A spate of Internet Explorer (IE) zero-day vulnerabilities in 2014 has forced Microsoft to repeatedly scramble to secure its Web browser, posing new questions about the software's overall security in an increasingly competitive browser landscape. Experts caution that enterprises shouldn't shun IE based solely on its recent problems.
On May 21, Hewlett-Packard Co.'s Zero-Day Initiative (ZDI) released details of an Internet Explorer zero-day vulnerability stemming from the way version 8 of Microsoft's browser handles CMarkup objects. Originally uncovered in October 2013, the seven-month-old vulnerability is notable not only for Microsoft's reluctance to patch it after repeated warnings from ZDI, but also because the same component was hit earlier this year by a separate IE zero-day.
The ZDI disclosure came on the heels of Microsoft's rush last month to issue an out-of-band patch for CVE-2014-1776, a use-after-free zero-day vulnerability in IE that FireEye Inc. spotted being exploited in the wild.
IE11, the latest version of Microsoft's browser, was also taken down twice at this year's Pwn2Own competition, with one of the previously unknown vulnerabilities -- uncovered by the French firm VUPEN Security -- yet to be patched. Brian Gorenc, manager of vulnerability research for Hewlett-Packard's Security Research group, told SearchSecurity that ZDI has notified Microsoft of several more IE zero-days that have yet to be publicly disclosed.
Gorenc noted that a large percentage of the IE bugs submitted to ZDI fall into the category of use-after-free vulnerabilities: a memory-safety flaw, common in Web browsers, in which code keeps using an object after its memory has been freed. An attacker who can get that freed memory reallocated and filled with controlled data corrupts the object's contents -- typically the function pointers the browser trusts -- and can redirect execution to arbitrary code.
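As an added illustration of the use-after-free pattern Gorenc describes (this is constructed example code, not IE code and not from ZDI or Microsoft), the C below models a browser object whose first word is a function pointer, much like a C++ object's vtable pointer. A tiny fixed-slot pool allocator with a LIFO free list stands in for the browser heap; the pool, the `Node` type, the handler names and the attacker value are all assumptions for the demonstration. The vulnerable routine frees the object while a second, untracked pointer still refers to it, then lets an "attacker" allocation of the same size reclaim the slot, so the stale pointer's function-pointer word now holds attacker data. The hardened routine makes every holder take a reference count, so the object outlives the original owner and the attacker's allocation lands elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size-slot pool (constructed for this example; not a model of the
 * Windows or IE heap). Freed slots go on a LIFO free list, so the next
 * allocation in the size class gets the most recently freed slot. That reuse
 * is exactly what a use-after-free exploit relies on to reclaim an object. */
#define SLOT_SIZE 32
#define NSLOTS 4

static _Alignas(uintptr_t) unsigned char pool[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS];
static int free_top = -1;
static int pool_ready = 0;

static void pool_init(void) {
    if (pool_ready) return;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[++free_top] = i;
    pool_ready = 1;
}
static void *pool_alloc(void) {
    pool_init();
    if (free_top < 0) return NULL;
    return pool[free_list[free_top--]];
}
static void pool_free(void *p) {
    free_list[++free_top] = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
}

typedef void (*handler_fn)(void);
/* Object whose first word is a code pointer, like a C++ object's vptr. */
typedef struct {
    handler_fn on_event;
    int refcount;
    char name[16];
} Node;
_Static_assert(sizeof(Node) <= SLOT_SIZE, "Node must fit one pool slot");

static int benign_calls = 0;
static void benign_handler(void) { benign_calls++; }

/* Value the attacker writes over the freed object's first word (assumed). */
#define ATTACKER_VALUE ((uintptr_t)0x4141414141414141ULL)

static Node *node_new(void) {
    Node *n = pool_alloc();
    if (!n) return NULL;
    n->on_event = benign_handler;
    n->refcount = 1;
    strcpy(n->name, "markup");
    return n;
}

/* Read an object's first word as raw bytes so it can be inspected even after
 * an attacker overwrote it; calling it would crash or run attacker code. */
static uintptr_t first_word(const void *obj) {
    uintptr_t v;
    memcpy(&v, obj, sizeof v);
    return v;
}

/* Vulnerable pattern: the owner frees the object while another reference
 * (an event callback, a tree link) survives. Returns what the stale pointer's
 * function-pointer word contains afterwards. */
uintptr_t vulnerable_use_after_free(void) {
    Node *n = node_new();
    Node *stale = n;                 /* second, untracked reference */
    pool_free(n);                    /* owner destroys the object */

    /* Attacker triggers a same-size allocation; the pool hands back the very
     * slot 'stale' still points at, now filled with attacker data. */
    uintptr_t *spray = pool_alloc();
    spray[0] = ATTACKER_VALUE;

    uintptr_t hijacked = first_word(stale);
    /* A real exploit's next step is stale->on_event(), now attacker-controlled. */

    pool_free(spray);
    return hijacked;
}

/* Hardened pattern: every holder takes a reference, so the object cannot be
 * freed while anyone can still reach it. */
static Node *node_ref(Node *n) { n->refcount++; return n; }
static void node_unref(Node *n) { if (--n->refcount == 0) pool_free(n); }

/* Returns 1 if the second holder's object is still intact and callable after
 * the original owner released it and an attacker allocation happened. */
int hardened_refcounted(void) {
    Node *n = node_new();
    Node *held = node_ref(n);        /* second holder accounts for itself */
    node_unref(n);                   /* owner releases; refcount 1, object lives */

    uintptr_t *spray = pool_alloc(); /* lands in a different slot */
    spray[0] = ATTACKER_VALUE;

    int intact = (held->on_event == benign_handler) && (spray != (void *)held);
    held->on_event();                /* still safe to call */

    pool_free(spray);
    node_unref(held);                /* last reference: only now is the slot freed */
    return intact;
}

int main(void) {
    printf("vulnerable: stale object's function pointer word = 0x%llx\n",
           (unsigned long long)vulnerable_use_after_free());
    printf("hardened: object intact after owner released it = %d\n",
           hardened_refcounted());
    return 0;
}
```

The deterministic LIFO free list is what makes the reclaim reliable here; real allocators add randomization and size-class separation, which is why browser exploits spend effort "heap grooming" to recreate this situation before triggering the free.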
Accounting for the recent IE zero-days, Gorenc said the browser still commands a large share of the overall market -- particularly among high-value targets such as enterprises and government agencies, where attackers are most likely to spend a zero-day -- and that drives interest among both attackers and researchers.
"These facts make Internet Explorer an attractive target for attackers to go after," said Gorenc, "as any vulnerabilities discovered have a good return on investment."
What the zero-days say about Internet Explorer security
Beyond IE's market share, there are several factors behind the recent wave of IE zero-day vulnerabilities, according to Wolfgang Kandek, chief technology officer for Redwood City, California-based vulnerability management vendor Qualys Inc., though they don't speak directly to the browser's overall security posture.
First and foremost, Kandek said, more people make a living in the field of cybercrime than ever before and those criminals tend to be smarter and better paid than previous generations. Combined with a growing number of "white hat" security researchers, Kandek said it's no surprise that all browsers, not just IE, are having holes poked in them.
Researchers that rely on sandboxing techniques to uncover browser exploits also tend to focus more on IE than on other browsers, according to Kandek, partly because of the market share aspect mentioned by Gorenc. That, Kandek said, raises the question of whether IE genuinely harbors more zero-days or simply gets more scrutiny.
"That's really a self-fulfilling prophecy there," said Kandek.
Randy Abrams, research director for Austin, Texas-based independent testing firm NSS Labs, warned that focusing on zero-day vulnerabilities -- often exploited only in targeted attacks against high-value targets -- does not provide a true picture of IE and its security features, which he said are on par with or better than those of other browsers.
In fact, NSS Labs released the results of its browser security comparison in March that showed IE -- which now includes Microsoft's SmartScreen filtering technology -- being clearly the most effective browser for blocking socially engineered malware, a high-risk threat that the report described as using a combination of factors such as "social media, hijacked email accounts, false notification of computer problems and other deceptions to encourage users to download the malware."
IE had an average block rate of 99.9%, faster average times to block malware and led in all key areas of the NSS Labs test. In comparison, Chrome's average block rate fell to 70.7% from the previous mark of 83.17% set in an earlier test, while Firefox and Apple's Safari -- both of which use Google's Safe Browsing API -- each saw their average block rates fall from the previous NSS Labs test, to 4.2% and 4.1% respectively.
Abrams said that blocking such malware matters because socially engineered malware, not vulnerability exploitation, makes up the bulk of the attacks enterprises experience.
"You've got to look beyond just vulnerabilities to the overall risk" that users are exposed to by a browser, said Abrams. "When it comes down to social engineering protection, Internet Explorer actually does a good job of protecting users."
The best browser for enterprises?
While Kandek and Abrams agreed that a recent spate of zero-days doesn't necessarily speak to any underlying vulnerability in IE, enterprise IT teams that need to standardize on a single browser are still left to answer the question: Which browser provides the best security for users?
Kandek said a number of factors can come into play when selecting a browser for an enterprise environment. For one, the update schedules of the three most-used browsers -- IE, Chrome and Firefox -- differ dramatically.
The out-of-band IE patch in May notwithstanding, Microsoft mostly adheres to its monthly Patch Tuesday schedule to address IE vulnerabilities -- and as was seen with both the Pwn2Own competition and the vulnerability publicly disclosed by ZDI, flaws can linger for months without being fixed.
On the other hand, Kandek said, Google and Mozilla take great pride in patching their respective browsers on an aggressive schedule. While a whopping four zero-day vulnerabilities were uncovered in Firefox at Pwn2Own 2014, for example, Mozilla managed to patch all four bugs just a week after the competition wrapped. Google beat Mozilla to the punch when the company fixed the Chrome zero-days used at Pwn2Own two days earlier.
Abrams, who worked for Microsoft for more than a decade, said that IE patches tend to take longer to bake when compared to Google and Mozilla because Microsoft has many more products it must maintain -- meaning more vulnerabilities to prioritize fixing -- and because more testing is needed to ensure IE updates don't break enterprise environments, where the browser is more firmly entrenched than competitors.
Kandek agreed on both points. But with Microsoft taking longer to issue patches and older versions of IE tending to hang on longer -- recent statistics from research firm Net Applications show Internet Explorer 8, the oldest supported version of the browser, accounts for 20% of the IE install base, more than any other version -- enterprise users running IE may be more exposed to security risks unless their companies adopt aggressive patching schedules.
The reality from the attackers' perspective, Kandek said, is that IE is an easier target because there are more outdated, vulnerable versions of the browser in use than with other browsers.
"It's not like people don't find vulnerabilities in Chrome and Firefox," Kandek said, "but as an attacker, I probably wouldn't go after them unless I had to."
Beyond potential negatives for IE, Kandek touted the positives of its competitors. He pointed specifically to Chrome's integrated PDF-reading capabilities as a potentially huge boon for enterprise security, particularly in light of the security issues that persistently dog Adobe's market-dominant Reader software.
"I don't think people look to the PDF reader as an advantage and I think that is wrong," said Kandek. "Imagine you didn't have Adobe Reader installed and you were using Google's PDF reader. Most PDF attacks aren't going to work [without Reader installed]."
To further secure his own browsing experiences, Abrams noted that he uses a sandboxing program called Sandboxie -- now owned by virtualization vendor Invincea -- which he said may not work across an enterprise environment as the sandboxes need to be manually deleted on a regular basis.
Abrams emphasized that no browser will ever be perfect from a security perspective. Enterprises should instead seek to reduce the risk of a browser-based attack: by transitioning away from the now unsupported Windows XP platform if they haven't already done so, segmenting networks properly, deploying endpoint security products against exploits and malicious URLs, and using technologies that help identify suspicious traffic on the network. These measures, Abrams said, will help block the majority of the non-targeted attacks any given company will experience.
"If a highly motivated attacker wants in, they're going to get in," said Abrams. "But do what you can to plug up the gaps."