Security alerts fire up Web browser and server wars

Opinion
Jul 12, 2004
Enterprise Applications, Security

* The Web browser and server wars - again

Criticizing Microsoft for security problems has become rather like shooting fish in a barrel. The fact is that Microsoft’s continuing problems with the security of its Web products have created a very dangerous situation for many organizations and consumers.

Part of the problem is that today, Microsoft’s Internet Explorer and Internet Information Server (IIS) have huge, and in the case of IE, dominant market shares. Consumers are locked in to IE by the millions. Compounding the lock-in are many large businesses that use IE-specific functionality, such as downloaded ActiveX components in Web pages, which makes it always difficult and sometimes impossible to view their content with any other browser.

And as if that weren’t bad enough, Microsoft’s IIS also has major security problems. These problems have resulted in exploits in which compromised IIS servers serve code that in turn compromises clients running IE. As of July 8, one such exploit, known variously as Scob, Download.Ject, Toofer and Webber.P, had attacked 100 sites running IIS 5.0 or 6.0 (see story link below).

If this sounds like a huge problem to you, you are right – it is. In fact, it is a gigantic problem that could have serious national and possibly international economic consequences. 

Imagine what could happen if a scenario like that operated in stealth mode for, say, three months while as many servers and clients as possible are compromised. Then when the payload goes active, as many files as can be found are deleted or corrupted.

Because of these security problems there appears to be a growing public opinion that Microsoft Web products are fundamentally flawed.

And throwing gasoline on the fire is the CERT Coordination Center, CERT/CC (run by Carnegie Mellon University – see links below). On July 8, CERT issued Vulnerability Note VU#713878 titled “Microsoft Internet Explorer does not properly validate source of redirected frame.”

This note discusses a critically serious flaw: “Microsoft [IE] does not adequately validate the security context of a frame that has been redirected by a Web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.”

The conclusion is worrying: “Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability. Any program that hosts the WebBrowser ActiveX control or uses the IE HTML rendering engine (MSHTML) may be affected by this vulnerability.”

The note continues: “By convincing a victim to view an HTML document (Web page, HTML e-mail), an attacker could execute script in a different security domain than the one containing the attacker’s document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.”

The workarounds CERT offers are worth reading, but the last one is the most striking: “Use a different Web browser. There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX.”

And this is not the first time CERT has recommended this solution. A search of its Web site shows that this advice has been included in seven vulnerability notices since June 1 this year.

But before you jump from the IE ship you should be aware that the other browsers aren’t in the clear. A July 1 advisory from security firm Secunia reported that a “6-year-old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of Web sites.”

This is essentially the same class of problem that CERT discussed in its Vulnerability Note VU#713878, which concerned IE only: a browser that fails to check which site is entitled to control what a frame displays. Secunia notes that this vulnerability has been confirmed in Opera 7.51 for Windows, Opera 7.50 for Linux, Mozilla 1.6 for Windows, Mozilla 1.6 for Linux, Mozilla Firebird 0.7 for Linux, Mozilla Firefox 0.8 for Windows, Netscape 7.1 for Windows, Internet Explorer for Mac 5.2.3, Safari 1.2.2 and Konqueror 3.1-15redhat.
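To make concrete what the CERT note and the Secunia advisory above are complaining about, here is a small JavaScript model of the two decisions a browser has to get right: whether script in one document may touch a frame that the server has redirected elsewhere (the VU#713878 case), and whether a document from one site may load content into a named frame belonging to another site’s window (the multi-browser frame-spoofing case). This is an added example, not CERT’s, Secunia’s or any browser’s code. The zone classification, the redirect map and the hosts attacker.example and bank.example are constructed for illustration; the “vulnerable” functions decide from the URL a frame was requested with, or from the frame name alone, while the “hardened” functions decide from where the frame actually ended up and from who owns it.

```javascript
// Added example: a simplified model of frame security checks.
// Not the code of CERT, Secunia or any browser; hosts and zone rules are constructed.

// Crude imitation of IE's security zones: file: URLs are the Local Machine Zone,
// dotless hosts are treated as intranet, everything else is the Internet zone.
function zoneOf(url) {
  const u = new URL(url);
  if (u.protocol === 'file:') return 'local-machine';
  if (u.hostname && !u.hostname.includes('.')) return 'local-intranet';
  return 'internet';
}

// Origin as scheme + host (+ port); this is what same-origin checks compare.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Follow server redirects. `redirects` is a constructed map from a requested URL
// to the Location header the server answered with. Bounded to stop loops.
function resolveRedirects(url, redirects, maxHops = 10) {
  let current = url;
  for (let hop = 0; hop < maxHops && redirects[current] !== undefined; hop++) {
    current = redirects[current];
  }
  if (redirects[current] !== undefined) throw new Error('too many redirects');
  return current;
}

// Check 1 (VU#713878-style): may script in `callerUrl` access a frame that was
// loaded from `frameUrl`? The vulnerable variant trusts the URL the page asked for,
// so a redirect from the attacker's own server to a file: URL goes unnoticed.
function mayScriptFrameVulnerable(callerUrl, frameUrl, redirects) {
  return zoneOf(callerUrl) === zoneOf(frameUrl) &&
         originOf(callerUrl) === originOf(frameUrl);
}

// Hardened variant: the security context is taken from the final URL after
// redirects, so a frame that landed in the Local Machine Zone is off limits.
function mayScriptFrameHardened(callerUrl, frameUrl, redirects) {
  const finalUrl = resolveRedirects(frameUrl, redirects);
  return zoneOf(callerUrl) === zoneOf(finalUrl) &&
         originOf(callerUrl) === originOf(finalUrl);
}

// Check 2 (frame-injection-style): may a document at `navigatorUrl` load content
// into a named frame whose parent document is `frameParentUrl` and which
// currently shows `frameCurrentUrl`? The vulnerable variant only asks whether a
// frame with that name exists anywhere, which is what let one site's page be
// spoofed inside another site's window.
function mayNavigateNamedFrameVulnerable(navigatorUrl, frameName, knownFrameNames) {
  return knownFrameNames.includes(frameName);
}

// Hardened variant: the navigating document must share an origin with the frame's
// parent (it owns the frame) or with the frame's current content.
function mayNavigateNamedFrameHardened(navigatorUrl, frameParentUrl, frameCurrentUrl) {
  const nav = originOf(navigatorUrl);
  return nav === originOf(frameParentUrl) || nav === originOf(frameCurrentUrl);
}

// Constructed scenario: the attacker's server answers the frame request with a
// redirect into the Local Machine Zone, then the attacker's script reaches in.
const demoRedirects = {
  'http://attacker.example/frame': 'file:///C:/Windows/Temp/payload.html',
};
console.log('vulnerable allows:', mayScriptFrameVulnerable(
  'http://attacker.example/', 'http://attacker.example/frame', demoRedirects));
console.log('hardened allows:', mayScriptFrameHardened(
  'http://attacker.example/', 'http://attacker.example/frame', demoRedirects));
console.log('cross-site frame injection allowed:', mayNavigateNamedFrameHardened(
  'http://evil.example/', 'http://bank.example/', 'http://bank.example/account'));
```

The point of the two pairs is the same in both cases: the decision has to be made on the state the browser is actually in (the post-redirect URL, the owner of the frame), not on the name or the request the attacker chose.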

So could we be on the verge of a new round of Web browser and server wars? And even though it appears everyone has issues, might Microsoft lose ground because of the sheer scale of its undeniable product weaknesses?

The next year will see some major changes and my money is on Microsoft’s market share for both browsers and Web servers diminishing but not crashing simply because of corporate and consumer inertia.

Drop me a note at webapps@gibbs.com and let me know your thoughts and your plans for managing your Web risk.


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at http://gibbs.com/mgbio
