Archive for February, 2010

Browser Security Flaws & Innovation Pace

The most dominant browser on the world wide web has been steadily loosing market share for the last two years or so but make no mistake that Internet Explorer (IE) did not get to its dominant position by accident nor is it a simple matter of switching to another browser all together. For example, in the corporate environment IE is going to feature heavily as some custom enterprise application were written to work with IE specifically and over time these applications have become critical to the mission of the organization. Most organizations will keep IE for compatibility and continued use of what should perhaps be labeled legacy code.

There are those who are genuinely indifferent to the particular browser they are using or indeed genuinely prefer Internet Explorer to all other available options. However, no computer user should prefer to run buggy software regardless of the producer of the said software: open source or not. This has increasingly become important after news that Google (and 30 other companies) were attacked by leveraging flaws in Internet Explorer. As it stands Internet Explorer remains a laggard with regard to advances in web standards: there is not even a slight mention of support for HTML5 (at the time of this writing) while other competing browsers are gradually adding elements of HTML5 as well as CSS3. There is on going competition between the developers of the core components of browsers like Google Chrome and Safari (WebKit) and Firefox (Gecko) to bring in aspects of this increasingly final HTML standard. While those in the know and would want to side with developments with regard to version 8 of Internet Explorer, please note that IE 8 has added significant support for standards and a host of security-targeted innovations that are indeed welcome but in all the competition to provide support for the latest standards, IE 8 is playing catch up. It remains important that IE 8 needs to implement these standards or at least appear to be working on implementing them. Information about IE 9 thus far makes (as of this writing) no specific mention of support for upcoming web standards though they definitely continue to work on some interesting innovations that aim at rethinking the browser experience as a whole.

The focus on security with IE 8 was both important and necessary but it needs to evolve with the rest of the internet and as a dominant browser, it increasingly need to play the role of pushing standardization or at the very least engaging with their user community in pushing the state of their browser and consequently the web as a whole forward. At this point, all signs suggest that the IE team is playing catch up with everyone else while bleeding market share at the same time. Pointing out the security superiority of IE 8 is a lame strategy as at this point they have just managed to fix all the nasty things that was part of previous versions of IE and in some cases even IE 8 is still vulnerable. If you take the number of bugs found in a piece of software (an ineffectual metric), then Firefox can barely stand as one that has less bugs but here is a justifiably logical way of looking at the high bug count in Firefox: they are constantly working on the code and hence introducing new bugs is almost inevitable. As opposed to finding less bugs in a piece of software because developers are only carrying out maintenance on an existing code base. Most importantly, less bugs in a piece of software do not translate to speed and effective elimination of identified threats and vulnerability in the software.

The dynamic of Microsoft’s ecosystem is something that can not be taken lightly as the effort required to engineer and maintain compatibility extends far beyond what Microsoft can truly affect. In recent years, Microsoft has made effort to try to reign in vulnerabilities in its software which have made its platform an easy target for hackers and all manner of online fraud. Perhaps one of the most glaring examples of its lack of focus on engineering and architectural excellence was integrating the browser with the operating system. This was a brilliant business move to destroy Netscape and it worked as well but it also created a rigidity on the Windows platform that their current crops of engineers are trying to address while at the same time held back by the need to ensure that clients of their platform suffer minimal lost that would arise from breaking compatibility. Making IE a core component of Windows was a good way to up end Netscape but it also reduced Microsoft’s ability to effectively fight off later competition from the likes of Google, Mozilla, Opera and others. That integration made any response by Microsoft less original since it needs to worry about compatibility which at this point can present real problems that should not happen when dealing with a mature platform builder and maintainer like Microsoft. Think of the dollars that Microsoft’s platform clients (ISVs etc) would lose as well as anyone who relies on the correct behavior of Microsoft’s Windows & Web technologies?

One of the good things I have always liked about Windows Vista is that it was an opportunity for Microsoft to fundamentally reconsider its software stack and add as many enhancements and perhaps even innovation as was necessary in the new environment that is increasingly consumer-internet centric. One of the much lamented additions in Windows Vista was user account control (UAC) which I think was a great idea that will get better with later releases of Windows and Windows 7’s UAC implementation is significantly better without sacrificing security. The China-based attack on Google brought out the full implication of this platform reconsideration: all versions of IE suffered the flaw that facilitate the aforementioned attack. Yes, the fact that IE is sandboxed in Windows Vista and Windows 7 does reduce the effectiveness of the exploit in question. The underlying OS platform has been engineered for security but the fact that IE still remains flawed is disturbing to ponder. Many would agree that after soundly defeating Netscape Microsoft neglected Internet Explorer and indeed tried to tie IE improvements to release of Windows. At this point, it is not even clear that IE development and innovation has reached parity with other players in the browser market though its inertia remains a worrying concern even for Microsoft.

To some extend the problem of a sizable market share are also plaguing Mozilla Firefox but their development team seems to be looking for ways to improve the browser. The recently released Firefox 3.6 is much faster and contains additional features for both web surfers and web developers. At this point, Firefox maintains a monolithic execution model wherein there is one process for all the browser tabs such that if a single tab hangs, the entire browser is forced to shut down. Google Chrome supports a per tab process model where the failure of one tab does not cause the entire browser to shut down. Microsoft’s Internet Explorer 8 also runs each tab in its own process and thus far a certain degree of resilience. The Firefox team is working on bringing such changes into Firefox and while implementing the same changes, they also plan to cater for their extensive plugin ecosystem.

The thorny question of install-base inertia also plagues Internet Explorer and more specifically version 6 of that browser. Recent security related events targeting IE 6 has led to widespread calls for users to abandon that obsolete deserve-to-die version of IE. Even Microsoft is asking users to upgrade to the latest version of Internet Explorer though it goes without saying that people who still user IE 6 present a good opportunity for Microsoft to sell Windows 7 to. However, the security implications of using IE 6 remains an important matter to take into account.

Resources

Advertisements

Leave a comment