With the recent Scob bug attacks and last week's Department of Homeland Security recommendation that Microsoft Internet Explorer users consider changing browsers, some analysts are wondering whether the problem is deeper than just security flaws in the browser or its parent operating system.
At least one chief executive, John Quarterman of InternetPerils, a company making business risk management solution software and other materials, says the Homeland Security CERT team recommendation means the "monoculture" problem goes beyond just finding, patching, and preventing future security flaws.
"Any technical solution can fail," Quarterman said in a formal statement on the matter. "What do you do then? Simply put, the Internet clearly needs new business risk management strategies."
Perhaps not surprisingly, the open-source community is also pushing for Netizens to change from Internet Explorer. Open-source Internet news site NewsForge.com has said IE users should think seriously about shifting to Mozilla or Opera, though they didn't mention Netscape, which is still available and used widely enough in its 7.1 version suite.
"While viruses and Trojans have been around for years, this particular attack was new because it used several vulnerabilities at once, and it didn't require the user download or install any programs or visit any malicious Websites," said NewsForge writer Jem Matzan. "It's time to say goodbye to Internet Explorer and its security flaws forever."
The Trojan that at last sent the camel to the chiropractor involved both Scob and another bug, a keystroke logger made to resemble a browser helper object (BHO) and believed to be used by phishing attackers.
But BHO programs have deeper problems than just phishing uses. "The close integration with Internet Explorer allows browser helpers to go undetected by many antivirus programs," said Netcraft.com, a security and performance news Website, alluding to Microsoft itself having created the BHO technology in the first place, though certainly without anticipating it could be used for malware purposes.
"Microsoft acknowledges that 'specialized software and deep technical knowledge' are needed to find and remove many browser add-ons," Netcraft.com continued. "Symantec classifies BHOs as an expanded threat not covered by Norton AntiVirus. BHODemon is a free program specifically designed to detect and remove BHOs, which can be challenging to uninstall. Just this week, the popular CWShredder BHO removal tool was discontinued, with its author saying the malware was morphing too quickly for him to keep up."
Quarterman urged users and system administrators to try installing the newest patches and be wary of hitting unsolicited URLs, but there are still limits to what even they can do.
"This IE problem appears to have no patch yet," he said of the flaws that allowed Scob and the BHO bugs to run around loose, "and the CERT advisory comes pretty close to saying it's not just a bug; it's a design flaw. This is not surprising for a product from a company that grew up in the hothouse of non-networked PCs, and is still trying to adapt to the more complex jungle of the Internet.
"An infested IE can turn its host computer into a staging ground for attacks on other machines throughout the Internet, causing both direct harm and collateral damage from increased traffic and from inaccessibility of damaged computers," he continued. "Even such a dangerous bug wouldn't be as much of a problem if it occurred in a web browser with a minority market share. But IE covers the Internet like kudzu, and thus threatens its habitat."
The CERT advisory urging a switch away from IE is believed to be the first time the federal government has actively and vocally recommended against a particular Internet browser. "It appears that CERT has determined it is time to weed this particular hot-house plant before the locusts of the Internet grow fat on it and multiply to infest other parts of the jungle," Quarterman said. "It is good to see recognition of the problem and some technical action. But what if companies lose business because of this or some other technical failure? What then?"
His own suggestions included insurance, as in Internet business connectivity insurance, as well as catastrophe bonds and performance bonds, and "reputation systems such as peril and anomaly reporting going beyond even what CERT does."