Web Informant #377, 9 July 2004:

IE May Be Hazardous To Your Computer's Health




Over the past few weeks more Internet Explorer vulnerabilities have come to light. Here is advice from Bob Matsuoka, President and founder of Runtime Technologies. I think what he has to say makes a lot of sense. Take it away, Bob.


At the bottom of a recent vulnerability note posted by the US Computer Emergency Readiness Team (CERT) is a chilling paragraph header in the Solutions section: "Use a different web browser" (than IE). This has been our company policy for about four months, ever since our System Administrator, who is no security slouch himself, had his machine infected by some sort of malware that brought it down and necessitated a day-long cleanup. Yes, he had anti-virus software installed, we have a firewall, and his IE security settings were tight. Clearly, however, unless you crank up security to the maximum level -- disabling Active scripting and ActiveX controls in the Local Machine Zone, and also disabling browser helper objects -- IE cannot be considered a "safe" browser.




At this point, a reasonable person might consider: why bother with IE? Not only does locking down IE to this level reduce any advantage it may have over other browsers for accessing proprietary IE-specific websites, these are user-controlled settings. A careless configuration by an end-user may result in anything from a fatal corruption of that computer to a compromise of your company's security by some malicious script that is contained in some innocent Web site.


Our policy now is that one of the Mozilla project's browsers, preferably Firefox (Firefox is a browser-only application re-built from scratch based on the Gecko rendering engine developed by Mozilla), should be installed as primary browser. As a Web development company, we can't afford to not have IE available to view finished designs. But we can at least be reasonably certain that browsing one of our own sites with IE won't cause any problems!



With a huge majority of the browser market share, making a suggestion to switch to a non-Microsoft browser is liable to result in one's being labeled as an open-source software or Linux zealot. Interestingly enough, some statistics indicate that Internet Explorer has lost almost 7% share to Mozilla in less than a year.


But there are plenty of reasons why this may make sense:


1. Security, security, security:  Even a Microsoft apologist should admit at this point that IE may never be a secure browser to operate.  Secunia.com currently lists 54 current advisories for IE 6, with nearly half (42%) of them either highly or extremely critical. By comparison, Firefox has three listed, none of them highly or extremely critical.  Clearly Firefox has the newcomer's advantage, but an examination of the type of errors that plague IE indicates that it is IE's integral connection to the underlying Windows OS that results in many of these problems. As a standalone application, Firefox is never likely to suffer the same sort of vulnerabilities that IE does, though it will likely have some exposed as its popularity grows.


2. Features: Firefox has plenty, including tabbed browsing, popup blocking, extensions, and developer tools. 


3. Simplicity: Firefox comes in a ~5Mb installer package that takes less than 5 minutes to install. There are no automatic deployment tools yet that I could discover, but it should integrate nicely with existing third-party tools.


4. Compatibility: I've used Firefox as my primary browser now for nearly a year, and I've found very few public sites that don't look as good or better. Sites that use proprietary Microsoft technologies, such as MSHTML (WYSIWYG content editing) and ActiveX, will not work. It may be impossible to secure IE for external use at this point. In fact, ActiveX seems to be at the heart of many of IE's security problems. Firefox uses an extensions model which is much more self-contained and can provide similar functionality without the same security risks. Given the popularity of Mozilla, it is more likely that designers will consider its support in Web site designs. Mozilla also consistently ranks as having the highest Web standards support among browsers, providing even more incentive.


5. Cost: Firefox is free. It also is much less likely to cost you the downtime and ticket resolution time that IE will due to its security problems.


6. Microsoft: IE 6 was first released over 3 years ago.  Their official policy is that there will be no more major releases until Longhorn, which is at least two years away. Clearly there are no quick fixes for the raft of problems facing IE, although the XP SP2 should help XP users. Can you afford to leave such a big security hole running in your network?


If you are a corporate IT manager, it is probably premature for you to switch browsers system-wide. After all, Firefox still hasn't even reached version 1.0 (the latest release is currently 0.9.1; Version 1.0 is due out in September). There are also a number of factors to be considered in moving away from IE, including support for commonly used plug-ins, ActiveX and extensions which your Intranet may use. Also, simply not using IE as a browser won't solve all IE-related problems. Programs which use IE's rendering engine, such as Outlook, are still vulnerable. And while possible, Microsoft has made it painful to remove IE from Windows entirely.



However, if you are concerned about IE security problems, it is probably time for you to look seriously into Mozilla Firefox. Go ahead, it won't hurt. Run it yourself, have your IT staff run it. And consider making a company-wide switch once v1.0 is released.
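
For machines that must keep IE, the maximum-security settings named earlier (Active scripting and ActiveX disabled in the Local Machine Zone, browser helper objects disabled) can be audited from the registry. The script below is an added example, not part of the original newsletter; the registry paths, the zone action IDs 1200 and 1400 and the "Enable Browser Extensions" value are Microsoft's documented IE settings rather than anything stated in the article, and the script assumes the per-user (HKCU) settings are the ones in effect.

```powershell
# Added example: report whether the three IE lockdown settings are applied.
# Zone 0 is the Local Machine ("My Computer") zone; action value 3 means "disable".
$zoneKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$mainKey = 'Software\Microsoft\Internet Explorer\Main'

$checks = @(
    [pscustomobject]@{ Setting = 'Run ActiveX controls and plug-ins (LMZ)'; SubKey = $zoneKey; Name = '1200'; Want = 3 }
    [pscustomobject]@{ Setting = 'Active scripting (LMZ)';                  SubKey = $zoneKey; Name = '1400'; Want = 3 }
    [pscustomobject]@{ Setting = 'Third-party browser extensions (BHOs)';   SubKey = $mainKey; Name = 'Enable Browser Extensions'; Want = 'no' }
)

function Test-IELockdown {
    param(
        # Assumption: per-user settings apply. Pass 'HKLM:' as well if
        # machine-wide zone settings are enforced in your environment.
        [string[]]$Hives = @('HKCU:')
    )
    foreach ($hive in $Hives) {
        foreach ($c in $checks) {
            $path   = Join-Path $hive $c.SubKey
            $actual = $null
            $prop   = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($c.Name) }

            # A missing value means IE falls back to its default, which is
            # not the locked-down state, so it is reported as not hardened.
            [pscustomobject]@{
                Hive     = $hive
                Setting  = $c.Setting
                Expected = $c.Want
                Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
                Hardened = ($null -ne $actual) -and ($actual -eq $c.Want)
            }
        }
    }
}

Test-IELockdown | Format-Table -AutoSize
```

Because these are user-controlled settings, a one-time check says little; running the audit on a schedule shows when a user has loosened them.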


- - - -


Thanks for the advice, Bob. I do think that the security model initially chosen for ActiveX by Microsoft is finally coming back to haunt us all. And while many of us don't want to give up the functionality and extra features that having ActiveX in our sites provides, we may not have much of a choice as these exploits continue to undermine the security of our desktops and our data.


Entire contents copyright 2004 by David Strom, Inc.

David Strom, dstrom@cmp.com, +1 (516) 562-7151

Port Washington NY 11050

Web Informant is a ® registered trademark with the U.S. Patent and Trademark Office.

ISSN #1524-6353 registered with U.S. Library of Congress
