Trustworthy Computing must include browsers

By on
Trustworthy Computing must include browsers

What is Microsoft thinking of? The company’s laudable goals of Trustworthy Computing have seen great strides made in much of its software, its patching process is improving and security-specific products like ISA Server are getting steadily better. But the firm seems to be having huge difficulty fixing fundamental flaws in Internet Explorer, flaws that are being actively exploited by criminals, and is now considering abandoning standards in what appear to be increasingly desperate attempts to secure the browser.

The chief flaw is the malformed URI bug, which abuses the ability to pass usernames to remote servers (see p9). Microsoft, unable to deliver a real fix, now says it might just remove this functionality.

The syntax of Uniform Resource Identifiers (URIs) was set down by Tim Berners-Lee in RFC 2396, and includes facilities for users to identify themselves to remote servers. Breaking this RFC cannot be a good idea. What standards will be next to fall by the wayside, in Microsoft's scramble to close holes its programmers cannot? Other browsers handle this problem easily enough.

To be fair, very few sites use this particular facility, and nearly all the instances the average user will experience are going to be scams.

Removing the ability to handle usernames in URLs will not affect many people. But excising inconvenient parts of standards, rather than finding more flexible ways of addressing the issue, is at best a messy kludge, and might encourage similar standards-breaking shortcuts in the future.

Microsoft has been working to address criticism over its support for standards. This latest move does not look like a step forward.

There's more trouble in the wings too. Another recent bug allows an attacker to conceal file names, making an apparently innocent download, such as a pdf or text document, able to hide executable malware. Coupled with domain redirection courtesy of the URI flaw, this is a devastating combination: a URL claiming to be a government or BBC site, for example, with a 'pdf' of the Hutton report, would likely claim many victims.

Other security flaws are also outstanding, and the company's attempts to deal with them are becoming ever more bizarre. A knowledgebase article even goes so far as to recommend that users no longer click on URLs, but type them in manually instead, to avoid falling victim to spoofed sites.

Microsoft has been upfront with its intention to cease development of IE as a standalone browser, moving to a fully integrated environment with Longhorn. In the meanwhile, that has meant competing browsers such as Opera, Mozilla, Safari and Firebird have streaked ahead in features, but the company must take responsibility for securing the current version if its "Trustworthy Computing" project is to be taken seriously.

Jon Tullett is the UK and online editor of SC Magazine


Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?