Is It Time to Ditch IE?

Other Steps

Despite reports to the contrary, US-CERT hasn't recommended dropping Internet Explorer as the only--or even the best--way to combat online threats. "US-CERT does not recommend one specific browser or software product over another," states US-CERT's Manion.

Instead, the US-CERT vulnerability note suggests dumping IE as the last of several strategies for handling a flaw in which a Web page in the Internet Zone (where IE invokes a number of safeguards against attacks) can trick IE into running JavaScript code in the much-less-secure Local Machine Zone, where programs are assumed to be known to the computer user.

Other measures that US-CERT recommends include disabling Active scripting (which encompasses JavaScript) and ActiveX controls in both the Internet and Local Machine zones; applying security updates for Microsoft Outlook; sending and receiving mail using the script-proof plain-text format; using an updated antivirus program; and avoiding links embedded in unsolicited e-mail, instant messages, or Web forums (see August's Internet Tips).

Even when the US-CERT vulnerability note finally suggests using a different browser, it says that doing so may prevent Web users from using all of the features of key Web sites. The solution isn't bailing out of IE, according to TruSecure's Cooper, who adds that doing so would be like "stamping out a flea on your back with a tractor trailer." Both he and Manion instead recommend simply adding known, legitimate sites to IE's Trusted Zone after tightening security in the Internet and Local Machine zones.
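As an added example that is not part of the article, the following PowerShell script audits the configuration the two experts describe: whether Active scripting and ActiveX controls are disabled in the Internet and Local Machine zones, and which sites have been placed in the Trusted Zone. The registry locations, value names (1200, 1400) and zone numbers are the standard IE zone settings and are assumed here rather than taken from the article; only the current user's settings under HKCU are read, so machine-wide policy overrides are not considered.

```powershell
# Added audit script (not from the article). Reads the standard IE zone
# settings for the current user; assumes HKCU is authoritative.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers and the two per-zone settings the article calls out.
$zones    = @{ 0 = 'Local Machine'; 3 = 'Internet' }
$settings = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$states   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneAudit {
    foreach ($zone in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -ErrorAction SilentlyContinue
        foreach ($valueName in $settings.Keys) {
            $raw = if ($null -ne $props) { $props.$valueName } else { $null }
            $state = if ($null -eq $raw) { 'Not set (default)' } else { $states[[int]$raw] }
            [pscustomobject]@{
                Zone     = $zones[$zone]
                Setting  = $settings[$valueName]
                State    = $state
                Hardened = ($raw -eq 3)   # 3 = Disabled, the setting US-CERT recommends
            }
        }
    }
}

function Get-IETrustedSites {
    # Each entry is a key Domains\example.com (optionally \www for a host label);
    # a DWORD named '*', 'http' or 'https' with value 2 assigns it to the Trusted Zone.
    Get-ChildItem -Path $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $entry  = Get-ItemProperty -Path $_.PSPath
        $labels = ($_.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        foreach ($scheme in @('*', 'http', 'https')) {
            if ($entry.$scheme -eq 2) {
                [pscustomobject]@{ Site = "$scheme://$hostName"; Zone = 'Trusted' }
            }
        }
    }
}

Get-IEZoneAudit   | Format-Table -AutoSize
Get-IETrustedSites | Format-Table -AutoSize
```

Rows with Hardened = False show where the Internet or Local Machine zone still allows scripting or ActiveX; the Trusted Zone list should contain only the known, legitimate sites the article suggests adding there.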

Concerns about IE's flaws may further decrease as users install Windows XP Service Pack 2, which became available in early August. Cooper, for example, particularly lauds SP2 for incorporating new IE features that protect users from attempts to invoke or install malicious software via a Web page. Manion likes the way SP2 prevents Web sites from altering IE's interface--for example, by hiding address and status bars that show the real name of a Web page, which allows perpetrators of phishing attacks to make their pages look much more believable. (Phishing is the use of realistic-looking Web pages or e-mail messages purportedly from banks or other financial institutions that request recipients to enter their user names and passwords, which then go directly to the attackers.)

Still, Microsoft's new service pack is not a panacea. "I have no doubt that some sort of attack will be discovered that can work against IE after XP SP2," warns Cooper. But at the very least, he says, SP2's new safeguards will make the problem of not knowing that an attack has occurred "dramatically less likely--if not eliminating it entirely."
