June 28, 2004 3:11 PM PDT

IE flaw may boost rival browsers

A major security hole discovered in Microsoft's Internet Explorer last week has become a golden marketing opportunity for alternative browsers such as Mozilla and Opera that are unaffected by the flaw.

To avoid falling prey to a concerted attack aiming to steal log-on information and passwords, some security experts advised Web surfers to either turn off some Internet Explorer (IE) features or switch to another browser as the best immediate fix. Unknown attackers who had taken control of several Web servers used the flaw last week to install a remote-access program, dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.

"I hope that Microsoft will come up with a patch soon," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a site that monitors network threats. "Until they do, you basically have two choices: Disable JavaScript in Internet Explorer or install another browser."


Last week's broad attack has been blunted by Internet engineers who disconnected the Russian site that hosted the Scob Trojan horse program from the Web. However, the latest vulnerability could tilt security-conscious companies and home users in favor of adopting an alternative browser--and perhaps chip away at Microsoft's dominant share of the Web browser market.

At least 130 Web sites were still attempting to infect visitors as of Sunday, according to Internet security firm Websense, which discovered that more than 200 of its customers attempted to download the Trojan horse from the malicious Russian site in the past week. None of the servers were top-rated Web sites, but they all ran Microsoft's Internet Information Services (IIS) 5.0 Web software and Secure Sockets Layer, or SSL, encryption, the firm said.

Non-Microsoft browsers, such as the Opera browser and the Mozilla and Firefox browsers made by the Mozilla Foundation, don't have many of the vulnerable technologies and tend to focus more on just providing Internet browsing features, keeping the project size smaller, said Hakon Wium Lie, chief technology officer of Opera Software, which makes the browser of the same name.

"Our code base is small, compared to other browsers, and by actively addressing problems that arise, we end up with a highly secure browser," Lie said.

Such a focus differs from Microsoft, which has chosen to tightly integrate IE into the operating system, in part to sidestep antitrust issues. A representative of the software giant was not available for comment.

The suggestion to use other browsers also underscores some security researchers' arguments that software diversity can improve security.

Borrowing a term from agriculture and the fight against pests, software developers and security experts have warned about the hazards of "monoculture." The term refers to the widespread farming of a single variety, making the entire crop vulnerable to a single pest. Historians pin such disasters as the Irish potato famine on monoculture.

Mozilla acknowledged that much of the value of using its software, or that of Opera, stemmed from the hazards of monoculture rather than any inherent security superiority.

Microsoft's browser currently dominates the Internet landscape, with more than 95 percent of Web surfers using the browser, according to WebSideStory, a Web analytics firm. Mozilla, on the other hand, makes up 3.5 percent, and Opera accounts for 0.5 percent of all users of the sites monitored by WebSideStory.

"Since there is such a disproportionate use of IE on the Internet right now, it does make it a very high-profile target," said Chris Hofmann, the Mozilla Foundation's director of engineering. "That's what people who are writing exploits are targeting, because that's where they get the biggest bang for the buck."

Hofmann called the war against software homogeneity one of the raisons d'etre of his group.

"If we were in a world where there were less of a monoculture for browsers, it would make it harder to design exploits that would affect that much of the marketplace," Hofmann said. "That's one of the driving forces of the Mozilla Foundation--to provide choices so that someone can't come up with an exploit that affects nearly the whole population."

IE a sitting duck?
But Mozilla claims some inherent security advantages as well. Internet Explorer is a fat target for attackers, in large part because it supports powerful, proprietary Microsoft technologies that are notoriously weak on security, like ActiveX.

Security experts also noted that Web surfers using non-Microsoft operating systems, such as Linux or Apple Computer's Mac OS, were not affected by last week's attack.

Among security groups advising a browser switch is the U.S. Computer Emergency Readiness Team (US-CERT), the official U.S. body responsible for defending against online threats. The group on Friday advised security administrators to consider moving to a non-Microsoft browser among six possible responses.

"There are a number of significant vulnerabilities in technologies relating to" IE, the advisory stated. "It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

The advisory noted that Internet Explorer has had a great many security problems in several of its key technologies, such as ActiveX scripting, its zone model for security and JavaScript. However, the group pointed out that turning off certain features in IE reduces exposure to those problems.


"Using another Web browser is just one possibility," said Art Manion, Internet security analyst with the CERT Coordination Center, which administers US-CERT. "We don't recommend any product over another product. On the other hand, it is naive to say that that consideration should not play into your security model."

CERT also noted that people who opt for non-IE browsers but who continue to run the Windows operating system are still at risk because of the degree to which the OS itself relies on IE functionality.

Mozilla's Hofmann recommended that Windows users who want to ditch Internet Explorer raise the security level of the Internet zone in IE's Internet Options to help thwart those kinds of attacks. While Windows ships with that zone set to "medium" by default, Hofmann said that setting it to "high" would have offered sufficient protection against last week's exploit.
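The two mitigations the article reports, disabling scripting in IE (Ullrich) and raising the Internet zone to "High" (Hofmann), both come down to per-zone action values under the Internet Settings registry key that IE's Internet Options dialog writes. The script below is an added example, not code from the article, Mozilla, US-CERT or Microsoft: it shows the current state of the Internet zone and then applies the hardened settings. The action IDs (1400 for active scripting, 1200 and 1201 for running and initializing ActiveX, 1001 and 1004 for signed and unsigned control downloads, 1405 for scripting "safe" controls) and the level constants (0x11000 Medium, 0x12000 High) are the ones Microsoft documents for these keys; which actions to disable, and the function names, are this example's assumptions. PowerShell itself postdates the article; the same values can be written with reg.exe or a .reg file.

```powershell
# Added example: inspect and harden the Internet Explorer "Internet" zone (zone 3)
# for the current user. Action IDs per Microsoft's documentation of the Zones keys;
# the set of actions disabled here is an assumption, chosen to match the "High" template.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Per-zone action IDs and what they control. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Actions = @{
    1400 = 'Active scripting (JScript/JavaScript)'
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
    1405 = 'Script ActiveX controls marked safe for scripting'
}

function ConvertTo-ActionLabel([int]$Value) {
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($Value)" }
    }
}

function Get-IEInternetZoneState {
    # One object per action, so the weak default (Medium: scripting and
    # signed ActiveX enabled) is visible before anything is changed.
    $props = Get-ItemProperty -Path $ZoneKey
    $level = $props.CurrentLevel
    foreach ($id in ($Actions.Keys | Sort-Object)) {
        $raw   = $props.PSObject.Properties[[string]$id]
        $label = if ($null -eq $raw) { 'not set (inherits template)' } else { ConvertTo-ActionLabel $raw.Value }
        [pscustomobject]@{
            Zone    = 'Internet'
            Level   = ('0x{0:X}' -f [int]$level)
            Id      = $id
            Action  = $Actions[$id]
            Setting = $label
        }
    }
}

function Set-IEInternetZoneHigh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # 0x12000 is the CurrentLevel IE stores for the "High" template; 0x11000 is "Medium".
    # Setting each action to 3 (Disable) explicitly, rather than relying on the template,
    # keeps the hardening in place even if the dialog later resets the level.
    if ($PSCmdlet.ShouldProcess($ZoneKey, 'Set Internet zone to High and disable scripting/ActiveX')) {
        Set-ItemProperty -Path $ZoneKey -Name 'CurrentLevel' -Value 0x12000 -Type DWord
        foreach ($id in $Actions.Keys) {
            Set-ItemProperty -Path $ZoneKey -Name ([string]$id) -Value 3 -Type DWord
        }
    }
}

Write-Host 'Internet zone before hardening:'
Get-IEInternetZoneState | Format-Table -AutoSize

Set-IEInternetZoneHigh -WhatIf   # drop -WhatIf to actually write the values

Write-Host 'Internet zone after hardening:'
Get-IEInternetZoneState | Format-Table -AutoSize
```

Two caveats a practitioner would check: machine-wide policy under HKLM (or the Security_HKLM_only flag) overrides the per-user key, so on managed desktops the HKCU change may be ignored; and, as the article notes, this only reduces exposure through the browser, it does not patch the underlying flaw or protect the Windows components that embed IE.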

He also encouraged Web developers to stop writing Web sites that rely on ActiveX. Game and photo-uploading sites are among the worst offenders, he said.

"We encourage people not to use these proprietary technologies that we've seen security vulnerabilities associated with," Hofmann said. "ActiveX is one of the biggest areas where these exploits have occurred, and from these recent exploits, you can see that exposing users and making that technology available has some real danger. Sites need to rethink what they're doing to protect users."


12 comments
IE is "the one"
by June 28, 2004 5:28 PM PDT
As much as I am not a big fan of monopoly, I have to admit that IE rules!

On my laptop, I have Opera 7.50, Netscape 7.1, and IE 6. Most companies write code directly for IE. If you have Outlook Web Access, the choice of browser is clear: IE. If you have a Bank of America account, the choice is clear: IE. Ironically, even if you use Hotmail or Yahoo mail, in order to take advantage of all features, you have to use IE.

Even with as many flaws as it has, Microsoft products are becoming mature and stable. I remember working with and installing Windows 3.11, NT 3.x, 4.0, etc... always had to reboot and gave (all of us) the blue screen of death and so on. But Win2000 did and still does an amazing job. In our company, where I am responsible for IT infrastructure, we didn't even see the need to upgrade to Win2003.

Having said that, most of our web-based applications are IE friendly. Even those apps from a Unix background have an IE ready front-end.

Personally, I don't see, at least in the near future, people migrating from IE to Opera or Netscape.

I must add that I love Opera's interface and its tabulated paging... but it just doesn't work the same way IE does with tables and DHTML and JavaScript and Java.

well, that's all.
Ummmm, wasn't JavaScript the vulnerability??
by jamie.p.walsh June 28, 2004 6:08 PM PDT
I agree that ActiveX is not secure, but the exploit was with JavaScript technology. That was highly undermentioned in this article. I also agree with Pat's statement regarding the way alternative browsers handle the most common elements of the most popular web pages - DHTML, JavaScript, and TABLES!!! I realize that this is due to IE's popularity, and IE's methods for handling these elements dictate how most developers code, but until there's consistency in that area people will continue to use IE.

I also have to say that Norton Internet Security does a great job alerting users to the presence of ActiveX and Javascripts (when set up properly). It also gives you the option to allow this per website. I think that if you're connecting to the internet, I highly suggest this product or similar ones such as ZoneAlarm Pro.

As for the monoculture discussion, I love how open source advocates think that their products are so superior. I don't feel that at all. They're great if you want to sacrifice the full functionality of their proprietary counterparts. Secondly, it is easy to claim security when you're not the big target. If these products had equal or better market share, they would be exploited just the same as Microsoft's.
Netscape > IE > FireFox
by Jahntassa June 28, 2004 7:39 PM PDT
I used to swear off IE until IE 4.0, when Netscape started getting bloated. IE has been great, and I've used it until Firebird 0.8 was released and renamed FireFox. Now FireFox 0.9 is out, and it's great! Tabbed windows, easy-to-use extensions, Flash/Shockwave/Java support, LiveJournal tie-ins, and themes, plus the pop-up blocking which is unsurpassed, and its ease of use... I can't say enough about it! It's small, streamlined, and Mozilla.org even provides instructions on how to load Firefox onto a USB drive so you can bring your browser with you wherever you go! You can't beat that!

I've had a few security run-ins with IE, and so far, nothing with Firefox. I can't give up IE, because certain companies only support that, but overall... Firefox is awesome, I can't deny the truth that it's time to switch!

Note: Oddly enough, there must be something wrong with news.com that I can't post this with Firefox, and need to use IE!