The
latest version of IE is 6, and it has certainly accumulated an
impressive record of holes: 153 since 18 April 2001, according
to the SecurityFocus
Vulnerabilities Archive. There have been some real doozies
in there. For instance, last August, Microsoft issued a patch
that fixed a hole that the company described this way: "It
could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for
the attacker to exploit this vulnerability without
any other user action." Oh, is that all? Well, that's
super - simply visit a Web page, and you're 0\/\/N3d, d00d!
A little over a week ago, the SecurityFocus Vulnerability
Database reported the "Microsoft
Internet Explorer Modal Dialog Zone Bypass Vulnerability,"
which "may permit cross-zone access, allowing an attacker
to execute malicious script code in the context of the Local
Zone." That was just one of the six reported so
far this month - and we're only halfway through!
In fact, it's gotten so bad that now spyware creators (AKA,
scumbags) are using flaws in IE to surreptitiously
install the I-Lookup search bar (or one of several others)
into the browser. Again, the user doesn't need to do
anything - just visit a Web site or click on a URL in an email.
The results? Your home page is changed, a bunch of new bookmarks
show up in your Favorites, and popup windows for porn sites open
constantly.
I could go on
and on.
Look, let's be honest with each other. We all know this is true:
IE is a buggy, insecure, dangerous piece of software, and the
source of many of the headaches that security pros have to
endure (I'm not even going to go into its poor support for Web
standards; let that be a rant for another day). Yes, I know
Microsoft patches holes as they are found. Great. But far too
many are found. And yes, I know that Microsoft has promised that
it has changed its ways, and that it will now focus on
"Trustworthy Computing." But I've heard too many of
Microsoft's promises and seen the results too many times. You
know, fool me once, shame on you; fool me twice, shame on me.
Who's shamed when it's "fool me the 432nd time"? Who's
the fool?
We're security pros, and we know the score. It's time. It's time
to tell our users, our clients, our associates, our families,
and our friends to abandon Internet Explorer.
A better browser: Firefox
On Monday, the Mozilla
Foundation released its latest preview release of Mozilla
Firefox, available for download
and ready to run. As most of you probably already know, the
Mozilla browser is great, but it's also a huge software project,
encompassing a Web browser, an email program, an address book, a
Web page editor, and much, much more. Mozilla Firefox is an
effort to pull out the browsing component, resulting in a
faster, more focused, and more innovative Web browser. And you
know what? It's working.
I've been using Firefox for more than a year, and it's performed
admirably. I've experienced a little bit of bugginess here and
there - after all, it's just now getting to 0.9, with the full
1.0 release expected at the end of the summer - but on the whole
it's been just fine, certainly good enough for full-time use.
Its feature set is enviable: pop-up blocking, tabs, integrated
search, an awesome level of customizability, and excellent
support for Web standards. But it has really shone (as has the
Mozilla Project as a whole, actually) in the area of privacy and
security.
All software has bugs, and none is totally "secure".
As has been said so many times, security is a process, not a
product. So I'm quite aware that Firefox has had security
issues, and will have more in the future as sure as the sun
rises. But the record so far with Firefox has been positive.
Security issues are not common, but when they are found, they
are openly discussed and fixed quickly. This is very good, and
security pros should appreciate such responsiveness.
In addition to a good track record in the past, Firefox and the
Mozilla Foundation are taking a proactive approach to securing
the Web browser in the future. The privacy and security settings
available in Preferences are intelligent and effective, and the
browser itself does not accept ActiveX controls, a key
vulnerability in IE. Firefox uses XPI files to install themes,
extensions, and other add-ons. Recently, new changes
to the browser's handling of XPIs were introduced, including
a three second countdown when installing XPIs, in order to give
the user time to read the dialog box, and an optional XPI
whitelist, which will allow XPI installations only from approved
sites. Both are good ideas; in particular, security pros should
enable the latter on the machines they oversee, as it will greatly
reduce the likelihood of installs by miscreants (the link above
implies that Firefox is not implementing the XPI whitelist; Mozilla
bug 240552 contradicts this).
As people who care about security - and who so often work with
people who care nothing about security - it's our responsibility
to spread the word about a better Web browser that does not
constantly compromise the basic security of our computers and
networks. Why is IE the most widely-used Web browser on the Net?
It's not because of quality, and certainly not because it's
better than the alternatives. In fact, IE hasn't really been
improved in years, and other browsers now offer far more innovative
features and capabilities. It's because Microsoft leveraged its
monopoly to force IE down the throats of users. And in a case of
kicking users while they're down, Microsoft has pledged to tie IE
even closer to the Windows operating system, guaranteeing plenty of
security problems in the future.
It's all about the marketing. Microsoft owns the desktop, so
they can bundle IE with every copy of Windows. To combat that,
security pros are going to have to engage in counter-marketing.
Sit down with the computer users you oversee, and explain to
them the security issues associated with IE, and the benefits of
moving to Firefox. If you need help, a short piece entitled "Why
You Should Switch to Firefox" may help. If you're
feeling nervous about the not-yet-finished status of Firefox,
just wait a bit longer, and then start evangelizing it, but be
aware that lots of folks have been using it for quite some time,
happily and successfully.
I already know one of the objections I'm going to get in emails
from my readers: "My bank, fill-in-name-here, requires
Internet Explorer to work!" Let me deal with that point
now, in an effort to reduce the email I'll get. First of all, this
problem is decreasing all the time. Several years ago, many
more Web sites were written to work with IE only, but now,
thanks to the efforts of the Mozilla Foundation, Opera, and
Apple (who will actually contact the owners of sites and help
them to get their sites to work with other browsers),
coupled with the increasing awareness of Web standards among
developers, the vast majority of Web sites work in all modern
browsers.
Second, if your bank (or e-commerce site, or whatever site that
matters to you) doesn't work with Firefox, email, call, and
write them (all three can be an effective combination) and, in a
polite tone, inform them that their site isn't working and ask
them to fix it. If a site does work in Firefox, email,
call, and write the owners and thank them. Positive feedback can
do wonders.
Finally, if you have to use IE, you have to use IE. But use it
only with the site(s) that require it. The people reading this
are smart enough to use Firefox 98% of the time, and then switch
to IE when necessary. But is your mom? Here's a suggestion for
you to help Mom: install Firefox and tell her to use that when
she wants to "use the Internet." Rename the Internet
Explorer icon to "First National Bank" or whatever it
is that Mom uses, and change the home page to http://www.firstnationalbank.com.
Then tell Mom that Firefox is for the Internet, but there's a
new program that's just for her bank, and the icon is right on
her desktop. When she gets done banking, close her "bank
program" and go back to Firefox. (Feel free to substitute
"Sue in marketing" for "Mom" above if
necessary.)
I'm tired of vulnerabilities in Microsoft's Web browser that
take over computers, install spyware and God
knows what else, and ultimately cause us to spend hours
cleaning up messes on the computers of clients, friends, and
family. How much money, time, and energy have we all spent
fixing the problems caused by IE? It's time for security pros -
the folks that should know better - to start dumping IE and
start promoting Firefox, a better Web browser. Enough is enough.
How many times are we going to put out the fires that IE starts,
only to get stomped on, again and again?
Disclaimer:
Installation of the Firefox browser onto your computer is done
at your own risk. PM Communications will not accept any responsibility
for any adverse effects caused by the installation of Firefox or
any software that you may install on your computer. If you have
any questions or need technical support for Firefox, please
contact The Mozilla Corporation
directly. PM Communications does NOT provide technical support
for the Firefox browser.