This essay was written in 2004 and some of the information in it is no longer correct and/or extremely out of date. It is being kept online for historical reasons.
copyright © 2004 Christian Wagner - cwagner@io.com
So the question is, why is Internet Explorer so prone to these problems? Why do people keep finding bugs in IE that let the malicious install software on your PC without your permission? Is it just because Internet Explorer is popular? Would these same problems crop up if other browsers (like Firefox or Opera or Safari) were used just as much?
In short, the answer is no. The quick explanation is this: Internet Explorer is designed to let software do potentially dangerous things to your PC using a web browser. Other browsers (such as Firefox, Opera, and Safari) are not. Now the long explanation, which is somewhat technical.
The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera); it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications. The most important library is probably MSHTML.DLL, which more than anything else is Internet Explorer.
These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn administrator-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation. And so we have Security Zones.
The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE.
Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself.
The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Firefox, Opera, and Safari do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all.
Internet Explorer, by virtue of being a core OS service with a Local Zone that has full access to your PC, is like a bank vault full of wealth. You may be able to throw all sorts of security at it, you may lock it down and cover it with armed guards, but all it takes is a "man on the inside" (i.e. a bug that generates a security hole) and somebody can waltz right into the vault.
Because Firefox, Opera, and Safari do not have a Local Zone to exploit in the first place, there's nothing to break into. There is no security problem because there is nothing that requires guards and six-inch steel doors and laser tripmines. That's why these alternative browsers are inherently more secure than Internet Explorer: there is nothing to steal. The criminals can spend as much time as they want casing the building but there won't be any diamonds in the vault, because the building is a bookstore.
The metaphor breaks down because yes, bugs show up in Firefox, Opera, and Safari sometimes that allow for arbitrary code execution, but that's different from the very consistent bugs in IE that give internet attackers access to Local Zone rights. These rare bugs in alternative browsers are entirely unintended behavior and easy to remove; in Internet Explorer, they are intended behavior in the wrong hands, which is much more difficult to handle.
Microsoft has made some headway on this problem with Windows XP Service Pack 2. With SP2 installed, the Local Zone has been locked down in Internet Explorer to help prevent exploits from working, even if those exploits are found. However, the Local Zone still exists (and exploits that affect XP SP2 have already been found as of 10/21/04), and only time will tell if the lockdown solution will help in the long-term. This also does not help anyone running previous versions of Windows; this improvement to Internet Explorer's most severe security design flaw will not be made available to anyone who is not running Windows XP.
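To make the zone model and the SP2 lockdown concrete, here is a small Python model written for this page (not Microsoft's code). It maps a URL to a zone roughly the way IE's zone manager does, assigns each zone the privileges the essay describes, enforces the rule that less-trusted content may not reach a more-trusted zone, and shows why a Local Zone lockdown still limits the damage when that rule is bypassed. The privilege table, the scheme list and the `bug` switch are assumptions made for illustration.

```python
# Simplified model of IE security zones (added illustration, not IE's own code).
# Zone numbering follows IE: lower number = more trusted.
from urllib.parse import urlsplit

LOCAL_MACHINE, LOCAL_INTRANET, TRUSTED, INTERNET, RESTRICTED = range(5)

# Assumed privilege table, modelled on the essay: only the Local (Machine)
# Zone may write local files and spawn processes.
PRIVILEGES = {
    LOCAL_MACHINE: {"script", "activex", "write_files", "spawn_process"},
    LOCAL_INTRANET: {"script", "activex"},
    TRUSTED: {"script", "activex"},
    INTERNET: {"script"},
    RESTRICTED: set(),
}

def map_url_to_zone(url, trusted=(), restricted=()):
    """Assign a URL to a zone: local schemes -> Local Machine, listed hosts ->
    Trusted/Restricted, unqualified host names -> Intranet, else Internet."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in ("file", "res"):   # content on the local disk
        return LOCAL_MACHINE
    if host in restricted:
        return RESTRICTED
    if host in trusted:
        return TRUSTED
    if host and "." not in host:                  # e.g. http://intranet/
        return LOCAL_INTRANET
    return INTERNET

def privileges(zone, lockdown=False):
    """Privileges granted to content running in `zone`.  lockdown=True models
    XP SP2's Local Machine Zone Lockdown: Local Zone content loses script and
    ActiveX, so even content tricked into that zone cannot run code."""
    granted = set(PRIVILEGES[zone])
    if lockdown and zone == LOCAL_MACHINE:
        granted -= {"script", "activex"}
    return granted

def may_access(actor_zone, target_zone):
    """Zone-elevation rule: content may only touch frames in its own zone or
    a less-trusted one; reaching a more-trusted zone is denied."""
    return target_zone >= actor_zone

def effective_privileges(page_url, frame_url, lockdown=False, bug=False):
    """What a script on `page_url` ends up with after taking over a frame
    showing `frame_url`.  bug=True models a cross-zone scripting flaw where
    the elevation check is skipped (assumed, for illustration)."""
    actor, target = map_url_to_zone(page_url), map_url_to_zone(frame_url)
    if not bug and not may_access(actor, target):
        return privileges(actor, lockdown)   # denied: stays in its own zone
    return privileges(target, lockdown)
```

With `bug=True` and no lockdown, an Internet page reaching a `file:` frame inherits the full Local Zone privilege set; with `lockdown=True` the same flaw yields no script or ActiveX rights, which is the whole point of SP2's change.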