In-Depth

Time to Dump IE?

Internet Explorer is a hacker's dream. Can you (and should you) drop it right now?

• By Don Jones
• 10/01/2004

Internet Explorer is the Swiss Cheese of software—it's full of holes. Holes in software are never good, but when the browser is so integrated with the OS as to be as one—you've got problems. Add to that the sheer ubiquity of the Microsoft browser, and it's no wonder IE has become the hackers' No. 1 playground.

Now we're beset by increasingly common—and dangerous—security vulnerabilities. We knew IE was integrated with Windows, but we didn't have any idea how integrated it was. Even Microsoft doesn't seem to have a firm grasp on IE's internals, judging from the weeks it took to deliver an actual fix for the recent Download.Ject Trojan.

Not to say an integrated browser is all bad. To a developer, an integrated browser is cool because it gives you a built-in HTML rendering engine. You can then write apps that use HTML, knowing that the OS can render that HTML for you. IE can begin to take over the regular Windows Explorer shell and, in fact, has become so tightly integrated with Windows Explorer that it's a bit difficult to see where the shell ends and the browser begins.

The downside is a real downer. With a regular Web browser, a security vulnerability might let someone crash the browser. With an integrated Web browser they can crash the whole operating system. The tight ties to Windows means that the slightest IE security issue becomes an OS-wide panic. It's not just IE, either: Windows Media Player, Outlook Express, and even DirectX, are all, in my opinion, overly integrated and give hackers too much access to core PC functions.

But corporate users don't spend a lot of time playing with DirectX-based games, listening to Windows Media Player, or checking e-mail with Outlook Express. They do spend a lot of time in IE, and the more they surf the more they're vulnerable to its eccentricities. That's why more than a few corporations, not to mention individual users, are looking at alternatives—any alternative—to the built-in browser.

Browsing the Alternatives
Despite dire predictions from Netscape (now a unit of America Online, which, weirdly, continues to bundle IE with its software), the market for non-Microsoft browsers didn't go away. It sure as heck got small, though, with Microsoft now commanding around 95 percent of the market, according to some sources. But the times, they are a-changin'. San Diego Web metrics company WebSideStory recently reported IE losing 1 percent of that market, the first time IE has stumbled. IE is now down to 94 percent. Who's gaining? Mozilla.

The open-source code base of the Netscape browser, Mozilla offers a couple of browsers. Mozilla 1.7 is its base product (1.8 is in beta as of this writing); Firefox (currently at 0.9) is the next-generation browser. Both are available from www.mozilla.org. Netscape also offers 7.1 of its venerable browser based on Mozilla code. It's available from www.netscape.com, but you'd better hurry: It'll be the last Netscape-branded browser AOL produces.

Figure 1. Firefox's tabbed browser beats the heck out of Alt+Tabbing between a clutter of browser windows. (Click image to view larger version.)

There's also the well-known Opera Web browser, currently at version 7.53, available from www.opera.com. All of the Mozilla products, including Netscape's browser, are completely free. Opera offers a free, advertising-supported browser as well as a $40 version sans ads. And those are just the Windows browsers (see online extras for more on browsers for other OSes). While these are the major contenders, others exist: Search Download.com for "Web browser" and you'll get 356 results, many of which are small-footprint, self-contained Web browsers. Be aware that some of these simply throw a new cosmetic face on Windows' built-in IE objects, meaning you're still using IE. Others are completely self-contained and count as true alternatives.

Pros and Cons of Straying From the Pack
Forgetting security for a moment, there are functional reasons to consider another browser. One of the best is tabbed browsing, something you'll love once you try. Firefox's tabbed browsing shows each Web page in a separate tab (see Figure 1), allowing you to quickly flip among pages all within one window. Ctrl+ clicking a hyperlink opens a new tab, keeping your desktop nice and manageable. You can close tabs individually and add a group of tabs to a single bookmark for later reference. Any group of bookmarks can be opened all at once, with one page per tab. It's intoxicating.

Most of the third-party browsers build in searching. You can select from an array of other search options that plug into Firefox, such as Amazon, eBay, Yahoo and more, providing robust searching right from the toolbar. Opera supports similar functionality: Typing "g browser" in the address bar will search Google for "browser."

Pop-up blocking is also built into most alternative browsers. Many IE users are already installing tools like the Google Toolbar to handle annoying pop-up ads, and Microsoft has promised integrated pop-up blocking in a forthcoming version (which must irritate the folks who run the MSN Web site, a notorious pop-up villain).

For most other functions, it's all the same. While alternative browsers don't support ActiveX controls, they do support a plug-in model based on the original Netscape Navigator's model, and there are compatible plug-ins for technologies like Flash. Many legitimate, commercial Web sites have eschewed ActiveX in recent years because of that technology's worsening reputation as a virus and Trojan vector.

You're obviously going to miss out on some functionality if you switch browsers. Anything ActiveX-based won't work, nor will sites that use client-side VBScript for dynamic HTML. Someone sitting in an ivory tower might suggest that not having VBScript and ActiveX is a good thing and that visiting sites that use them is a bad idea anyway. True, but if that Web site happens to be your internal procurement Web site, not visiting isn't really an option.

Does "Non-Microsoft" Really Mean "Secure"?
No software is secure in the absolute sense of the word. Mozilla has issued more than a few patches for its browser, as has Opera. For example, Mozilla issued a patch that stops the browser from allowing an attacker to execute applications on a Windows system—something we're used to dealing with in IE.

With this in mind, part of the reason that browsers like Mozilla are more secure is that there are fewer deployments. Attackers prefer to have a good opportunity, so in many cases they simply ignore marginal products. You can be sure that if Mozilla had a 95 percent market share, we'd see more than a few patches cropping up.

But that's not what led the U.S. Computer Emergency Readiness Team (CERT) to announce, in June, a recommendation that users stop using IE. While the advisory, posted on the CERT Web site (www.kb.cert.org), relates to a specific IE vulnerability, the advisory states that there are a "number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites." In the eyes of CERT, IE's architecture is at the heart of its security problem, not just that millions of copies are in use. The most compelling thing an alternative browser offers, therefore, is an alternative architecture, one less tightly integrated with Windows.

The patch issued by Mozilla is the first and only entry for that browser in the CERT database. Opera doesn't show up at all in CERT's records, nor does Netscape 7.1. A search of CERT's vulnerability advisories for Internet Explorer returned more than 80 results. Clearly, an alternative architecture offers some promise.

So does simplicity. The Mozilla browsers (including Firefox and Netscape) use a simple checkbox to turn off JavaScript and Java. That's it, on or off. IE has a similar capability, but it's tied to a complex system of zones. While JavaScript might be disabled for the Internet zone, an attacker who sends you an HTML file and gets you to execute it locally can attack from the more highly trusted Local zone, which by default has everything enabled. Alternative browsers, while supporting plug-ins, provide absolutely no support for ActiveX, which from a security standpoint is one of Microsoft's bigger mistakes.

There is one area in which the alternative browsers (at least, the Mozilla family) commit the same sin as Microsoft: Trusted Certification Authorities (CAs). I have a long-standing gripe with the number of CAs that Microsoft has arbitrarily decided that I trust, without providing any information on how trustworthy these CAs are or what procedures they use to verify the identities of the organizations and people they issue certificates to. I've always recommended paring that list down to the CAs you've personally investigated and decided to trust. Sadly, alternate browsers ship with a similar, extensive list of trusted CAs built in, although it's still somewhat shorter than the all-encompassing list included with the current IE.

Super-Sized Browser Manageability and Deployment
Sure, non-IE browsers may offer increased security, but when it comes to implementation, there are downsides. For example, if you're not using System Policies or Group Policy to centrally manage IE and you're not using an auto-discoverable proxy server like Microsoft ISA Server, then enterprise manageability isn't a concern for you. Unfortunately, if you are using those features, you're probably going to lose them. Nothing but IE supports the Microsoft-centric "proxy discovery" mechanism that so many companies rely on to auto-configure Web browsers. With other browsers, you have to manually configure the proxy settings the first time out, and users may have to reconfigure laptop settings when they're away from the office.

And because most alternative browsers run on more than one operating system, none make extensive use of the Windows registry. Instead, they tend to store information in a proprietary configuration file. Personally, I've always been a little skittish about the registry. Having my configuration information in one place just seems to be tempting fate. But the registry is the enabling technology behind System Policies and Group Policy. That IE goes to a certain portion of the registry for its configuration information makes it possible to centrally manage IE through registry-manipulating technologies like Group Policy. In short, you're not going to be configuring Firefox via Group Policy anytime soon. The decision to deploy an alternate browser is a decision to relinquish centralized control. That said, you may not find yourself yearning for centralized control. Without complex Security Zones and a dozen other settings, allowing users to configure their own browser preferences might not be so scary. The Firefox options dialog is pretty straightforward (this is a version back from the current release, but the newest version looks similar). Even the Advanced section's 14 settings can't hold a candle to IE's overly option-laden Advanced tab.

Deployment is another issue. Unfortunately, most of these alternative browsers are distributed as executable files, rather than the easier-to-deploy MSI packages that work so well with Group Policy's IntelliMirror features. In fact, of the most popular third-party browsers—Opera, Firefox, Mozilla and Netscape—none were available as an MSI. Of course, you could use MSI repackaging tools for easier deployment through SMS, Group Policy or some other tool, but it's a shame that these vendors haven't realized the market potential and made their products more accessible to corporate IT departments.

How Do You Ditch an "Integrated" Browser?
Ever remove IE with the Add/ Remove Programs function? You can't. In fact, you can never rid your hard drive of IE because it is completely integrated into Windows. Microsoft made that point while defending lawsuits over IE.

Today, the best you can do is to stop using IE. You can start by using the "Program Access Defaults" application that comes with the latest versions of Windows to block access to IE. This will, however, only stop IE's user interface from running; the underlying functionality, which is used in a number of Microsoft management console (MMC) snap-ins and other applications, will continue to execute. However, if your users aren't using IE to browse Web sites, they'll be much less likely to get nailed by the next vulnerability.

Which brings me to the real question: Can you live without IE? I try to use Firefox as my main browser, but I find myself firing up IE from time to time out of sheer necessity. My Web site uses Google AdSense to display context-sensitive ads to my users. The AdSense administration site works only with IE, which, if you think about it, is ironic given the competition Google is starting to face from Gates and Co. A number of companies have built intranets around IE, meaning they'll have to continue using it until those sites can be redeveloped. Given today's IT budgets, that might never happen. A number of commercial Web sites rely utterly on IE, which is something those companies may want to seriously reconsider in light of signs of waning popularity for IE (not to mention its increasing age).

Unfortunately, there are a number of ways that IE can "get ya," even if you're not using it as your Web browser. IE is basically a gigantic COM object; it can be instantiated and controlled by ActiveX controls, applications and scripts written in VBScript or JScript. Not using IE will not make you invulnerable to IE-based attacks, but not using IE will make you less likely to get those attacks into your system in the first place.

Alternative Medicine
Alternative browsers may not offer perfection, but they offer plenty of features, though with less manageability. Their security is stronger at this point, but haven't really been tested. At the very least, though, these browsers offer far less integration with the Windows operating system, making them far less likely to be an entry point for a severe, system-damaging attack.