12 reasons not to use IE

Discussion in 'other security issues & news' started by datarishik, Jul 5, 2011.

Thread Status:
Not open for further replies.
  1. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Valid reasons, but the same number of things can be said for other browsers.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I feel that (1.) is a poor point. I think most people agree that security through obfuscation is poor security. If the most popular browser were the one that implements the most security features I'd still feel safer with it.

    I also believe that security updates for IE are released separately? I could be wrong... but a critical update will likely not wait for patch Tuesday.

    The others definitely seem valid.
     
  4. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Well, security by obscurity is bad if its your only security... but all other things being equal, I'd choose to be in obscurity.

    Security by obscurity isn't bullet proof, and a lot of people used to walk around thinking it was enough. It clearly is not... but it clearly does make a difference.

    Anyone who leaves port 80 or port 21 open and actually monitors it, will tell you they get weird connection attempts and probably end up auto-banning a lot of IP's. If you happen to have any services running on port 35,670 on the other hand, you will get basically no activity... pretty much ever.

    So its not bullet proof, but it does keep you from being the low hanging fruit. When combined with other security measures, it just makes it that much harder to be a target.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    There are many points in this Neowin thread as to why this guy shouldn't be writing articles.

    Putting his disgusting behavior as a so called "techie" aside here are the more important highlights for people that don't want to read 9 pages and weave through various childish posts to find the knowledgeable responses.

    Post #7
    Post #45
    Post #65
    Post #83
    Post #125

    Take it as you wish as I can't be bothered with what will end up being another firestorm of "my browser is better" which is all a misinformed article like that provokes, hence the 6 pages of comments.

    This.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree. Why? What happens when the least used, and with less built-in security, becomes the most used? It becomes the most exploited, and with no built-in security.

    Yes, security through obscurity works just fine, for as long as the application is precisely the least used.

    These are not my statistics. I remember reading an article from an F-Secure article regarding switching PDF readers, due to Adobe Reader being the most used and the most exploited. This article was written way before Adobe released version 10. Anyway, they also mentioned that when people were still using IE6 (most of them, back then), people starting to use Firefox because it wasn't being targeted. Makes sense. But, according to that F-Secure article from the 100% IE6 users, 40% moved on to Firefox. What did this mean? 40% of those 100% attacks against IE6 went to target Firefox as well.

    I don't like security through obscurity. I like to use what I want, and if I can use built-in security the most possible, perfect.
     
  7. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Hah.. I've done that on quite a few occasions. Not sure why its disgusting exactly, in a lot of cases people simply can't grasp the idea that there is another program to browse the web. They will keep clicking on IE no matter what.

    While I agree that an argument could be made that IE is reasonably secure in Vista/7 (more secure than firefox IMO), in Windows XP - IE is a travesty. As far as security goes, its utter garbage and a common component in a lot of malware infections.

    I had a client of mine, a Dr's office nonetheless, where one of it users kept on getting infected (they were using XP). The machine was JUST loaded with the latest versions of java, flash, reader X, etc. I kept on telling the user that they needed to use Chrome, and they kept on insisting they were already using it. I didn't believe them. What I had to do was go down the line in Internet Options -> Securty and just disable everything... making the browser (IE) unusable.

    A day later I get an email from the user saying they couldn't do anything online. I asked them if they were using chrome, and told them that from my end I could see chrome was working fine (I lied). All of a sudden it was "working again", and I haven't had any problems since then..

    TLDR: some times its a good idea to make it so that they can't use IE.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Where have I seen this tactic before? :rolleyes: ;)

    I agree with you, on Windows XP Internet Explorer will never be as safe as on Vista and 7. Reason why IE9 is not available for Windows XP.
    Sure, it's not available for XP, due to business (Windows 7 and 8 $$), but having IE9 on XP would be bad for IE security statistics, IMHO. Which, on its turn would be bad for business as well. No IE, generally speaking, means no Bing... :D It's all business. lol

    I prefer people to have Chrome or Firefox with NoScript and AdBlock Plus on Windows XP. Depends on what they think to be easier for them.
     
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Do we have to repeat the browser wars ? :cautious:

    I'm still using Windows XP and IE. It's working fine.
    Sure, I have changed the default settings.

    But to say that IE is a 'travesty' is nonsense.
    Other browsers (like Firefox) have their own issues.

    A browser is not a security tool. Usually.
     
  10. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I won't disagree that Firefox has its own security problems, but that is why I'm using chrome nowadays... for both the enterprise and personal use. IMO, that is the only secure solution.

    There are plenty of people who attest to not using a virus scanner, or any other security product, and will tell you that its working out great for them. There are people who say they use only IE and its working out great for them. I can only take such testimonials with a grain of salt, as I see plenty of infections on a daily basis caused by drive by's and exploitation of the browser and its plugins.. The most obvious thing you can do is encourage (or even force) people to switch to a browser that doesn't typically encounter these problems. I only replied to your post because you seem to think there is something wrong with this. I think its part of a good security strategy.

    As far as whether IE is truly safe in XP, even if you think its finally safe after all these years, you have to at least concede it has an abysmal track record. Even the latest iterations have seen plenty of usable exploits... Even if you were to assume that it IS safe, I'm not sure there would be any reason to put any trust in Microsoft to keep it this way (especially since they don't seem to be paying too much attention to XP nowadays).

    I'm not usually one to ~Phrase removed~ other people's preferences, but realistically speaking if you were asked "what is the most secure browser you could use right now in XP", would you really answer IE? If you asked this question to security professionals, do you think any of them would answer IE? I think you'd see a lot of people answer chrome / firefox with adblock and noscript. I don't think you'd see anyone would say "IE - there is your ticket to safe browsing".

    Again, I'm not trying to ~Phrase removed~ your browsing preference... but you have to be realistic about the real life threats that exist, and how things have played out in the past.

    I will agree that the browser is not a security tool, which is why I think a lot of us do not rely on any protection mechanisms in the browser. I use sandboxie, and a lot of other people use the same or similar tools. If you go this route, then it probably matters much less whether you use IE, firefox or chrome... unfortunately, most people do NOT use tools like these, and a browser and A/V is all they have.
     
    Last edited by a moderator: Jul 5, 2011
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    A browser is a security tool. It's a common attack vector and its security features are going to impact your computers overall security.
     
    Last edited: Jul 5, 2011
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    All browers have their pros and cons.

    Perhaps Lynx is the safest browser. :D

    There is no reason why you'd have to use the default settings of IE. I wouldn't do that anyway.
    I don't trust 'Google' Chrome.

    While the choice of your browser can have an impact on your security, what ultimately counts is the 'total security setup'.
    Sandboxing, virtualization, limited user accounts, imaging and rollback software can help a lot.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    And your browser is a piece of that total security setup. But, of course, even an incredibly weak program can be strengthened with 3rd party applications etc.

    I don't see any reason to trust Microsoft over Google...
     
  14. Hakuna Matata

    Hakuna Matata Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    12
    I tend to go with the "What have you done for me lately?" policy when it comes to browsers :D

    IE9, with ActiveX filtering on, is supposed to be extremely secure. While I agree previous versions have been horrible as far as security goes, the latest one does appear to resolve a lot of that (at least for now).
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    1. You are safer by avoiding software that bad guys target. Mac users benefited from this for years. Windows users can lower their attack surface (be less vulnerable) by avoiding popular software. Internet Explorer is popular, so bad guys exploit known problems with the browser. No thanks.

    I have even used that line a couple of times, for instances when recommending FoxIt PDF Reader over the bulky Adobe PDF Reader. However, been shown time and again that soon as a product gains some popularity, you are potentially at risk, and Google Chrome certainly very popular.


    2. Microsoft fixes bugs in Internet Explorer on a fixed schedule. But, bugs are not discovered on a schedule which means IE users remain vulnerable to know bugs until the next scheduled bug fix roll-out. Neither Firefox or Chrome, my preferred browsers, are locked into a schedule.

    Not true, Microsoft releases critical out-of-cycle patches.


    3. In addition, I get the feeling that Microsoft is just slow in fixing Internet Explorer bugs. The last release of IE patches included a fix to a bug that Microsoft had been told about six months ago.

    I had that feeling too, but I still used Internet Explorer versions without any problems. With IE9 things seems to have improved a lot.


    4. The topic of bugs in popular software brings Adobe's Flash Player to mind. Internet Explorer users with Flash enabled in their browser get notified of new versions of Flash using a very flawed system. And, when they are notified, they need to manually install the new version of Flash.

    In this day and age, this is not acceptable; Flash is too popular and too buggy. Firefox fails here too. As I wrote about recently, I only use Flash from within Chrome which automatically, quickly and quietly updates the Flash player.


    That guy is really digging deep with this one...! Why would a browser be at fault here? Its nice that Google Chrome is handling the updates natively, but any concerns to the way Adobe chooses to update their own products are ones that should be tossed Adobes way.


    5. And speaking of Flash, it exists in Internet Explorer as an ActiveX control. The lack of security in ActiveX is what prompted me to jump on the Firefox bandwagon even prior to version 1.0.

    ActiveX may be locked down a bit more than it used to be, but how many Internet Explorer users understand the security related prompts about running an ActiveX control, let alone the configuration options for ActiveX? To me, a browser that doesn't support ActiveX is safer.


    Chrome and Firefox and other alternative web browsers (that aren’t built on top of IE engine) uses NPAPI (Netscape Plugin Application Programming Interface) based plugin that enables the use of ActiveX controls. And as stated on Wiki - http://en.wikipedia.org/wiki/NPAPI#Security ...

    A popular misconception concerning the NPAPI technology is that a plugin is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. If the host processes have the same privileges, a malicious plugin can do as much damage as a malicious ActiveX control.


    Another bit of favorite information from another reliable source ...

    ActiveX and NPAPI are binary native code modules that can do anything the current user can do. One difference is that in IE, such controls are restricted by Protected Mode, while in other browsers, they have no restrictions. Additionally, IE supports killbits, while other browsers do not have such a mechanism. If other browsers gain in marketshare, their lack of add-on security is inevitably going to bite them." - 29 Jun 2008

    Now browsers like Internet Explorer and Google Chrome introduced sandbox capabilities, not without problems but it helps a lot. And I’ve read some old information, not sure how much of it is still relevant with the updated versions of the browsers.


    * Firefox sandboxes QuickTime, Silverlight and Flash (I don't think Java is sandboxed yet), but they don't remove their privileges IIRC - the sandbox's purpose is to avoid crashes (*cough* Flash *cough*).

    * Chrome sandboxes Flash (but only the version that comes with it) aggressively - no write access and no read access.

    * IE sandboxes all ActiveX controls, but read access to the whole drive is enabled to avoid breaking compatibility with some older controls.
    "


    As I mentioned earlier, about browsers sandboxing capabilities imperfections, read for instance ‘Hackers Subvert Google Chrome Sandbox’ - http://www.informationweek.com/news/security/vulnerabilities/229403162
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't think anyone would be silly enough to say that sandboxing is perfect. But as a feature it's a powerful one. It's helped Chrome a lot and it's helping IE9 too.
     
  17. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Hi,

    I just wanted to add a quick comment... something I will not make any further comments on.

    Microsoft was informed in December, 2010 by Vupen about a reliable use-after-free exploit that effected IE 7/8/9 and bypassed DEP/ASLR and the sandbox. It took a little over 6 months before Microsoft patched the remote exploit.

    During that time period you could purchase the 'proof-of-concept'.

    -MessageBoxA
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    If you in reference to the CVE 2011-1255 vulnerability, where did you get IE9?

    "Although the CVE 2011-1255 vulnerability affects IE6 and IE7 as well as IE8, Symantec has only seen working exploits that target the latter.

    IE9, the browser that Microsoft launched in mid-March, is not affected by the vulnerability"
     
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Awesome stuff.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You disagree?
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    No matter what browser you use, it has vulnerabilities that will be targeted and exploited at some point in time. Your security policy should reflect the fact that all browsers are vulnerable, admittedly some (IE6 for instance) more than others. The browser should be isolated from the rest of the OS and from other apps as much as possible. Options here include sandboxing, virtual systems, and isolation by policy and specific HIPS rules that restrict parent-child permissions. Filtering apps like Proxomitron can be configured to remove a lot of malicious code before it reaches the browser. Unlike NoScript, it works with any browser that allows you to specify proxy settings. Specific firewall rules can prevent the browser from bypassing the filtering proxy. Removing or disabling the browser integration with other apps and the OS itself can prevent a compromised browser from becoming a compromised operating system. Heres and old and now fixed example of that integration being exploited. Yes, the final fix was in the PDF software, but if the PDF app and browser weren't integrated with each other, the POC failed anyway. The PDF app was compromised, but the exploit gained the attacker nothing.

    Regarding Internet Explorer, I do not use or have IE9 and won't be getting Vista/Win-7 and can't comment on those, but with IE5 thru 8, Internet Explorer is integrated into the OS. It was easy for malicious code that exploited IE to gain control over the OS as well because the OS itself effectively became part of the attack surface. That alone was enough for me to stop using Internet Explorer and eventually remove it from every OS I have except one.
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    noone particular,

    Since you mentioned 'filtering apps' and Proxomitron I hope you don't mind me asking this.

    As Proxomitron is no longer being developed and most (?) support sites like sidki's had stopped their work I decided to opt for Privoxy. (Win 7 64 bit) I can't do advanced programming.

    I haven't set it up properly -yet.

    Do you believe that Privoxy is an equally effective option ?
    To be honest, I don't understand the very technical stuff - I'm not a geek.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    When it comes to Chrome I don't use any secondary sandboxing, no EMET either. If I used any other browser I would.

    Any other program I make the assumption that it's vulnerable.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I haven't worked with Privoxy enough to compare them. It looks to have the potential to be just as effective. With all of the Privoxy configuration being in text files, it looks to have quite a learning curve just mastering the syntax. Then again, the same could be said for Proxomitron. As for Proxomitron no longer being developed, the parsing engine itself will work until the entire format of the web itself changes. The filters are the limitation, and are limited only by the users knowledge of HTML and javascript. I'm not certain that anyone has ever truly used it to the limits of its potential.

    I think the user will face the same problem with both Privoxy and Proxomitron. Besides the built in configuration files, I'm not sure what else is available for Privoxy or if anyone is making config files or edited sections of them available to others.
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    That's just risking it considering the amount of Chrome exploits counted in Q1 of this year alone. There's no reason anyone shouldn't have their browser on EMET.
     
Loading...
Thread Status:
Not open for further replies.