The roots of Internet Explorer’s security problems

About a day ago Zack Whittaker posed the question: Has Internet Explorer ever been safe?

Overall I think this is a pretty good write-up on the history of Internet Explorer for those who don’t understand its faults and/or are actually still using IE for serious Web browsing.

I think on a greater scale, it’s a great example of Microsoft’s utter failure in terms of security, and quite possibly a testament to the problems facing non-free software.

Non-free software is defined here as software licensed under terms which do not grant at least one of the four freedoms in the FSF’s Free Software Definition. This includes most of the shrink-wrapped boxes on the shelf at your local computer/electronics retailer.

This class of software, particularly software made available without human-comprehensible source code (like just about all of Microsoft’s products), starts at a significant security disadvantage. Its users are stuck waiting on the maintainer’s patch, and in the case of some remotely exploitable holes they are “sitting ducks” until one is available.

The FSD’s freedoms 1 and 3 are particularly important for getting security fixes out on the users’ timetable instead of the maintainer’s, with freedom 2 playing a strong supporting role in the case where the maintainer refuses to even acknowledge the problem. This is how the fix for the teardrop vulnerability in the Linux kernel made it out in a matter of hours, instead of the days or weeks it took for the corresponding Windows patch. Unfortunately for Windows users in 1997, Microsoft’s stance on security had much more room for improvement than it does today. Even if a fix had come from a user or group of users, it could not have been legally distributed under the terms of Microsoft’s end-user license agreement (EULA).

Note that this is only an example. The issues are just as relevant in 2008 (or soon 2009) as they were in 1997, and they apply to the recent zero-day IE exploit the same as they do to the teardrop vulnerability.

It is possible Microsoft’s programming staff may one day, finally, match on a consistent basis the speed at which Firefox’s development team (which includes users capable of fixing security holes in Firefox) gets fixes out. In fact I would like to see that happen in the near future.

However, I’ll be honest here and say I’d also like to win a multi-million dollar lottery jackpot in the near future. Casting wishful thinking aside and sticking to strict realism, I don’t see either happening soon.

[Edit 2020-12-15: dead link updated]