2010-01-06

Why I don't allow Internet Explorer to run on any of my machines

In this, our first article on security, I thought it would be a good idea to help readers close the biggest vector (the route by which an attack reaches you) through which they can be hit by malware.

What I am referring to of course is the Internet Explorer (IE) browser, which is installed on every Windows machine.
"Using IE is like driving a car without brakes."
ator1940 on zdnet.uk
Looking at the issue a bit more objectively, we see IE's problems are three-fold, partly of its own making, partly because of its popularity, and partly the fault of Windows itself.

IE's fault:
  • There was little-to-no concern for security in the early versions.
  • Active X:
    • Delivers executable code to the browser, and depends on the typically unsophisticated end-user to give it permission to run.
    • Once the code is given the OK (which is usually always), there is no sandboxing and no restriction on what the program may do.  (See * below)
  • Every new version adds safeguards, but patching and refactoring the flawed design of such a complex program will take years, and may never be finished.
  • In 2009, eight years after IE 6 was first released there were still multiple critical patches released every month and the pace hasn't slowed.

Popularity:

The most widely used browser.
  • Monoculture:  Huge numbers of machines with identical software may be simultaneously crippled by a single piece of malware.  There's no safety in numbers here.
  • If you were a malware author, which would you target?
    • An easy to exploit, homogeneous platform that 80% of people use, or
    • A more difficult, heterogeneous one 10% use.
    This is why 99.9% of malware is written for IE on Windows.
Windows:
  • Historically:
    • Users Running as Administrator (*)
    • XP itself a security disaster until SP2 installed.
    • MS's idea of filesystem security:  "Don't look here!" instead of permissions.
  • Has made great improvements in default settings in new versions, but there is much work still to be done.
  • Would have been much easier if proper multi-user paradigms had been used from the start, as on professional operating systems from the 1970s onward.
  • Critical patches continue to be released every month.
  • Most desktops are still running older versions.

And there we have it, dear readers, the recipe for disaster that was, and to a large extent still is, IE.  Kaboom!  It's not nicknamed "Internet Exploder" for nothing.

To be fair, all browsers and operating systems developed in C/C++ have these security issues, and while things improve every year, this will be the case for a long time.   There is no guarantee another browser might not be compromised.  Nevertheless, this is the first step in proactively reducing your exposure, rather than hoping an inefficient security suite will save you after the fact.

By doing something as simple as switching to another browser, you sidestep two of the three main security issues above.  You remove yourself from the largest group of at-risk users, and join a smaller crew of more difficult-to-attack geeks.  Speed boosts, improved standards support, and usability improvements are just icing on the cake.

The question that remains to be answered is whether IE8 on Windows 7 can be trusted.  Certainly the situation has improved, but given the track record of MS in this area, I'm not inclined to place confidence in them until several more years of observation and a service pack have passed.

To add insult to injury, since IE 7, the program has its toolbar above the menu bar, which can't be moved.  I don't know which genius had this stroke, but this alone might be a good reason not to use it.  Add the fact that even IE 8 is one of the slowest browsers, and one of the worst in standards support, and the prosecution rests.

Recommendation:

Disable Internet Explorer.
  1. Make sure you are up to date on all patches through Windows Update.
  2. Install any of the other great browser choices available today.
  3. Disable the use of IE through the "Set Program Access and Defaults" applet or "Default Programs" Control Panel.
  4. On the rare occasion IE is needed (for step one) access it through the Windows Update icon in the Start Menu.
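A read-only PowerShell check of the three exposure points the post raises (running as Administrator, which program handles http:// links, and whether the Internet zone lets ActiveX run), added here as an example and not part of the original post. It assumes the documented IE zone registry layout (zone 3 = Internet; actions 1200, 1001, 1004; 0 = Enable, 1 = Prompt, 3 = Disable) and the per-user UrlAssociations key used by Vista/7, falling back to the HKEY_CLASSES_ROOT class registration on XP.

```powershell
# Added audit script (not the post's own): reports, changes nothing.
$report = @{}

# 1. Are we running as Administrator?  (the "(*)" point above)
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr = New-Object Security.Principal.WindowsPrincipal($id)
$report['RunningAsAdmin'] = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Which program handles http:// links?  Vista/7 store a per-user
#    choice; XP only has the machine-wide class registration.
$choice = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
if (Test-Path $choice) {
    $handler = (Get-ItemProperty -Path $choice).ProgId      # e.g. IE.HTTP, FirefoxURL
} else {
    $cmd = 'Registry::HKEY_CLASSES_ROOT\http\shell\open\command'
    $handler = (Get-ItemProperty -Path $cmd).'(default)'    # full command line
}
$report['DefaultHttpHandler'] = $handler
$report['DefaultIsIE'] = "$handler" -match 'IE\.HTTP|iexplore'

# 3. ActiveX policy for the Internet zone (zone 3), per-user settings.
#    Documented action IDs: 1200 = run ActiveX controls and plug-ins,
#    1001 = download signed ActiveX, 1004 = download unsigned ActiveX.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($action in '1200', '1001', '1004') {
    $v = (Get-ItemProperty -Path $zone -Name $action -ErrorAction SilentlyContinue).$action
    if ($null -eq $v) {
        $report["ActiveX_$action"] = 'not set (machine default applies)'
    } elseif ($meaning.ContainsKey([int]$v)) {
        $report["ActiveX_$action"] = $meaning[[int]$v]
    } else {
        $report["ActiveX_$action"] = "unknown value $v"
    }
}
# The combination the post warns about: ActiveX runs without a prompt.
$report['ActiveXRunsSilently'] = ($report['ActiveX_1200'] -eq 'Enable')

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt; anything reported as RunningAsAdmin = True, DefaultIsIE = True or ActiveXRunsSilently = True is one of the three points the post recommends fixing.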

Further reading:
