Wednesday, April 1, 2009

Firefox vs. Internet Explorer security

I'm hard on Microsoft when it comes to browser security. They really are paying attention to security, and with the odd exception, they're much, much better about shipping decently secure software.

For example, the latest "worm from hell" - Conficker - has been a total fizzle today. It was supposed to wake up and wreak havoc today (April 1), but Microsoft's free Windows Update service and Malicious Software Removal Tool have gotten it pretty much under control. So well done to the folks in Redmond.

Unfortunately, Internet Explorer is irredeemably broken, security-wise. Worse, this is architectural breakage - you can't patch it, because it's an inherent weakness in how it works.

Two recent bits of security news highlight how you simply cannot use Internet Explorer and be safe.

In the first bit of security news, a Firefox vulnerability announced at the CanSecWest "pwn2own" contest has already been fixed by the Firefox team - ahead of schedule, in fact. Firefox has not only a very responsive software development team that emphasizes rapid turnaround for security bugs, it has an automatic update mechanism that lets these get distributed to millions of users. Transparently. So well done to the folks in Open Source Land.

Unfortunately, one of the upshots of the Microsoft-Netscape browser battle of the 1990s was "Internet Explorer is an inseparable part of the Operating System." This puts Internet Explorer security updates onto the once-a-month "Patch Tuesday" release schedule. Firefox will always be faster to patch the browser, and usually a lot faster.

But this isn't the worst; the second bit of security news is. Internet Explorer uses something called "ActiveX", which is executable code that can be downloaded and executed directly by Internet Explorer. IE is the only browser that allows this, which is why some web sites only work with IE.

ActiveX has a really broken security model. All it does is verify that the ActiveX Control (program) came from a known source. For example, Windows Update uses an ActiveX Control that has been digitally signed by Microsoft - this gives the user some sense that they're getting it from a trusted source.

What they do not know is that they're getting trusted code. There can be security bugs in an ActiveX Control, and this happens all the time. Even worse, there's no easy way to distribute updated controls. Worst of all, any old web site can cause ActiveX controls to be loaded and executed. Vulnerable ActiveX Controls can be downloaded and run, at the web site's discretion.

Last week, there was a vulnerability announced in an ActiveX Control from IBM:
IBM's eGatherer Access Support ActiveX controls are designed to automate support for the IBM PCs. There is a buffer overflow vulnerability in this ActiveX control, which is provided by "IbmEgath.dll", while parsing input supplied in the "GetXMLValue()" method. A malicious webpage or an HTML email may exploit these controls to silently execute arbitrary code on a client system. There is no patch provided by the vendor as of now, so a workaround until then is to set a kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084}. Successful exploitation can lead to arbitrary code execution.
This is about as bad as it gets. If the user has checked the box saying "Always trust content signed by IBM" - a reasonable scenario - then J. Random Malicious Website can cause this control to be silently loaded, run an exploit against it, and execute any code it wants on the target computer. It's an important bit of code, used to support IBM hardware. There's no patch, and Windows Update doesn't fix it. Internet Explorer doesn't fix it. You need to grovel your way through CLSIDs (don't ask) to set the right bits to keep yourself from being exploited.
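The "grovel through CLSIDs" step the advisory describes is the ActiveX kill bit: a per-CLSID DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, in which bit 0x400 tells Internet Explorer never to instantiate that control. The script below is an added example written for this post, not code from the post, IBM or Microsoft. It assumes an elevated PowerShell session on Windows, uses the CLSID quoted from the advisory, and also writes the Wow6432Node key where one exists, since 32-bit IE on 64-bit Windows reads the control from there.

```powershell
# Added example: set and audit the ActiveX kill bit for a CLSID.
# Assumes an elevated PowerShell session on Windows (writes to HKLM).

$KillBit = 0x400   # Compatibility Flags bit that forbids IE from loading the control

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the redirected hive, so cover both views.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Get-CompatibilityFlags {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # Reports, per registry view, whether the kill bit is set for the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths $Clsid) {
        $flags = Get-CompatibilityFlags $path
        [PSCustomObject]@{
            Path       = $path
            Flags      = ('0x{0:X}' -f $flags)
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # ORs the kill bit into any flags already present rather than overwriting them.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $newFlags = (Get-CompatibilityFlags $path) -bor $KillBit
        New-ItemProperty -Path $path -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $newFlags -Force | Out-Null
    }
}

# CLSID of the IbmEgath.dll control, as quoted in the advisory above.
$IbmEgatherClsid = '{74FFE28D-2378-11D5-990C-006094235084}'

Set-KillBit  $IbmEgatherClsid
Test-KillBit $IbmEgatherClsid | Format-Table -AutoSize
```

Run Test-KillBit on its own to audit a machine without changing it. Note that the kill bit is blunt: once set, the control will not load for IBM's own support site either, which is exactly the trade-off the post complains about, since there is no mechanism to ship a fixed control in its place.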

Fail.

And so listen to the LOLCat: Use Firefox, k? Iz safer, k? I meanz it.

1 comment:

wolfwalker said...

It was supposed to wake up and wreak havoc today (April 1),

Well, not exactly. What it was supposed to do was contact one of a list of servers for new instructions, and then ... well, nobody really knows because nobody has been able to fully reverse-engineer it yet. But there was never any solid evidence that it was supposed to "wake up and wreak havoc."