Security Holes Sinking IE

Internet Explorer's ActiveX, JavaScript loyalty isn't winning Microsoft fans.

If there is one constant in the security community, its the ready supply of controversies available to rile the troops. The mere mention of open-source security or the hype surrounding intrusion prevention systems is enough to generate pointed, Opinionated feedback in many circles.

Perhaps no issue is drawing as much attention and engendering as many heated debates these days as the question of whether enterprises should abandon Microsoft Corp.s Internet Explorer and seek more secure alternatives such as The Mozilla Foundations Mozilla or Opera Software ASAs Opera. In a throwback to the days of the original "browser wars," during the 1990s, supporters on both sides of the question are lighting up message boards, mailing lists and online forums with arguments smacking of religious fervor.

The latest round of sermonizing is the result of new attacks on IE that take advantage of known vulnerabilities to install Trojans and other malware on users machines. At the center of the argument is IEs reliance on ActiveX and JavaScript. One recent attack uses a flaw in IE to download a malicious piece of JavaScript code onto users PCs, and that code is then used to run further nefarious operations.

Although theyre currently the hot topic, questions about the security of ActiveX controls and other types of active scripting are hardly new. As far back as 2000, the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh, held a workshop to address the issue of ActiveX security.

For years, client-side active scripting tools such as ActiveX, VBScript and JavaScript have drawn the ire of security experts who see them as unnecessary at best and inherently dangerous at worst. Although users can disable any or all of these technologies in IE, most people—especially inexperienced home users—dont understand the potential dangers or dont know they have the option of turning these tools off.

"Lets get one thing straight here: Nobody has the right to spontaneously execute code on my machine without my approval," said Joseph Newcomer, a security consultant and founder of FlounderCraft Ltd., also in Pittsburgh. "Some sites on the Web become completely inaccessible with these technologies disabled. I find this offensive. Why do they need active scripting? As far as I can tell, there is no apparent need for active scripting. There is no question here: Unrestricted client-side active scripting is the future of virus delivery, industrial espionage and cyber-terrorism."

While IE has been the dominant browser—holding more than a 90 percent market share, by most accounts—since it vanquished Netscape Communications Corp.s Navigator nearly a decade ago, there has been a significant, vocal minority using other browsers for numerous reasons. Included in this group is a large number of security specialists and IT managers, many of whom feel that IE simply has too many security issues to be used safely.

/zimages/6/28571.gifThe recent rash of security problems related to Windows-based Web browsers has led some to ask if the browsers themselves are to blame—or is Windows itself just not safe? Click here to read a debate on the subject.

"Any browser tied in so close to the OS will always be a slightly higher security risk than the others. IE proves this when I remove everyone but administrator from even reading, let alone executing, iexplorer.exe. But I can still use it by opening My Computer and typing a URL in the address bar," said Jacob Bresciani, systems analyst at the University of Alberta, in Edmonton. "The chance of Microsoft finally listening will hopefully be enhanced by the recent announcements against IE from [the Department of] Homeland Security recommending [Mozillas] Firefox over IE. And if Microsoft still wont listen, at least we can hope that [the warnings] will open the eyes of the public."

Microsoft officials said that ActiveX controls are not inherently dangerous and that users have to bear some of the responsibility for securing their own environments.

"In the end, its up to the customer to not install any ActiveX control that they come across. [IE] does a good job of warning users," said Gary Schare, director of Windows security product management at Microsoft, in Redmond, Wash. "Where you run into problems is with sites accessing controls and using them in ways they werent designed to be used."

Microsoft officials said they are hoping that the changes they are making to IE in Service Pack 2 for Windows XP will help alleviate some concerns about the security of the browser. SP2, due next month, will lock down the Local Machine zone in IE to prevent malicious scripts from running and will give users better controls and interfaces to help stop malicious ActiveX controls from running on their machines.

/zimages/6/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.


Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/6/19420.gif