IE 6, 7, 8 Features, Loopholes and vulnerabilities


This white paper discusses the feature differences between IE versions (IE 6, 7 and 8) and the vulnerabilities and loopholes found in these versions.

Microsoft Internet Explorer’s journey started in 1995 (IE 1.0), and it is currently in its 9th major generation, available for free download as a Release Candidate. Microsoft’s work on IE has always been influenced by feedback from end users in the areas of usability, performance and security. Ongoing development of web standards and work done by competitors such as Mozilla Firefox, Google Chrome, Safari and Opera also drive Microsoft to improve. Microsoft has made great efforts to keep increasing its market share by introducing IE on other operating systems such as Apple Mac and Unix, and on mobile devices using Internet Explorer Mobile (with Windows Phone 7 and Windows CE).

Every version of IE passes through regression testing by Microsoft and by real users worldwide. Microsoft keeps providing service packs and patches for issues identified by end users, and tries to keep IE updated against the latest security threats and issues they report.

The section below discusses the feature differences between the versions of IE (IE 6 to IE 8):

Feature Comparison

| Feature* | IE6 | IE7 | IE8 |
|---|---|---|---|
| Compatibility view | | | Yes |
| Accelerators | | | Yes |
| Web Slices | | | Yes |
| InPrivate Browsing | | | Yes |
| Tabbed Browsing | | Yes | Yes, improved |
| Search | | Yes | Yes, improved |
| SmartScreen filter | Lacks advanced security features | Yes | Yes, improved |
| Favourites bar | | Yes | Yes, improved |
| InPrivate Filtering | | | Yes |
| Security (Malware, Phishing) | | | Yes |
| Cross Site Scripting Filter (XSS) | | | Yes |
| Click-Jacking Prevention | | | Yes |
| Domain Highlighting | | | Yes |
| Data Execution Prevention | | | Yes |
| DHTML | Yes | Yes | Yes, improved |
| CSS Support | Full CSS Level 1 Support | CSS 2.1 | CSS 2.1 |
| DOM Level | Full DOM Level 1 Support | Level 2.0 | Level 2.0 |
| SMIL | SMIL 2.0 | | |
| MSXML | MSXML 3.0 | | |
| RSS | | Yes | Yes |
| Ajax Support | XMLHTTP as an ActiveX | XMLHTTP native support | XMLHTTP native support |
| Javascript | Yes | Improved | Improved, faster |
| O.S Support | No – Win 7, WS 08 R2, Vista, WS 08 | No – Win 7, WS 08 R2; Yes – Vista, WS 08 | Yes – Win 7, WS 08 R2, Vista, WS 08 |

*Only selected features are considered for comparison

Vulnerabilities / Loopholes

Internet Explorer has been subjected to many security vulnerabilities and concerns, much of the malware, adware and computer viruses across the internet. A number of security flaws affecting IE originated not in the browser itself, but in ActiveX-based add-ons used by it. Because the add-ons have the same privileges as IE, these flaws can be as critical as browser flaws.

Some of the recent vulnerabilities and loopholes found in IE are listed below:

  • Microsoft Internet Explorer 6, 7, and 8 did not properly handle objects in memory, which allowed remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) was deleted, leading to memory corruption, related to a “dangling pointer,” aka “Uninitialized Memory Corruption Vulnerability.”
  • Remote code execution is one of the critical vulnerabilities observed in the IE 6, 7 and 8 browsers. This vulnerability could allow remote code execution if a user views a specially crafted web page using IE. One of the recent occurrences of it was fixed by Microsoft and a security update was released. (http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx)
  • Information Disclosure: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user and steal information. This vulnerability was found in IE 6, 7 and 8. (http://www.microsoft.com/technet/security/advisory/980088.mspx)
  • Microsoft Internet Explorer (IE6 to IE8) contained a memory corruption vulnerability, which could result in an invalid pointer being accessed after an object was incorrectly initialized or had been deleted. In certain circumstances, the invalid pointer access could be leveraged by an attacker to execute arbitrary code. This vulnerability was actively exploited, and exploit code was publicly available; attackers exploited it in December 2009 and January 2010 during Operation Aurora. It is also known as the “HTML Object Memory Corruption Vulnerability.”
  • Microsoft Internet Explorer 6 and 7 did not properly handle objects in memory that (1) were not properly initialized or (2) were deleted, which allowed remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, related to Cascading Style Sheets (CSS) and mshtml.dll, aka “HTML Object Memory Corruption Vulnerability.”
  • Microsoft Internet Explorer 6, 6 SP1, 7, and 8 did not properly handle argument validation for unspecified variables, which allowed remote attackers to execute arbitrary code via a crafted HTML document, aka “HTML Component Handling Vulnerability.”
  • GDI+ in Microsoft Internet Explorer 6 SP1 did not properly allocate an unspecified buffer, which allowed remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka “GDI+ TIFF Memory Corruption Vulnerability.”
  • A buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1 allowed remote attackers to execute arbitrary code via a crafted TIFF image file, aka “GDI+ TIFF Buffer Overflow Vulnerability.”
  • A heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1 allowed remote attackers to execute arbitrary code via a crafted PNG image file, aka “GDI+ PNG Heap Overflow Vulnerability.”
  • Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1 allowed remote attackers to execute arbitrary code via a crafted WMF image file, aka “GDI+ WMF Integer Overflow Vulnerability.”
  • An unspecified vulnerability in Microsoft Internet Explorer 6, 6 SP1, and 7 allowed remote attackers to execute arbitrary code via a crafted data stream header that triggers memory corruption, aka “Data Stream Header Corruption Vulnerability.”
  • Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 did not properly handle transition errors in a request for one HTTP document followed by a request for a second HTTP document, which allowed remote attackers to execute arbitrary code via vectors involving (1) multiple crafted pages on a web site or (2) a web page with crafted inline content such as banner advertisements, aka “Page Transition Memory Corruption Vulnerability.”
  • Microsoft Internet Explorer 7, when XHTML strict mode is used, allowed remote attackers to execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka “CSS Memory Corruption Vulnerability.”
  • Microsoft Internet Explorer 6 through 8 allowed remote attackers to spoof the address bar, via window.open with a relative URI, to show an arbitrary URL on the web site visited by the victim, as demonstrated by a visit to an attacker-controlled web page, which triggers a spoofed login form for the site containing that page.
  • Microsoft Internet Explorer 6.0.2900.2180 and earlier allowed remote attackers to cause a denial of service (CPU consumption and application hang) via JavaScript code with a long string value for the hash property (aka location.hash).
  • Microsoft Internet Explorer 8.0.7100.0 on Windows 7 RC on the x64 platform allowed remote attackers to cause a denial of service (application crash) via a certain DIV element in conjunction with SCRIPT elements that have empty contents and no reference to a valid external script location.
  • mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 allowed remote attackers to cause a denial of service (application crash) by calling the JavaScript findText method with a crafted Unicode string in the first argument, and only one additional argument, as demonstrated by a second argument of -1.
  • Microsoft Internet Explorer 6.0 through 8.0 beta 2 allowed remote attackers to cause a denial of service (application crash) via an onload=screen[""] attribute value in a BODY element.
  • The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 allowed remote attackers to bypass the XSS protection mechanism and conduct XSS attacks by injecting data at two different positions within an HTML document, related to STYLE elements and the CSS expression property, aka a “double injection.”
  • Microsoft Internet Explorer 6 SP1 did not properly validate parameters during calls to navigation methods, which allowed remote attackers to execute arbitrary code via a crafted HTML document that triggers memory corruption, aka “Parameter Validation Memory Corruption Vulnerability.”

All of the above vulnerabilities were confirmed and published by the National Vulnerability Database, and appropriate action was taken by Microsoft. Please note that this is not a complete list of the vulnerabilities found; it is only a list of recent ones.

Secunia Study:

An independent security advisory firm, Secunia, maintains a database of vulnerabilities in the different versions of IE. This comparison of unpatched, publicly known vulnerabilities in the latest stable versions of the browser is based on vulnerability reports by Secunia (Secunia.com).

| Browser | Advisories | Vulnerabilities |
|---|---|---|
| IE6 | 150 | 227 |
| IE7 | 50 | 151 |
| IE8 | 18 | 77 |

SecurityFocus Study (SecurityFocus.com is an online computer security news portal and purveyor of information security services):

According to the SecurityFocus report, the numbers of vulnerabilities found in the latest stable versions of IE are:

| Browser | Vulnerabilities |
|---|---|
| IE6 | 473 |
| IE7 | 26 |
| IE8 | 62 |

Conclusion

  1. If you are going to develop a new web application and are deciding how many IE versions it should support, it is clear from the above study that IE6 should be your lowest priority, considering:
    1. Features available in IE7 and IE8 (and the effort required to implement IE6 compatibility)
    2. (sample) 20 vulnerabilities (IE6: 16, IE7: 11, IE8: 9)
  2. Software giants like Google have begun the drive to phase out support for Microsoft’s web browser Internet Explorer 6, among other older browsers.
  3. Nevertheless, Microsoft is making its own moves to make sure users upgrade to the latest versions of IE. For example, Office Web Applications (browser versions of Word, PowerPoint, Excel, and OneNote) will support Internet Explorer 7 and Internet Explorer 8 (as well as Firefox 3.5 on Windows, Mac, and Linux, and Safari 4 on Mac). There is no mention of IE6 in the support list. It is not officially supported, but customers will not be blocked from using it.
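
To back the support decision in point 1 with data from your own site, the following added example (not part of the original paper) counts which IE versions actually reach an application, based on the User-Agent header. The sample strings are constructed; the function names are illustrative. It also handles the IE8 Compatibility View case from the feature table, where IE8 announces itself as "MSIE 7.0" but still sends the "Trident/4.0" engine token.

```python
import re
from collections import Counter

# Constructed sample User-Agent values, e.g. as pulled from an access log.
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    # IE8 in Compatibility View: MSIE token says 7.0, engine token says Trident/4.0
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5",
    "",  # missing header
]

MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.\d+")
# Engine version -> browser version that shipped it (Trident/4.0 = IE8, Trident/5.0 = IE9).
TRIDENT_TO_IE = {4: 8, 5: 9}


def classify_ie(user_agent):
    """Return 'IE6', 'IE7', 'IE8', ... for Internet Explorer, or None otherwise."""
    user_agent = user_agent or ""
    msie = MSIE_RE.search(user_agent)
    # Older Opera builds could send an MSIE token too; do not count them as IE.
    if not msie or "Opera" in user_agent:
        return None
    version = int(msie.group(1))
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        # Compatibility View lowers the MSIE token but not the engine token,
        # so the engine token decides which browser (and patch level) is really in use.
        version = max(version, TRIDENT_TO_IE.get(int(trident.group(1)), version))
    return "IE%d" % version


def count_ie_versions(user_agents):
    """Count requests per IE version; everything else is grouped as 'other'."""
    return Counter(classify_ie(ua) or "other" for ua in user_agents)


if __name__ == "__main__":
    counts = count_ie_versions(SAMPLE_USER_AGENTS)
    total = sum(counts.values())
    for name, n in sorted(counts.items()):
        print("%-6s %3d  %5.1f%%" % (name, n, 100.0 * n / total))
```

The User-Agent header is client-controlled, so treat the result as a usage estimate for planning, not as a security control.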

Glossary

Tabs: View and manage multiple websites in one browser window with enhanced tabbed browsing.

Web Slices: Using Web Slices, you can keep up with frequently updated sites directly from the new Favourites Bar. If a Web Slice is available on a page, a green Web Slices icon will appear in the Command Bar. Click on this icon to easily subscribe and add the Web Slices to the Favourites Bar so you can keep track of that “slice” of the web.

Accelerators: Accelerators help you to use fewer clicks to get driving directions, translate words, and perform routine tasks.

Click Jacking: Click-jacking is an emerging online threat where an attacker’s web page deceives you into clicking on content from another website without you realizing it.

Malware: Malware is software that a cybercriminal can use to steal your bank account information, track everything you type, send out malicious software or spam, or harm your computer.

Phishing: In Phishing, a cybercriminal pretends to be a legitimate organization, such as your bank, in order to deceive you into giving up personal information such as credit card numbers and account information.

References

For Browser feature comparison

  1. http://windows.microsoft.com/en-IN/internet-explorer/products/ie-9/compare-browsers
  2. http://en.wikipedia.org/wiki/Internet_Explorer
  3. http://www.microsoft.com/windows/internet-explorer/compare/compare-versions.aspx
  4. http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
  5. http://www.microsoft.com/windows/products/winfamily/ie/ie7/features.mspx
  6. http://www.microsoft.com/windows/ie/ie6/evaluation/features/default.mspx
  7. http://www.webdevout.net/browser-support

Vulnerabilities

  1. http://secunia.com/advisories/product/11/?task=statistics_2009
  2. http://en.wikipedia.org/wiki/Comparison_of_web_browsers#Vulnerabilities
  3. http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx
  4. http://www.kb.cert.org/vuls/id/492515
  5. http://web.nvd.nist.gov
  6. http://www.cve.mitre.org/cve/