It's funny, every time I read about yet another security vulnerability in Internet Explorer, such as the recent one involvingĀ Adobe Flash hosted on the Council of Foreign Relations website that performs a heap spray against Internet Explorer 8, I am reminded of the old Ralph Nader tomeĀ Unsafe at Any Speed, which was a bookĀ releasedĀ in 1965 about how unsafe the automobiles designed by the American Auto Industry are. Thus, the phrase "Unsafe at Any Version" seems to come to mind when I think of Internet Explorer.Ā Likewise, I tend to think the same thing about Adobe Acrobat, Adobe Flash, or Adobe Shockwave (2 year old vulnerability, anyone?)
Is it fair to say these products are unsafe at any version?Ā While evidence seems to suggest that is probably true, I believe the security problems we see in these products are evidence of their success. Okay, maybeĀ Internet Explorer was successful because of being illegally tied to Microsoft Windows, butĀ I'm trying to remember the last time Internet Explorer, Adobe Flash, and Adobe Acrobat Reader were not considered "required items" for a PC.
Which is part of the problem of keeping these programs secure. There is aĀ lotĀ of legacy code in those apps. They were written well beforeĀ Secure Coding PracticesĀ became the norm. Internet Explorer itself has a fundamental flaw by being so tightly tied into the operating system. Rewriting code is no fun and, unless there is a significant business reason to do so, doesn't happen.
Granted, AdobeĀ didĀ do this with Adobe Reader, but there's still a lot older Adobe Readers out there still, just waiting to be compromised. Just like there are millions of people still running XP and Internet Explorer 8, which Microsoft will eventually stop providing security patches for.
These applications aren't going anywhere anytime soon. Which means the bad guys are going to continue to find vulnerabilities in these applications for theĀ foreseeableĀ future.Ā It certainly will keep us good guys busy for theĀ foreseeableĀ future, too.