Thursday, 20 September 2012

Should you ditch Internet Explorer?

There is a very new software flaw in Internet Explorer, one of the world's most popular web browsers.

Microsoft has not yet fixed this security hole and, as a result, the German government is warning people (in German) to switch to another browser.

The press release says, in translated form, "A security update from the manufacturer [Microsoft] is currently unavailable. The BSI recommends all Internet Explorer users choose an alternative browser for internet use until the manufacturer has released a security update."

This advice has been repeated in the mainstream and technical press over the last 24 hours, while security companies have also been proponents of dumping Internet Explorer (IE).

Lazy advice?

But is this good and realistic advice, or is it a short-term and lazy approach to security that, at best, will only affect a small number of very interested users?

Anti-virus firm F-Secure says that the problem is so severe that even users of its own anti-virus software, which it says prevents this specific threat from infecting systems, should change browsers anyway.

McAfee takes a different view, saying, "The advice to stop using IE is only valid if you don’t have any protection from exploits." Naturally, McAfee also claims its products defend against such things.

Advising the switch from Internet Explorer to another browser brings a number of problems.

For such an approach to work the following needs to be true:
  1. Users need to know about this issue.
  2. Users need to understand something about software vulnerabilities and exploits.
  3. They also need to care about these things, and understand the consequences.
  4. Users need to know what a web browser is.
  5. Users need to know what brand and version of web browser they are using.
  6. Users need to know how to install, run and use new software.
  7. The bad guys need to retain their focus on Internet Explorer and ignore the browsers to which most users switch.

I don't believe that many of the points above are true for the majority of web users. However, let's assume that every internet user in the world is as savvy as you and I (despite the fact that I write a computer security blog and you are reading one, whereas most don't).

Let's also assume that we are talking about consumers and not people using business computers, which may be under the control of an IT department.

So, take the last point in the list above:

"The bad guys need to retain their focus on Internet Explorer and ignore the browsers to which most users switch."

The bad guys want to access computers and the data on those computers. To achieve this they often access systems through popular software vulnerabilities using exploits.

The people who find and exploit the vulnerabilities first tend to target the most popular software, because that is the most efficient approach. Why focus on some obscure application when everyone else is using something else? If everyone switches from Internet Explorer to Browser X, the bad guys will inevitably start work on exploiting Browser X.

You could end up switching browsers every few weeks just to stay ahead. That is not a practical approach to the problem.

Day Zero

Every time a new vulnerability is found, and an exploit for it is developed, a zero-day is found. Zero-day threats are basically just new exploits that are not generally known about. This makes them very attractive to hackers and the media.

Renowned security researcher David Litchfield responded to Germany's advice by saying, "If we stopped using software because it is exposed to a zero-day flaw we'd be left with just a big, grey paperweight."

In the case of Internet Explorer the threat is now known, so really it is not a zero-day any more. Nevertheless, Internet Explorer remains vulnerable unless you apply a special fix from Microsoft. This will not be installed automatically, as with normal security updates, so it's safe to predict that the majority of normal people on the internet will ignore it.

A History of Vulnerability

Avast's Jindrich Kubec maintains that it is worth ditching Internet Explorer because of its history of flaws. He says that despite the steep learning curve involved for normal people, the losses will be "minimal" and "none of the [other browsers have] the same 'history'".

I thought that was an interesting observation. Windows, and particularly Internet Explorer, has a bad reputation when it comes to security, so I checked the National Vulnerability Database to see which browsers had the most known vulnerabilities. Does Internet Explorer have a terrible security history, at least in recent months?

The following results are from searches I ran for browser vulnerabilities in the last 12 months (September 2011 to September 2012), for all versions of each browser, on all platforms and with all levels of threat (low to high):

Microsoft Internet Explorer
Eight vulnerabilities (seven of which were 'high')
[ref.]

Mozilla Firefox
139 vulnerabilities (80 high)
[ref.]

Google Chrome
275 vulnerabilities (152 high)
[ref.]

Those figures indicate that there have been nearly twice as many vulnerabilities for Google Chrome as for Internet Explorer and Firefox combined. Internet Explorer itself has had far fewer than Firefox.

So, after all that, should you ditch Internet Explorer?

If you want to be immune to the current single threat under discussion then the answer is obviously yes. Alternatively, if you've read this far, you're probably willing and able to install Microsoft's fix, so do that instead.

Having done either of these things, don't assume that your new or fixed browser will remain free from vulnerabilities.