Seeds of Disaster, 2004-11-29
Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today?
Around my yard, I space the trees and plants as if they were already full grown. Why do I do this? Because I am a security consultant.
As a security consultant, I constantly see others planting the seeds for future disasters. I see people making the very same mistakes over and over. Up to now, it has been somewhat excusable: much of the software codebase we use every day was written long before we trained developers about things like buffer overflows and canonicalization. Much of the software we have now grew from the extremely competitive environment of an explosive decade of growth where killer apps were the killer app.
Look at Internet Explorer, for example. Internet Explorer versions 3 and 4 introduced concepts like client scripting, streaming audio, DHTML, ActiveX support, content channels, and an endless list of other cool features. Security certainly wasn't high on that list because, back then, no one switched browsers for security purposes. Rapid development cycles won the browser wars; it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features. As a result, in the first 24 hours after the release of IE 4, users downloaded one copy every six seconds -- ten terabytes of downloads. IE quickly secured its place as the dominant browser, a title that it still holds today.
But today people do switch browsers for security purposes and Microsoft is losing customers to competing browsers such as Mozilla Firefox, a browser with a smaller feature set but with better perceived, if not real, security. Users quickly lose confidence in a product that always seems to have some new critical threat.
Coding for the Future
Nevertheless, Microsoft is apparently learning the lesson. Despite seemingly endless public reports of security flaws in IE, I imagine that Microsoft has also quietly fixed hundreds if not thousands of other potential security flaws before anyone else discovered them. They are also improving default security settings and adding features such as pop-up blocking and add-in management. They are paying the price for making security a low priority in the past, but they are also making a reasonable effort to try and fix the product.
It may not yet be where it needs to be, but at least they are moving, and in the right direction.
But I wonder what measures they have in place to prevent future problems. Will they take a step back and instead of fixing a specific URL spoofing vulnerability ask themselves why it is even possible to spoof a URL in the first place? Or will they question the strategy of such tight OS integration? Will the code they write today stand up to the threats of tomorrow and beyond, the threats that we cannot even imagine today? I'll put up with the IE flaws for now, but show me you are planting the right seeds for the future.
One might ask: how do you code for these future threats if you don't even know what they are? The answer is simple: you follow basic best practices for security and never, ever deviate from them. In all the history of security vulnerabilities, many issues were foreseeable and could have been avoided by following basic best practices. Follow the fundamentals and you worry less about the major threats. You worry about them less because you have so many layers of protection that they either don't exist or their impact is small.
Even if I had gone out and warned my neighbor about the tree, I doubt he would have dug it up and moved it. He's just not that kind of person. So the tree grows there, and actually looks quite nice for now. But I'm a security consultant and the tree bothers me every day I look at it.
