Commentary: Browser Exposure

In late November, researchers disclosed they had identified a critical Zero-Day vulnerability in Internet Explorer (IE) 6 and IE 7.

A Zero-Day flaw is a software coding condition that malicious software or hackers take advantage of on the same day that the vulnerability becomes publicly known. However, this might be something different.

Secunia, a Danish vulnerability tracking vendor, said the flaw could be exploited by hackers to hijack fully-patched Windows XP Service Pack 3 (SP3) machines. It rated the vulnerability "highly critical," next to the highest threat ranking. Microsoft acknowledged the bug and noted that the vulnerability does not affect Internet Explorer 8.

The vendor said it isn't aware of any existing attacks using that flaw, and might decide to release a patch once it has finished its investigation.

What’s disturbing is how many computer users are still using IE 6 and IE 7 browsers on their machines.

IE 6 was released in April 2001 and IE 7 followed in October 2006. According to Market Share as of October 2008, the latest data available showed IE 6 was used by 37.0 percent of users and IE 7 by 35.8 percent of users. Cumulatively, IE 6 and IE 7 were used by more than 70 percent the online community. The exposure to potential exploitation has been around for eight years.

As cyber security strategists will say, it is extremely dangerous to think cyber attackers (criminals, spies, extremists and terrorists) sit around and wait for vulnerabilities to be announced so they can take advantage of the newly discovered flaw. Do you think the Defense Department is just sitting around waiting for vulnerability announcements to build offensive, defensive and intelligence gathering cyber capabilities?

Cyber attackers are more likely to be looking for flaws much the same way as done by security researchers. Once discovered, they can take advantage of the vulnerability for an extended period given it is not publicly known. Uncovering compromises based on a vulnerability like this that dates back to 2001 is nearly impossible. We simply do not know when cyber attackers became aware of the opportunity this vulnerability created. This example is a symptom of an industry problem that must be addressed now.

As I’ve noted in a previous column for Defense Systems, coding errors, hidden within the production code, open thousands of new security holes each year and a threat to systems security. It did not take long until an instance of this was made public that clearly illustrates the magnitude of this kind of threat.

This is not just a Microsoft problem. It is an industrywide problem that has national security implications. Multiple studies suggest that approximately 50 percent of development costs are in testing. Doing more of the same thing is not the answer. As the old saying goes, doing the same thing over and over again and expecting different results is the definition of insanity.

New testing methods must be developed to effectively and efficiently evaluate software code. In addition, new security measures must be built in to mask and obscure system vulnerabilities and limit cyber attackers' capabilities to exploit flaws in our critical systems.

Finally, the software industry, our military and intelligence organizations must work together and not just in research and advancing technologies that help mitigate this threat, but in sharing cyber intelligence around active exploitation and specific methods used in cyber attacks.