The disclosure of a handful of critical security holes reported in Microsoft’s Internet Explorer Web browser is conjuring up an old debate about the process of reporting security vulnerabilities as well as the usual concern over hacker attacks and compromised computers.
The five scripting vulnerabilities, described as “extremely critical” by Danish security company Secunia, were reportedly uncovered by Chinese researcher Liu Die Yu. While so-called “proof of concept” exploit code is available on the Internet, Microsoft has yet to provide a patch or a workaround for the holes.
Gartner vice president Richard Stiennon — who agreed that the holes were very critical, particularly for heavy browser users who visit “unknown or untrusted sites” — told TechNewsWorld that the Explorer holes demonstrate the downside of Microsoft’s new monthly updates.
“This is the drawback to the announcement Microsoft made,” he said. “To only announce vulnerabilities once a month may make it easier and more manageable for you and me, but that doesn’t account for all the vulnerabilities announced without Microsoft’s early involvement.”
Seizure by Site
Secunia indicated that the Explorer vulnerabilities — which could involve redirection of the browser and the ability to run script that would execute code by a malicious attacker — could be used in concert to compromise affected systems.
“It appears it would allow attackers to execute arbitrary code — the idea is they can do what they want using this,” iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.
Secunia said the vulnerabilities were found in Internet Explorer 6.0, but added that other versions might also be affected “and have been added due to the criticality of these issues.”
Referring to earlier versions of Internet Explorer, Gartner’s Stiennon agreed that each version of Internet Explorer could be vulnerable to the problem.
Microsoft, which last released a monthly security update on November 11th, said it is investigating “new public reports of possible vulnerabilities in Internet Explorer” and would take appropriate action to protect customers.
However, Microsoft security program manager Stephen Toulouse said in a statement that the company is concerned that the reported vulnerabilities were “not disclosed responsibly, potentially putting computer users at risk.”
Dunham, who remarked that none of the Secunia advisory information or site links led back to Microsoft, said the issue highlights the need for responsible reporting and a program that promotes it. The iDefense program, for example, pays for information about security vulnerabilities, which the company then forwards to the vendors responsible for patching, Dunham said.
“There is an inherent responsibility to the greater good of the Internet to communicate to vendors and give them a chance to address things,” Dunham said. “Microsoft and other vendors do have a vested interest in knowing about new vulnerabilities first.”
As with previous workarounds, analysts agreed that the only current mitigation for users who keep the browser, disabling scripting, renders it almost useless, because most major Web sites depend on scripting. Analysts said that alternatives — such as Netscape, Opera and Mozilla — were becoming increasingly necessary because Internet Explorer is targeted so frequently.
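The workaround the analysts describe is the Internet Explorer "Active scripting" zone setting. The following script is an added example, not code from the article or from Microsoft, Secunia or iDefense, showing how an administrator could verify whether that setting is disabled for the current user's Internet zone and optionally apply it. It assumes the documented per-user zone registry layout (Zone 3 is the Internet zone, value 1400 is Active scripting, with 0 = Enable, 1 = Prompt, 3 = Disable); the function names and the `-Disable` switch are this example's own.

```powershell
# Added example (not from the article): report, and optionally enforce, the
# Internet-zone "Active scripting" setting that the workaround refers to.
# Assumption: the documented Internet Explorer security-zone registry layout,
# Zone 3 = Internet, value 1400 = Active scripting, 0 = Enable, 1 = Prompt,
# 3 = Disable. Nothing here is specific to the vulnerabilities in the article.

$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    # Returns the numeric state for the Internet zone, or $null when the value
    # is absent (absent means the zone default applies, which is Enabled).
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-ActiveScriptingDisabled {
    # Writes 3 (Disable) for the Internet zone, for the current user only.
    # Enterprise deployments would normally push the equivalent through Group Policy.
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    Set-ItemProperty -Path $zonePath -Name $valueName -Value 3 -Type DWord
}

$state = Get-ActiveScriptingState
if ($null -eq $state) {
    Write-Output 'Internet zone Active scripting: not set (default: Enabled)'
} elseif ($meaning.ContainsKey($state)) {
    Write-Output ('Internet zone Active scripting: {0} ({1})' -f $state, $meaning[$state])
} else {
    Write-Output ('Internet zone Active scripting: unexpected value {0}' -f $state)
}

# Apply the workaround only when explicitly asked, e.g.  .\check-scripting.ps1 -Disable
if ($args -contains '-Disable') {
    Set-ActiveScriptingDisabled
    Write-Output 'Set Internet zone Active scripting to Disabled (3) for the current user.'
}
```

Run without arguments to audit the current state; the check is useful after the fact as well, since a value that has quietly returned to Enabled would mean the workaround is no longer in effect. Because the setting lives under HKCU, it applies per user, which is one reason the analysts expect enterprises to rely on their existing perimeter controls rather than per-machine browser changes while a patch is pending.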
“Because of the widespread exploitation of active scripting components and zero-day attacks, we strongly recommend, when feasible, to use an alternative browser,” Dunham said, referring to vulnerabilities disclosed before a patch is developed or released.
Stiennon praised the other browsers, but said that installing them is “a large download and a huge task” for most users, adding that he does not envision corporations switching from Internet Explorer in large numbers.
Stiennon said enterprise computers are less at risk while waiting for a patch because of the security measures that most companies already have in place and also because of more conventional browsing activities. Still, the analyst indicated that Microsoft and other software makers will be forced to respond quickly to the increasing number of threats that are known to attackers, but not to vendors.