Users growing vexed by Explorer Technical flaws with Microsoft's Web browser have some looking for more secure alternatives.
By Bob Mims The Salt Lake Tribune
Pete Ashdown, pictured in the network operations center is the president and founder of Xmission in Salt Lake City, the area's oldest, most successful ISP, having endured the dot-com collapse and several stages of internet evolion.
(Francisco Kjolseth/The Salt Lake Tribune)
For nearly a decade, Microsoft's Internet Explorer has been the overwhelming choice for navigating the World Wide Web.
But today, the once seemingly unassailable dreadnought of cyberspace is the target of ever-more-frequent broadsides from viruses, worms and tech-savvy identity pirates. The good ship Explorer appears to be taking on water.
Secunia Ltd., a Copenhagen, Denmark-based Internet security firm, notes Microsoft released 39 Explorer security advisories between January 2003 and this month, 17 of them classified as highly or extremely critical. In the past week and a half, Bill Gates' beleaguered programmers have released a patch to address seven new potential security breaches - three of them "critical" flaws affecting Explorer.
For years, Microsoft's freely distributed application has owned up to 95 percent of the browser market. But 2004 is fast becoming Explorer's year of discontent, and patience is growing thin.
In a "vulnerability note" issued June 10, the U.S. Computer Emergency Readiness Team (US-CERT) warned holes in Explorer could allow a hacker to steal passwords, credit card numbers and other private information. The agency provided a detailed list of technical "workarounds," but ended by simply recommending use of a different browser.
"There are a number of significant vulnerabilities in technologies relating to the [Internet Explorer] domain/zone security model," US-CERT's Art Manion wrote, suggesting use of "a different Web browser, especially when browsing untrusted sites."
This past week, for the first time ever, San Diego-based Web analytics company WebSideStory noted a drop in Explorer's dominance: between June and mid-July, the browser's share of the market dipped from 95.48 percent to 94.42 percent.
Other Web watchers put Explorer's share much lower, however. The most recent, July 20 tally from more than 12,000 hosts in 81 countries that use the Engineering Workstations server operated by the University of Illinois gave versions of Explorer 73.2 percent; Netscape and its near-clones (such as Mozilla) 15 percent; and others, including Norwegian-developed Opera the remainder.
While such statistics give Explorer's competitors a glimmer of hope, Microsoft keeps a poker face.
"Microsoft shares our customers' concerns regarding security, but we have not seen a significant shift in usage from Internet Explorer," company spokeswoman Tina Austinson says. "We certainly encourage customers to examine all options. [But] most customers . . . will continue to see [Internet Explorer] as their best choice."
Despite Explorer's recent woes - including Microsoft's recent admission that it could be a year before it patches a browser design gaffe that can allow downloads of malicious code by unsuspecting personal-computer users - Austinson says Explorer's overall functionality will remain hard to beat.
But US-CERT has hardly been alone is raising the specter of browser bailout. Joining the hue and cry have been a plethora of security experts and tech publications, online and off.
Brent Huston, a columnist for Security.ITWorld.com, wrote this month that risks associated with both Explorer and Microsoft's Outlook e-mail programs had become so onerous that, "it might be time to consider dumping them completely from your organization's deployments."
Pete Ashdown, founder of longtime Salt Lake City Internet service provider Xmission, agrees that while Explorer's dominance has made it a favorite hacker target, it would appear Microsoft [also] has made some crucial mistakes in its design . . .
Microsoft has a tendency to 'featurize' its software, and that is usually its downfall, he adds, pointing specifically to Explorer's ActiveX scripting component, along with its links to other Microsoft word-processing and data applications.
Ashdown long since has switched browsers himself, favoring Mozilla Firefox, the latest freely distributed, collaborative effort of "open source" programmers across the globe.
Salt Lake City computer consultant Mike Biesele went further, replacing his Windows-based PC with an Apple Powerbook. He runs the new Safari browser.
Any browser can be hacked, Biesele maintains. But Explorer's close association with the Windows operating system - and its widespread use - make it perpetual prey for hackers and virus writers.
Carey Nachenberg, chief researcher for the Symantec Security Response Team, stresses that only constant vigilance will keep both anti-virus and intrusion prevention companies like his, and PC users themselves, a step ahead of the Web's anarchists.
"The Internet is constantly evolving. It's not about only securing the browser, but securing all the new functionality constantly being integrated into new versions of browsers," he says. "The biggest concern is user surfing habits. Users also need to use the existing security settings [e-mail filters, firewalls, pop-up killers] already available in the browser."
Chris Hofmann, engineering director for The Mozilla Foundation, hails Firefox's relatively small and simple "security zone architecture" - one not burdened by Explorer's complex incorporation of settings affecting not just an individual PC's Web navigation but other programs and associated networks.
But even Mozilla isn't perfect, Hofmann admits. Two weeks ago, developers announced their own serious security flaw, along with a patch to fix it.
"We encourage individual users and organizations to take a more detailed look at . . . the major browsers and make an informed decision," Hofmann suggests. "We see users switching to Mozilla technology and staying with it because of a strong security foundation and improved ease of use."
The venerable Netscape, which briefly dominated the market before Explorer came along, still sees itself as a strong player in any alternative browser uprising.
"A significant number of Netscape users use us primarily because they feel we have a more secure browser [than Explorer]," spokesman Andrew Weinstein says. "Netscape has had a very good track record on safety and security issues."
Christen Krogh, Opera engineering vice president, also says it's time for Explorer users to switch, and he would love to see his company's tiny market share grow.
"All browsers experience security issues from time to time. But . . . [Internet Explorer] has been dealt the most severe blows recently," he says. "I would certainly recommend end users choose an alternative vendor, both for the sake of [security] issues, and because other offerings are better."
But Jon Lal, president of Winferno Software, says it doesn't have to be a choice between accepting Explorer's flaws, or going with a little-known competitor. In fact, his company depends on Explorer loyalists wanting to stay with their familiar, if flawed, browser.
At $29.95 a copy, Winferno has sold more than 300,000 copies of its Secure IE product, which purports to plug Explorer's holes while protecting against spyware (programs that secretly invade a PC and report data back to their source), pop-up advertising and browser-specific viruses and worms.
"The popularity of Secure IE is more about the popularity of [Internet Explorer] itself," Lal says. "As hackers find new ways to do dodgy things, we do our best to stay one step ahead.
"In this case, technology creates opportunities, both for the good guys and the bad."