Last week, an expert from Verizon, nee Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog. For home users, the phone company now advises you to use a different browser, ostensibly because IE and ActiveX are inherently insecure. I felt that quite missed the point that (a) browsers are software, and (b) all software has vulnerabilities, and (c) extension technologies in browsers add functionality, which (d) is implemented in the form of software, and therefore (e) introduce additional vulnerabilities. Just because Internet Explorer's extension technology is called ActiveX does not mean it inherently has any more, or less, vulnerabilities than the extension technologies in other browsers. ActiveX received a, deservedly, horrible reputation when it first came out about ten years ago. Since then Microsoft has actually put a lot of effort into securing the user's browsing experience, but for some reason, people keep dragging up old vulnerabilities from many years ago as proof that Microsoft does not care about security. Doing so is unfair and denigrates what is probably most comprehensive software security program in the industry.
So, I decided to try to make that claim in the comments. That generated a response from "Nathan Anderson," who did not bother really reading what I wrote, used a flawed interpretation of data to "prove" that Firefox and Chrome are far more secure than IE, ignored Low Rights IE, and concluded by, in essence, calling me an idiot.
My comment also generated a response from Dave Kennedy, who appears to have been the original poster, and who thinks I went too far.
At this point, I'd probably do better to ignore the discussion, but Mr Kennedy posited a very interesting question, and I thought I'd like to explore it a little. Here it is:
"How many millions of dollars have been lost and thousands of individuals have become the victims of identity fraud that can be laid squarely at the feet of criminal exploitation of vulnerable ActiveX controls?"
I don't know. How many? And how does it compare with the number of millions of dollars lost because users click on things they shouldn't, while running as admins? How does it compare with the number of millions of dollars lost due to vulnerable versions of Flash and Acrobat; which are vulnerable on all browsers? All of those would be fantastic statistics to have. If anyone has them, I'd love to see them.
To the Nathans of the world: I never said Firefox and Chrome are less secure than IE. All I pointed out was that they do not benefit from a sandbox the way IE does on Vista and Win7. They could. Easily. Stripping privileges out of a token and setting an integrity level is quite simple. The difficult part is really just to build an escalation method to be able to perform tasks outside the sandbox. It is just that their respective manufacturers have chosen not to implement this functionality. I really wish they had. It would greatly improve the difficulty of exploiting either browser.
In addition, Firefox, etc, may not have ActiveX, but they have other extension mechanisms, and a vulnerable extension is a vulnerable extension, whether it is ActiveX or not. It is correct that Chrome has fewer vulnerabilities than either Firefox or IE, but a reasonable argument can be made that it is because of how long it has been out and the amount of attention from security researchers it has received so far. Chrome is not yet a year old. In that time, Chrome 1.x and 2.x have racked up 9 advisories (12 vulnerabilities), according to Secunia. I included both versions because of how fast they were released. It provides a more accurate measure of the impact on the end user. Chrome 3.x is still considered a preview release as far as I can tell, so I excluded it. Firefox 3 (the only supported Firefox version for most of the one-year timeframe) had 9 advisories in 2009 so far, and an additional 5 in late 2008. Internet Explorer 7 in that timeframe has 6.
Based on these figures, I would submit there is no statistically significant difference between the three browsers. I am not trying to minimize the ATL vulnerability, which was sloppy in the extreme, and I am not trying to denigrate either Firefox or Chrome, as I use and enjoy both, although mostly Firefox, which I used to write this post. I am simply saying that all software has vulnerabilities, and that the attackers will be opportunistic enough to exploit any or all of them if it is necessary to meet their needs.
Vulnerability counting misses the point entirely though. All the bad guys need is one unpatched vulnerability. Furthermore, that vulnerability can reside in the browser, or in anything else running in the browser.The common add-ins, such as Flash and Acrobat, have vulnerabilities regardless of which browser they are running in. Even if the user has a fully patched and non-vulnerable browser, all the attacker needs is one unpatched add-in. Adding a new browser requires adding new add-ins, so now you have two copies of Flash to maintain, two copies of Acrobat to maintain, and another browser.Simply adding more software to maintain does not make people more secure. Most users would probably be far better off maintaining only one browser and spending the additional effort on learning how to browse more securely.
Finally, whether a computer is fully patched or not; whether a browser or its extensions are full of holes or not; the most vulnerable part of any system is almost always the user. Humans are still at v. 1.0 and there have not been a single security patch issued for them yet. There has been no Trustworthy Computing Initiative to stamp out security vulnerabilities in people. Therefore, the easiest way to hack anything is almost always to ask a legitimate user to do it for you. Simply present the user with something he values more than an intangible and incomprehensible security benefit, and your job is done. Many of the attacks today do not even use software vulnerabilities. It is more reliable and less expensive to exploit the user directly.