Usually in this space, I write about some secret or little-known technology that I can reveal to my readers. This time, I'm forced to cover a topic that many computer security experts have been talking about for months or years: we need to drive a stake through Internet Explorer's heart.
From Healthy Competition to a Monolithic Shell
The latest and greatest security threat, in which Russian hackers were able to infect hundreds if not thousands of corporate Web sites and use them to install Trojan horse programs on visitors' PCs, marked a turning point. Even US-CERT, a respected nonprofit security clearinghouse, recommended in June that Windows users "use a different Web browser" than Microsoft's free IE program.
It wasn't always like this. Now that IE is used by 95% of Web surfers worldwide, it's hard to remember the day when many browsers bloomed. Back at the dawn of the World Wide Web — in 1996, before Microsoft started bundling IE into every copy of Windows — there were actually 10 or more browsers competing for users' dollars. For example:
• IBM's Internet Connection was a serious contender back then. It was an especially strategic product for the giant corporation because it worked well with the IBM Global Network, an early Internet access method.
• Symantec's CyberJack was another choice, this one from a company that would later become well-known as a computer security powerhouse. The browser could even decompress Zip files for you — something IE can't do to this day (without relying on built-in features of Windows XP).
• Netscape Navigator, of course, was still tops in market share at this early crest of the Web wave. Selling for a street price of $35, Netscape had the incentive and the means to innovate, with extensive support for novelties of the day, such as HTML tables, frames, and a wide array of "plug-ins" provided by third parties.
Other names were players then, too — Attachmate, Quarterdeck, Spry and several others offered retail products that evolved almost weekly. IE 2.0 at that time had no support for frames and commanded only a limited market share (even though Microsoft allowed all comers to download it for free).
You may think that those days of Windows 95 and 28.8 Kbps modems are irrelevant to us now. But with numerous security analysts coming to the conclusion that IE's reliance on flawed extensions such as ActiveX make the browser impossible to permanently secure, your company may find itself longing for the good old days when software competition was seen as a plus.
As The World Turns
Whether today's competitors to IE are really engineered more securely — or are merely attacked by worms less often — is beside the point. If the marketplace supported 10 browsers today, hackers would have much less incentive to generate remote threats, which would require the development of specialized code for each alternative.
I sense that enterprises across America and around the world are just now beginning to entertain the idea of abandoning IE and investing in other browsers instead. It's remarkable to think that a software company as successful as Microsoft might actually blow a 95% penetration rate due to a user backlash over bad engineering. But that's what we're starting to see.
In my view, the Firefox browser is coming on as a strong threat to IE. Emerging from the Mozilla team, Firefox is still at a beta level of development. But it's well into the 0.9x stage and should "go gold" with its slick tabbed interface as early as September.
The older Mozilla browser itself is currently the most widely used of all the IE alternatives. But that number of users merely represents low single digits of market share and the product may soon be eclipsed by Firefox.
Opera, developed by a Norwegian company, has had some success providing Web access in advanced cell phones, but it's still stuck at only about 1% of desktop PC users. Even so, with major IE users desperate to get off the treadmill of constant updates and patches, any alternative — even a little-used browser — starts to look good.
Moving your company away from IE, unfortunately, doesn't eliminate hacker threats against Windows. Microsoft's browser technology has been integrated into its operating system since Windows 98, and merely avoiding the browser doesn't remove from a PC all of IE's vulnerable components.
Additionally, you may be forced to fire up IE to visit sites that require ActiveX to function. The worst offender is Microsoft's own Windows Update, which won't work at all if you merely turn IE's security setting to "High."
In a nutshell, that setting may offer the best roadmap we can currently get. By cranking IE up to its highest security setting to make its components less vulnerable, lowering that setting to Medium only to access Windows Update and its ilk, and using Firefox or Mozilla for everything else, you may just be able to sleep easier at night.