Microsoft’s maligned Internet Explorer got an unexpected boost this week.

According to a post by security researcher Michal Zalewski, Microsoft’s Internet Explorer (IE) may be more secure than its alternative counterparts in certain respects.

In a public post on the popular BugTraq Security vulnerability posting newsletter, Zalewski created what he referred to as a “trivial program to generate tiny, razor-sharp shards of malformed HTML.” He used the program as a test against Microsoft Internet Explorer, Mozilla, Firefox, Netscape, Opera, Lynx and Links to feed the bad data (malformed HTML) to each of the browsers.

In Zalewski’s test, the alternative browsers did not perform as well as IE.

“All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows [and] sometimes memory exhaustion, taking several minutes on average to encounter a tag they couldn’t parse,” wrote Zalewski.

In the security researcher’s estimation, the results demonstrated that the code quality of the alternatives was not at the same level as that exhibited by IE. That said, Zalewski doesn’t specifically state that his tests prove IE to be more secure than its upstart competitors.

“This is of course not to say MSIE is more secure; it does have a number of problems, mostly related to its security architecture and various features absent in other browsers,” Zalewski explained. “But the quality of core code appears to be far better than that of its ‘secure’ competitors.”

Scott Stearns, Microsoft’s IE test manager, gave credit in a blog post for IE’s positive results to a number of initiatives undertaken by the IE team.

“In addition to code quality initiatives, there is a very healthy suite of stress or load run against IE that we still use and extend today when we test,” Stearns wrote. “We throw a variety of things at the browser, including good HTML, bad HTML, variety of media, and ‘the kitchen sink’ to see if we can get it to hang or crash.”

Stearns described how, as part of Microsoft’s Secure Windows Initiative, the company developed dynamic code inspection tools that look for bad coding and coding practices. In his estimation, the tools called Prefix and Prefast help Microsoft locate ‘obscure crashing code paths’ that may potentially be missed by a manual code inspection.

Though Zalewski’s tests didn’t crash IE, Microsoft’s Stearns knows that it still can be crashed. According to Stearns, “despite Zalewski’s results and our continued effort with Windows Error Reporting, stress testing and code quality tools, I know we can do better as there are places where you can crash IE with certain images or HTML.”

IE’s potential problem still extends beyond simple crashing, though; just last week Microsoft issued its latest round of updates, including a critical fix for a drag and drop vulnerability. On Wednesday, Microsoft confirmed that the “drag-and-drop” vulnerability still exists in IE.

But alternative browsers were hit this week, too. On Wednesday, security firm Secunia revealed that the tabbed browsing feature included in the alternative browsers contains a security flaw that could potentially put users at risk of a spoofing attack.