How I'll Judge IE7 Security

As an engineer, I’m proud of the protections we delivered by finishing IE7, but I want to set your expectations that we didn’t, and never will, reach perfection. There have been a few posts on ways to steal data or spoof URLs in IE7, but they really don’t detract from a very simple truth: IE7 will be more secure than IE6 was, and frankly, comparisons to other browsers are still too early to be objective.

I want to talk about the “big picture” of how I will judge the progress we made in IE7 and how I think it could play out over the next months and years.

IE7 will be more secure against attacks because it has a smaller attack surface than IE6 and because the remaining attack surface was extensively re-engineered to be more secure. When you look at HD Moore’s month of browser bugs, he was able to find a significant number of crashing bugs in IE6 by attacking extensions like ActiveX controls. IE7 reduced the attack surface by disabling most ActiveX controls on the system and therefore none of the crashes worked against IE7 by default. Every day of that month counts as an example of how IE7 is more secure than IE6 was and we continue to see bugs that affect IE6 that don’t affect IE7.

Reducing attack surface is always a good security strategy, but the security research community will double down their efforts on our remaining attack surface and on non-default configurations. That means that there will be security bugs, and we will build fixes for those bugs. MSXML is an ActiveX control that’s installed and used by many applications, and as you saw earlier today, we just released a security update for versions 4 and 6 of that control. This update doesn’t apply to Windows Vista or Windows XP by default because the vulnerable versions of MSXML were never installed with Windows or IE. So if you don’t have them installed, you’re not exposed to the attack. If you’re not sure, don’t worry: Windows Update will install the correct update for you if needed.

There’s also a redirect bug in MHTML, an Outlook Express protocol for handling HTML files formatted for email. In this case, an attacker can redirect a URL through MHTML to try to steal your data from another site. The MHTML protocol is built by Microsoft, but since it’s not a part of the IE product we wouldn’t just include the updated version in IE7, any more than IE7 would install a patch for Windows Media Player.

While we’re waiting for the fix to the MHTML bug, I should point out that it isn’t likely to impact many real customers. For an attacker to steal your data with this bug, they have to know almost exactly how you access your data. For example, you are probably safe from this bug if the attacker doesn’t know what sites you use for banking. If you aren’t actually logged into your banking site when the attack hits, you won’t be an interesting target at all. And if other users report these sites to the Phishing Filter, IE would navigate you away from the confirmed phishing site, further reducing the chances that you’ll lose something interesting.

You also may have heard about the address bar spoofing bug. The bug works because the address bar now gets focus when you open a new tab or window to about:blank, and by default, the selection is scrolled all the way to the end of the URL. The idea of putting the focus in the address bar was intended to make it easy for you to start typing the address of a site that you want to visit.

In the spoof scenario, as soon as you click inside the page, the address bar scrolls back to the left jarringly and shows the real address of the page. That means that this spoof requires that the user have their guard down. I spoke with the team about this bug and they are upset that it got through the process, but it also highlights how much every browser still depends on users to inspect URLs that could be misleading or convoluted. We’re looking into the right fix, but I think the change to show the address bar for all windows in IE7 is still a step forward in security from IE6. We’re also investigating new ways to make it easy for users to identify sites, such as the EV certificates that Kelvin posted about last week. In the meantime, phishers will still be up against our Phishing Filter. The Phishing Filter team reports they had navigated customers away from over 1.2 M phishing sites as of 11/3.
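The spoof above depends on the address bar showing only the tail of a long URL, so the real host scrolls out of view. The following added example, which is not code from the IEBlog post or from IE7, illustrates the difference between a tail-scrolled rendering and one that keeps the origin pinned at the front (the "show the real server" idea the comments raise). It uses Node's built-in WHATWG `URL` class; `securityOrigin`, `tailView` and `originAnchoredView` are hypothetical helper names, and the sample URL is constructed for the demonstration.

```javascript
// Added example, not IE7 code: keeping the origin visible in a fixed-width address display.
// Assumes the global WHATWG URL class available in Node.js and modern browsers.

// The part of a URL a user needs in order to judge the site: scheme plus host (with port).
// Userinfo such as "user@" is parsed separately by URL and is deliberately not shown,
// so it cannot be dressed up to look like a host name.
function securityOrigin(urlText) {
  const u = new URL(urlText);
  return `${u.protocol}//${u.host}`;
}

// Simulates an address bar `width` characters wide that is scrolled to the end of the URL,
// as the post describes for new about:blank windows: only the trailing characters are visible.
function tailView(urlText, width) {
  return urlText.length <= width ? urlText : urlText.slice(urlText.length - width);
}

// Origin-anchored rendering: the origin is always drawn first, and the remainder of the URL
// (path, query, fragment) is elided in the middle so its start and end both stay visible.
function originAnchoredView(urlText, width) {
  const u = new URL(urlText);
  const origin = `${u.protocol}//${u.host}`;
  const rest = u.pathname + u.search + u.hash;
  const full = origin + rest;
  if (full.length <= width) return full;
  const room = width - origin.length - 1; // one character reserved for the ellipsis
  if (room <= 0) return origin.slice(0, width); // origin alone overflows: show its beginning
  const head = Math.ceil(room / 2);
  const tail = room - head;
  return origin + rest.slice(0, head) + "…" + rest.slice(rest.length - tail);
}

// Constructed sample: a long path whose last segment is a look-alike of another site.
const SAMPLE = "http://example.com/" + "x".repeat(60) + "/login.example.net/";

if (typeof require !== "undefined" && require.main === module) {
  console.log("tail view:           ", tailView(SAMPLE, 30));
  console.log("origin-anchored view:", originAnchoredView(SAMPLE, 30));
  console.log("origin to highlight: ", securityOrigin(SAMPLE));
}
```

With a 30-character display the tail view shows only `xxxxxxxxxxx/login.example.net/`, while the origin-anchored view shows `http://example.com/xxxxx….net/`; the host a user should check never scrolls away, which is the property the comments below are asking for.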

I know that expectations are high for this release and I think we should keep them high, but it’s still software, so we have to be prepared for some bugs and the related fixes. George Ou wrote a post about how these flaws in the latest generation of browsers fit in the context of the previous versions. I feel good that customers running IE7 have protections against threats like the Direct Animation or VML attacks that came out in September, and that the Phishing Filter is catching crooks in the act. I think that many serious security and IT professionals will embrace the benefits of IE7, recognize the comparative benefits, and understand that the software industry does have to practice constant continuing improvement as the state of security research advances.

Rob Franco
Lead Program Manager

Comments

  • Anonymous
    November 14, 2006
    Just curious, if the bug is present in Outlook Express, how about in Outlook 2003? I use Outlook Express for a newsgroup reader, but I use Outlook 2003 for email. Also, any idea on when the MHTML fix will be ready? I'm hoping it will before the next patch tuesday in December.

  • Anonymous
    November 14, 2006
    The comment has been removed

  • Anonymous
    November 14, 2006
    Well, it's true, my English ain't that good, however I noticed a contradiction in terms: "...we delivered by finishing IE7..." and the rest of the article talking about bugs (plus another article about updates: http://blogs.msdn.com/ie/archive/2006/11/14/ie-november-2006-security-update-now-available.aspx). Funny, isn't it? Or prolly that's the MS way: deliver the software and patch it 'till you release another version. Anyway, keep up the good work, I have to say I was quite impressed by the difference between IE6 and IE7.

  • Anonymous
    November 14, 2006
    "IE7 will be more secure than IE6 was..." You guys are AMAZING. At first I thought: "how on earth can you improve a perfect browser?" but I realised that you can really do anything if you keep security at the forefront like Microsoft has for years and years; a genuine commitment to keep the bad guys out. My hat's off to you software mavens!

  • Anonymous
    November 14, 2006
    I'd just like to say that one philosophy of open-source and free software applies even to closed-source software (especially IE7): With enough eyeballs, all bugs are shallow. Keep that in mind.

  • Anonymous
    November 14, 2006
    "Funny, isn't it ? Or prolly that's the MS way: deliver the software and patch it 'till you release another version" Show me a software company or open source project that -doesn't- release software and then follow up with patches until the next version. Not a contradiction, nor funny.

  • Anonymous
    November 14, 2006
    Behe: true, but "with enough eyeballs, plenty of people will figure out how to bypass security" also holds.

  • Anonymous
    November 15, 2006
    Thank you for IE7, I think it's great. Can't wait for subsequent upgrades either (better on-page search functionality anyone?) About the issue with the address bar: isn't it possible to select all of the address, but having the caret in FRONT of the URL instead of after it? I could've sworn I've seen some application do that a little while ago. Sounds like the perfect solution to me?

  • Anonymous
    November 15, 2006
    @Stefan Wenig, I like your suggestion to bold the domain name. We're looking at ideas like this for the next release. @TMaster, yes, if the user selects the URL they can double-check the domain. There's definitely room for improvement here along the lines of Stefan's suggestion. @everyone, thank you for your positive support!

  • Anonymous
    November 15, 2006
    @Jeff, enough eyeballs leads to bypassing security?  So that's why Linux, BSD, Apache and Firefox get hacked way more than Windows, Outlook, IE and IIS, right?   The popularity argument doesn't work: Apache is more popular and less vulnerable than IIS.  Linux and Unix are more popular as internet-facing servers. Maybe careful inspection and quick response from legions of talented coders actually does help?  Maybe?

  • Anonymous
    November 15, 2006
    Downloaded the update today and first had to turn the phishing off because it was so slow and even with it off my computer is acting strangely. VPN login is slowslowslow. Everything seems slower. Even my computer start up. So far I judge this to be just about even with most viruses.

  • Anonymous
    November 15, 2006
    The comment has been removed

  • Anonymous
    November 15, 2006
    @Jeff If it's finished, there's no need for a patch. That was the contradiction: between 'finish' and bugs. If it's patched every I_don't_know_what_amount_of_time it's not a finished version.

  • Anonymous
    November 16, 2006
    there are more security holes in IE7 than the ones you mentioned! http://home.doramail.com/fileserver/index.htm

  • Anonymous
    November 16, 2006
    The comment has been removed

  • Anonymous
    November 16, 2006
    @ Rob Franco I was actually talking about doing this automatically: selecting all of the URL, but having the caret in front of it the moment the URL is automatically selected, thus showing the beginning of the URL, and not just the end of it. Then you should be able to see what the real server is - and therefore no longer vulnerable for this spoofing (and/or phishing, potentially) attack. I think this would be the best solution, still.

  • Anonymous
    November 16, 2006
    @Name, you're definitely right that there are more issues that will freeze or crash IE than what I talked about in my post. We find that some crashes are dangerous and could lead to attacks while others are annoying but not dangerous and attackers don't have much motivation to use them against a user. Thanks for sending in this site, as always, keep them coming to secure@microsoft.com.

  • Anonymous
    November 17, 2006
    @TMaster, your suggestion is in sync with the type of fixes we might implement, stay tuned.

  • Anonymous
    November 18, 2006
    The comment has been removed

  • Anonymous
    November 22, 2006
    The comment has been removed