Internet Explorer: Is it Insecure?

Discussion in 'other security issues & news' started by Keter, Nov 5, 2013.

Thread Status:
Not open for further replies.
  1. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    Historically, Internet Explorer has been regarded as the weakest link in the Windows security chain. But recent upgrades (IE11) have introduced a variety of security features that seem pretty impressive to me. I understand that IE11 has a Chrome-like sandbox, for example.

    So, what's the deal with IE these days? Still insecure?

    (I've been liking IE11 on my tablet, so I was thinking of using it on my PCs.)
     
  2. guest

    guest Guest

  3. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    Thanks, Graf. I appreciate the link.

    Although, I don't understand why Chrome would necessarily be superior to IE11 when it comes to sandboxing. My understanding is that Chrome uses integrity levels as a key element in its sandboxing, which is also used by IE11. So, it sounds like they should be comparable.
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    You can't really just say "IE11", as it runs differently on Windows 7 than it does on Windows 8.

    IE11 is more secure than Chrome on Windows 8, that's because it uses the superior AppContainer rather than just low integrity.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I can say IE11 because I'm talking about IE11 on all platforms, including Windows 8.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Then you're wrong.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That doesn't seem likely. Regardless, the sandbox is about more than permissions set by the OS, not that AppContainer provides anything new.
     
  8. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    Hungry Man, can you elaborate on the practical differences between the IE11 sandbox and the Chrome sandbox? (I'm referring mainly to Windows 8.)
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It does hard hooking of function calls from the renderer process, and then intercepts calls, which is an attempt to make local exploitation more difficult. That's just one of a couple features, though not all are sandbox related.

    AppContainer is cool but really not relevant to Chrome's sandbox. It would add little. It's integrity based and object based, but Chrome already restricts everything (with redundancy) that AppContainer would restrict.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    You're right. Clearly running at "Low" integrity and hooking whatever you feel like (which in itself creates security issues) is better than using AppContainer, a level even lower than "Low"...

    The fact that plugins need a special broker process to run in IE11 alone goes to show it is far more restrictive. Don't pretend like you know all about a closed source implementation. I suggest you go search the documentation and the experts that have commented on it.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome uses untrusted, not low, and I don't think having a discussion on hard hooking would be very fruitful, since I don't think you know what it is.
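
Added example, not part of any post in this thread: a small Python model of the integrity-level half of a Windows write access check, showing what the "untrusted" versus "low" distinction discussed above changes in practice. The subject and object names are constructed samples; the DACL check and AppContainer capability checks are not modelled.

```python
import re

# Well-known mandatory integrity RIDs (label SIDs have the form S-1-16-<RID>).
LEVELS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
          (0x3000, "High"), (0x4000, "System")]
DEFAULT_OBJECT_RID = 0x2000  # an object with no label is treated as Medium

_SID = re.compile(r"^S-1-16-(\d+)$")

def integrity_rid(sid):
    """Return the RID of an integrity-label SID, or raise ValueError."""
    m = _SID.match(sid.strip())
    if not m:
        raise ValueError(f"not an integrity label SID: {sid!r}")
    return int(m.group(1))

def level_name(rid):
    """Name the band a RID falls in (0x2100, 'Medium Plus', is in the Medium band)."""
    name = LEVELS[0][1]
    for floor, label in LEVELS:
        if rid >= floor:
            name = label
    return name

def write_allowed(subject_sid, object_label_sid=None):
    """Integrity check under the default no-write-up policy.
    The DACL is evaluated separately by Windows and is not modelled here."""
    subject = integrity_rid(subject_sid)
    obj = (DEFAULT_OBJECT_RID if object_label_sid is None
           else integrity_rid(object_label_sid))
    return subject >= obj

# Constructed sample tokens and object labels (names are illustrative only).
SUBJECTS = {"untrusted renderer": "S-1-16-0", "low renderer": "S-1-16-4096"}
OBJECTS = {"Low-labelled folder": "S-1-16-4096", "unlabelled user file": None}

def matrix():
    """Evaluate every constructed subject against every constructed object."""
    return {(s, o): write_allowed(ssid, osid)
            for s, ssid in SUBJECTS.items() for o, osid in OBJECTS.items()}

if __name__ == "__main__":
    for (s, o), ok in matrix().items():
        verdict = "passes" if ok else "blocked by"
        print(f"{s:20} -> {o:22} write {verdict} integrity check")
```

A Low token passes the integrity check for Low-labelled locations, while an Untrusted token is blocked even there; both are blocked from unlabelled (Medium) user files.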
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    As always . . . {deleted}

    Please keep it civil, differing opinions obviously are encouraged, as long as it's in the spirit of debate. ~ TAS
     
    Last edited by a moderator: Nov 8, 2013
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Maybe I'll write about hard hooking on my blog, since I'm usually more motivated to have conversations there. In the middle of two good books though, so don't hold your breath.
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    We can't really say for certain which is better, unless you have read the official documentation detailing both browsers' sandbox mechanisms. If one had, then it should be a fairly effortless task to list some differences between the two.

    Windows AppContainer is referred to as a "tight sandbox". There is not really a lot (officially) breaking it all down for those information-hungry folks. Until then this vs. bs is nonsense.

    So far nothing said on this topic tells me that Chrome's sandbox is better than IE's or vice versa.

    If this vs. nonsense is going to continue, someone should bring something more to the table.
     
  15. guest

    guest Guest

    Should I be judged as guilty of summoning a storm? :D

    What about update frequency? Chrome gets updated more often than IE. Any flaws in the software will be patched quicker with more frequent updates.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    ...and flaws show up more frequently in the form of bugs and rendering issues.

    Also, flaws getting patched has nothing to do with the update frequency of the browser (i.e. full releases). Chrome will patch flaws ASAP; Microsoft will patch flaws ASAP if deemed important enough or provide a Fix it, or leave them for the next Patch Tuesday for more testing.
     
  17. guest

    guest Guest

    Even for vulnerability fixes?

    Which is what I was saying. If Chrome gets updated 3 times in a month while IE gets cumulative security patches twice in a month, then wouldn't it make it harder for the attackers to keep up? More update frequency = the faster the vulnerabilities get patched.

    I think the OP's question has been answered. While we can't say if Chrome or IE11 is more secure, it's clear that IE11 is not insecure.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    That's only one of multiple ways of looking at it. For example, why is Chrome having to be updated so frequently? More vulnerabilities are being found in it than in IE, that's why.

    You can argue that's because it's currently less secure, you could argue that it is becoming so bloated and complex from the fast release cycle that a lot of code isn't properly reviewed and tested (demonstrated in Chrome 30 with the TLS 1.2 issues needing an update that disabled it), you could argue that because it's open source people are reading it, you could argue that the bug bounty is working extremely well (it is for IE11), or you could argue that products should get more and more secure over time like IE and Windows, yet Chrome somehow isn't.

    Positives and negatives.

    But that discussion has absolutely nothing to do with the update frequency. I assume what you're ACTUALLY trying to talk about is reaction time of vulnerability patching, which I already answered earlier.

    http://secunia.com/vulnerability-review/browser_security.html

    "All browser vulnerabilities found in the past 2 years were patched in less than 30 days".
     
    Last edited: Nov 7, 2013
  19. guest

    guest Guest

    Yes.

    Okay. At least it's good that critical flaws are patched as quickly as possible for the 3 major browsers (IE, Chrome, Firefox). Can't say anything about Opera and Safari since I don't keep up with their vulnerability fixes.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If anyone argued anything other than the fact that it's due to their bounty program being incredibly successful I'd laugh openly at them.

    edit: I say this having talked extensively about bug bounty programs with the head of Microsoft's and the head of Mozilla's. They'd both agree.
     
    Last edited: Nov 7, 2013