Why Internet Explorer's not as secure as you think

Robert Vamosi,
Senior Associate Editor,
CNET/ZDNet Reviews
Wednesday, December 11, 2002

I can't imagine why Microsoft makes it so hard for the average person to secure Internet Explorer. Considering all the noise Redmond's made about its Trustworthy Computing initiative, this is truly reprehensible--not to mention hypocritical.

Last week Microsoft bungled yet another security issue for its popular Web browser. It released on Dec. 4 (and re-released on Dec. 6) a cumulative patch that fixes a few flaws. But that patch could have done a lot more and protected a lot more people.

THE PATCH, MS02-068, ostensibly fixes an object-caching flaw that could allow a malicious user to execute rogue code on your computer. Security researcher Andreas Sandblad first demonstrated this flaw in November and later discussed it on ZDNet's Virus and Security Alert forum.

His exploit and others demonstrated how a malicious user could use a shortcut in HTML Help to reformat a floppy disk in a remote computer by sidestepping Internet Explorer's security zones. Similar techniques could also be used to reformat a hard drive remotely.

On Nov. 20, shortly after Sandblad's postings, Microsoft issued a cumulative patch for Internet Explorer, MS02-066, which among other things suggested it would resolve exploits such as Sandblad's. Or did it? Part of the controversy surrounding MS02-066 was its deliberately vague wording.

For instance, MS02-066 originally stated: "This [flaw] could enable the web site operator to read, but not change, any file on the user's local computer that could be viewed in a browser's window." This is widely believed to have been Microsoft's indirect response to Sandblad's demonstration.

ON NOV. 27, Microsoft quietly changed the wording of the original bulletin, yet didn't reissue it. The revised bulletin acknowledges the severity of the flaw and adds information on how to resolve the object-caching problem.

The relevant passage reads: "In the worst case, this [flaw] could enable the web site operator to load malicious code onto a user's system. In addition, this could also enable an attacker to invoke an executable that was already present on the local system. However, a registry key setting discussed in Microsoft Knowledge Base article 810687 disables shortcuts in HTML help, which significantly reduces the scope of these vulnerabilities."

The referenced article instructs you on how to change the Windows Registry settings to restrict the functions allowed in HTML Help. In case you don't know, editing Registry files is a potentially hazardous operation not recommended for the average user. Professionals can do it; some amateurs can do it, but by and large the vast majority of us don't want to be messing around with the Registry.

WHEN A REVISED version of the MS02-068 bulletin came out on Dec. 6, I was surprised to find these Registry changes still orphaned as a side article. If these steps solve the underlying problem with HTML Help, Microsoft should have included them in the text of the technical bulletin. Better yet, I don't see why Microsoft didn't just fold these Registry changes into the patch itself, so everyone would be protected.

As it happened, the vastly simplified end-user version of MS02-068 doesn't mention the Registry fix at all. While I understand that Microsoft didn't want to encourage average users to change Registry files, it means that most people have a lower level of protection than they could have.

So should you download this latest cumulative patch for Internet Explorer? Yes. But understand that MS02-068 could have been a lot more thorough. Perhaps Microsoft needs to hear from us that it isn't good enough, so this sort of thing doesn't keep happening. Who knows? Maybe public pressure will cause Microsoft to reissue the patch again--and finally get it right.
