Questionable IE 8/9 TÜV Certification
Friday, 01 July 2011
In an effort to get one of its most popular software more widely accepted, Microsoft entrusted TÜV
TRUST IT Ltd. from Austria to determine the security characteristics of the Internet Explorer 8 and 9 – with
questionable results.
Company representatives reported about a check of Internet Explorer 8, on Microsoft's official website microsoft.com, which took place from Dec. 2009 to March 2010 [1]. It has been pointed out repeatedly that a neutral instance had been given the mandate to run this exhausting investigation. According to these representatives data security, privacy and compliance aspects, based on a broad catalog of requirements, have been taken into account. Detlev Henze from TÜV TRUST IT Ltd. finally summed it all up with, quote: "The Internet Explorer 8 convinced us." and further "In comparison to the previous version (Internet Explorer 7) it contains significant improvements in safety and sets the standard for browser security." Later, in May 2011, a news report about the successful certification of Internet Explorer 9 also appeared in the media.
Company representatives reported about a check of Internet Explorer 8, on Microsoft's official website microsoft.com, which took place from Dec. 2009 to March 2010 [1]. It has been pointed out repeatedly that a neutral instance had been given the mandate to run this exhausting investigation. According to these representatives data security, privacy and compliance aspects, based on a broad catalog of requirements, have been taken into account. Detlev Henze from TÜV TRUST IT Ltd. finally summed it all up with, quote: "The Internet Explorer 8 convinced us." and further "In comparison to the previous version (Internet Explorer 7) it contains significant improvements in safety and sets the standard for browser security." Later, in May 2011, a news report about the successful certification of Internet Explorer 9 also appeared in the media.
Said check of Internet Explorer 9 involved ISO/IEC 27001:2005 as a base for the common requirement specification.
Interestingly flaw detection, update procedures and software inherent security mechanisms had been covered by the
check, although ISO/IEC 27001:2005 is meant to be a formal specification which mandates specific requirements.
That implies a company or an organization can only get certified for bringing information security under explicit
management control, but any given piece of software itself cannot get certified that way – just as a software
security mechanism which is ultimately based on a software's source code
[2].
However the ISO/IEC 27001:2005 part which addressed Microsoft's update procedures seemed to be valid. It
especially addressed the most considerable aspect of that notion: time. Most FOSS projects like Mozilla Firefox
provide updates to fix bugs with severe impact faster than any commercial entity could possibly ever accomplish
[3].
Nevertheless Microsoft Internet Explorer passed that component testing.
The inspectors also pointed out that the secure operation of Internet Explorer 9 heavily depends on its security settings. Of course such settings are important, but even more important is the source code which ensures that a web browser and its underlying operating system never get compromised no matter what settings were in effect at the time of use. Unfortunately as with the check of Internet Explorer 8 no code analysis of Internet Explorer 9 has been performed as well. To make clear the importance of well designed code one should browse cert-bund.de/search and provide the system with a date range for notices between 25.05.10 and today (the time of writing this article) [4]. Therefore it is advised to select "short infos" and a risk level higher or equal than 4. The results indicate that there are 84 announcements for the search term "Internet Explorer" vs. 34 when entering "Firefox". Nevertheless Microsoft Internet Explorer got certified successfully.
The TÜV TRUST IT Ltd. website also contains an extraordinary sentence on it-tuv.com which the authors of this article had to read twice, quote: "Software, in particular, as comprehensive software as a web browser, has inherent errors in principle that can cause a system compromise in certain situations. Therefore, as part of the technical analysis, a full and intensive analysis of the software, based on its source code, was abandoned as an option." In other words the inspectors did not analyze the code because (that) software has errors in principle and so it is not reasonable spending the time [5]. This is plain wrong! Especially such software, which is "the Window to the Internet", as Dorothee Ritz, General Manager Consumer & Online at Microsoft Germany mentioned, cannot be analyzed, penetrated and risk assessed to much and by too many people. Everyone knows that source code quality increases with the number of people who have a look at it and so the opposite is always a false assumption [6]. Microsoft does not follow that paradigm due to its nature. Anyhow that does not matter since the Microsoft Internet Explorer now has a valid TÜV certificate after all.
The authors of this article further criticize the focus of the technical inspection, but primarily the lack of document publishing as a whole. Neither TÜV TRUST IT Ltd. nor Microsoft offered substantial documentation with reference to the discussed certification on their official websites for review. Especially these documents would have laid open the quality of the inspection and certification process in greater detail.
The inspectors also pointed out that the secure operation of Internet Explorer 9 heavily depends on its security settings. Of course such settings are important, but even more important is the source code which ensures that a web browser and its underlying operating system never get compromised no matter what settings were in effect at the time of use. Unfortunately as with the check of Internet Explorer 8 no code analysis of Internet Explorer 9 has been performed as well. To make clear the importance of well designed code one should browse cert-bund.de/search and provide the system with a date range for notices between 25.05.10 and today (the time of writing this article) [4]. Therefore it is advised to select "short infos" and a risk level higher or equal than 4. The results indicate that there are 84 announcements for the search term "Internet Explorer" vs. 34 when entering "Firefox". Nevertheless Microsoft Internet Explorer got certified successfully.
The TÜV TRUST IT Ltd. website also contains an extraordinary sentence on it-tuv.com which the authors of this article had to read twice, quote: "Software, in particular, as comprehensive software as a web browser, has inherent errors in principle that can cause a system compromise in certain situations. Therefore, as part of the technical analysis, a full and intensive analysis of the software, based on its source code, was abandoned as an option." In other words the inspectors did not analyze the code because (that) software has errors in principle and so it is not reasonable spending the time [5]. This is plain wrong! Especially such software, which is "the Window to the Internet", as Dorothee Ritz, General Manager Consumer & Online at Microsoft Germany mentioned, cannot be analyzed, penetrated and risk assessed to much and by too many people. Everyone knows that source code quality increases with the number of people who have a look at it and so the opposite is always a false assumption [6]. Microsoft does not follow that paradigm due to its nature. Anyhow that does not matter since the Microsoft Internet Explorer now has a valid TÜV certificate after all.
The authors of this article further criticize the focus of the technical inspection, but primarily the lack of document publishing as a whole. Neither TÜV TRUST IT Ltd. nor Microsoft offered substantial documentation with reference to the discussed certification on their official websites for review. Especially these documents would have laid open the quality of the inspection and certification process in greater detail.
References:
- ↟ "TÜV Trust IT Ltd. checks the Internet Explorer 8"↗. Microsoft Germany Ltd. / I. Nadler. Retrieved 01 July 2011.
- ↟ "Wikipedia - ISO/IEC 27001:2005"↗. Wikipedia / B. Rayner, D. Shearer, et al. Retrieved 01 July 2011.
- ↟ "Internet Explorer is Dangerous - Browser Patch Delay"↗. Web Devout / David Hammond. Retrieved 01 July 2011.
- ↟ "Warning and Information Services - Search"↗. Federal Office for Information Security. Retrieved 01 July 2011.
- ↟ "TÜV-Studie: Internet Explorer 8/9"↗. TÜV Austria Group / TÜV TRUST IT TÜV AUSTRIA Ltd. Retrieved 01 July 2011.
- ↟ "Open source's 'shallow bugs' theory hasn't [..]"↗. CBS Interactive, TechRepublic. / M. Asay. Retrieved 01 May 2015.
Last Updated (Friday, 01 May 2015)
