IE Fights Back, Sort Of Security Researcher Claims IE Is More Stable Sean Michael Kerner
Microsoft's much maligned Internet Explorer browser got an unexpected boost this week from a post in the popular BugTraq Security vulnerability posting newsletter.
In the post Security researcher Michal Zalewski claimed that Microsoft's Internet Explorer (IE) may be more secure than its alternative counterparts in certain respects. Zalewski created what he referred to as a "trivial program to generate tiny, razor-sharp shards of malformed HTML." He used the program as a test against Microsoft Internet Explorer, Mozilla, Firefox, Netscape, Opera, Lynx, and Links to feed the bad data (malformed HTML) to each of the browsers.
In Zalewski's test, the alternative browsers did not perform as well as IE.
"All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, [and] sometimes memory exhaustion, taking several minutes on average to encounter a tag they couldn't parse," wrote Zalewski.
In the security researcher's estimation, the results demonstrated that the code quality of the alternatives was not at the same level as that exhibited by IE. That said, Zalewski doesn't specifically state that his tests prove IE to be more secure than its upstart competitors.
"This is of course not to say MSIE is more secure; it does have a number of problems, mostly related to its security architecture and various features absent in other browsers," Zalewski explained. "But the quality of core code appears to be far better than that of its 'secure' competitors."
Scott Stearns, Microsoft's IE test manager, gave credit in a blog post for IE's positive results to a number of initiatives undertaken by the IE team.
"In addition to code quality initiatives, there is a very healthy suite of stress or load run against IE that we still use and extend today when we test," Stearns wrote. "We throw a variety of things at the browser, including good HTML, bad HTML, variety of media, and 'the kitchen sink' to see if we can get it to hang or crash."
Stearns described how, as part of Microsoft's Secure Windows Initiative, the company developed dynamic code inspection tools that look for bad coding and coding practices. In his estimation, the tools called Prefix and Prefast help Microsoft locate 'obscure crashing code paths' that may potentially be missed by a manual code inspection.
Though Zalewski's tests didn't crash IE, Microsoft's Stearns knows that it still can be crashed. According to Stearns, "despite Zalewski's results and our continued effort with Windows Error Reporting, stress testing and code quality tools, I know we can do better as there are places where you can crash IE with certain images or HTML."
IE's potential problems still extend beyond simple crashing, and just last week Microsoft issued its latest round of updates, including a critical fix for a drag and drop vulnerability. On Wednesday, Microsoft confirmed that the "drag-and-drop" vulnerability still exists in IE.
But alternative browsers were hit this week, too. On Wednesday, security firm Secunia revealed that the tabbed browsing feature included in the alternative browsers contains a security flaw that could potentially put users at risk of a spoofing attack.
