Internet Explorer 6 - Security Problems

Security Problems

The security advisory site Secunia reported 24 outstanding unpatched vulnerabilities in Internet Explorer 6 as of February 9, 2010. These vulnerabilities, which include several rated "moderately critical", amount to 17% of the total 144 security risks listed on the website as of February 11, 2010.

Although security patches continue to be released for a range of platforms, most recent feature additions and security improvements were released for Windows XP only.

As of June 23, 2006, Secunia counted 20 unpatched security flaws for Internet Explorer 6, many more and older than for any other browser, even within each individual criticality level. Some of these flaws, however, affect Internet Explorer only when it runs on certain versions of Windows or in conjunction with certain other applications.

On June 23, 2004, an attacker used two previously undiscovered security holes in Internet Explorer to insert spam-sending software on an unknown number of end-user computers. This malware became known as Download.ject and it caused users to infect their computers with a back door and key logger merely by viewing a web page. Infected sites included several financial sites.

Probably the biggest generic security failing of Internet Explorer (and of other web browsers too) is that it runs with the same level of access as the logged-in user, rather than following the principle of least privilege (least user access). Consequently, any malware executing in the Internet Explorer process via a security vulnerability (e.g. Download.ject in the example above) has the same level of access as the user, which is particularly relevant when that user is an Administrator. Tools such as DropMyRights address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However, this added level of security is not installed or available by default, and does not offer a simple way to elevate privileges ad hoc when required (for example, to access Microsoft Update).

Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT), noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and that other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report.

Many security analysts attribute Internet Explorer's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, some critics argue that this is not the full story, noting that Apache HTTP Server, for example, had a much larger market share than Microsoft IIS, yet Apache had traditionally had fewer (and generally less serious) security vulnerabilities than IIS at the time.

As a result of its many problems, some security experts, including Bruce Schneier, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead. Several notable technology columnists have suggested the same, including The Wall Street Journal's Walt Mossberg, and eWeek's Steven Vaughan-Nichols. On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.
