Interesting People mailing list archives

Why IE is insecure: flawed logical thinking... [RISKS] Risks Digest 23.81


From: David Farber <dave () farber net>
Date: Mon, 28 Mar 2005 16:12:14 -0500


------ Forwarded Message
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 28 Mar 2005 12:16:58 -0800 (PST)
To: <risks-resend () csl sri com>
Subject: [RISKS] Risks Digest 23.81


Date: Thu, 24 Mar 2005 09:29:34 -0700
From: Craig DeForest <deforest () boulder swri edu>
Subject: Why IE is insecure: flawed logical thinking...

IE appears to be insecure in part because of flawed logical thinking by its
development team.

There is currently a debate of sorts in the news between Mitchell Baker
("chief lizard wrangler" of the Mozilla Foundation) and Dave Massy (head
developer of Internet Explorer) over which web browser is more secure.  In a
recent ZDNET article (also covered on Slashdot; see links at end), Baker
points out that, since IE is tightly coupled to the Microsoft Windows
operating system, it is bound to be less secure than Mozilla, which is well
separated from its host OS.

Dave Massy's reply is very interesting (link at bottom):
   >The issue of not being part of the OS is an interesting one though that
   >is frequently the subject of misunderstanding.  IE is part of [Microsoft
   >Windows] so that parts of the SO and other applicaaitons [sic] can rely on
   >the functionality and APIs being present.  IE in turn relies on OS
   >functionality to do it's [sic] job.  To be clear there are no OS APIs that
   >IE uses that are not documented on MSDN as part of the platform SDK and
   >available to other browsers and any other software that runs on Windows.

Dave is making a flawed argument:
  Premises:
    - IE uses a documented interface to the OS
    - The OS interface is available to other software on the OS
  Conclusion:
    - The complexity of our interface is irrelevant to security

The argument is wrong for two reasons: there is a false hidden premise (that
the OS is bulletproof); and the argument itself is invalid (even if the
hidden premise were true, the conclusion would not follow).

One only need read back-issues of RISKS to find case after case of complex,
unanticipated failure modes in complicated interfaces, each element of which
is thought to be secure.  That lesson is at least 30 years old -- I am
thinking of the stories about hidden data channels in Multics.

This is of interest to RISKS readers because it is a stunning example of
poor design by flawed logic: even if the IE coding were flawless at the
subroutine level (we can bet that it isn't), Dave's stated attitude toward
interface security would doom it to be susceptible to attack.

References:
     http://news.zdnet.com/2100-9588_22-5630529.html
     http://blogs.msdn.com/dmassy/archive/2005/03/22/400689.aspx
     http://slashdot.org/article.pl?sid=05/03/24/1352211&tid=113&tid=154

------------------------------

------ End of Forwarded Message



Archives at: http://www.interesting-people.org/archives/interesting-people/
