Should IE stay or should IE go?

Microsoft's dominant browser is being challenged by open source upstart Mozilla Firefox, but in our testing neither browser scores a knockout punch.

Don't go ripping out Microsoft's Internet Explorer just yet.

It certainly has proven vulnerable to attack in the past, and the constant patching to add the latest security updates can be a nuisance. CERT last year even warned people to stop using Internet Explorer. And Mozilla Foundation's Firefox has been getting a lot of buzz lately - to the tune of 25 million downloads in less than 100 days on the market.




But our testing of both browsers shows that it's not an easy decision - particularly in an enterprise environment. Internet Explorer's vulnerability to attack might in part be because it's rich in features and thereby presents a larger "attack surface." On the other hand, Firefox's perceived edge in security comes with a price - fewer features and possible inability to access some Windows-based Web applications.

So before you make a decision, weigh the trade-offs. One compromise to consider is using Internet Explorer internally and Firefox for pure Web browsing.

Our hands-on test focused on security rather than ease of use. Our Internet Explorer 6.0 implementation ran on a Windows XP client (a WinBook Pentium 4 with 512M bytes of RAM) with Service Pack 2, and the latest Microsoft updates. With the help of VMware Workstation, we installed Mozilla Firefox 1.0.1 on the same system inside its own virtual machine. This test machine was connected to the Internet through a 384K bit/sec DSL line.

We used the browsers side by side for a variety of tasks such as reading public Web sites, checking e-mail with Microsoft Outlook Web Access, and accessing our Apache-based Web server to reach internal resources and management tools. Additionally, we tried surfing to known hacker Web sites to see how the browsers would behave when under attack.

Accessing conventional Web sites, such as CNN or Yahoo, gave similar results. They both block pop-ups and offer a variety of plug-ins to support additional forms of data such as Macromedia Flash or Adobe PDF files.

However, the key difference is that Internet Explorer supports Windows-specific features that Firefox does not - ActiveX controls, .Net client components, and Active Server Pages applications written to emit Internet Explorer-only markup - so some Web-based applications are difficult, if not impossible, to use from Firefox.

Both Internet Explorer and Firefox have facilities to digitally sign plug-ins. However, the signature feature is not universally used, and users are quite likely to accept and execute unsigned and potentially dangerous code.

This is why you should back up your browser with an intrusion-prevention system or adequate anti-virus (ours was running F-Secure's Anti-Virus Client Security) that can detect, notify and/or block malicious code that arrives through the browser.

Rendering architectural conclusions

So does Firefox's architecture make it fundamentally more secure? What we found is that Firefox is not necessarily a more secure implementation of a browser. It simply has fewer features to attack.

It supports fewer and less complex scripting mechanisms so it is not as easy to write powerful, dangerous code inside a Web page that can attack it.

It is not as tightly integrated with any particular operating system. This means there are fewer ways the browser uses operating system-specific features. That means there is less of a chance for an exploit to use the browser as an interface into the underlying operating system.

Also, the open source nature of the code sometimes, but not in a guaranteed manner, provides more peer review of the code and faster turnaround for fixes to vulnerabilities.

The enterprise game plan

It's not realistic to think that you can totally stop using Internet Explorer, especially if your users must access servers that use the rich features it supports over an internal network or through the public Internet.

Can you start selectively using Firefox? If you have a purely browser-based environment, with standards-based scripting and plug-ins, then you can consider this.

Will it make your environment perfectly secure against browser-based attacks? No. Firefox - like other browser alternatives - is not perfect, but the attack surface can be reduced significantly if you rely on fewer complex features, such as ActiveX controls delivered through Web pages.

If your network comprises thousands of users, then this can be a difficult change to execute. On the other hand, it makes sense to compare the cost of securing Internet Explorer with add-on client security products or intrusion-prevention devices to the cost of simplifying/standardizing your browser-based infrastructure.

What to do?

The risk of a browser-based attack against an enterprise network is significant. From a risk management point of view, it is definitely a good idea to look at browser alternatives to Internet Explorer purely based on the sheer number of clients running it. But the environment might not let you remove it because your shop might have built up access to necessary internal resources using Microsoft's technology based on Internet Explorer.

One possible solution would be to mandate the use of Firefox for external access and reserve Internet Explorer for inside-the-enterprise use. Policy-enforcement tools can help implement this sort of a mandate.

Security measures external to the browser, such as application firewalls, intrusion-detection and prevention systems, and the use of policy enforcement systems to ensure clients only access trusted Web sites, can also be considered to address the browser risk.
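The two policies just described, Internet Explorer kept to internal sites with Firefox carrying Internet traffic, and an allow-list of trusted external sites, are what a forward proxy would evaluate on every request. The following is an added example, not code from the article or from any proxy product: the decision logic in plain Python. The internal address ranges, the internal DNS suffix, the trusted-site list and the sample requests are constructed for the demonstration; the User-Agent strings follow the formats Internet Explorer 6 and Firefox 1.0.x actually send.

```python
"""Browser-by-destination proxy policy (added illustration, not from the article)."""
import ipaddress
import re

# Assumed enterprise layout: RFC 1918 ranges plus an internal DNS zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed allow-list; the article's own test sites are used as the sample.
TRUSTED_EXTERNAL = {"www.cnn.com", "www.yahoo.com"}

# IE 6 announces itself as "Mozilla/4.0 (compatible; MSIE 6.0; ...)".
# Firefox identifies itself with a trailing "Firefox/<version>" token.
MSIE_RE = re.compile(r"compatible; MSIE \d")
FIREFOX_RE = re.compile(r"\bFirefox/\d")

# Sample User-Agent strings, constructed for the demo.
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) "
              "Gecko/20050225 Firefox/1.0.1")
UA_OTHER = "curl/7.12.1"


def browser_family(user_agent):
    """Classify the client as 'msie', 'firefox' or 'other' from its UA string."""
    if MSIE_RE.search(user_agent):
        return "msie"
    if FIREFOX_RE.search(user_agent):
        return "firefox"
    return "other"


def is_internal(host):
    """True for hosts inside the internal address ranges or DNS zone."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to the DNS suffix test.
        return host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)


def decide(user_agent, host):
    """Return (verdict, reason) for a proxied request.

    Policy: any browser may reach internal sites; only Firefox may reach the
    Internet, and then only trusted sites; unknown clients get nothing.
    """
    family = browser_family(user_agent)
    if family == "other":
        return "deny", "unrecognised client"
    if is_internal(host):
        return "allow", "internal destination"
    if family == "msie":
        return "deny", "Internet Explorer is restricted to internal sites"
    if host.lower().rstrip(".") in TRUSTED_EXTERNAL:
        return "allow", "trusted external site"
    return "deny", "external site not on the trusted list"


if __name__ == "__main__":
    requests = [
        (UA_IE6, "intranet.corp.example"),
        (UA_IE6, "10.1.2.3"),
        (UA_IE6, "www.cnn.com"),
        (UA_FIREFOX, "www.cnn.com"),
        (UA_FIREFOX, "www.evil.example"),
        (UA_OTHER, "www.cnn.com"),
    ]
    for ua, host in requests:
        verdict, reason = decide(ua, host)
        print(f"{browser_family(ua):8} {host:24} {verdict:5} ({reason})")
```

A User-Agent string is supplied by the client and is trivially spoofed, so this check is defense in depth, not the enforcement itself. The robust form of the same policy gives Internet Explorer a proxy setting that reaches only an internal proxy with no Internet route, and gives Firefox the egress proxy; the User-Agent rule then catches misconfigured clients rather than determined users.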

New releases are coming up

Both Microsoft and Mozilla are actively working to make their browsers more secure. Internet Explorer was updated with XP SP2 to provide better checking on data delivered to plug-ins (MIME type vs. file-extension checking) and to provide more capabilities to digitally sign active scripts that are delivered to the browser. Microsoft has also moved up plans for Internet Explorer 7.0 to later this year.
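The MIME-type-versus-file-extension check mentioned above is the kind of consistency test a download handler can apply before handing data to a plug-in or to the shell: the server's declared Content-Type, the URL's extension and the file's leading bytes should all agree, and an executable arriving under an image or document label is the classic disguise. The following is an added example, not code from the article or from either browser: the check in Python over a few responses constructed for the demonstration. The magic-byte signatures are the real ones for those formats; the verdict thresholds are this example's own choices.

```python
"""Content-type consistency check for downloads (added illustration)."""
import posixpath
from typing import Optional, Tuple, List
from urllib.parse import urlparse

# Leading-byte signatures ("magic") for a few common formats.
MAGIC = {
    b"MZ": "application/x-msdownload",          # PE executable (.exe, .dll, .scr)
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"\xff\xd8\xff": "image/jpeg",
}

# What the URL's extension claims the content is.
EXT_TO_TYPE = {
    ".exe": "application/x-msdownload",
    ".gif": "image/gif",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
    ".html": "text/html",
    ".htm": "text/html",
}

EXECUTABLE_TYPES = {"application/x-msdownload"}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for signature, mime in MAGIC.items():
        if body.startswith(signature):
            return mime
    return None


def declared_type(content_type: str) -> str:
    """Normalise a Content-Type header, dropping parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()


def extension_type(url: str) -> Optional[str]:
    """Return the MIME type implied by the URL path's extension, or None."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return EXT_TO_TYPE.get(ext)


def classify(url: str, content_type: str, body: bytes) -> Tuple[str, List[str]]:
    """Return ('allow' | 'warn' | 'block', reasons) for one response.

    block: the bytes are an executable but neither the header nor the
           extension admits it (a disguised download).
    warn:  some disagreement between header, extension and content.
    allow: everything agrees, or nothing contradicts the header.
    """
    declared = declared_type(content_type)
    by_ext = extension_type(url)
    by_magic = sniff(body)
    reasons: List[str] = []

    if by_magic is not None and by_magic != declared:
        reasons.append(f"content sniffs as {by_magic} but header says {declared}")
    if by_ext is not None and by_ext != declared:
        reasons.append(f"extension implies {by_ext} but header says {declared}")

    disguised = (by_magic in EXECUTABLE_TYPES
                 and declared not in EXECUTABLE_TYPES
                 and by_ext not in EXECUTABLE_TYPES)
    if disguised:
        reasons.append("executable delivered under a non-executable label")
        return "block", reasons
    return ("warn" if reasons else "allow"), reasons


# Constructed sample responses: (url, Content-Type header, first bytes of body).
SAMPLES = [
    ("http://example.test/logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00"),
    ("http://example.test/photo.gif", "image/gif", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://example.test/report.pdf", "application/octet-stream", b"%PDF-1.4\n"),
    ("http://example.test/page.html", "text/html; charset=utf-8", b"<html><body>"),
    ("http://example.test/setup.exe", "application/x-msdownload", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for url, ctype, head in SAMPLES:
        verdict, why = classify(url, ctype, head)
        print(f"{verdict:5} {url}  {'; '.join(why)}")
```

The "setup.exe" case is allowed by this check because header, extension and content agree that it is an executable; whether to run it is a separate decision (signature verification, user consent), which is exactly the distinction SP2 drew between detecting a mislabelled file and deciding what to do with a correctly labelled one.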

Mozilla also has issued a point release of Firefox and has plans for another revision next month. Both browsers support encrypted SSL/TLS connections and authenticated Web sites: the server proves its identity with a digital certificate, and the client can be required to authenticate with a username/password, a certificate or a hardware token. With this in place you can control which sites users can access, and who can access them.

— Rodney Thayer

Microsoft Internet Explorer

Price: Ships as part of Windows.

Pros:

Complex scripting allows sophisticated delivery of services over the Web.

Commercial browser implementation available with support and maintenance.

Integrates well with Microsoft and other vendors’ browser/Web server-based offerings.

Continued enhancements to security, recent examples being the delivery of XP Service Pack 2 and the announcement of Internet Explorer 7.

Encryption and authentication facilities available to strongly control browser access to data.

Cons:

Complex scripting provides remote access to poorly defended system interfaces that were never designed for other than local and/or strongly authenticated use.

In some cases, known vulnerabilities are not corrected for some time and thus exploits exist in the wild for which there is no browser update. An example is the XP SP2 pop-up problem (go to www.nwfusion.com, DocFinder: 6325, for details), which was announced in December 2004 and which still exists in Internet Explorer 6 on XP SP2 as of early this month.

Firefox, Mozilla Foundation

Price: Free.

Pros:

Standards-based browser doesn’t use proprietary features.

Popular open source project is well supported by an active community, which in some cases facilitates faster repairs.

Source code available for review.

More encryption features (support for checking certificate status with the Online Certificate Status Protocol, more recent SSL/TLS cipher suites).

Simpler implementation means less attack surface and fewer paths into lightly defended local system interfaces.

Cons:

No commercial support available.

Less compatibility with proprietary, but de facto standard, Web features such as ActiveX. No guarantee that the open source development team will address new vulnerabilities any faster than a commercial implementation.


Thayer is a private network security consultant in Mountain View, Calif. He can be reached at rodney@canola-jones.com.
