June 28, 2004 3:11 PM PDT

IE flaw may boost rival browsers

A major security hole discovered in Microsoft's Internet Explorer last week has become a golden marketing opportunity for alternative browsers such as Mozilla and Opera that are unaffected by the flaw.

To avoid falling prey to a concerted attack aiming to steal log-on information and passwords, some security experts advised Web surfers to either turn off some Internet Explorer (IE) features or switch to another browser as the best immediate fix. Unknown attackers who had taken control of several Web servers used the flaw last week to install a remote-access program, dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.

"I hope that Microsoft will come up with a patch soon," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a site that monitors network threats. "Until they do, you basically have two choices: Disable JavaScript in Internet Explorer or install another browser."


Last week's broad attack has been blunted by Internet engineers who disconnected the Russian site that hosted the Scob Trojan horse program from the Web. However, the latest vulnerability could tilt security-conscious companies and home users in favor of adopting an alternative browser--and perhaps chip away at Microsoft's dominant share of the Web browser market.

At least 130 Web sites were still attempting to infect visitors as of Sunday, according to Internet security firm Websense, which discovered that more than 200 of its customers attempted to download the Trojan horse from the malicious Russian site in the past week. None of the servers were top-rated Web sites, but they all ran Microsoft's Internet Information Services 5.0 Web software and Secure Sockets Layer, or SSL, encryption, the firm said.

Non-Microsoft browsers, such as the Opera browser and the Mozilla and Firefox browsers made by the Mozilla Foundation, don't have many of the vulnerable technologies and tend to focus more on just providing Internet browsing features, keeping the project size smaller, said Hakon Wium Lie, chief technology officer of Opera Software, which makes the browser of the same name.

"Our code base is small, compared to other browsers, and by actively addressing problems that arise, we end up with a highly secure browser," Lie said.

Such a focus differs from Microsoft, which has chosen to tightly integrate IE into the operating system, in part to sidestep antitrust issues. A representative of the software giant was not available for comment.

The suggestion to use other browsers also underscores some security researchers' arguments that software diversity can improve security.

Borrowing a term from agriculture and the fight against pests, software developers and security experts have warned about the hazards of "monoculture." The term refers to the widespread farming of a single variety, making the entire crop vulnerable to a single pest. Historians pin such disasters as the Irish potato famine on monoculture.

Mozilla acknowledged that much of the value of using its software, or that of Opera, stemmed from the hazards of monoculture rather than any inherent security superiority.

Microsoft's browser currently dominates the Internet landscape, with more than 95 percent of Web surfers using the browser, according to WebSideStory, a Web analytics firm. Mozilla, on the other hand, makes up 3.5 percent, and Opera accounts for 0.5 percent of all users of the sites monitored by WebSideStory.

"Since there is such a disproportionate use of IE on the Internet right now, it does make it a very high-profile target," said Chris Hofmann, the Mozilla Foundation's director of engineering. "That's what people who are writing exploits are targeting, because that's where they get the biggest bang for the buck."

Hofmann called the war against software homogeneity one of the raisons d'être of his group.

"If we were in a world where there were less of a monoculture for browsers, it would make it harder to design exploits that would affect that much of the marketplace," Hofmann said. "That's one of the driving forces of the Mozilla Foundation--to provide choices so that someone can't come up with an exploit that affects nearly the whole population."

IE a sitting duck?

But Mozilla claims some inherent security advantages as well. Internet Explorer is a fat target for attackers, in large part because it supports powerful, proprietary Microsoft technologies that are notoriously weak on security, like ActiveX.

Security experts also noted that Web surfers using non-Microsoft operating systems, such as Linux or Apple Computer's Mac OS, were not affected by last week's attack.

Among security groups advising a browser switch is the U.S. Computer Emergency Readiness Team (US-CERT), the official U.S. body responsible for defending against online threats. The group on Friday advised security administrators to consider moving to a non-Microsoft browser among six possible responses.

"There are a number of significant vulnerabilities in technologies relating to" IE, the advisory stated. "It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

The advisory noted that Internet Explorer has had a great many security problems in several of its key technologies, such as ActiveX scripting, its zone model for security and JavaScript. However, the group pointed out that turning off certain features in IE increases security.

"Using another Web browser is just one possibility," said Art Manion, Internet security analyst with the CERT Coordination Center, which administers US-CERT. "We don't recommend any product over another product. On the other hand, it is naive to say that that consideration should not play into your security model."

CERT also noted that people who opt for non-IE browsers but who continue to run the Windows operating system are still at risk because of the degree to which the OS itself relies on IE functionality.

Mozilla's Hofmann recommended that Windows users who want to ditch Internet Explorer increase their security level in Windows' Internet options to help thwart those kinds of attacks. While Windows comes by default with those options on "medium," Hofmann said that setting them to "high" would have offered sufficient protection against last week's exploit.
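A read-only audit of the Internet zone settings Hofmann refers to, added here as an example and not part of the article. The registry path, the value names (CurrentLevel, 1400, 1200, 1201) and the template constants are assumed from Microsoft's documented per-user zone layout, not from the page; the script reports the current state and changes nothing.

```powershell
# Added example (not from the article): report whether the IE "Internet" zone
# (zone 3) is on the High template and whether active scripting and ActiveX
# are disabled for it. Read-only; nothing is modified.
# Assumed layout: per-user zone settings live under "Zones\3" below; the
# numeric value names hold 0 = enable, 1 = prompt, 3 = disable.
$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-ZoneSetting {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Assumed template constants stored in CurrentLevel (High = 0x12000, Medium = 0x11500).
$levelNames = @{
    0x12000 = 'High'; 0x11000 = 'Medium-High'; 0x11500 = 'Medium'
    0x10500 = 'Medium-Low'; 0x10000 = 'Low'
}
$current = Get-ZoneSetting -Key $zone3 -Name 'CurrentLevel'
$levelName = if ($null -ne $current -and $levelNames.ContainsKey([int]$current)) {
    $levelNames[[int]$current]
} else {
    "custom/unknown ($current)"
}

# The three settings the article's mitigation advice turns on.
$checks = @(
    @{ Name = '1400'; Desc = 'Active scripting (JavaScript)' },
    @{ Name = '1200'; Desc = 'Run ActiveX controls and plug-ins' },
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe' }
)
$findings = foreach ($c in $checks) {
    $v = Get-ZoneSetting -Key $zone3 -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Desc
        Value   = $v
        Status  = switch ($v) {
            3 { 'disabled (ok)' }
            1 { 'prompt' }
            0 { 'ENABLED' }
            default { 'not set (template default)' }
        }
    }
}
"Internet zone template: $levelName"
$findings | Format-Table -AutoSize
```

A machine-wide policy under HKLM can override these per-user values, so on a managed domain PC check the corresponding key under HKLM as well before trusting the result.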

He also encouraged Web developers to stop writing Web sites that rely on ActiveX. Game and photo-uploading sites are among the worst offenders, he said.

"We encourage people not to use these proprietary technologies that we've seen security vulnerabilities associated with," Hofmann said. "ActiveX is one of the biggest areas where these exploits have occurred, and from these recent exploits, you can see that exposing users and making that technology available has some real danger. Sites need to rethink what they're doing to protect users."

12 comments

IE is "the one"
As much as I am not a big fan of monopoly, I have to admit that IE rules!

On my laptop, I have Opera 7.50, Netscape 7.1, and IE 6. Most companies write code directly for IE. If you have Outlook Web Access, the choice of browser is clear: IE. If you have a Bank of America account, the choice is clear: IE. Ironically, even if you use Hotmail or Yahoo mail, in order to take advantage of all features, you have to use IE.

Even with as many flaws as it has, Microsoft products are becoming mature and stable. I remember working and installing Windows 3.11, NT 3.x, 4.0, etc... always had to reboot and gave (all of us) the blue screen of death and so on. But Win2000 did and still does an amazing job. In our company, where I am responsible for IT infrastructure, we didn't even see the need to upgrade to Win2003.

Having said that, most of our web-based applications are IE friendly. Even those apps from a Unix background have an IE ready front-end.

Personally, I don't see, at least in the near future, people migrating from IE to Opera or Netscape.

I must add that I love Opera's interface and its tabulated paging... but it just doesn't work the same way IE does with tables and DHTML and JavaScript and Java.

well, that's all.
Posted by (1 comment )
the IE misnomer
It is true that many web dev teams write specifically for IE. Why this has occurred is debatable, but it is probably due to a lack of IE development for 3+ years and the need to find creative workarounds for the deluge of issues IE has with XML, CSS, JavaScript, etc.

I have used Mozilla for over 2 years now and the latest release of Firefox 0.9 -- only 4.7MB on Win32 -- is the best thing that could happen to a web developer. Not only does it force us to use W3C standards, but it comes with excellent debugging facilities as opposed to the dizzying "Error occurred on page" msgs with the occasional impotent Windows Script Debugger...

Anyway, just thought I would speak up for the little guy! By the way, I use every feature on BofA.com with greater confidence through Mozilla firefox.

more info:
http://www.mozilla.org/products/firefox/

cross platform CMS that works in mozilla:
http://www.enthusiastinc.com
Posted by (2 comments )
Writing code directly for Internet Explorer?
If HTML is so universal, if XML is so extensible, then why would anyone have to write custom code JUST for Internet Explorer?

Well, because Microsoft implements proprietary technology that only works with Explorer, doesn't support certain standards correctly, or quite simply renders the code WRONG, and people have to code around the faults in the render engine. Since Explorer is the most widely used browser, that often leads to companies writing two entirely different webpages: one that works with Explorer, and another that works with absolutely everything else.

Explorer is not the dominant browser because it's good; it's the dominant browser because Microsoft illegally used its dominant position in the marketplace to kill off all other competition. Having to write custom code (not because you want to or because you think the browser is great) just so you can support the "number one" browser on the market is stupid.

People need to wake up and move away from Explorer, indeed, Windows altogether. There are so many better products out there from all sorts of great vendors if they're given a chance.
Posted by olePigeon (39 comments )
Standards?
That's because IE and pages coded for it don't adhere to standards (yes, there are some things the others don't supply - but not in 95% of the pages).

IE is much better with SP2 though, until someone figures out how to bypass the security.
Posted by Stupendoussteve (28 comments )
Ummmm, wasn't JavaScript the vulnerability??
I agree that ActiveX is not secure, but the exploit was with JavaScript technology. That was highly undermentioned in this article. I also agree with Pat's statement regarding the way alternative browsers handle the most common elements of the most popular web pages - DHTML, JavaScript, and TABLES!!! I realize that this is due to IE's popularity and that IE's methods for handling these elements dictate how most developers code, but until there's consistency in that area people will continue to use IE.

I also have to say that Norton Internet Security does a great job alerting users to the presence of ActiveX and JavaScript (when set up properly). It also gives you the option to allow this per website. If you're connecting to the internet, I highly suggest this product or similar ones such as ZoneAlarm Pro.

As for the monoculture discussion, I love how open source advocates think that their products are so superior. I don't feel that at all. They're great if you want to sacrifice the full functionality of their proprietary counterparts. Secondly, it is easy to claim security when you're not the big target. If these products had equal or better market share, they would be exploited just the same as Microsoft's.
Posted by jamie.p.walsh (288 comments )
superior?
Well, I try not to enter tech religious wars, but I had one correction here. I suppose many people might look at one software app as 'better' than the other for various reasons, but ultimately it is all in progress. Software is never done -- it is always developing.

This is the big win with open source (OS) software. Imagine if any Microsoft partner could release a patch for the latest trojan? We would have had it within hours, not weeks...

There is a large team available for this purpose on many fronts with OS software nowadays, and this is good for Joe Customer like me. :D

http://osdl.org/about_osdl/members/
http://www.jboss.com
http://www.mysql.com
http://www.openoffice.org/
http://www.opengroupware.org/

thx.

jc
Posted by (2 comments )
No, it's Internet Explorer.
It's not JavaScript, but how Microsoft implemented the technology into Internet Explorer. The flaw does not affect any other browser, regardless of whether they're using JavaScript.

Which is probably why I use a Mac to avoid all those problems.
Posted by olePigeon (39 comments )
Netscape > IE > FireFox
I used to swear off IE until IE 4.0, when Netscape started getting bloated. IE has been great, and I've used it until Firebird 0.8 was released and renamed Firefox. Now Firefox 0.9 is out, and it's great! Tabbed windows, easy to use extensions, Flash/Shockwave/Java support, LiveJournal tie-ins, and themes, plus the pop-up blocking, which is unsurpassed, and its ease of use... I can't say enough about it! It's small, streamlined, and Mozilla.org even provides instructions on how to load Firefox onto a USB drive so you can bring your browser with you wherever you go! You can't beat that!

I've had a few security run-ins with IE, and so far, nothing with Firefox. I can't give up IE, because certain companies only support that, but overall... Firefox is awesome, I can't deny the truth that it's time to switch!

Note: Oddly enough, there must be something wrong with news.com that I can't post this with Firefox, and need to use IE!
Posted by Jahntassa (158 comments )
No problems with FireFox here....
Odd....no problems here.
Posted by Jonathan (832 comments )