to fix this issue, which is really unfortunate, as to my own knowledge this vulnerability has been known about for at least a week.

The solution to the problem being eagerly suggested on TV and radio news is to download, install and then use a different web browser, as other browsers are not affected by this flaw (which is completely true) and are "safe & secure". I have a problem with the latter, which I heard said and implied on several occasions today: it is a highly misleading statement, as there is no such thing as a "secure web browser".


A couple of weeks ago I spoke with some nice chaps from OWASP (Open Web Application Security Project), a non-profit organisation and "the" world-recognised authority on web application / website security. At the time I was taken aback and found it astonishing that at their last OWASP "brainstorming" event, which was attended by some of the world's leading web application experts, not one of the web browser companies or organisations sent a representative, despite all of them being VIP invitees to the event. OWASP rightly recognise that the architects and developers of web browsers play a key role in the overall security of websites (web applications) on the internet, and the big flaw discovered in IE really highlights this.

The most widely used alternative web browser on Windows systems at this moment is Mozilla Firefox (click here to download it), which is completely free to download and pretty easy for any novice to install and start using. Personally I switched from Internet Explorer (IE) to Firefox several months back, mainly because I found it was generally a better web browser to use than IE, and I particularly found the array of security-related browser plug-ins extremely useful. So I'm a Firefox convert, but I think it would be a completely wrong and dangerous statement for anyone to state or suggest that Firefox is more secure than Internet Explorer. All web browsers by their nature, open source or not, are bound to contain vulnerabilities which are currently unknown and are yet to be exploited. You cannot ever get 100% security, and this law especially applies to software applications.

So what's my advice to IE users? Well, I'm not quite going to be a sheep and bleat what I've heard others advising the masses today, which was to just switch to another web browser application, and hey, I'm certainly neither pro nor anti Microsoft either...

My advice is if you are using Internet Explorer, make sure you have "PROTECTED MODE" ENABLED (IE7 or 8 with Vista) and set the Security Zone to "HIGH".

And then make sure you are taking the usual security measures on your PC, such as enabling the local (Windows) firewall, applying all Windows patches & updates, and installing and keeping up to date anti-virus / anti-spyware software. Until a patch is released, be especially cautious when browsing "dodgy" type websites. Setting the security zone to High means you are prompted to accept or deny any scripts being executed through the web browser, and script execution is how this and other vulnerabilities are exploited.
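As an added example (not code from the original post), the following PowerShell script audits the two settings recommended above on a Windows Vista machine running IE7 or IE8. It assumes the per-user registry layout that IE uses for security zones: zone 3 is the Internet zone, value "2500" is the Protected Mode URL action (0 = on, 3 = off), and "CurrentLevel" holds the zone template (0x12000 = High); a machine-wide policy under HKLM, if present, can override these and is not checked here.

```powershell
# Added example, not from the original post: report whether the Internet zone
# has Protected Mode enabled and the security level set to High.
# Assumption: IE stores per-user zone settings under this key, zone 3 = Internet.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Test-IEInternetZone {
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

    # Value "2500" is the Protected Mode URL action: 0 = enabled, 3 = disabled.
    # A missing value means the setting is not stored per-user (check HKLM policy).
    $pmValue = $zone.'2500'
    $protectedMode = if ($null -eq $pmValue) { 'NOT SET (check HKLM policy)' }
                     elseif ($pmValue -eq 0)  { 'ENABLED' }
                     else                     { 'DISABLED' }

    # "CurrentLevel" holds the zone template; 0x12000 is the "High" level.
    $levelNames = @{
        0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'
        0x11500 = 'Medium-High'; 0x12000 = 'High'
    }
    $level = [int]$zone.CurrentLevel
    $levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] }
                 else { 'Custom (0x{0:X})' -f $level }

    # Compliant only when both recommendations from the post are in place.
    New-Object PSObject -Property @{
        ProtectedMode = $protectedMode
        SecurityLevel = $levelName
        Compliant     = ($pmValue -eq 0) -and ($level -eq 0x12000)
    }
}

Test-IEInternetZone | Format-List
```

Run it in the browsing user's own session, since the settings are per user; a Compliant value of False means one of the two recommended settings still needs changing in Internet Options.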

Sure, this could be an opportunity to give Firefox or another web browser such as Safari, Opera or Chrome a try. Using a different web browser will fully protect you from this particular flaw, but do not assume your new web browser is any more secure than Internet Explorer. We tend to know a great deal about the security issues and weaknesses of IE, mainly because it is the world's most popular, and therefore the most attacked, web browser. Firefox has also had (and no doubt will have further) its fair share of serious security vulnerabilities too - see the Mozilla Foundation Security Advisories - but these tend not to get the same level of media coverage, and to be fair Firefox vulnerabilities have so far tended not to be exploited to the same high degree as IE vulnerabilities, but if everyone switched to Firefox and it became the world's most popular browser...

So if you are a Firefox user (like me), make sure you exercise all the usual security precautions on your PC: firewall, patches, security software etc. And for any techie who is truly paranoid, you could do what I do when researching the really dodgy websites, which is to run your web browser in a virtual session.

Finally, I have no doubt Microsoft will release a patch for this issue in the next few days anyway; it's just a real disappointment they couldn't have patched the problem last week as part of the usual security patch release cycle.

EDIT 17-Dec-08: Since the original post, Microsoft has released a patch for this vulnerability - http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

3 comments:

Brian Honan said...

Microsoft have announced they will release an out of cycle patch for this issue. The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US Canada) on the 17th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448Culture=en-US.

The second is scheduled for 11:00 AM Pacific Time (US Canada) on the 18th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449Culture=en-US

More details on this out-of-band patch are available at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

I agree wholeheartedly with your post and in fact spoke earlier today to Irish media, press and radio, about this issue and that switching browsers is no guarantee.

Dave Whitelegg CISSP said...

Cheers for the extra info and those useful links Brian. Looks like I'll have a busy couple of days in the "corporate world" ensuring the patch is quickly applied.

Good to hear we are in agreement and great work in delivering the proper messaging out with the media.

Dave Whitelegg CISSP said...

The Microsoft IE patch has been released; if you have not done so already and are an IE user, go get it ASAP: http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx