Is It Time to Ditch IE?

Art Manion of the Department of Homeland Security says that Internet Explorer's unique features increase its vulnerability.
Photograph: David Aschkenas
This summer the Department of Homeland Security's cybersecurity wing suggested that people use a different browser to deal with Internet Explorer's continuing security flaws. Could this be the beginning of the end for Microsoft's Web browser dominance?

Don't bet on it. Recently discovered flaws in the Mozilla browser illustrate that it is not immune to exploits (see "In Search of a Safer Browser"). Also, Windows XP Service Pack 2 provides new protections against IE-specific attacks (IE's tight integration with Windows prevents you from uninstalling it, anyway). Still, with no end in sight to Web-based attacks, neither alternative--patching IE or switching to a non-Microsoft browser--is by itself sufficient to ensure online safety.

Popular Target

IE's sway is impressive: In June, IE's global browser usage share was 95 percent, according to the Web analytics firm WebSideStory.

But that ubiquity has also subjected IE, and Microsoft, to sustained attacks from virus and worm writers and browser hijackers looking for the biggest returns. According to TruSecure Corporation Chief Strategist Russ Cooper, moving to another browser would provide only a temporary solution: "If people did switch en masse, the attackers would simply switch their target."

Still, market dominance is not the only reason for the Microsoft browser's disproportionate share of attacks. Art Manion, Internet security analyst for US-CERT, the operational arm of the National Cyber Security Division at the Department of Homeland Security, says IE's unique features increase its online vulnerability. Examples include IE's security zones; its support for scripted ActiveX controls and for scripts that let Web sites hide browser menus and toolbars; and Dynamic HTML support. "Other browsers simply do not have these features," Manion adds.

Microsoft continues to put out patches for newly discovered flaws. But after a flaw that had been previously repaired reappeared in a new patch, US-CERT issued a vulnerability note recommending that Web users might want to consider a different browser. Around the same time, in early July, WebSideStory reported that for the first time in years, IE's market share had dropped by a percentage point, to 94 percent.

IE's preeminence is unlikely to decline significantly, however. Despite long-standing efforts by Web-standards organizations, many companies continue to employ Microsoft-proprietary scripting and HTML extensions that make their sites fully functional only when viewed using Internet Explorer. And even when you do set up a different default browser, some features of Windows--including the crucial Windows Update patch mechanism, Windows Messenger, and Outlook Express--invoke IE regardless of your default browser choice.

Subscribe to the Security Watch Newsletter

Comments