***Dave asks the question: Is Internet Explorer really so bad?

Looks like all my talk about the Swiss-cheese that is Internet Explorer has got ***Dave asking some questions so I thought I’d toss them up here for folks to chew on.

Granted that IE has security issues, riddle me this:

  1. Is there something about IE’s architecture that renders it particularly, intrinsically insecure vs. other browser platforms, or is it just that the Bad Guys find IE a more attractive target than less-used browsers? And, if so, is this more a matter of security through obscurity than anything else?
  2. If the danger in IE is its openness to hostile scripting (via Java or ActiveX), how is a non-IE browser going to work around that and still maintain the web functionality folks (i.e., me) want?
  3. I haven’t been bitten by a security hole yet, and have the full array of AV and spyware-blocking and anti-spam stuff running on my machine. I avoid most risky behavior (don’t open spam, don’t hit file-sharing and adult sites). How much risk am I really taking here for what return?

I’m looking here for something a bit more sophisticated than “Micro$oft bad, Firefox Pretty” here. Any input welcome.

These are definitely fair enough questions and I’ll see if I can’t address them.

1: Yes to all three parts of this question.

OK, perhaps I should elaborate: A) Yes, there are things about IE’s architecture that does render it intrinsically more insecure. It’s a side-effect of two primary factors: First, the whole ease-of-use aspect of ActiveX and VBScript makes it, well, easy to write self-installing malware that isn’t blocked by firewalls for the browser. Second, the tight-integration with the OS means that minor vulnerabilities in one can be combined with minor vulnerabilities in the other. Individually these vulnerabilities may not be a big risk, but when combined they can be a problem and the bad guys are starting to figure out how to take advantage of them. The most recent flaw I talked about the other day isn’t a new vulnerability, Microsoft and various researchers have known about it since last January, but it wasn’t considered a significant risk so it hadn’t been patched by MS.

This is one of my big problems with IE in a nutshell: Microsoft tries to judge how significant any particular vulnerability is and may not patch one they’ve found until someone out there finds a way to use it to compromise a system. Even when someone finds a way to exploit it they may not bother to patch it for several months as they did with the flaw that allowed phishers to make it look like fake links in PayPal and eBay emails pointed to the legitimate websites. How many more minor vulnerabilities are there in IE that MS is fully aware of, but has judged as being not significant enough to warrant fixing?

B) Yes, in part it is just the fact that the bad guys find IE a more attractive target. After all, it does have something like 93% of the browser market at this point. Comparatively Mozilla/Firefox commands a mere 3-4% of the market. Much like Windows is a favorite target due to it’s wide-spread adoption, IE is also a victim of its popularity. Mozilla/Firefox isn’t without its own holes, no program truly is, but the problem definitely seems to be less severe with Mozilla/Firefox and the tendency to fix problems as they’re discovered is a lot better. It helps that often the people who find the problems send along a possible fix when reporting the bug. One definite advantage to Open Source software where anyone can look at the code.

C) Yes, switching to Mozilla/Firefox is a form of security through obscurity. Though it would be a mistake to assume that this is the only advantage Mozilla/Firefox has. Mozilla/Firefox is inherently more secure just in how it’s developed, written, and supported. The fact that it doesn’t use ActiveX or VBScript and isn’t so tightly integrated into the OS also factors into this (while admittedly also reducing some of it’s ease-of-use). Obscurity certainly doesn’t hurt, but it’s not the only reason it’s more secure.

2: How many websites do you visit that use ActiveX and VBScript? I can think of one for myself and that would be Windows Update, which I still pull out IE to make use of. Despite the near universal domination of Internet Explorer, the vast majority of websites out there make at least a token effort to keep their sites compatible with alternative browsers. Java, in terms of Sun’s Java, isn’t particularly well known for being used to write malware for browsers and the vulnerability that sites like CoolWebSearch took advantage of was in Microsoft’s version of the Java Virtual Machine, which is no longer distributed or supported by Microsoft. Is it possible to write malware for Mozilla/Firefox? Yes, I think it probably is, but no where near as easy as it is for IE.

Obviously if you use a lot of sites that make heavy use of ActiveX and VBScript then switching to Mozilla/Firefox isn’t going to work for you because they won’t work with the sites you visit most, but there’s probably fewer of those sites in your favorites folder than you suspect. You’ll need to leave IE on your system anyway just for the sake of Windows Update so it’s not like you can’t make use of it for the handful of sites you might need it for. For general browsing, though, it’s hard to beat Mozilla/Firefox. Especially when you take into consideration thing such as the joy of the built-in popup blocker. Your best bet is to install Firefox and then go to some of the sites you think might be a problem and see what happens. You could even download the package that doesn’t come with an installer so you can just delete the folder if you decide not to use it.

3: It’s hard to say how much of a risk you’re taking, though you sound a lot like me in terms of taking reasonable precautions. Until just recently I would have said you’re probably not at any great risk, but now you can’t even be sure that trusted websites you visit every day haven’t been compromised to install a Trojan on your system without your knowledge. They never said which big websites got hit, but imagine if one of them was Amazon.com? Or The New York Times? Or Stupid Evil Bastard? If you visit those sites daily then by the time you read a news report of the problem it may have already affected you. With that particular flaw it didn’t matter if you had completely up-to-date Windows patches, virus scanner and so on and all you had to do to catch it was visit the website. The only thing that might have saved you if you were a victim would have been a software firewall reporting that something was trying to get out onto the net. Even then if the keylogger had installed itself as an IE Browser Helper Object then it would never trip the firewall as it would be seen as part of IE.

So how much risk are you taking? Honestly, I don’t know. Probably less than a lot of folks and switching to Mozilla/Firefox isn’t going to make you completely risk free either. For me it was a combination of the lower risk and the fact that Firefox does things IE doesn’t such as the aforementioned popup blocker and the tabbed browsing. All of that together is why I use it more often than not.

With the upcoming release of Windows XP Service Pack 2 things will definitely improve (assuming you’re running XP). The popup blocker in IE is very effective and they’ve made some significant changes to the dialogues that popup when something tries to install itself on your system. It’s also a big help that there will be an option in IE that lets you see all the Browser Helper Objects that are installed and remove them (not possible currently) along with ActiveX controls. Will it be enough to bring IE to a reasonable level of security? That seems to be a matter of debate, but it should help a lot in my opinion.

In summary, security is only part of the reason most folks have made the switch. For many it was the initial impetus, but it was the other goodies that came with it that convinced them it was worth making the effort. Back when I first started in PCs I was a Netscape fan, but I dropped the browser when it was clear that it was at a severe disadvantage to Internet Explorer. I’m dropping IE now for similar reasons. YMMV.

7 thoughts on “***Dave asks the question: Is Internet Explorer really so bad?

  1. I like MS Windows but Mozilla is actually my “killer app.”  I use it for browsing, email, and I use the HTML authoring tool for letters and such because everyone has a browser of some kind on their computer while not everyone has Office.  Here’s how I compare Mozilla to IE:

    1) While both IE and ‘Zilla have holes, IE has more.
    2) It’s a simple fact that more malware writers are working on IE’s greater number of holes for whatever reason. 
    3) Microsoft has a nearly perfect track record of saying “we get it now” and then proving they don’t get it.
    4) I am not a technical wizard.  The effort it seems to take to get IE up to a nominal level of security often strains my modest ability.  Then when you get it secured, Windows Update doesn’t work anymore.  Screwed if you do, and…
    5) The open-source model appeals to me.  Problems are right out in the open where everyone can see them.  There’s no bigger “security through obscurity” than the closed-source model.
    6) I really dig tabbed browsing
    7) I really hate popups and it’s so easy to block them with ‘Zilla.  I like the fact that the developers made it easy for me to choose without having to do something complicated or load another utility.
    7) I prefer standards-based stuff to proprietary stuff.
    8) Mozilla’s HTML authoring tool is really handy for quick HTMLs.
    9) I like Mozilla’s mail client – it’s rather skeptical of incoming messages.  It seems to ignore tricky stuff.
    10) In Mozilla it appears to be security first, then features.  In IE, it seems to be features first, then security.

    Anyway, I use IE mostly for Windows Update and a couple other sites and ‘Zilla for everything else.  I’ll use whatever browser seems the best at the time.  If a really fantastic IE came along, I’d switch back.

    Why does Microsoft even make a browser?  Do they somehow make money with it?.  It’s costing them no end of grief.  Any MS employees here who can explain that to me?

  2. My wife and I do our banking (paying bills and transfering money between accounts) via the web now. The recent talk of a hole to allow people to see my banking information really worried me.

    I was having problems getting Mozilla/Firefox to work with our banking site. However, my wife realized that Mozilla/Firefox was blocking the pop-up window that the bank was trying to open. Once she allowed that window to open, we were able to pay the bills using Mozilla/Firefox.

    I feel way more comfortable with Mozilla/Firefox for just about everything on the web now. I’ve gotten used to using Firefox and once the bug is fixed that is causing Firefox to mess up rendering the “Post an article” page in ExpressionEngine, I’ll be updating to the latest version. Currently using 0.8 for now.

    I will only use IE for Windows Updates and would really like to be able to do those with Firefox too. Probably not going to happen thought…

  3. Well, I recently had a ‘close brush’ with some very, very pesky malware on IE. Something tried to change about 10 settings on my browser/install all kind of plug-ins via registry, and only the ‘Deny’-Button of Spybot kept me safe from it (Thanks Les, I believe I installed it in response to a topic here).

    Anyway, it was a real horror. Surfing was impossible, since the changes kept popping up with every new page. Try using links and stuff if you have to click ‘deny’ 10 times for each…

    So I have been browsing with ‘high safety’ settings for now, with the exception of some sites that I NEED active X and stuff for – mainly Yahoo web mail, which can’t be used at hig setting, so I put it in trusted sites and hope they never get infected.

    I was thinking of switching to Mozilla, but if you tell me they can’t handle pages like that at all? Unlike Lez, I think many pages don’t work well without – as Lez says – mostly its a token effort to keep up functionality.

    Ebay is still very much usable though. Have to give ‘em that.

  4. The really nice thing about free software is that it’s free to try out. smile

    Go ahead and install Firefox and try your favorite sites with it. More than likely it will work just fine.

    Firefox has a page to help the transition from IE to Firefox. It’s located here: http://www.mozilla.org/products/firefox/switch.html

    Cap: pay (Does this captcha thing read the mind of the poster to come up with a Captcha-Sense word or something!? smile )

  5. Ingolfson, you can use Mozilla/Firefox for Yahoo! Mail.  Been doing it for a couple of years with no glitches since Mozilla 0.7 back in 2001.  Ditched IE when Mozilla hit 1.0 in 2002 and haven’t looked back (well except for those endless Windows Updates….)

  6. The spoofstick plugin for Firefox (a version also exists for IE) parses your actual URL and sticks it up in large text on a toolbar. I thought it was a pretty stupid idea until I started reading about some of the spoofs that are out there. I then immediately installed it.

    So far it hasn’t saved me from anything, but I’m pretty focused and conservative about my browsing.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.