News

Internet Explorer Problems Explode

With hundreds of millions of lines of code contained in Web browser applications, even the most informed and seasoned developers are bound to overlook a couple of things.

• By Jabulani Leffall
• 12/19/2007

This is the answer many security experts come up with, when asked the question: What's up with Internet Explorer these days?

Even as Redmond lauds its browser security over Mozilla's Firefox browser; even as it investigates a reported vulnerability in IE's Web Proxy Automatic Discovery program; and as it scrambles to rectify a cumulative IE Patch glitch, the software giant on Wednesday continued to play down a new perceived vulnerability related to IE caching that would allow hackers to break into Google Gmail via the Web browser.

Santa Clara, Calif-based security firm Cenzic announced on Monday that improper use of caching directives in IE, combined with incorrect access checks on cached browser files, could lead to such files "being maliciously modified to create a cross-site scripting vulnerability." Such a vulnerability, the firm said, also exposes Gmail account sign-ons, thereby giving hackers an entry point into a system.

In the context of Web browsers, the cache is a block of temporary storage data comprised of information such as browsing history, pre-set e-mail account and private web site passwords. These kinds of attacks would be most common in public or community computing locations such as cyber cafes and computer kiosks found at various airports, hotels and so on.

Cenzic Intelligent Analysis Lab researchers said they notified both Google and Microsoft about the possible bug in November and alerted the Department of Homeland Security's Computer Emergency Response Team (CERT). Cenzic said Microsoft and Google informed Cenzic that they wouldn't be fixing it right away because they didn't think it was too urgent.

Microsoft stated that it has "thoroughly investigated these claims and found that they do not represent a product vulnerability," since an attacker would need physical access to the workstation.

"For this to happen attackers would need authenticated access to the system in order to modify files located in the cache," said a Microsoft spokesperson on Wednesday. "With that level of access, an attacker could indeed install malicious programs that would have more impact than the scenarios described."

For its part, Google conceded that if a hacker is savvy enough, he or she could modify cache data on the local browser on an individual workstation previously used by other people. But this is not unique to Google or Gmail.

Notwithstanding the dismissal of the apparent hole by the two tech titans, Cenzic spokesman Mandeep Khera said in an interview Wednesday that "there's still a long way to go" with the issue and that such a problem can be considerably more bleak when it comes to application security for third-party vendors and smaller ISVs.

"I can understand the explanation that (Microsoft and Google) are giving, but this is still a formidable vulnerability," Khera added. "Because if you're in one of these public places -- a library, a cafe or an airport -- anybody can log right after you and you're still exposed. This makes it an issue that needs to be fixed."

In the meantime, it doesn't appear that Redmond plans to patch this issue -- if at all -- until the next cumulative bulletin for IE, next year.

Eric Schultze, chief technology officer of ST. Paul, Minn.-based Shavlik Technologies, said people doing important work shouldn't be using public kiosks at all, even for something as seemingly harmless as a routine e-mail check. "I don't use public kiosks, period. For something like this to happen, it means whoever set up the computers didn't configure the kiosk correctly."

In the absence of a patch, IT pros as well as individual users should consider disabling caching of pages at the browser level, which will prevent any page from being cached for later viewing.

For multiple workstations, someone operating a public computer lab with Web access should configure the machines to not cache pages using server side language (SSL). SSL executes server side scripting, which in turn is used to provide interactive Web sites a back-channel interface to databases and other storage files.

These workarounds may adversely affect the browsing experience through periodic error messages or slow loading on IE, experts say, but better safe than sorry.

In related news, Microsoft has updated both its Knowledge Base articles and its blog in its efforts to respond to the reported IE Crash issue that came in the wake of December's Patch Tuesday Release.

Sean Moshir, chief executive of CellTrust and a founder of PatchLink, said observers need to remember that IE is still heavily embedded in the Windows operating system and while often viewed as a separate application, that's not really the case, so thorough testing and continual network diagnoses are needed.

"It's a complex issue because when these patches update IE, they also update the many dynamic link libraries (.dlls) and subroutines that affect the operating system and its other applications, so it's all kind of intertwined," Moshir said.

As to the continuing vulnerabilities cropping up on IE, Shavlik's Schultze thinks it's more of a disclosure issue than a fundamental decline in the browser's security and integrity.

"I wouldn't say IE is falling apart, it's just that a lot of companies and individuals have gone public with these issues," he said. "Believe me, there are lots of private notices Microsoft gets everyday for IE and others, and if all those were to go public you wouldn't want to even turn on your computer."