Questionable IE 8/9 TÜV Certification
Friday, 01 July 2011
In an effort to get one of its most popular software more widely accepted, Microsoft entrusted TÜV TRUST IT Ltd. from Austria to determine the security characteristics of the Internet Explorer 8 and 9 – with questionable results.

Company representatives reported about a check of Internet Explorer 8, on Microsoft's official website microsoft.com, which took place from Dec. 2009 to March 2010 [1]. It has been pointed out repeatedly that a neutral instance had been given the mandate to run this exhausting investigation. According to these representatives data security, privacy and compliance aspects, based on a broad catalog of requirements, have been taken into account. Detlev Henze from TÜV TRUST IT Ltd. finally summed it all up with, quote: "The Internet Explorer 8 convinced us." and further "In comparison to the previous version (Internet Explorer 7) it contains significant improvements in safety and sets the standard for browser security." Later, in May 2011, a news report about the successful certification of Internet Explorer 9 also appeared in the media.

Said check of Internet Explorer 9 involved ISO/IEC 27001:2005 as a base for the common requirement specification. Interestingly flaw detection, update procedures and software inherent security mechanisms had been covered by the check, although ISO/IEC 27001:2005 is meant to be a formal specification which mandates specific requirements. That implies a company or an organization can only get certified for bringing information security under explicit management control, but any given piece of software itself cannot get certified that way – just as a software security mechanism which is ultimately based on a software's source code [2]. However the ISO/IEC 27001:2005 part which addressed Microsoft's update procedures seemed to be valid. It especially addressed the most considerable aspect of that notion: time. Most FOSS projects like Mozilla Firefox provide updates to fix bugs with severe impact faster than any commercial entity could possibly ever accomplish [3]. Nevertheless Microsoft Internet Explorer passed that component testing.

The inspectors also pointed out that the secure operation of Internet Explorer 9 heavily depends on its security settings. Of course such settings are important, but even more important is the source code which ensures that a web browser and its underlying operating system never get compromised no matter what settings were in effect at the time of use. Unfortunately as with the check of Internet Explorer 8 no code analysis of Internet Explorer 9 has been performed as well. To make clear the importance of well designed code one should browse cert-bund.de/search and provide the system with a date range for notices between 25.05.10 and today (the time of writing this article) [4]. Therefore it is advised to select "short infos" and a risk level higher or equal than 4. The results indicate that there are 84 announcements for the search term "Internet Explorer" vs. 34 when entering "Firefox". Nevertheless Microsoft Internet Explorer got certified successfully.

The TÜV TRUST IT Ltd. website also contains an extraordinary sentence on it-tuv.com which the authors of this article had to read twice, quote: "Software, in particular, as comprehensive software as a web browser, has inherent errors in principle that can cause a system compromise in certain situations. Therefore, as part of the technical analysis, a full and intensive analysis of the software, based on its source code, was abandoned as an option." In other words the inspectors did not analyze the code because (that) software has errors in principle and so it is not reasonable spending the time [5]. This is plain wrong! Especially such software, which is "the Window to the Internet", as Dorothee Ritz, General Manager Consumer & Online at Microsoft Germany mentioned, cannot be analyzed, penetrated and risk assessed to much and by too many people. Everyone knows that source code quality increases with the number of people who have a look at it and so the opposite is always a false assumption [6]. Microsoft does not follow that paradigm due to its nature. Anyhow that does not matter since the Microsoft Internet Explorer now has a valid TÜV certificate after all.

The authors of this article further criticize the focus of the technical inspection, but primarily the lack of document publishing as a whole. Neither TÜV TRUST IT Ltd. nor Microsoft offered substantial documentation with reference to the discussed certification on their official websites for review. Especially these documents would have laid open the quality of the inspection and certification process in greater detail.

References:
Last Updated (Friday, 01 May 2015)
 
 
Folding@Home
 

DOCUMENT TIME

  2017-07-29  ☀  14:00 UTC

CYBER THREATCON

  ✛ΔO CYBER THREATCON: Level ALPHA

SECURITY MODULE

  ᐅ REQUESTOR / YOU
  ᐊ 1&1 INTR. AG  CDN

POLL / VOTE

Should ✛ΔO engage more in counter-intelligence?
⚫ Yes, there is a need for such operations.
⚫ No, because it may be very dangerous.

BOOKMARK

Press Cmd or Ctrl + D
Press Cmd or Ctrl + D

STATISTICS

  Visitors: 642.250+ ℮

CAMPAIGNS

  25 Years of Linux

TECHNOLOGY BASE

COAT OF ARMS

  Code Of Arms: Frankfurt

OPERATING STATUS

  Facility: open and operating
 
©  2003 - 2017   TRON-DELTA.ORG  (NGO)   –   Nongovernmental  Intelligence  Organization
Portal v5.05.142 R 1 on ✛ΔO LXCMS v1.1