IE Fights Back, Sort Of

Microsoft’s maligned Internet Explorer got an unexpected boost this week in a public post on
the popular BugTraq security vulnerability posting newsletter.

According to a post by security researcher Michal Zalewski,
Microsoft’s Internet Explorer (IE) may be more secure than its alternative counterparts in certain respects.
Zalewski created what he referred to as a “trivial program to generate tiny, razor-sharp shards of malformed HTML.”
He used the program to feed the bad data (malformed HTML) to Microsoft Internet Explorer, Mozilla, Firefox,
Netscape, Opera, Lynx and Links.

In Zalewski’s test, the alternative browsers did not perform as well as IE.

“All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer
references, memory corruption, buffer overflows [and] sometimes memory exhaustion, taking several minutes
on average to encounter a tag they couldn’t parse,” wrote Zalewski.

In the security researcher’s estimation, the results demonstrated that the code quality of the alternatives
was not at the same level as that exhibited by IE. That said, Zalewski doesn’t specifically state that his
tests prove IE to be more secure than its upstart competitors.

“This is of course not to say MSIE is more secure; it does have a number of problems, mostly related to
its security architecture and various features absent in other browsers,” Zalewski explained. “But the
quality of core code appears to be far better than that of its ‘secure’ competitors.”

In a blog post, Scott Stearns, Microsoft’s IE test manager, credited IE’s positive results
to a number of initiatives undertaken by the IE team.

“In addition to code quality initiatives, there is a very healthy suite of stress or load run against IE
that we still use and extend today when we test,” Stearns wrote. “We throw a variety of things at the browser,
including good HTML, bad HTML, variety of media, and ‘the kitchen sink’ to see if we can get it to hang or crash.”

Stearns described how, as part of Microsoft’s Secure Windows Initiative, the company developed dynamic code inspection
tools that look for bad coding and coding practices. In his estimation, the tools, called Prefix and Prefast,
help Microsoft locate ‘obscure crashing code paths’ that may potentially be missed by a manual code inspection.

Though Zalewski’s tests didn’t crash IE, Microsoft’s Stearns knows that it still can be crashed. According
to Stearns, “despite Zalewski’s results and our continued effort with Windows Error Reporting, stress testing
and code quality tools, I know we can do better as there are places where you can crash IE with certain images or HTML.”

IE’s potential problems still extend beyond simple crashing, though. Just last week Microsoft issued its
latest round of updates, including a critical fix for a drag and drop vulnerability.
On Wednesday, Microsoft confirmed that the “drag-and-drop” vulnerability still exists in IE.

But alternative browsers were hit this week, too. On Wednesday, security firm Secunia revealed that
the tabbed browsing feature included in the alternative browsers contains a security flaw that could
potentially put users at risk of a spoofing attack.
