Friday, November 10, 2006

If You Are Alive, It Is NOT Too Late...

So, I have to admit to a heinous crime against the world's security: I was an IE user, until today (oh, horror!). I am sure there will be a few of my readers who will just stop reading after crying out "What an idiot!" and closing their certifiably non-IE browsers :-)

My "excuse" was that I was relying on my ability to configure Internet Explorer securely, or at least securely enough to avoid most, if not all, of the common "uglies", and, yes, on accepting the risk of being owned via a stray 0day. Yeah, I used a tightly-configured Firefox for shadier websites (and Lynx for truly bizarre ones), but stayed with IE for most day-to-day browsing, until today.

However, my whole browser "switching behavior" allowed me to think (and now to blog) a few thoughts about how security works.

So, why did I switch? Isn't IE7 "the best IE ever"? You bet! Does it have the cool and useful features? Yeah. Is it "secure"? Well, hopefully less insecure than its predecessors. I am sure that MS can learn the security lessons and that IE did truly become more secure, just like IIS leaped from the totally rotten "Swiss cheese" state of the 4.0 days to the relatively safe state of IIS 6.x.

There is, however, a tiny bit of an issue with IE7. It doesn't work! Well, it does work in some cases, but upon hitting the 10th website which rendered with errors in IE7, I said "fuck it" and started using Firefox for everything.

So, here are the thoughts.

Has MS made IE7 so secure that it doesn't work anymore? That is one possible option. Maybe the whole "let's not be shy about breaking functionality in favor of security" theme did catch up with them.

But you know what? Users totally hate it, and my example only proves that. I didn't switch to Firefox after all the years of horrendous spyware infections out there, all the 0day hacks and phishing exploits. But I switched after a few hours of browsing and seeing errors and broken HTML.

So, is security always secondary to functionality? No, that is the wrong question to ask. The truth is that secure functionality is clearly preferred to insecure functionality. However, all the security in the world will NOT make someone switch to something that does not have the needed functionality. Which is, IMHO, an important lesson that we purveyors of security gear should always keep in mind!

1 comment:

Unknown said...

I use IE at work because my own team won't let me (or anyone else) use anything else. :( I violently use anything but IE at home. Since you so graciously explained your story, I'll give you mine. :)

About 4 years ago now, a friend of mine IMed me and told me to visit a link. I didn't think much of it and clicked on the link, which opened up in IE, of course. ZoneAlarm quickly popped up an alert saying the HTA was attempting to access the Internet. Since I had never seen or allowed that access in the past, I denied it access. The page contents I don't recall, but it wasn't too much later that my friend contacted me out of band and said his IM account had been hijacked.

I told him about his link and he said that wasn't him. I revisited the link and did some research. The author did not hide his work too hard, and I was able to trace down the code to an unpatched (but known) vulnerability in IE's HTA usage. There were about three such vulnerabilities in this component, and I think two never did get patched (or maybe only recently did). Soon after figuring all of this out, I realized the only thing that saved me from being attacked was my firewall. IE would have happily allowed the resultant code to dig into my registry at will, lift out my AOL IM credentials and upload them to the attacker.

Nicely enough, the attacker logged on again the next day and I actually spoke with him over IM for a while, during which he explained he meant no real harm and was just mostly doing a non-obfuscated attack to raise awareness. My friend got his account back in a few days.

But in the following days and weeks, Microsoft never did patch all of those holes. That was the last week I voluntarily used IE unless absolutely necessary for some sites. I just couldn't trust it anymore, and I couldn't condone supporting a browser that was such a risk. (Incidentally enough, adware/spyware started rising in frequency, partially backed by coders getting better at abusing holes like the HTA exploit, shortly after my experience.)

Dr Anton Chuvakin