IE - A Single Point of Failure



The news this weekend of yet another Microsoft Internet Explorer Zero Day vulnerability and working exploit has been met by the IT community with the usual disdain.

It was followed on Monday morning and much of Tuesday by frantic activity to update or completely remove Adobe Flash player (needed by the current exploit to prepare memory prior to the installation of drive-by-Malware), and by the unregistering of VGX.DLL which provides support for Vector Markup Language (VML). Combined these activities are believed to thwart would-be attackers using the currently known exploit, until such times that Redmond can come up with an official patch.

The known exploit can be executed by Remote Code Execution. A user need not do anything more risky than simply visit a booby-trapped web page or view an image file that has been compromised to trick Internet Explorer into installing Malware or other executable code from the Internet. No dialog, no warning, no sign what-so-ever that a system has just been infiltrated!

The issue is not just that this is another zero day exploit - (one for which there is no readily available patch which with to remediate and protect), although that’s bad enough in itself.

The issue is not just that the vulnerability affects every current version of Microsoft Internet Explorer from version 6 to the latest release of Version 11. Or that it affects nearly every current computer operating system that runs Windows - PCs, laptops, AND more worryingly servers.

The issue is not even that a large number of Windows systems will never be patched by Microsoft since Redmond just withdrew support for Windows XP, which by some estimates still accounts for nearly 40% of computers in use globally.

The issue is with corporate IT and a double dependency with the computer systems that run business enterprises and much of industry the world over, nearly all of which have built a reliance upon Windows and its virtually uninstallable web browser, Internet Explorer.

After a series of lawsuits and hefty fines in the late 1990s and early 2000s from the European Community and other countries for anti-competitive behavior following Microsoft’s bundling of its web browser with copies of Windows and the subsequent ridding of competition, Microsoft tightly bound Internet Explorer into the core of its operating systems as a defense against future law suits, claiming that it was vital to the operating system, furthermore that is was in fact PART of the operating system and therefore inseparable. With the demise of competition (until recently), the result has been a near total dominance of Internet Explorer in the workplace and on enterprise managed PCs despite the rise in use of other browsers at home.

The trouble with this is that IT departments along with many of the world’s leading business software vendors, have written their applications to run solely on Internet Explorer, using proprietary functionality built by Microsoft into its web browser rather than following WC3 cross browser standards - an international body setup to govern the growth of the World Wide Web.

Many internal applications written by IT departments along with the customized implementation of leading ERP systems and other business applications such as SAP, simply won’t work on Firefox, Chrome, Safari, Opera or any non-Microsoft web browser. Many IT departments don’t even give their users a choice of web browser so everyone is stuck with the company approved version of Internet Explorer. A web browser as we have already noted that is at present, totally open to drive-by attacks. This in turn could infect and severely impact, (or totally impede), corporate networks just as other vulnerabilities have done in the past. Corporate IT now finds itself up the preverbal creek and without a paddle!

The dilemma for corporate IT is how does it engineer its way out of the single point of failure currently holding company application infrastructure hostage via an unhealthy dependance on Internet Explorer? It will no doubt take time, lots of money and effective governance to ensure that all current and future applications are (re)written to cross-browser W3C standards - something that they should be been written to all along. At least then, business users will have a choice and IT will be able to either disable vulnerable applications like Internet Explorer till safe, or request that users employ other web browsers till patches can be applied to remove risks.

The dilemma for others however is less clear-cut, particularly the further you get away from Redmond, WA and those who for whatever reason have not upgraded hardware and operating systems to support a currently accepted patch-receiving Windows platform.

With so many millions of Windows systems now unlikely to ever receive another patch, the prospect for future safe and efficient Internet usage for the rest of us is very much in doubt.

There is a very real and present danger of a Zombie computer army consisting of up to 40% of the world’s computer systems managed by command and control centers owned by nefarious players that could hold the entire Internet to ransom or bring everything to its knees. That includes business and business applications as well as the web surfing public.

An ethical and political question should be raised to Microsoft. Is it really acceptable to the rest of us for Microsoft to withdraw the patching of vulnerabilities in its code of older and still very popular Windows XP systems, when failure to patch known vulnerabilities could have such far-reaching impact on everyone, including those who have paid for Microsoft’s latest systems?

Many companies can not afford to upgrade tens of thousands of workstations running Windows XP and the associated work involved in re-writing hundreds of applications to run on newer operating systems from Redmond or elsewhere.

Many poorer countries have no intention of purchasing new computer hardware to support Microsoft’s current and more demanding operating systems. Nor do they have the money to purchase new versions of Windows even at hugely discounted local prices. These systems will remain unpatched and unprotected for years to come not just against this critical threat, but also against the no doubt hundreds or thousands of other vulnerabilities and potential exploits which will be discovered in Microsoft code over the next decade.

With so many of its users excluded from support, what responsibility should Microsoft bear to ensure that common shared resources such as the Internet are not negatively impacted by computers running its abandoned operating systems?

Governments and most individuals widely consider there to be an economic utility in population health. If the person next to me on a crowded plane, train, office or school is sick with a communicable disease then the chances are I may be infected, so its in my best interest to ensure that everyone is as healthy as possible. Should not the same rules of population health and economic utility then apply to communicable diseases (viruses, Malware, etc.) in computer systems?