Originally from my corporate blog at http://blog.avanadeadvisor.com/blogs/waynea

Within 24 hours of Microsoft Internet Explorer (MSIE) 7 being released, an exploit was alleged to have been found. The blogosphere and a few less-technical news sites started in with a passion: Microsoft is at it again, blah blah blah, so much for the security of MSIE 7, here we go again, blah blah blah. I can't help but sit here and find a certain degree of amusement in the hubbub and side notes to all the MSIE 7 release articles (and blog entries).

Understand your Subject

Recently, the use of "Blogs" has exploded: standards have been written, methods of sharing formalized, we have come up with words like "Blog" and "Blogosphere", and (most recently) the media has started this concept of "Citizen Journalists", where a blog is used to report news or information in a given format. One of the first rules of writing effectively about a subject, either as a "Citizen Journalist" or merely accepting your place as a "Blogger" on the internet, is to understand what you are writing about.

The vulnerability discovered and published across the internet (http://secunia.com/advisories/22477/) actually relates to the Windows application model combined with a flaw in how Outlook Express handles a certain type of Uniform Resource Identifier (URI) request, not, as is alleged, a flaw in Internet Explorer itself. Tests on Vista RC2 against Secunia's demonstration page indicate that this flaw will not execute correctly against MSIE 7 on the Vista platform. Now, I am not saying that I expect every journalist out there to be an expert on security. I would not call myself anything close to an expert on security, merely a technologist with a security interest and a little background in the subject.
At the end of the day, the point I am trying to make is that when flaws like this come out, it is difficult to take seriously the myriad of sites which are unable to report accurately on a subject they do not understand. If you do not have someone with some background in the subject who can explain it to you accurately, and you yourself do not understand the subject matter you are writing about, the simple and reasonable path would seem to me to be simply not writing on the matter at hand. For the ease and understanding of those who have any kind of interest in security and would like to understand this sort of thing when vulnerabilities are published, I would encourage you to take a look at the SecurityFocus vulnerabilities database at http://www.securityfocus.com/vulnerabilities . This particular vulnerability is documented at http://www.securityfocus.com/bid/17717 as an Outlook Express flaw, with most versions of MSIE serving only as the attack vector.

The Paradigm of a New Security Model

The other thing to understand here, and to keep in mind for the next month or two, is that with MSIE 7 Microsoft made a number of changes to the way the Internet Explorer product handles certain types of security vulnerabilities. Any time you revise a security model, you introduce some short-term risk in order to solve some of the larger issues with the software application. With Microsoft Internet Explorer, this issue is exacerbated considerably by the fact that MSIE is high-profile to the end user and, as a result, high-profile to the security community. According to the Symantec Internet Security Threat Report, September 2006 (available at http://www.symantec.com/enterprise/threatreport/index.jsp), Microsoft Internet Explorer was the exploit path for 47 percent of all internet attacks in the first half of 2006.
Understandably, the new code base and accompanying security implementation are going to be under heavy scrutiny for several months. I have no doubt whatsoever that a number of new flaws will be found. Zero doubt. But that is to be expected. The real test and judgment of whether the new security model is worth anything is an analysis over time compared with previous platforms, together with an assessment of the ease of exploitation. One thing to keep in mind is that when MSIE 5 and MSIE 6 were released, the sophistication of vulnerabilities was far lower. These days I do not believe any codebase will be completely secure at release, but so far the changes I have seen in MSIE 7 are at least for the better, both in terms of usability and in the security features available to the average end user.