Is It Time to Ditch IE?
Despite reports to the contrary, US-CERT hasn't recommended dropping Internet Explorer as the only--or even the best--way to combat online threats. "US-CERT does not recommend one specific browser or software product over another," states US-CERT's Manion.
Even when the US-CERT vulnerability note finally suggests using a different browser, it says that doing so may prevent Web users from using all of the features of key Web sites. The solution isn't bailing out of IE, according to TruSecure's Cooper, adding that doing so would be like "stamping out a flea on your back with a tractor trailer." Both he and Manion instead recommend simply adding known, legitimate sites to IE's Trusted Zone after tightening security in the Internet and Local Machine zones.
Concerns about IE's flaws may further decrease as users install Windows XP Service Pack 2, which became available in early August. Cooper, for example, particularly lauds SP2 for incorporating new IE features that protect users from attempts to invoke or install malicious software via a Web page. Manion likes the way SP2 prevents Web sites from altering IE's interface--for example, by hiding address and status bars that show the real name of a Web page, which allows perpetrators of phishing attacks to make their pages look much more believable. (Phishing is the use of realistic-looking Web pages or e-mail messages purportedly from banks or other financial institutions that request recipients to enter their user names and passwords, which then go directly to the attackers.)
Still, Microsoft's new service pack is not a panacea. "I have no doubt that some sort of attack will be discovered that can work against IE after XP SP2," warns Cooper. But at the very least, he says, SP2's new safeguards will make the problem of not knowing that an attack has occurred "dramatically less likely--if not eliminating it entirely."