The head of a computer security company is troubled by what he sees as a glaring security hole in Microsoft’s Internet Explorer 9. Todd Feinman, CEO of Identity Finder, says IE 9 needs a master password that protects all other passwords an IE9 user would have stored in the browser. Mozilla Firefox has a “master password,” but Internet Explorer doesn’t.
Firefox, and other browsers, have a save passwords or auto-complete feature that, if you type in the first few characters of your password, the browser will fill in the rest. However, if someone else gains access to your computer, either physically or by hacking, they can easily use those passwords, Feinman said.
“In Firefox if you put a master password on, you have one password that encrypts all your other passwords. IE 9 and previous versions of IE have no concept of that,” he said. “There are known exploits that read what Microsoft calls ‘protected storage’ which is where IE stores your data.”
Identity Finder sells software that scours files stored on a computer network or that are shared online through collaboration programs like Microsoft SharePoint. Identity Finder then can flag potentially sensitive data that needs to be protected, such as credit card or Social Security numbers. Sometimes such data can be inadvertently shared if it is in a column of an Excel spreadsheet that is hidden from the user’s view. The problem, Feinman says, is that the data may be hidden from the user, but it won’t stay hidden for long from a hacker.
“If your computer’s ever stolen or you get a virus, hackers are going to get [sensitive information] because hackers know how to get that stuff,” he said.
I interviewed Feinman last week at RSA Conference 2011 in San Francisco, where the company introduced version 5.0 of its Identity Finder software for e-mail systems and enterprise servers.
In announcing the IE9 Release Candidate Feb. 10 in San Francisco (see photo), Microsoft touted the browser’s security features including the SmartScreen Filter that blocks 99 percent of malware that comes to the browser and allows users to prevent Web sites from tracking their browsing activity.
In response to my questions based on Feinman's comments, a Microsoft spokesperson said its version of a master password is the Windows login screen a user sees when they first boot up. Internet Explorer encrypts stored credentials in the registry using the Data Protection API and your user account information that is protected with TripleDES encryption, a Microsoft e-mail stated. Also, if someone steals someone's hard drive, for instance, they cannot read the passwords unless they know the username and password to log into Windows.
This does beg the question, though, about how easily a hacker could break the Windows username and password. Moreover, selecting a Windows username and password is optional and it would be interesting to learn how many Windows users don’t create a password for the sake of convenience.
But Microsoft adds that the master password protection, as Feinman described it, has its own vulnerabilities.
“If someone is logged into your computer as you, they can easily steal your data (with or without a “master password”) by installing a keystroke logger and waiting for you to enter your master password,” the company stated. Microsoft then included a link to an IE blog with independent research from NSS Labs that compares the malware blocking rates of the top browsers with IE9 at the top.
In response, Feinman directed me to a PC World story about a hacker who pleaded guilty to federal charges in connection with a botnet scheme that hacked into computers, stole passwords and, among other things, raided victims’ PayPal accounts.
“[The attacks] added the compromised systems to a botnet and then stole usernames and passwords stored by Microsoft Corp.'s Internet Explorer browser. IE, like other browsers, will save that information to speed future log-ons,” PC World reported. However, that story was more than three years old and the expectation is that IE security would have improved since then.
But if end point security is left to the end user and they choose convenience over security, they may continue to be vulnerable. Microsoft may have improved security in IE9 but the bad guys never seem to lack for resourcefulness.
Robert Mullins is a freelance journalist based in San Francisco. He has been writing about technology from Silicon Valley for more than a decade. He has covered such beats as network security, servers, storage, software development, telecommunications and, of course, Microsoft, for a variety of publications, most notably the IDG News Service and Network World.