July 6, 2008 2:44 PM PDT

Still more reasons to avoid Internet Explorer

A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.

On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.

The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.

Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).

Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?

Old Versions of Software

Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.

A recent survey, described by Robert Vamosi at CNET, found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.

Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.

Firefox does an excellent job of updating itself; Internet Explorer does not. The survey found many IE users running old versions of the browser, more so than users of other browsers. For example, Firefox defaults to opening up a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.

Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is updated as part of Windows Update and Microsoft Update and thus lives in a bigger, more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, its Defender anti-malware software and who knows what else.

One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.

Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.

Which do you prefer?

Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:

"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"

Update. July 7, 2008: Yet another IE-related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?

Update. July 7, 2008: A commenter made a good point: Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.

52 comments (Showing first 20 comments)
by chltmdwp2 July 6, 2008 4:39 PM PDT
ok.... is Internet Explorer 7 included also? if it is, i'm changing it to Firefox
by chltmdwp2 July 6, 2008 4:40 PM PDT
I prefer Internet Explorer because I know how computers work. So I'm not like uneducated people, like most people, who don't know when to update. So yeah, I'm not so worried about using Internet Explorer.
by Lerianis July 6, 2008 5:20 PM PDT
Actually, Internet Explorer 7 is not anywhere near as dangerous as Internet Explorer 6 and before. Also, with Internet Explorer 8, most of the problems will be fixed, with nothing being able to be downloaded without user consent.
by BrandonLive July 6, 2008 11:46 PM PDT
The first link seems to go to an IE6-only vulnerability. How can anything for IE 6 be "unpatched"? Just install IE 7.

Sure, the second link goes to a moderate IE 7 vulnerability that was recently discovered. But you make it sound like Firefox doesn't have any unpatched vulnerabilities which was not true the last time I checked.
by pdk001 July 7, 2008 2:54 AM PDT
I want to use Linux with Firefox, but there is nothing with Linux (including Firefox) in horrible ******* Korea, such as internet banking (most important for me), some VODs and Flash etc.
This is the reason why I hate ******* Korea.
by knack4 July 7, 2008 3:01 AM PDT
This has gone on and on and on for years and years and years.
IE has NEVER been secure. It is, I am quite sure, the centerpiece of more compromise and intrusion and loss and expense for its users than any other software application in all history. It will undoubtedly never be surpassed.
I run an IT service, serving a stable and expanding customer base of several hundred home and business clients for the past 15 years. The overwhelming majority of intrusions and infections I see are accomplished by way of IE. A vast number of additional problems are also IE-related.
I almost wish Microsoft were a Japanese concern. The fools who coded this garbage would have suicided long since, and we'd either have fresh talent fixing the damned thing, or (perhaps better) it would have gone the way of the dodo.
All but a stubborn few of my clientele use Firefox. (I'm called often by those few.)
by jjoensuu July 7, 2008 3:41 AM PDT
"Also, with Internet Explorer 8, most of the problems will be fixed"

Cute. When will version 8 be available, and if MOST problems are fixed, what are left remaining? A few that allow a remote user to take over your system? And a couple of zero-day bugs?

Microsoft is one ridiculous company. But at least they are doing better than the U.S. auto and airline industries, at the moment. And they are not complaining about their largest operation expense being "high wages". Well that would be crazy, considering that wages FOR THE MAJORITY of workers in the U.S. are high only if they are compared with those in some 3rd world nation.
by Brunhilde52 July 7, 2008 3:53 AM PDT
I've used Firefox for years, since my son discovered it in his High School Cisco class. It's easy, user friendly, and I love it! However, I have to use IE occasionally for specific functions, meetings, etc. It always makes me nervous.
by t8 July 7, 2008 4:20 AM PDT
IE will never be secure because it is part of the Windows Kernel. In other words the core of Windows has a direct link to the rest of the world through the Internet. Microsoft made IE part of the Windows kernel to win a court case against Netscape. Microsoft argued that IE wasn't an application but was part of Windows. So after pretty much getting away with bundling an application and killing its competition as a result, Microsoft must lie in the bed it has made and deal with the fact that Windows is extremely complex and IE as a browser needs to be open to the Internet. I think more and more people are seeing just how clunky, dangerous, and old fashioned Windows really is. The most efficient platform out there is the Web. It has a much better design and look for Google to basically be the builders of the most popular Internet OS.
by morrie 52 July 7, 2008 4:22 AM PDT
The ability to have a multitude of add ons to assist your net experience with Firefox and the speed of the 3 flavour I do not know any reason (ok some people have page problems) for not running Firefox, but when there is a basic security issue the reason becomes overwhelming.
by SpeedyDemon July 7, 2008 4:23 AM PDT
BrandonLive said, "How can anything for IE 6 be "unpatched." Just install IE 7."

For Windows users using less than XP this requires upgrading to XP or better because MS has "chosen" to not offer IE 7 on Win2K or below. They did that as an arm twist to make people upgrade. Upgrading always equals more $$$ for MS.

Lerianis said, "Also, with Internet Explorer 8, most of the problems will be fixed, with nothing being able to be downloaded without user consent."

If this happens it will be a Microsoft first. MS releases software, allows outsiders to find the vulnerabilities for them at no cost to them (but often at great expense to affected end users) and then attempts to patch.

pdk001 said, "i want to use a linux with firefox, but there is nothing with linux(include firefox) in horrible ******* korea."

Not in Korea? Linux is everywhere. You've just got to download it, install it, make some software additions to handle all that commercialized 3rd party, Windows oriented media and you're good to go. Of course this requires a bit of learning on your part. Unwillingness to learn a little bit is the biggest stumbling block for most people.
by Bakero2008 July 7, 2008 4:36 AM PDT
If only Firefox did not get bulkier and slower with more and more bugs each update, then I would use IE less. # is so bad on my computer, it is next to useless. If MS does nothing, and Firefox continues on the same path it is now where setting download records is a major focus, IE will become the only choice for many.
by Galley July 7, 2008 5:40 AM PDT
I dumped IE for Opera back in '99. Since I became a Mac user two years ago, I've been using Safari. I use it on my work PC as well.
by dvanburen July 7, 2008 5:49 AM PDT
This is news? Only the uninformed masses use IE, though 7 was a big improvement.
by rick47591 July 7, 2008 5:59 AM PDT
I've tried Firefox 2 and 3 and dislike both of them. They're slow to load, many of the movies I want to watch on the net will lock up if using Firefox. I also had to manually install my Roboform Professional. I also tried to transfer all of my favorite websites from IE but Firefox would not let me save any adult sites. I also am able to download up to 10 different downloads at the same time using IE6 but not Firefox. Another feature that IE6 has that neither Firefox 2 nor 3 has is the picture toolbar which I use several times every day. Firefox has too much fluff.
by firefoxluva95 July 7, 2008 6:09 AM PDT
Here's the deal with IE8. They claim standards compatibility yet they don't get very far on the Acid3 test, not the Acid2 test, the Acid3 test.

Sure I'd say Firefox has a slow startup if you have 2GB or less of RAM. However, once it gets going, the pages render faster than IE. As for transferring bookmarks from IE, if one way doesn't work, you should know how to export it as an HTML file and import it into Firefox. Also, not everyone uses the picture toolbar in IE so that would be considered "extra fluff" to us and therefore Firefox lets you choose what to add using addons. Firefox 3 I would say is a lot faster and less bulky than Firefox 2. Out of all the releases, I'd say Firefox 2 was the worst.

The download record was something for fun. What a world we would be in if nobody had any fun around there. I'm sure you've seen how the people at Google go at it, playing pool and having fun with their dog, taking a moment of the day to have fun and not do a single bit of work. I guess you expect Mozilla employees to just sit there and endure carpal tunnel syndrome.
by ghormax July 7, 2008 6:45 AM PDT
The best solution is to abandon Windows entirely and switch to Linux, at least for surfing the web! Nowadays you can even install Ubuntu Linux as an application in Windows and then surf from there. I, however, prefer the Linux only solution. And since I have moved from Windows to Ubuntu at home, I am always annoyed when I have to use Windows at work. Ubuntu was quick to install (less than an hour) and works with plug and play. Ubuntu updates are also as easy as Mozilla updates. It's safe and easy to use. It developed as fast as Windows 3.1 to Windows XP in about a year! And best of all, new releases of the operating system (as the first install) are free. I am waiting for more improvements soon!
by jthunder July 7, 2008 6:51 AM PDT
I suggest just stop using IE. The world's worst browser. Just don't use it, or just don't use Microsoft at all. I stopped using any Microsoft software in my machine, and now I am very happy. No bugs and no more bugs. For a multibillion dollar company and overpaid employees, they can't even fix a simple bug. And more so, they ask you to call a 900 number and pay for something they can not resolve or something they can't even answer.

Set that aside, Firefox 3.x, oh my god, it's the best. I for now, stop temporarily using Safari 3.x for Firefox. It's so like Safari. It's so intelligent like Safari. The best Firefox ever. Hopefully, in the future, Safari does not copy their browser UI from Apple. It's so Apple like, but I don't blame them. Apple's so friendly and very very pretty always, and very safe. I switched everything to Apple and never a single virus, anywhere I go. They can't even attach itself to Apple Safari or Apple OSX. Of course, I need to be careful sometimes, but it's so extremely safe.

Apple's update, it's very friendly and extremely nice. NEVER will use any MICROSOFT powered machine. NO MORE BUGS, NO MORE PROBLEMATIC AND VERY BUGGY OS FOR ME. THEY ENVELOPE ALL BUGS WITH NEW BUGS. LOOK AT THEIR OS, THEY DON'T FIX THE BUGS, THEY HIDE IT WITH A NEW CODE WITH NEW BUGS. THAT'S WHY THEIR OS IS SO BIG, AND IT TAKES A LIFETIME TO BOOT. LOOK AT APPLE, I HIT THE POWER KEY, IT'S UP ALREADY. I NEVER HAVE TO REBOOT IN 10 MONTHS AND NO PROBLEM. EXTREMELY SAFE AND VERY VERY VERY NICE..
by mayamouse July 7, 2008 7:25 AM PDT
While I don't like IE's flaws and Microsoft is definitely slow to fix things I will also say that trumpeting how well Firefox updates is also a bit presuming. There is a fine line where updating too often causes people to disable the feature that checks for updates thus defeating the purpose as well. If every day I launch the browser and it tells me I have to wait while it updates I am going to grow tired of the feature fast.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
