Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

From: Thomas C. Greene (tcgreene_at_verizon.net)
Date: 07/07/04

  • Next message: security-bugtraq_at_marketshark.net: "Can we prevent IE exploits a priori?"
    Date: Tue, 6 Jul 2004 18:09:25 -0400
    To: <bugtraq@securityfocus.com>
    
    

    Drew, you make some valid points. However, i believe your conclusion is off
    the mark nonetheless. Admittedly, IE's vast installed user base and MS's
    arrogance regarding security (and many other matters) have influenced the
    number of bugs that come to light. No argument there. However, there *are*
    valuable security advantages inherent to the more platform-independent
    development style of a product like Mozilla, and inherent to the fact that
    it's open source as well.

    Developing across platforms leads to a more modular product, with the effect
    that a security vulnerability in one component will not typically extend into
    another. In this situation, bugs can be patched without fuss, and simple
    workarounds are often available. It is the highly interlaced, interdependent
    architecture of Windows and its apps and clients, and the way they're
    designed to interact, that often makes patching so time consuming and
    difficult, and so deplorably slow, as you noted. A browser that doesn't have
    as much access to the guts of the system is simply more secure by design.
    It's less of a threat to begin with, and it can be patched more easily.

    Also important is the simple fact that it's open source and therefore
    transparent: anyone is welcome to review the source code and see for himself
    exactly what it does and how it works. There are no secrets in Mozilla.

    On the other hand, Internet Explorer and Outlook Express (and Netscape and
    Opera) are closed-source products. Microsoft doesn't permit consumers to look
    under the hood, so to speak. All we're told about these products is what's
    stated in the documentation, but Microsoft has for decades included
    undocumented functions in many of its products. Obviously, any software
    containing secret functions is an obstacle to good security.

    Furthermore, Mozilla offers users more control over potentially risky features
    like JavaScript. It doesn't run ActiveX controls, a dangerous, powerful
    gimmick with which Microsoft is much enamored. It offers superior user
    privacy with better management of the URL history, page cache, cookies,
    plugins, and passwords. It doesn't store data traces in the Registry, or clog
    up the system with index.dat files, thereby making data hygiene easier and
    more certain. And it doesn't use MS's preposterous security 'zones' that are
    so confusing to novices, and easily exploitable with scripts anyway. It's
    ludicrous to expect users to know which Web sites they can trust. Any site
    can be malicious, and even a 'trustworthy' one can be compromised. Scob
    showed people how essentially stupid the 'zone' scheme is, just in case
    anyone was fool enough to doubt it.

    Finally, Mozilla is produced by people who *wish* to work on it, not people
    who have merely been commissioned to work on it. The developers care about
    what they're doing, and it shows. Firefox and Thunderbird are even better, as
    you noted, though some users prefer a more feature-rich product. For them,
    Mozilla is vastly a superior replacement for IE and OE.

    Your memo was indeed factual, as promised; but your facts failed to support
    your conclusion that Mozilla is no more secure than IE and OE. It's immensely
    more secure. And that's a fact ;-)

    chrz,
    tom

    ==============
    Thomas C. Greene
    Associate Editor
    The Register
    http://basicsec.org
    http://theregister.co.uk

    -------------------------
    There has been a great deal of talk about people
    switching to Mozilla because of this recent Internet
    Explorer issue.

    This is a serious misunderstanding about security
    that comes about because of people's ignorance and
    because they "believe the hype" but do not look at
    the details.

    An example:
    http://slate.msn.com/id/2103152/

    ***
    In less than a day, Internet administrators sterilized
    the infection by shutting down the Russian server that
    hosted the spyware. But not before a barrage of scary
    reports had circled the world. "Users are being told
    to avoid using Internet Explorer until Microsoft patches
    a serious security hole," the BBC warned.

    <..>

    Scob didn't get me, but it was enough to make me ditch
    Explorer in favor of the much less vulnerable Firefox
    browser.
    ***

    The issue has been found not to utilize the zero day spyware
    worm we have seen of late, but utilizes a known and patched
    IE bug. Previous attacks used this same vulnerability before
    it was patched, this is true. That attack and the latest spyware
    zero day attack were both unreported. The latest attack was
    way over reported and there was a great deal of wrong information
    in a lot of these news stories.

    Disclaimer: * I like Mozilla. I use it nearly daily for Usenet. I
    use it as a secondary browser. I used it as a primary mail client
    for years. I have worked at an open source company and have been
    involved in several major open source security projects over
    several years. *

    [Primary Caveat to what I am about to say: Microsoft has an atrocious
    record of fixing bugs. They routinely take six months to fix security
    issues given to them. Some issues they simply leave open with
    absolutely no explanation, such as the adodb stream issue which
    has been used in all of the latest IE attacks. There is absolutely
    no excuse for this kind of behavior, and people should consider
    leaving Internet Explorer for this kind of reason... not because
    because bugs were found.]

    This said, people should not change browsers "because of the Scob",
    nor should they assume Mozilla is more secure. Change because of
    the features or to support Open Source. But, don't change any
    software because someone found a bug in it... unless that bug
    was horribly stupid to find.

    Very often I see people saying "Because of this recent security
    hole, I am changing to Mac, they are safer". The same argument
    remains true.

    Mozilla is safer in some regards. Its' lack of activex is not
    really the reason, though. For one thing, it has "plug ins". This
    is how Shockwave runs on it. One of the Shockwave bugs I found
    also worked in Mozilla. Maybe others did -- I did not even bother
    to test it.

    Here are some facts:

    -> Bug finders want attention. Bug finders want to find bugs that
    will affect the systems they use and the systems everyone else uses.

    -> Internet Explorer, for several years, has had 94% of the browsing
    population. That is everyone. It may not be the most visible majority,
    but it is definitely the majority. If you have ever managed a large
    site, you - like me - have likely seen the very same stats. This is
    a huge majority of the Internet population.

    -> The very same people are finding these big bugs. It is not like
    there are a whole ton of unexperienced people finding these bugs. These
    are the best. They are experts at finding them. They may not always
    be cognizant of this themselves, the act of finding them may not
    seem difficult to them, but it is -- and this is clearly shown by
    the fact that the same people keep finding these bugs.

    So, what I am saying is: it could be Internet Explorer or it could
    be Mozilla. Whichever is more popular, ultimately. If these bugfinders
    spend their time trying to break it, it will be broken.

    Professional QA and open source QA can not find security bugs
    like security researchers can. If you want to break an application,
    you do not hire QA to do it. You hire hackers to do it, people
    with proven experience.

    -> It is true. A lot of top IE bugfinders have it in with Microsoft.
    Liu Die Yu was ripped off by them in China. One top bugfinder had
    a very bad experience with them as a new computer user. Guninski was
    viciously attacked by them for a long period of time -- I watched
    as he became slowly more and more anti-Microsoft until it became
    an obsession for him.

    So, Microsoft's PR campaign has made them some pretty hardened
    enemies. This is true. Companies like Netscape tend to not do this
    kind of thing because they are used to getting free help and
    appreciating it.

    -> Using a Mac used to be far more secure then it is now, because
    now it is based on the BSD kernel and is far more accessible. Using
    a Commodore 64 or an Apple II or a TI-99/4A - if these things were
    possible - would be the most secure of all. This is "security by
    obscurity".

    -> Applications which have less foothold, less code, will have less
    bugs. Applications which have more code and more "landscape" will
    have more bugs. It does not matter who is developing it. There may
    be some freaks out there, mutants, who can write flawless, absolutely
    safe code. But, most of us are human beings.

    -> Anyone that has worked in the software development field
    knows and understands that applications have bugs. This is a fact
    of life in these fields. End users are extremely buffeted from this
    fact of life because everything that goes into selling the products
    tries to keep that from them. Yet, what end user could forget just
    how often their application crashes or their system?

    It happens all the time. And, if you are using a certain application
    or OS all the time, you may think it only happens to you and only
    with this software.

    This is not true.

    (It may be true that some users on some OS's do experience less bugs,
    but they well know they do not do the kinds of things which require
    software with more "foothold" or code for which bugs might happen -- you
    shouldn't expect to see a lot of bugs in your experience if all you
    use is notepad.)

    Conclusion: Mozilla may be better. I think there is some strong
    chance of that. But only marginally. It has had bugs. It has a lot
    of features, which means a lot of potential for security issues. They
    have kept their browser more conservative then Microsoft has kept
    Internet Explorer. Traditionally, Mozilla developers have been
    far more "RFC compliant" - as the saying goes then Microsoft.


  • Next message: security-bugtraq_at_marketshark.net: "Can we prevent IE exploits a priori?"

    Relevant Pages