http://strom.com/awards/377.html
Over the past few weeks more Internet Explorer vulnerabilities
have come to light. Here is advice from Bob Matsuoka, President and founder of Runtime
Technologies. I think what he has to say makes a lot of sense. Take it away,
Bob.
At the bottom of a recent vulnerability note
posted by the US Computer Emergency Readiness Team (CERT) is a chilling paragraph
header in the Solutions section: "Use a different web browser" (than
IE). This has been our company
policy for about four months, ever since our System Administrator, who is no
security slouch himself, had his machine infected by some sort of malware that
brought it down and necessitated a day-long cleanup. Yes, he had anti-virus
software installed, we have a firewall, and his IE security settings were tight.
Clearly, however, unless you crank up security to the maximum level --
disabling Active scripting and ActiveX controls in the Local Machine Zone, and
also disabling browser helper objects -- IE
cannot be considered a "safe" browser.
http://www.kb.cert.org/vuls/id/713878
http://support.microsoft.com/?kbid=870669
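A way to check whether a Windows machine actually has the lockdown Bob describes (ActiveX and Active scripting disabled in the Local Machine Zone, no browser helper objects loaded), added here as an example rather than anything from the column or from Microsoft. It assumes the standard IE zone-settings registry locations (zone 0 is the Local Machine Zone, URL actions 1200 and 1400 control ActiveX and Active scripting, action value 3 means Disable) and the BHO registration key; none of these paths appear on the page, so verify them against Microsoft's documentation for your IE version.

```powershell
# Added example: audit IE's Local Machine Zone and BHO settings against the
# lockdown described above. Registry paths are assumptions (standard IE keys,
# not cited by the column); zone settings live under HKCU, so run as the user.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$bhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# URL action IDs: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$findings = @()
foreach ($id in $actions.Keys) {
    $value = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id
    if ($null -eq $value) { $state = 'not set (IE default applies)' }
    elseif ($labels.ContainsKey([int]$value)) { $state = $labels[[int]$value] }
    else { $state = "unknown ($value)" }
    $findings += [pscustomobject]@{
        Setting  = $actions[$id]
        State    = $state
        Hardened = ($value -eq 3)   # only an explicit Disable counts as locked down
    }
}

# Every registered BHO is loaded into IE with the browser's privileges; the
# advice above is to disable them, so any registration is reported as a finding.
$bhos = @()
if (Test-Path $bhoKey) {
    $bhos = @(Get-ChildItem -Path $bhoKey | ForEach-Object { $_.PSChildName })
}
$bhoState = if ($bhos.Count -eq 0) { 'none' } else { $bhos -join ', ' }
$findings += [pscustomobject]@{
    Setting  = 'Browser Helper Objects registered (CLSIDs)'
    State    = $bhoState
    Hardened = ($bhos.Count -eq 0)
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Hardened }) {
    Write-Warning 'IE is not locked down to the level described in the column.'
}
```

Where a domain policy forces machine-wide zone settings, the effective values may sit under the corresponding HKLM key instead; the script reads the per-user location only.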
At this point, a reasonable person might consider: why bother with
IE? Not only does locking down IE to this level reduce any advantage it may
have over other browsers for accessing proprietary IE-specific websites, but
these are also user-controlled settings. A careless configuration by an end-user may
result in anything from a fatal corruption of that computer to a compromise of
your company's security by some malicious script contained in an otherwise
innocent Web site.
Our policy now is that one of the Mozilla project's browsers, preferably
Firefox (Firefox is a browser-only application re-built from scratch based on
the Gecko rendering engine developed by the Mozilla project),
should be installed as the primary browser. As a Web development company, we can't
afford not to have IE available to view finished designs. But we can at least
be reasonably certain that browsing one of our own sites with IE won't cause
any problems!
http://www.mozilla.org/products/firefox/
With IE holding a huge majority of the browser market share, suggesting a
switch to a non-Microsoft browser is liable to get one labeled an open-source
software or Linux zealot. Interestingly enough, some statistics
indicate that Internet Explorer has lost almost 7% share to Mozilla in less
than a year.
But there are plenty of reasons why this may make sense:
1. Security, security, security: Even a Microsoft
apologist should admit at this point that IE may never be a secure browser to
operate. Secunia.com currently
lists 54 advisories for IE 6, with nearly half (42%) of them either highly or extremely critical. By
comparison, Firefox has three listed, none of them highly or extremely
critical. Clearly Firefox has the
newcomer's advantage, but an examination of the type of errors that plague IE
indicates that it is IE's integral connection to the underlying Windows OS that
results in many of these problems. As a standalone application, Firefox is
never likely to suffer the same sort of vulnerabilities that IE does, though it
will likely have some exposed as its popularity grows.
2. Features: Firefox has
plenty, including tabbed browsing, popup blocking, extensions, and developer
tools.
3. Simplicity:
Firefox comes in a ~5Mb installer package that takes less than 5 minutes to
install. There are no automatic deployment tools yet that I could discover, but
it should integrate nicely with existing third party tools.
4. Compatibility:
I've used Firefox as my primary browser now for nearly a year, and I've found
very few public sites that don't look as good or better. Sites that use proprietary Microsoft
technologies, such as MSHTML (WYSIWYG content editing) and ActiveX, will not
work. It may be impossible to secure IE for external use at this point. In
fact, ActiveX seems to be at the heart of many of IE's security problems.
Firefox uses an extensions model which is much more self-contained and can
provide similar functionality without the same security risks. Given the
popularity of Mozilla, it is more likely that designers will consider its
support in Web site designs.
Mozilla also consistently ranks as having the highest Web standards
support among browsers, providing even more incentive.
5. Cost:
Firefox is free. It also is much less likely to cost you the downtime and
ticket resolution time that IE will due to its security problems.
6. Microsoft:
IE 6 was first released over 3 years ago.
Their official policy is that there will be no more major releases until
Longhorn, which is at least two years away. Clearly there are no
quick fixes for the raft of problems facing IE, although XP SP2 should help
XP users. Can you afford to leave such a big security hole running in your
network?
If you are a corporate IT manager, it is probably premature for
you to switch browsers system-wide. After all, Firefox still hasn't even
reached version 1.0 (the latest release is currently 0.9.1; Version 1.0 is due
out in September). There are also a number of factors to be considered in
moving away from IE, including support for commonly used plug-ins, ActiveX and
extensions which your Intranet may use. Also, simply not using IE as a browser
won't solve all IE-related problems. Programs which use IE's rendering engine,
such as Outlook, are still vulnerable. And while it is possible, Microsoft
has made it painful to remove IE from Windows entirely.
http://www.litepc.com/ieradicator.html
However, if you are concerned about IE security problems, it is
probably time for you to look seriously into Mozilla Firefox. Go ahead, it
won't hurt. Run it yourself, have your IT staff run it. And consider making a
company-wide switch once v1.0 is released.
- -
Thanks
for the advice, Bob. I do think that the security model initially chosen for
ActiveX by Microsoft is finally coming back to haunt us all. And while many of
us don't want to give up the functionality and extra features that having
ActiveX in our sites provides, we may not have much of a choice as these
exploits continue to undermine the security of our desktops and our data.
Entire contents copyright 2004 by David Strom, Inc.
David Strom, dstrom@cmp.com, +1 (516) 562-7151
Port Washington NY 11050
Web Informant is a (R) registered trademark with the
U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email),
please send an email to:
mailto:Informant-request@avolio.com?body=subscribe.