Looks like all my talk about the Swiss-cheese that is Internet Explorer has got ***Dave asking some questions so I thought I’d toss them up here for folks to chew on.
Granted that IE has security issues, riddle me this:
- Is there something about IE’s architecture that renders it particularly, intrinsically insecure vs. other browser platforms, or is it just that the Bad Guys find IE a more attractive target than less-used browsers? And, if so, is this more a matter of security through obscurity than anything else?
- If the danger in IE is its openness to hostile scripting (via Java or ActiveX), how is a non-IE browser going to work around that and still maintain the web functionality folks (i.e., me) want?
- I haven’t been bitten by a security hole yet, and have the full array of AV and spyware-blocking and anti-spam stuff running on my machine. I avoid most risky behavior (don’t open spam, don’t hit file-sharing and adult sites). How much risk am I really taking here for what return?
I’m looking here for something a bit more sophisticated than “Micro$oft bad, Firefox Pretty” here. Any input welcome.
These are definitely fair enough questions and I’ll see if I can’t address them.
1: Yes to all three parts of this question.
OK, perhaps I should elaborate: A) Yes, there are things about IE’s architecture that does render it intrinsically more insecure. It’s a side-effect of two primary factors: First, the whole ease-of-use aspect of ActiveX and VBScript makes it, well, easy to write self-installing malware that isn’t blocked by firewalls for the browser. Second, the tight-integration with the OS means that minor vulnerabilities in one can be combined with minor vulnerabilities in the other. Individually these vulnerabilities may not be a big risk, but when combined they can be a problem and the bad guys are starting to figure out how to take advantage of them. The most recent flaw I talked about the other day isn’t a new vulnerability, Microsoft and various researchers have known about it since last January, but it wasn’t considered a significant risk so it hadn’t been patched by MS.
This is one of my big problems with IE in a nutshell: Microsoft tries to judge how significant any particular vulnerability is and may not patch one they’ve found until someone out there finds a way to use it to compromise a system. Even when someone finds a way to exploit it they may not bother to patch it for several months as they did with the flaw that allowed phishers to make it look like fake links in PayPal and eBay emails pointed to the legitimate websites. How many more minor vulnerabilities are there in IE that MS is fully aware of, but has judged as being not significant enough to warrant fixing?
B) Yes, in part it is just the fact that the bad guys find IE a more attractive target. After all, it does have something like 93% of the browser market at this point. Comparatively Mozilla/Firefox commands a mere 3-4% of the market. Much like Windows is a favorite target due to it’s wide-spread adoption, IE is also a victim of its popularity. Mozilla/Firefox isn’t without its own holes, no program truly is, but the problem definitely seems to be less severe with Mozilla/Firefox and the tendency to fix problems as they’re discovered is a lot better. It helps that often the people who find the problems send along a possible fix when reporting the bug. One definite advantage to Open Source software where anyone can look at the code.
C) Yes, switching to Mozilla/Firefox is a form of security through obscurity. Though it would be a mistake to assume that this is the only advantage Mozilla/Firefox has. Mozilla/Firefox is inherently more secure just in how it’s developed, written, and supported. The fact that it doesn’t use ActiveX or VBScript and isn’t so tightly integrated into the OS also factors into this (while admittedly also reducing some of it’s ease-of-use). Obscurity certainly doesn’t hurt, but it’s not the only reason it’s more secure.
2: How many websites do you visit that use ActiveX and VBScript? I can think of one for myself and that would be Windows Update, which I still pull out IE to make use of. Despite the near universal domination of Internet Explorer, the vast majority of websites out there make at least a token effort to keep their sites compatible with alternative browsers. Java, in terms of Sun’s Java, isn’t particularly well known for being used to write malware for browsers and the vulnerability that sites like CoolWebSearch took advantage of was in Microsoft’s version of the Java Virtual Machine, which is no longer distributed or supported by Microsoft. Is it possible to write malware for Mozilla/Firefox? Yes, I think it probably is, but no where near as easy as it is for IE.
Obviously if you use a lot of sites that make heavy use of ActiveX and VBScript then switching to Mozilla/Firefox isn’t going to work for you because they won’t work with the sites you visit most, but there’s probably fewer of those sites in your favorites folder than you suspect. You’ll need to leave IE on your system anyway just for the sake of Windows Update so it’s not like you can’t make use of it for the handful of sites you might need it for. For general browsing, though, it’s hard to beat Mozilla/Firefox. Especially when you take into consideration thing such as the joy of the built-in popup blocker. Your best bet is to install Firefox and then go to some of the sites you think might be a problem and see what happens. You could even download the package that doesn’t come with an installer so you can just delete the folder if you decide not to use it.
3: It’s hard to say how much of a risk you’re taking, though you sound a lot like me in terms of taking reasonable precautions. Until just recently I would have said you’re probably not at any great risk, but now you can’t even be sure that trusted websites you visit every day haven’t been compromised to install a Trojan on your system without your knowledge. They never said which big websites got hit, but imagine if one of them was Amazon.com? Or The New York Times? Or Stupid Evil Bastard? If you visit those sites daily then by the time you read a news report of the problem it may have already affected you. With that particular flaw it didn’t matter if you had completely up-to-date Windows patches, virus scanner and so on and all you had to do to catch it was visit the website. The only thing that might have saved you if you were a victim would have been a software firewall reporting that something was trying to get out onto the net. Even then if the keylogger had installed itself as an IE Browser Helper Object then it would never trip the firewall as it would be seen as part of IE.
So how much risk are you taking? Honestly, I don’t know. Probably less than a lot of folks and switching to Mozilla/Firefox isn’t going to make you completely risk free either. For me it was a combination of the lower risk and the fact that Firefox does things IE doesn’t such as the aforementioned popup blocker and the tabbed browsing. All of that together is why I use it more often than not.
With the upcoming release of Windows XP Service Pack 2 things will definitely improve (assuming you’re running XP). The popup blocker in IE is very effective and they’ve made some significant changes to the dialogues that popup when something tries to install itself on your system. It’s also a big help that there will be an option in IE that lets you see all the Browser Helper Objects that are installed and remove them (not possible currently) along with ActiveX controls. Will it be enough to bring IE to a reasonable level of security? That seems to be a matter of debate, but it should help a lot in my opinion.
In summary, security is only part of the reason most folks have made the switch. For many it was the initial impetus, but it was the other goodies that came with it that convinced them it was worth making the effort. Back when I first started in PCs I was a Netscape fan, but I dropped the browser when it was clear that it was at a severe disadvantage to Internet Explorer. I’m dropping IE now for similar reasons. YMMV.