Your secrets are (not) safe with mIE

Rik Ferguson — Mon, 06 Sep 2010 13:41:29 +0000

Tweet by Microsoft Security Response team

Microsoft Security Response team posted an interesting tweet at the tail end of Friday afternoon last week. The message itself was relatively low key, but pointed to something possibly more worrying. Enough to make me do some digging anyway…

“We’re aware of a publicly disclosed issue involving Internet Explorer. We’ll continue to investigate over the weekend.”

Hm, publicly disclosed where and by whom? What kind of issue and what kind of effect?

Well it looks like the tweet might be referring to an evolution of a vulnerability that was first made public by Google’s Chris Evans back in December of last year in a post on his Scary Beast Security blog.

Why have I jumped to that conclusion? Well, also on Friday last week, just a couple of hours before the Microsoft tweet, Chris Evans posted the following to the Full Disclosure mailing list

“Hi, In an attempt to get this bug fixed…

A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix.

The bug permits — for example — an arbitrary web site to force the victim to make tweets.”

In the mailing list posting Chris goes on to state that there is evidence that Microsoft may have been aware of this bug since 2008 and that the same defect “probably” affects earlier versions of IE too.

The exploit acts by stealing the (supposedly secret) credentials for an already authenticated browser session, in his example Twitter. Those credentials are then abused to send arbitrary forged content.

Embarrassingly Opera, Chrome, Firefox & Safari have all already fixed this vulnerability. Let’s hope Microsoft had a good long investigate over the weekend then eh? With the ever increasing popularity of URL shortening services, vulnerabilities like this are all too easy to exploit.

Which browser is the most secure, is that the question?

Rik Ferguson — Wed, 10 Mar 2010 17:20:02 +0000

Over the past week I have been asked twice now for my opinion on the question “Which browser is the most secure?” Probably as a result of the release of Microsoft’s “Browser Choice” update. In my view, this choice that people are being prompted to make is leading most of us to ask the wrong question entirely. Your browser will not keep you safe, whoever made it, you need to take steps to keep *yourself* safe, whichever browser you choose.

Image: J. Anderson

This update no doubt exposes millions of users to a choice which they may not, in many cases, have even been aware they were able to make; the choice of which application to use when browsing the web. Many alternatives are available when making this important choice; Internet Explorer (natch), Mozilla Firefox, Safari, Opera, Google Chrome and seven others are on offer through the Microsoft pop-up.

Rightly security is many folks’ primary concern when browsing online these days, so they want to know which browser is the safest or will offer them the highest personal security. I’m not convinced though that “Which browser is the most secure?” is really the right question.

Every browser has its flaws, vulnerabilities and patches (or lack of them). In any case attacks are increasingly aimed not only at browsers but at application plug-ins like QuickTime, Flash or Acrobat that can be used in multiple different flavours of browser. Either that or they are simply attacks aimed at the individual using the browser (like phishing, pretexting and other social engineering attacks).

Better (and more useful) advice than “Which browser is most secure?” would be “How can I best secure my browser of choice?” Trend Micro offers free tools such as Browser Guard and the Web Protection Add On for Internet Explorer. Browser Guard detects and blocks popularly used exploit techniques (such as heap spray and buffer overflow as well as looking for shellcode) offering proactive protection against unknown threats. The Web protection Add-On blocksknown malicious sites. Many other tools and plug-ins for many other browsers are also out there such as AdBlock Plus or NoScript for Firefox just for example.

It’s different strokes for different folks and various security tools or techniques require varying degrees of familiarity with the browser, with technology or with threats in general in order to effectively protect you without ruining your Internet experience beyond redemption. Helpfully, different indpendent tests and opinions will give you conflicting advice, of course.

In most cases the best advice is stick with the browser you are most familiar with but take steps to secure it. If you suddenly jump into using a browser with which you are unfamiliar, just as a simple knee-jerk reaction your unfamiliarity may leave you less secure than you were before the change.

CounterMeasures - A Security Blog � internet explorer

Your secrets are (not) safe with mIE

Which browser is the most secure, is that the question?