Internet Explorer: Is it Insecure?

Historically, Internet Explorer has been regarded as the weakest link in the Windows security chain. But recent upgrades (IE11) have introduced a variety of security features that seem pretty impressive to me. I understand that IE11 has a Chrome-like sandbox, for example.

So, what's the deal with IE these days? Still insecure?

(I've been liking IE11 on my tablet, so I was thinking of using it on my PCs.)

 

See here:
https://www.wilderssecurity.com/showpost.php?p=2291164&postcount=41

 

Thanks, Graf. I appreciate the link.

Although, I don't understand why Chrome would necessarily be superior to IE11 when it comes to sandboxing. My understanding is that Chrome uses integrity levels as a key element in its sandboxing, which is also used by IE11. So, it sounds like they should be comparable.

 

You can't really just say "IE11", as it runs differently on Windows 7 than it does on Windows 8.

IE11 is more secure than Chrome on Windows 8, that's because it uses the superior AppContainer rather than just low integrity.

 

I can say IE11 because I'm talking about IE11 on all platforms, including Windows 8.

 

Then you're wrong.

 

That doesn't seem likely. Regardless, the sandbox is about more than permissions set by the OS, not that appcontainer provides anything new.

 

Hungry Man, can you elaborate on the practical differences between the IE11 sandbox and the Chrome sandbox? (I'm referring mainly to Windows 8.)

 

It does hard hooking of function calls from the renderer process, and then intercepts calls, which is an attempt to make local exploitation more difficult. That's just one of a couple features, though not all are sandbox related.

Appcontainer is cool but really not relevant to Chrome's sandbox. It would add little. It's integrity based and object based, but Chrome already restricts everything (with redundancy) that appcontainer would restrict.

 

You're right. Clearly running at "Low" integrity and hooking whatever you feel like (which in itself creates security issues) is better than using AppContainer, a level even lower than "Low"...

The fact that plugins need a special broker process to run in IE11 alone goes to show it is far more restrictive. Don't pretend like you know all about a closed source implementation. I suggest you go search the documentation and the experts that have commented on it.

 

Chrome uses untrusted, not low, and I don't think having a discussion on hard hooking would be very fruitful, since I don't think you know what it is.

 

As always . . . {deleted}

Please keep it civil, differing opinions obviously are encouraged, as long as it's in the spirit of debate. ~ TAS

 

Maybe I'll write about hard hooking on my blog, since I'm usually more motivated to have conversations there. In the middle of two good books though, so don't hold your breath.

 

We can't really say for certain which is the better.. unless you have read official documentations detailing both browser sandbox mechanisms. If one had then it should be fairly effortless task to list some differences between the two.

Windows AppContainer is referred as a "tight sandbox". Not really a lot (officially) breaking it all down for those information hungry folks. Until then this vs. bs is non-sense.

So far nothing said on this topic tells me that Chrome sandbox better than IE or vice-versa.

If this vs. non-sense is going to continue, someone should bring something more to the table.

 

Should I be judged as guilty of summoning a storm?

What about update frequency? Chrome gets updated more often than IE. Any flaws in the software will be patched quicker with more frequent updates.

 

...and flaws show up more frequently in the form of bugs and rendering issues.

Also, flaws getting patched has nothing to do with the update frequency of the browser (i.e. full releases). Chrome will patch flaws ASAP, Microsoft will patch flaws ASAP if deemed important enough/provide a fix-it, or left for the next patch Tuesday for more testing.

 

Even for vulnerability fix?

Which is what I was saying. If Chrome gets updated 3 times in a month while IE gets cumulative security patches twice in a month, then wouldn't it make the attackers to be harder to keep up with? More update frequency = the faster the vulnerabilities to be patched.

I think the OP's question has been answered. While we can't say if Chrome or IE11 is more secure, it's clear that IE11 is not insecure.

 

That's only one of multiple ways of looking at it. For example, why is Chrome having to be updated so frequently? More vulnerabilities are being found it in than in IE, that's why.

You can argue that's because it's currently less secure, you could argue that it is becoming so bloated and complex from the fast release cycle that a lot of code isn't properly reviewed and tested (demonstrated in Chrome 30 with the TLS 1.2 issues needing an update that disabled it), you could argue that because it's open source people are reading it, you could argue that the bug bounty is working extremely well (it is for IE11), or you could argue that products should get more and more secure over time like IE and Windows, yet Chrome somehow isn't.

Positives and negatives.

But that discussion has absolutely nothing to do with the update frequency. I assume what you're ACTUALLY trying to talk about is reaction time of vulnerability patching, which I already answered earlier.

http://secunia.com/vulnerability-review/browser_security.html

"All browser vulnerabilities found in the past 2 years were patched in less than 30 days".

 

Yes.

Okay. At least it's good that critical flaws are patched as quickly as possible for the 3 major browsers (IE, Chrome, Firefox). Can't say anything about Opera and Safari since I don't keep up with their vulnerability fixes.

 

If anyone argued anything other than the fact that it's due to their bounty program being incredibly successful I'd laugh openly at them.

edit: I say this having talked extensively about bug bounty programs with the head of Microsoft's and the head of Mozilla's. They'd both agree.