Jun 16, 2011 19:41 GMT

There should be little doubt that Internet Explorer 9 would be the winner of a comparison with Internet Explorer 8, security-wise, and Microsoft even has some palpable proof.

As the Redmond company released this month’s patches, Chengyun Chu, from MSRC Engineering, had a look at how Microsoft Security Bulletin MS11-050 – Cumulative Security Update for Internet Explorer (2530548) impacts IE9 and IE8.

Although MS11-050 is rated Critical for both versions of Internet Explorer, users running IE9 are more secure by default compared to those that have yet to upgrade from IE8.

MS11-050 is designed to plug no fewer than 11 security holes across all supported IE versions. However, IE9 is affected by only four of the security vulnerabilities, unlike IE8, which contains all the flaws.

“Only a minor fraction of vulnerabilities affecting IE8 (and earlier versions of the browser) would still affect IE9. This is due to various factors related to security work that happened in IE8, ranging from deprecating obsolete features, to improving fuzzing tests in IE9 and so on,” Chu explained.

“For example, CVE-2011-1255 is related to HTML+TIME, which was deprecated in IE9 development. There are many beautiful things in IE9. Besides all these wonderful new features, we would also recommend you to update to IE9 if you can for security.”

I’ve said it before, and my view has not changed: the number of vulnerabilities in software products is not a true measure of their security.

However, I do believe that the volume of security flaws is a direct reflection of code quality and the security related efforts made during the development process.

In this particular case, the impact of MS11-050 reveals that users ought to be running IE9 instead of IE8, if they’re relying on Internet Explorer.

All 11 security vulnerabilities patched with MS11-050 were privately reported to Microsoft.

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” the company said.

Internet Explorer 10 (IE10) Platform Preview 1 (PP1) is available for download here.

Windows Internet Explorer 9 RTW for Windows 7 and Windows 7 SP1 is available for download here.