Which browser should you use?

PETER THEOBALD, CEO of IT Secure, one of India's leading specialist network security firms, expounds on the dangers lurking in Microsoft's Internet Explorer.
UNTIL recently, that would have been a stupid question to ask. After all, more than 95 percent of the world uses Microsoft's Internet Explorer (IE) for that purpose. But after a slew of security loopholes discovered in IE during the past few months, security-conscious users are looking at alternatives. In fact, no less than a US government security body, the Computer Emergency Readiness Team (CERT), recommends using alternate, non-Microsoft browsers as one of six possible responses to the vulnerabilities discovered in IE.
Why is there such a problem? What CERT is concerned about is that a computer user running IE can be compromised just by viewing an attacker's Web page, allowing the attacker to run code of his choice on the user's machine with the user's privileges. What this means is that even surfing the Web is not 100 percent safe anymore. Until Microsoft releases a patch for this problem, even switching to an alternate browser may not be enough. This is because using a different Web browser will not remove IE from a Windows system: other programmes may still invoke IE, the WebBrowser ActiveX control, or the HTML-rendering engine (MSHTML), and so remain exposed to the vulnerability.
CERT therefore recommends sending and receiving mail in plain text format (not HTML), applying the Outlook E-mail Security update, keeping anti-virus software up-to-date, and not following unsolicited web links, because they could lead you to an attacker's page. CERT suggests that if you continue to use IE, you should consider disabling Active scripting and ActiveX. This will result in a loss of functionality, but that is the price of security.
The main reason for the sudden call for alternatives to IE is the discovery that vulnerabilities in it do not seem to be isolated incidents. In early June 2004, two previously unknown security flaws in IE were exploited to install a toolbar on victims' computers that triggered pop-up ads. One of these flaws allowed the attacker to run a programme on a victim's machine, while the other enabled the malicious code to cross security zones, that is, to run with higher privileges than normal. The net result was that an attacker could upload and install programmes on the victim's computer just by inducing him to visit a particular webpage. This is what CERT was getting worked up about.
Towards the end of June 2004, a security company, Secunia, issued a bulletin warning of the recurrence of a flaw in versions 5.01, 5.5 and 6.0 of IE. The problem, apparently a minor one, was supposedly fixed six years ago when it appeared in versions 3.0 and 4.0 of the IE browser, but now it has made a re-appearance. However, what seems to be more of a concern than the vulnerability itself is this: how did a company of the stature of Microsoft allow it to happen, despite their Quality Assurance and Quality Control processes?
Indeed, it was not long before a malicious programme was discovered that exploited the vulnerabilities. It installed itself through a pop-up ad, and was designed to read keystrokes and steal passwords when victims visited any of nearly 50 targeted banking sites.
That was not the end of the bad news. The next big thing was a virus called Download.JECT (or Scob) that used IE as a vehicle for installing a worm on the user's PC. It was designed to pass on information from the user's PC to a website, which was luckily traced and shut down. What was particularly worrying about JECT was that it exploited a vulnerability that had not been publicly announced by Microsoft, and hence no patch was available. This was different from the usual pattern, where hackers exploit vulnerabilities that Microsoft announces. Those are easier to deal with because Microsoft releases the patch at the same time as it announces the vulnerability.

Microsoft did issue a work-around that would prevent the worm from doing damage, but it didn't really solve the problem. This was demonstrated by a security researcher in July who identified another flaw that could serve the same purpose, and that isn't fixed by Microsoft's patch.
It is easy to blame Microsoft for all this, but one also has to recognise the scale of the problem. IE is the default standard for browsers worldwide, running on millions of PCs, and so it presents a very large target for hackers. The ubiquity and homogeneity of IE, which is one of its biggest strengths, is turning out to be its weakest point as well. What's more, since the IE browser is intricately linked to the Windows operating system (OS), changes made in IE have an impact on the OS itself, so they have to be very carefully managed.
So should computer users drop IE and go for Opera, Mozilla, Firefox or Netscape? For corporate users this is not an easy decision, because IE may be a key part of their enterprise IT infrastructure. Home users can change more easily, but will run the risk of losing functionality, i.e. they will be unable to take advantage of the features of several popular websites. This is one question to which there are no easy answers. What most people are likely to do is wait and watch for Microsoft to release a comprehensive solution for all these problems. And perhaps do a good bit of praying on the side, that they don't get hit until the patch arrives.

The author may be reached at petert@itsecure.com