I’m afraid it’s time this week for me to speak the unspeakable —
you have to stop using Internet Explorer. You have to stop using it
now.
Usually in this space, I write about some secret or little-known technology
that I can reveal to my readers. This time, I’m forced to cover a topic
that many computer security experts have been talking about for months
or years: we need to drive a stake through Internet Explorer’s heart.
From Healthy Competition to a Monolithic Shell
The latest and greatest security threat, in which Russian hackers were able to
infect
hundreds if not thousands of corporate Web sites and use them to install Trojan
horse programs on visitors’ PCs, marked a turning point. Even
US-CERT, a respected nonprofit security clearinghouse,
recommended
in June that Windows users “use a different Web browser” than Microsoft’s free
IE program.
It wasn’t always like this. Now that IE is used by 95% of Web surfers worldwide,
it’s hard to remember the day when many browsers bloomed. Back at the
dawn of the World Wide Web — in 1996, before Microsoft started
bundling IE into every copy of Windows — there were actually 10 or
more browsers competing for users’ dollars. For example:
• IBM’s Internet Connection
was a serious contender back then. It was an especially strategic product for
the giant corporation because it worked well with the IBM Global Network, an
early Internet access method.
• Symantec’s CyberJack
was another choice, this one from a company that would later become
well-known as a computer security powerhouse. The browser could even
decompress Zip files for you — something IE can’t do
to this day (without relying on built-in features of Windows XP).
• Netscape Navigator,
of course, was still tops in market share at this early crest of the Web
wave. Selling for a street price of $35, Netscape had the incentive and the
means to innovate, with extensive support for novelties of the day, such as
HTML tables, frames, and a wide array of “plug-ins” provided by third parties.
Other names were players then, too — Attachmate, Quarterdeck, Spry and
several others offered retail products that evolved almost weekly. IE 2.0 at
that time had no support for frames and commanded only a limited market share
(even though Microsoft allowed all comers to download it for free).
You may think that those days of Windows 95 and 28.8 Kbps modems are
irrelevant to us now. But with numerous security analysts coming to the
conclusion that IE’s reliance on flawed extensions such as ActiveX make
the browser impossible to permanently secure, your company may find itself
longing for the good old days when software competition was seen as a plus.
As The World Turns
Whether today’s competitors to IE are really engineered more securely —
or are merely attacked by worms less often — is beside the point.
If the marketplace supported 10 browsers today, hackers would have much
less incentive to generate remote threats, which would require the
development of specialized code for each alternative.
I sense that enterprises across America and around the world are just now
beginning to entertain the idea of abandoning IE and investing in other
browsers instead. It’s remarkable to think that a software company as
successful as Microsoft might actually blow a 95% penetration rate due
to a user backlash over bad engineering. But that’s what we’re starting to see.
In my view, the
Firefox
browser is coming on as a strong threat to IE. Emerging from the Mozilla team,
Firefox is still at a beta level of development. But it’s well into the
0.9x stage and should “go gold” with its slick tabbed interface as early as
September.
The older Mozilla browser itself is currently the most widely used of
all the IE alternatives. But that number of users merely represents low single
digits of market share and the product may soon be eclipsed by Firefox.
Opera, developed by a
Norwegian company, has had some success providing Web access in advanced cell
phones, but it’s still stuck at only about 1% of desktop PC users. Even so,
with major IE users desperate to get off the treadmill of constant updates
and patches, any alternative — even a little-used browser — starts
to look good.
Conclusion
Moving your company away from IE, unfortunately, doesn’t eliminate hacker
threats against Windows. Microsoft’s browser technology has been integrated
into its operating system since Windows 98, and merely avoiding the browser
doesn’t remove from a PC all of IE’s vulnerable components.
Additionally, you may be forced to fire up IE to visit sites that require
ActiveX to function. The worst offender is Microsoft’s own Windows Update,
which won’t work at all if you merely turn IE’s security setting to “High.”
In a nutshell, that setting may offer the best roadmap we can currently get. By
cranking IE up to its highest security setting to make its components less
vulnerable, lowering that setting to Medium only to access Windows Update
and its ilk, and using Firefox or Mozilla for everything else, you may just
be able to sleep easier at night.