Slashdot Mirror


UK Gov't Says "No Evidence" IE Is Less Secure

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"

27 of 342 comments

  1. Probably true, even. by toQDuj · · Score: 5, Insightful

    That's very likely true, as the stupidity of the user remains the weakest factor in security.

    --
    Every experiment which ends in a big bang is a good experiment.

    1. Re:Probably true, even. by MichaelSmith · · Score: 5, Funny

      That's very likely true, as the stupidity of the user remains the weakest factor in security.

      And this is a constant in the UK Government?

    2. Re:Probably true, even. by BikeHelmet · · Score: 4, Insightful

      But the trend of users getting infected seems to indicate IE is worse. User stupidity hurts, but so do unpatched remote code execution flaws.

      Microsoft likes to tout how insecure other browsers and OS's are because they receive more security updates, but I'm not convinced. It's a poor measurement of security.

      There's no way to know how many landmine exploits are in IE. I consider Firefox more secure, because as its market share goes up, the number of ITW exploits doesn't seem to be exploding.

    3. Re:Probably true, even. by Daengbo · · Score: 4, Insightful

      I might actually believe that a fully patched IE8 is on par with other browsers, but the UK gov't will undoubtedly take the Home Office's decision to mean that IE6 is OK, too. That's scary.

    4. Re:Probably true, even. by Anonymous Coward · · Score: 4, Interesting

      The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.

      That most attacks come through plugins is exactly why Firefox is better than IE.

    5. Re:Probably true, even. by Geirzinho · · Score: 4, Insightful

      Users are the weakest link in the security chain. And the least trained users are normally those on the de facto standard of Windows with IE, which implies a higher infection rate on those systems.

      If we substitute e.g. Firefox for IE as the default browser in Windows, unskilled users will still remain unskilled users. They will still follow any shady link they come over, some of which will undoubtedly manage to poke a hole in FF's security.

      The challenge and solution to security in the current environment is to educate the "average person."

    6. Re:Probably true, even. by palegray.net · · Score: 4, Insightful

      The fundamental issue here actually is "security through obscurity," although not in the context that you use it (instead, referring to the traditional context). With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done. Microsoft has a terrible track record in this department; more times than I can count I've become aware of a security issue they were alerted to weeks or months late.

      With Firefox, there is generally a very high degree of transparency when it comes to security problems. Additionally, fixes are pushed out quickly. Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.

    7. Re:Probably true, even. by roscocoltran · · Score: 5, Funny

      I loled at this fake, then I typed "windows for warships" in google... We are living in a strange world.

    8. Re:Probably true, even. by Geirzinho · · Score: 4, Insightful

      Let's assume for a second we've educated each and every single user and made them security conscious on the Internet. An educated user browses a site which contains an image that is constructed to exploit a security flaw in the browser without the user ever doing anything but viewing the image. Unknowingly the user's browser is compromised and in the hands of the attackers despite the fact that the user is well educated and security conscious, which means education alone is not the solution. Better software is the solution.

      Absolutely. But what we stated was that, as of right now, users are the weakest link in the security chain. By educating users, you strengthen that link and make another link the weakest. Even so, you have by training improved the security of the system.

      To get exploited in your scenario (assuming the user now sticks to "honest" sites and doesn't follow all email links) would require something like a web server exploit such as XSS. This is more difficult than simply tricking the user into executing a trojan.

      Normally to safely cross the street you only need to look left and right to check for traffic, you don't have to look up for falling objects, you don't have to check the road for mines, tripwires or other booby traps, you don't have to check for sniper fire.

      We should not ignore software security just because the user is the weakest link. But to borrow your analogy: the problem today is that pedestrians don't look left and right before crossing the street. Training them to do this would save more lives than any piano transportation safety regulation.

    9. Re:Probably true, even. by darthflo · · Score: 4, Informative

      Bullshit. Being able to choose what port a request is directed to is covered by specifications, expected to work and built on in several real-world situations. Most commonly, configuration interfaces: If you're using some kind of shared hosting, chances are they might be running Plesk (defaults to alt-https, i.e. 8443) or ispCP (defaults to https on 81) or a similar project. Use webmin? The httpd that runs the config interface requires permissions you wouldn't want the httpd that serves your normal pages to have.
      Going on, ever used CoralCDN? That's .nyud.net:8080 (alt-http) or 8070 for you. Maybe you'd like to configure an irc daemon or bouncer? Another non-standard port there. Most application servers don't run on port 80, either. The load balancer will, but you might want to get around it for testing purposes or some such.
      What I'm saying: It's all expected behaviour. Throw in a PING Math.rand() from the server before actually throwing out those RAW001-4 and the spamming problem is instantly solved. Or, to make things even simpler: If you're an ircd, kill whatever starts its requests with HTTP POST. Chances are, it's not an IRC client.
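
      As an added example (not code from the thread or from any real ircd), the following Python models the two server-side mitigations darthflo proposes: drop a connection whose first line is an HTTP request line, and withhold registration until the client echoes a random PING token. The nonce value and the client transcripts in the test are constructed.

```python
import re
import secrets

# Added example, not code from the thread or from any real IRC daemon. It models
# the two defences darthflo suggests for an ircd listening on 6667: reject a
# connection whose first line is an HTTP request line, and require the client to
# echo a random PING token before NICK/USER registration completes. A browser
# that was coaxed into POSTing IRC commands to the port can do neither.

HTTP_REQUEST_LINE = re.compile(
    r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|CONNECT|TRACE) \S+ HTTP/\d\.\d$"
)


def looks_like_http(first_line: str) -> bool:
    """True if a connection opens with an HTTP request line instead of IRC."""
    return HTTP_REQUEST_LINE.match(first_line.strip()) is not None


class RegistrationGuard:
    """Per-connection state for the pre-registration phase of one client."""

    def __init__(self, nonce=None):
        self.nonce = nonce or secrets.token_hex(8)  # fresh token per connection
        self.outbound = [f"PING :{self.nonce}"]     # server sends this on accept
        self.first_line = True
        self.pong_ok = False
        self.nick = None
        self.user = None
        self.state = "waiting"                       # waiting | registered | dropped

    def feed(self, line: str) -> str:
        """Process one inbound line; return the resulting connection state."""
        if self.state != "waiting":
            return self.state
        if self.first_line:
            self.first_line = False
            if looks_like_http(line):
                self.state = "dropped"               # cross-protocol request, not IRC
                return self.state
        cmd, _, rest = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "PONG":
            if rest.lstrip(":").strip() == self.nonce:
                self.pong_ok = True                  # a static POST body cannot know it
        elif cmd == "NICK":
            self.nick = rest.strip()
        elif cmd == "USER":
            self.user = rest.split(" ", 1)[0]
        if self.pong_ok and self.nick and self.user:
            self.state = "registered"                # only now send the 001-004 numerics
        return self.state


def run_session(lines, nonce="deadbeefcafef00d") -> str:
    """Feed a constructed client transcript through the guard; return its final state."""
    guard = RegistrationGuard(nonce)
    for line in lines:
        if guard.feed(line) != "waiting":
            break
    return guard.state
```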

    10. Re:Probably true, even. by SimonTheSoundMan · · Score: 4, Informative

      The MoD have sent me a letter three times stating they have lost personal data about me. One was a CD, another a pen drive, and a laptop was stolen from the premises.

      Data that went missing was my name, address, passport number, national insurance number, photograph, medical history and criminal record. Obviously nothing important.

      This data was unencrypted.

    11. Re:Probably true, even. by rich_r · · Score: 4, Informative

      Home Office as in 'Office of Home Affairs'. A bit like 'Homeland Security'...

  2. *No* evidence? by henrypijames · · Score: 4, Insightful

    It's one thing to say there is insufficient evidence, but *no* evidence?!

  3. in case any other Americans are confused by Trepidity · · Score: 5, Informative

    In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".

    I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.

    1. Re:in case any other Americans are confused by gigne · · Score: 4, Informative

      Yes, indeed you are correct.

      UK: To place an item on the agenda for discussion.
      US: To remove the item from consideration.

      In the UK we shelve discussion items when they are removed from consideration.

      --
      Signature v3.0, now with 42% less memory usage.

  4. Lack of evidence shouldn't be a problem by noidentity · · Score: 5, Funny

    They just need to grow suspicious of IE harboring WMDs. Then the lack of evidence wouldn't be a problem at all.

  5. There IS no evidence! by guyminuslife · · Score: 5, Insightful

    The latest patched version of Internet Explorer fixed the bugs that Microsoft found. The latest patched version of other browsers fixed the bugs that other browser-manufacturers found. Ergo, there is no evidence that the latest patched version of Internet Explorer is less secure, since the officially "known" security features have been fixed.

    In fact, there's no evidence that there are any bugs at all in the latest patched versions of any software ever written, unless the manufacturers have explicitly stated that there are. In which case, in order for policymakers to accept such a report, they would need to prove that this is the case, by lobbying the government to the effect that their software is inferior.

    --
    I don't believe in time. It's a grand conspiracy designed to sell watches.

  6. "Not please" Slashdot readers? by Jane Q. Public · · Score: 4, Insightful

    I don't know why it would "not please" Slashdot readers. I am very pleased. That is the funniest thing I've read all week.

    Nothing like a good laugh to start your morning.

  7. Are these the same people.... by Joce640k · · Score: 4, Funny

    Are these the same people who said IRAQ was full of WMDs and terrorists?

    --
    No sig today...

  8. Re:Bullshit by Runaway1956 · · Score: 4, Insightful

    You get your IT news from the register? Coool!

    More seriously - you link to that page, with words that seem to indicate there are a LOT of Firefox exploits in the wild. Care to name some? The IRC exploit only counts as one.

    One more time, I'll point up Firefox's main advantage over IE: Vulnerabilities are made public, and people actually address the vulnerabilities as quickly as possible. Firefox exploits aren't hidden under a mountain of shit by some corporate boss, so that he hopes they can go away.

    IMHO, Firefox is just about as safe as a browser can be, today, based on current knowledge. It ranks right up there with Chrome and Opera, and Safari, and Konqueror.

    IMHO, Internet Explorer MIGHT be almost as secure - if and when people finally upgrade from IE6 to at least 7, and preferably 8. MIGHT BE. You'll notice that MS didn't publicize this newest vulnerability, until Google and others had already done so.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  9. Missing the point by sparky81 · · Score: 5, Insightful

    The reason for this statement by the UK government is very simple - it has intranet and business systems in virtually every government department which work only with IE. They are frequently ridiculously old versions at that - IE6 take a bow - giving the lie to the "latest, fully patched" comment anyway. There is no way that the UK government is going to incur the conversion costs for these systems at this moment given the state of its books at the moment. Stating that IE was insecure would create an inexorable pressure to do exactly that. This statement has nothing to do with security, and everything to do with internal government politics.

    1. Re:Missing the point by M-RES · · Score: 4, Insightful

      I was going to mention this very issue and you beat me to it. I know people who work in local government, both as 'users' of the in-house systems and 'sysadmins' on those same systems, and they all tell me how outdated their setups are. They're by and large using IE6 across the board, because the browser-based apps they use work in IE6 and if there's the slightest glitch in updating the browser they won't touch it - they just don't have the budget to deal with the issue and test it rolled out across such huge networks.

      If it doesn't work someone would have to take the blame and we all know how civil servants do everything they can to avoid having any responsibility whatsoever for any decisions, hence the 'committee'. The committee provides plausible deniability wherein any single member can say "I didn't agree with the decision, but the committee decided...".

      Welcome to the cosy sheltered world of civil service. People who work there genuinely couldn't survive in the 'real world' of private business/industry!

  10. Re:Bullshit by icebraining · · Score: 4, Insightful

    That's NOT a Firefox exploit. That's Firefox sending a normal HTTP request to a non-standard port (6667), and the IRC server *wrongly* interprets it as IRC protocol.

    The only thing they say Firefox does "wrong" is actually connecting to a non-standard port, which I dispute: there are plenty of reasons to run webservers in non-standard ports, and I want to be able to connect to them.

  11. Is not talking about home user by DaveGod · · Score: 5, Informative

    The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.

    Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)

    26 Jan 2010 : Column WA317

    Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

    A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

  12. So security through wishful thinking is better? by Anonymous Brave Guy · · Score: 4, Insightful

    With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done.

    This argument endlessly amuses me. Do you really think the exact same thing is not true of OSS-based browsers such as Firefox and Chrome?

    Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them. The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it.

    Hint #2: Which OSS browser do you think has a public bug database listing all known vulnerabilities, whether or not they have yet been patched, and keeps that database updated immediately every time a new vulnerability is reported?

    With Firefox, there is generally a very high degree of transparency when it comes to security problems.

    Unless you are one of the select few with access to the full security issue process, you don't know that.

    Additionally, fixes are pushed out quickly.

    Or that.

    Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.

    Or any of that.

    If you really don't see the blind spot you're exhibiting here, try answering these simple questions (and be honest with yourself):

    • When you bashed IE above, how many exploited vulnerabilities in the latest version of IE did you actually know about?
    • How many confirmed cases could you name where damage had been caused as a result of one of the exploits you just listed (if there were any)?
    • Did you know whether those vulnerabilities (if you could actually name any) had been patched, and if so, how quickly?
    • How would you answer the same questions for the latest versions of the major OSS-based browsers?

    If you can't immediately answer those questions, and provide yourself with objective, factual data to support your claims above, then please consider that you may just be projecting your own prejudices based on IE6 from many years ago onto the IE8 of today, while letting your own faith in OSS onto other browsers convince you that they are more secure even though you don't have access to all the facts.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

    1. Re:So security through wishful thinking is better? by palegray.net · · Score: 4, Informative

      Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them.

      Speaking of tired old arguments, you lost all credibility right there. Thankfully, it was in the opening statement of your "rebuttal," so I don't feel too compelled to slog through a more lengthy reply.

      Suffice it to say there are a lot of eyes on Firefox, for both the code itself and for evaluating and testing exploits. This process occurs transparently; anyone can (and a crapload of people do) participate. This is absolutely the opposite of Microsoft's model, and no amount of denial or hand-waving on your part is going to change that.

  13. Answers you won't listen to by Anonymous Coward · · Score: 4, Informative

    Answers you won't listen to:

    When 20 other people have gone through a door and come back out again, I will assume that it's safe to walk through the door. Likewise though I may not have read all the code in Firefox, if there were any big problems, someone WOULD have seen it: Microsoft do not have half the world's web browser writers,

    How many people HAVE the latest version of IE? Now how many NEVER use flash or Adobe plugins? Because they require you turn off the security and then IE8 becomes vulnerable again. Did you know that?

    Google would have got dinged. Likewise, please do the same about Firefox. You've narrowed the window so small there's nothing left of the hole.

    And how would YOU answer?

    IE8 today has many or most of the downsides that IE6 has. Unless you lock it down so much you can't use it.

    But FF 3.5 when locked down as much is still usable. Putting it under LIDS makes it much safer. Adding RBAC from NSA makes it yet more secure.

    And still usable.

    You cannot say the same of IE and Windows.