US Department of Agriculture Chooses Internet Explorer
This morning I encountered a news item that caused me to do a double take. The US Department of Agriculture (DoA) announced that it will allow only the Internet Explorer (IE) browser to be used. Five or six years ago, this would have been virtual suicide. This snippet from a paper that I published in Computer Fraud and Security five years ago sums up the prevailing attitude at that time:
“The Web is still very much a dangerous place, now to a large degree because of a myriad of vulnerabilities in Web browsers, particularly in Microsoft’s Internet Explorer (IE). The average number of announced vulnerabilities in IE per month is virtually unparalleled, with nearly three per month in IE6 over the last two years, according to Secunia. Perhaps worse yet, of the announced IE vulnerabilities, 14 percent have been rated as extremely critical and 34 percent have been rated highly critical. Although IE is currently the most widely used Web browser, the regular stream of Microsoft and other bulletins describing yet more IE security vulnerabilities and media accounts of real-life incidents in which IE vulnerabilities have been exploited have hurt the popularity of IE considerably. Attacks on systems in which IE vulnerabilities are exploited are commonplace and are growing at a rapid pace.”
Then Microsoft “got with it” and started to improve security in IE. Recent versions such as IE 7 have had some impressive security features and capabilities, some of the most notable of which include:
• IE 7 Protected Mode, a special mode that helps reduce previous software vulnerabilities in browser extensions by eliminating the possibility of using them to install malicious software or change system files without a user’s knowledge or consent.
• ActiveX Opt-in, a function that disables all controls that are not explicitly allowed by the user.
• Cross-site scripting attack protection, which provides obstacles that help limit the ability of malicious Web sites to exploit cross-site scripting vulnerabilities in other Web sites.
• A phishing filter that compares the addresses of Web sites a user attempts to visit with a list of reported legitimate sites stored on the user’s computer. It analyzes the Web sites that users visit by checking them for characteristics common to phishing sites, and it sends the address of each Web site a user visits to a Microsoft on-line service that checks the site against a constantly updated list of known phishing sites.
• User interface Privilege Isolation (UIPI), a function that keeps lower-integrity processes from reaching higher-integrity processes.
IE 8 offers several additional security features and capabilities, such as:
• Improvements in Protected Mode that allow medium-integrity applications to access low-integrity cookies without the user having to intervene, and a new capability for users to control browser behavior even when the browser is started by a medium-integrity process.
• New RSS functions, including enabling the Windows RSS Platform to perform authentication without user involvement, and assigning every feed item an effective ID based on its hash value so that the read/unread state of an item stored on multiple computers can be checked and, if necessary, synchronized.
• Protection against clickjacking.
• Improved protection against cross site scripting attacks.
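Of the IE 8 items above, the clickjacking protection is the one a site operator interacts with directly: IE 8 honours the X-Frame-Options response header, so a page that sends it can refuse to be rendered inside another site's frame. The Python below is an added example (not code from the original post, and not Microsoft's implementation) that evaluates that header the way a browser honouring it does, so an administrator can audit which of a site's responses a given top-level page could still frame. The response set at the bottom is constructed for the demonstration, not captured from any real site.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that defines a page's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def framing_allowed(headers, framed_url, top_url):
    """Decide whether a browser honouring X-Frame-Options would render
    framed_url (the response carrying `headers`) inside a frame on top_url.

    Returns (allowed, reason). Header names and the directive itself are
    matched case-insensitively, as browsers do.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
    if value is None:
        return True, "no X-Frame-Options header: frameable by any site"

    directive, _, argument = value.partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False, "DENY: never framed"
    if directive == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(top_url)
        return same, "SAMEORIGIN: framed only by the same origin"
    if directive == "ALLOW-FROM":
        permitted = origin_of(argument.strip()) == origin_of(top_url)
        return permitted, "ALLOW-FROM: framed only by the listed origin"
    # Browsers ignore a value they do not recognise, which leaves the page
    # frameable; report that so a typo in the header is not mistaken for protection.
    return True, f"unrecognised value {value!r}: treated as absent"


def audit(responses, top_url):
    """Return the URLs from `responses` that a page on top_url could frame."""
    return [url for url, hdrs in responses.items()
            if framing_allowed(hdrs, url, top_url)[0]]


# Constructed sample responses (hypothetical hosts, not captured from any real site).
SAMPLE_RESPONSES = {
    "https://intranet.example/login": {"X-Frame-Options": "DENY"},
    "https://intranet.example/help": {"x-frame-options": "sameorigin"},
    "https://intranet.example/widget": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "https://intranet.example/legacy": {"X-Frame-Options": "ALLOWALL"},  # non-standard value
    "https://intranet.example/news": {},
}

if __name__ == "__main__":
    for site in ("https://attacker.example", "https://intranet.example", "https://portal.example"):
        print(site, "->", audit(SAMPLE_RESPONSES, site))
```

Running it lists, for each hypothetical top-level site, the intranet responses it could still frame; the `/legacy` entry shows why the audit reports unrecognised values explicitly rather than silently treating them as protection.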
The advantages resulting from the new and effective security features and functions in recent versions of IE are lamentably offset to a large degree by the large number of vulnerabilities that are still being found in this browser. However, IE cannot be singled out as the browser with the most vulnerabilities any more. According to numerous studies, Firefox has approximately the same number of vulnerabilities, and Chrome, while relatively new, has also had more than its fair share of vulnerabilities.
I’m not endorsing any particular browser. What I am trying to say is that five years ago, if you used IE, you certainly did not choose security as one of your more important criteria. But IE has gotten better as far as its security capabilities go, and given that IE allows multiple browser installations to be managed from a single point, there are also some practical advantages to using this browser. So despite the fact that the DoA will probably never win any awards for excellence in information security, this department has at least made a very justifiable decision in standardizing on the IE browser.