 
 
Questionable IE 8/9 TÜV Certification
Friday, 1 July 2011
In an effort to get one of its most popular software products more widely accepted, Microsoft entrusted TÜV TRUST IT Ltd. from Austria with determining the security characteristics of Internet Explorer 8 and 9, with questionable results.

Company representatives reported on a check of Internet Explorer 8 on Microsoft's official website, microsoft.com, which took place from December 2009 to March 2010 [1]. It was pointed out repeatedly that a neutral body had been mandated to run this exhaustive investigation. According to these representatives, data security, privacy and compliance aspects, based on a broad catalog of requirements, had been taken into account. Detlev Henze of TÜV TRUST IT Ltd. finally summed it all up, quote: "The Internet Explorer 8 convinced us." and further: "In comparison to the previous version (Internet Explorer 7) it contains significant improvements in safety and sets the standard for browser security." Later, in May 2011, a news report about the successful certification of Internet Explorer 9 also appeared in the media.
 
Said check of Internet Explorer 9 used ISO/IEC 27001:2005 as the basis for the common requirement specification. Interestingly, flaw detection, update procedures and the software's inherent security mechanisms were covered by the check, although ISO/IEC 27001:2005 is meant to be a formal specification that mandates specific requirements. That implies a company or an organization can only be certified for bringing information security under explicit management control; a given piece of software itself cannot be certified that way, nor can a software security mechanism, which is ultimately based on the software's source code [2]. However, the ISO/IEC 27001:2005 part which addressed Microsoft's update procedures seemed to be valid. It especially addressed the most considerable aspect of that notion: time. Most FOSS projects like Mozilla Firefox provide updates fixing bugs with severe impact faster than any commercial entity could possibly accomplish [3]. Nevertheless, Microsoft Internet Explorer passed that component of the test.

The inspectors also pointed out that the secure operation of Internet Explorer 9 heavily depends on its security settings. Of course such settings are important, but even more important is the source code, which must ensure that a web browser and its underlying operating system never get compromised, no matter what settings were in effect at the time of use. Unfortunately, as with the check of Internet Explorer 8, no code analysis of Internet Explorer 9 was performed either. To make clear the importance of well-designed code, one should browse cert-bund.de/search and give the system a date range for notices between 25.05.10 and today (the time of writing this article) [4]. There, select "short infos" and a risk level greater than or equal to 4. The results show 84 announcements for the search term "Internet Explorer" vs. 34 when entering "Firefox". Nevertheless, Microsoft Internet Explorer got certified successfully.

The TÜV TRUST IT Ltd. website also contains an extraordinary sentence at it-tuv.com/internet-explorer/, which the author of this article had to read twice, quote: "Software, in particular, as comprehensive software as a web browser, has inherent errors in principle that can cause a system compromise in certain situations. Therefore, as part of the technical analysis, a full and intensive analysis of the software, based on its source code, was abandoned as an option." In other words, the inspectors did not analyze the code because (that) software has errors in principle, and so it is not reasonable to spend the time [5]. This is plain wrong! Especially such software, which is "the Window to the Internet", as Dorothee Ritz, General Manager Consumer & Online at Microsoft Germany, put it, cannot be analyzed, penetrated and risk-assessed too much or by too many people. Everyone knows that source code quality increases with the number of people who look at it, so the opposite is always a false assumption [6]. Microsoft does not follow that paradigm due to its nature. Anyhow, that does not matter, since Microsoft Internet Explorer now has a valid TÜV certificate after all.

The author of this article further criticizes the focus of the technical inspection, but primarily the lack of published documentation as a whole. Neither TÜV TRUST IT Ltd. nor Microsoft offered substantial documentation on the discussed certification on their official websites for review. These documents in particular would have laid open the quality of the inspection and certification process in greater detail.
 
References:
Last updated (Friday, 1 May 2015)
©  2003 - 2017   TRON-DELTA.ORG  (NGO)   –   Nongovernmental  Intelligence  Organization