Should You Give Up Internet Explorer?

by Preston Gralla

Another day, another Internet Explorer vulnerability. Ho-hum, you might say. Who can keep track of them all? The U.S. Computer Emergency Readiness Team (CERT) issues yet another advisory, Microsoft issues yet another patch, and the world goes on.



Except this time it's different. CERT's advisory, as always, includes recommendations on how to protect yourself against the vulnerability. But buried at the bottom is this bombshell recommendation: "Use a different Web browser."



So here we have a team funded by the U.S. Department of Homeland Security recommending that we all give up Internet Explorer. As you might guess, downloads of alternate browsers Mozilla and Firefox have gone through the roof.



But should you give up Internet Explorer? First, look at the roots of the vulnerability. It's true that no one will ever accuse Microsoft of being overly focused on security. But on the other hand, there's one primary reason that malware writers target IE rather than other browsers - it's the browser that everyone uses. If Mozilla or Firefox were to suddenly become the most popular browser, either would be Target Number One as well.



ActiveX presents a big, tempting target, and malware authors have taken advantage of it. Internet Explorer supports it; Mozilla and Firefox (and Opera) don't. But when you give up ActiveX, you give up a lot. If you ever use the Web for Windows Update, for example, you use ActiveX. And there are plenty of other places that use it as well.



So for now, I'm still using Internet Explorer, although I'm about to download Firefox as well. Maybe I'm a tempting target, but isn't computing about living dangerously?




Are you ready to give up Internet Explorer? Let me know.


26 Comments

macrat
2004-07-06 19:42:52
Give up Windows
Just stop the pain at the source and stop using Windows.
Chirael
2004-07-06 23:30:33
ActiveX and the Microsoft Agenda
The really irritating thing about ActiveX was that you couldn't disable it easily. IF you could figure out how to disable it (they didn't make it easy, certainly too difficult for most users), then you would still be faced with an annoying "This page will not display correctly; would you like to enable Active X?" for EVERY page. MS engineers aren't dumb; I'm sure they realized just how annoying it would be, just as they deliberately tried to annoy people into signing up for a Passport/Messenger account when XP first came out.


I think MS does make good products, but I also see the many big and small ways they insidiously push their technological agendas, from middleware to marketing to user interface. My reason for avoiding MS products when I can isn't because they're inferior--they generally aren't IMO--it's because Microsoft puts its own monopoly power ahead of the user's interest. Priority #1 is ensuring Microsoft's continuing dominance, priority #2 is making life better for the user. Usually they find a way to accomplish both, but when push comes to shove my experience is that Microsoft will put itself first.


Open source, by comparison, is about choice. The Mozilla foundation doesn't have contracts or co-investments with Macromedia, so it has no qualms about allowing the user to easily and permanently disable Flash. It's not pushing technology X down users' throats because it knows it can sell the next version of VisualX if they succeed in getting the market locked into it. Sure, the process takes longer, but I think in the end, freedom of choice and not having to worry about hidden agendas is worth it.

simon_hibbs
2004-07-07 01:06:49
What is in the best interests of users?
I'm no Microsoft hater, I use Microsoft products every day and some of my core career skills depend on Microsoft products and technologies. However their effective abandonment of development of the IE platform for so many years speaks of an appalling complacency which has made this CERT recommendation almost inevitable.


You answer your question 'should you give up Internet Explorer?' in the negative because 'If Mozilla or Firefox were to suddenly become the most popular browser, either would be Target Number One as well'. This is essentially irrelevant. The alternative browsers are not Target Number One, they are not subject to continual and effective attack by hackers. Protesting that maybe, one day if the stars align in a certain way they might be, is no way to justify inaction now to resolve vulnerabilities today.


Fortunately Microsoft are restarting development on IE, although comments by their developers so far have shown a half-hearted approach to the project, and in particular the issue of standards compliance. It's about time they got their act together.


Come on Microsoft - We know you can do better, and if you don't there are plenty of alternatives that users should not be afraid to explore!


Simon Hibbs

guet2
2004-07-07 01:10:28
Other websites?
Hi,


I'd be interested to know if there are any other mainstream websites that use ActiveX nowadays, apart from windows update? I use a mac and haven't really come across any sites that require it, apart from windows update. Annoyingly I wanted to access windows update for a friend on dial-up recently (computer continuously rebooting, uses an anti-virus program but never updates and no firewall), and couldn't download anything as it's broken in other browsers, there was no alternative given. The updates are really too large for her to download at home. I really don't see why they would exclude other browsers apart from to try to lock down their users to use their software and platform.


Frankly, when I find a message in a browser window that tells me the browser is checking my version of windows (as happens on Windows Update), that really worries me.


If that's the only mainstream one that requires it, why not use another browser most of the time and just use Explorer for Windows Update? There are so many other advantages to other browsers (standards support, pop-up blocking, tabs etc) apart from security, that the question should really be :


'Should you keep using Internet Explorer™?'

jwenting
2004-07-07 01:24:43
simple solution
The simple solution is to change your IE settings to always ask for permission before executing any ActiveX control.


That's what I do as standard and strangely I never have malware intruding through my browser...


I fully agree that any platform that's the de-facto world standard is the prime target for intrusion attempts.
After all, why target Mozilla when only 1% or so of users run it when you get 95%+ when targeting IE?
The virus writers and malware authors are doing this after all for 2 reasons which are highly related through the desire to get the highest possible number of infected machines.
Those 2 are:
1) economic incentive (mainly for spyware authors and authors of trojans that turn computers into spam robots)
2) peer recognition in the cracker and malware author community.


Of course the typical Microsoft haters are unlikely to ever admit this...

aristotle
2004-07-07 02:56:58
Sorry, come again?
I've been using Firefox (on Linux, to top it off) for ages, and I've never come across a site that required ActiveX. If there's anything I miss with any frequency, it's the lack of a Shockwave (not Flash) plugin, but that's because I'm on Linux, and wouldn't be an issue if I ran Firefox on Windows.


I can't see why anyone would stick to IE nowadays, particularly when all the other browsers also provide a loads better user experience.

xeroply
2004-07-07 09:00:21
Other websites?
Note that you can obtain security-related patches from Microsoft without going through Windows Update, and without needing ActiveX. Go to:


http://www.microsoft.com/technet/security/CurrentDL.aspx

brianiac
2004-07-07 09:54:07
Why should you keep using IE?
Look, I use Microsoft products everyday, and I like many of them, but what is this hand-wringing all about?
Is this just inertia? With which sites do you have trouble with Firefox?
I mean IE barely understands HTML (the abbr tag, option groups, the button tag, the object tag, no alternate stylesheet selector, no link bar, ...), much less CSS (selectors, box model). It simply isn't very capable!
Should ActiveX be a bigger concern than these basic web technologies?


In terms of security, I can understand the "biggest target" argument, but is it really technically *possible* to install spyware on anything other than IE? If so, is it a transient bug? It seems that it is easier to build an amoral business model on a "feature" like ActiveX, than a programming error that cannot be relied on.


Sure, you can disable ActiveX (or set it to prompt, although in my experience that just does the same thing), but then you have a browser without ActiveX (or that, in the best case, incessantly prompts you--remember the Eolas proof of concept IE?) *or* decent standards support (or cool extensions/themes).

jimothy
2004-07-07 10:45:58
Windows Update
Ironically, the prime use for ActiveX and thus IE, both acknowledged security risks, is Windows Update, a service to install patches for...security risks!
simon_hibbs
2004-07-08 04:34:48
Other websites?
>I'd be interested to know if there are any other mainstream websites
>that use ActiveX nowadays, apart from windows update?


There are many. Run IE and set it to ask you every time before running an ActiveX control. The &^$* dialog pops up for me constantly. You can also switch it off completely.


Simon Hibbs

jwenting
2004-07-08 07:12:14
Other websites?
None of the data collected by the Windows Update control is ever sent over the net except the list of updates it is requesting from the server (hard to get them otherwise).


As to standards support, in that IE excels thank you very much.
It's simply THE most complete implementation of the HTML, ECMAScript and CSS standards as well as XSLT and XML.

jwenting
2004-07-08 07:14:13
Windows Update
Ironically, you're wrong...


ActiveX is central to the way all (modern) Windows applications work. Every button and other control you see on your screen is actually an ActiveX component.
If you're using DirectX, everything is ActiveX controls including (but not limited to) your sound, animation, graphics, network connection, etc. etc.

jwenting
2004-07-08 07:17:08
Sorry, come again?
Which browser you prefer is a personal choice.


I've used all major browsers since Netscape 2 (haven't tried Firefox yet, maybe will have a look at it when it's matured) and IE (post 3.x) is by far my favourite for stability, speed, as well as features and standards support.

micampe
2004-07-08 07:43:58
On market share
Ok, I'm fairly sure that if Firefox would be the browser used by 90% of the Internet it'll surely be attacked (the same could be said for my lovely Mac OS X or for mail clients) but what I'd like to ask is: why doesn't this happen to the Apache vs. IIS case? Last I checked there were way more IIS advisories than Apache, yet Apache has bigger market share, how could that be?
guet2
2004-07-08 09:39:32
Other websites?
Thanks that's interesting, I didn't realise so many sites were using it. I'm on a mac so I can't turn it on or off. Haven't used Internet Explorer in a long time and can't say I miss it. The only site which I have to use IE for is a banking one which displays fine in other browsers but has one form which won't work : )


Presumably the sites that I haven't noticed it on are serving up alternate content for other browsers. I wonder what they're using it for?

guet2
2004-07-08 09:50:04
Standards support
It was more the fact that it can look at your system etc that worried me, not that it would send info to microsoft in that particular instance. I'm sure it's ignorant paranoia : )


Re Standards support, there are a few things which I've found frustrating about IE (various versions), like the lack of support for transparency in PNGs without a horrible hack (AlphaImageLoader), and various CSS problems - here's a few:


http://www.quirksmode.org/css/contents.html


I wouldn't call that the best support, it's not bad, but there are better browsers, and Microsoft doesn't seem inclined to fix it before 2007. According to that table, it doesn't seem to be the most complete implementation at all (of CSS). The XSLT support is very nice, I wish other browsers had that.

guet2
2004-07-08 09:50:53
updates
ta
jackbang
2004-07-08 11:42:28
Two Reasons to switch...
...to Safari or Mozilla/Firefox:


1) Pop-up blocking


2) Tabbed browsing


I can't live without these features now that I've tried them. Until Microsoft releases IE 7 you owe it to yourself to check out the competition for those two things alone, all security considerations aside.

jcteo
2004-07-08 17:31:35
Give up Windows
Amen!
vainst1k
2004-07-08 21:32:23
disable ActiveX in the non-Trusted Zones!
Geesh... all you guys here are hard-core geek warriors... hand-hacking Sendmail config and so forth... and disabling ActiveX in IE's Internet Zone is too tough? Trust me, no soldering iron required.
ilyanov
2004-07-09 07:22:12
I drive a car
The CERT advisory is sort of like GreenPeace telling me to car pool. Surely one more measly car on the road is not going to damage the climate or kill off the whales. Does it? Surely them terrorists are not smart enough to figure out how to exploit these holes and even if they did know how to, they are not going to target my browser. After all what can I do and besides, I am not that important for them to notice. I only work at a bank.
vainst1k
2004-07-09 07:37:30
Mozilla vuln - here ya go
As another poster was saying, the popular browsers are targeted.


http://www.pcmag.com/article2/0,1759,1621741,00.asp

vainst1k
2004-07-09 09:57:50
O'Reilly admins, stop deleting my posts
like the one about the Mozilla vuln
badguy
2004-07-11 14:17:20
Other websites?
IE isn't that good at standards - it implements them but isn't very compliant as it doesn't strictly enforce the syntax.
For example in JavaScript on IE you can do document.forms(form) whereas it should be document.forms[form]
Firefox supports all the standards you mention.
paulwaite
2004-07-14 02:24:07
Most complete standards implementation
Hee hee hee hee hee! That's a good one. IE good at CSS. Hee hee hee! I'm sure it's fine at everything else, but as far as CSS goes, IE6 is almost the new Netscape 4 (http://www.evolt.org/article/Browser_Wars_II_The_Saga_Continues/25/60181/).
kyleadams
2004-07-14 06:25:33
Other websites?
Wow. That is just about the most ignorant statement I've ever seen about IE and standards support. Go ahead, test it for yourself--try the W3C's CSS test suites. Be sure to run through the selectors suite in IE.


Of course, if IE was truly standards compliant, we wouldn't need things like Dean Edwards' IE7, would we?


Anyone with a lick of knowledge about Web development knows that IE's support for standards is abysmal. Anyone claiming otherwise needs to do some more research.