
Has IE dug itself a hole?

Jul 12, 2004
Tags: Browsers, Internet Explorer, Microsoft

When another security hole was uncovered in Microsoft Internet Explorer last week, the third in the past month, the U.S. Computer Emergency Readiness Team issued six workarounds to minimize vulnerability, including a suggestion to switch to another browser. Although the idea of ditching IE created lots of industry buzz, the reality of such a move is much different.

“Impossible,” says Jim Knight, senior desktop systems analyst for a $2.7 billion global restaurant company he didn’t want identified.

“It would take a complete rewrite of quite a few applications and would be similar to switching from Windows to Linux for us,” he says. “We have too many applications that require IE 5.5 or greater, and if we were to switch browsers more than half of our client base would be unable to perform their jobs.”

US-CERT’s advice to switch came with a caveat: using a browser other than IE could reduce functionality on IE-specific Web sites, and IE, which is baked into the Windows operating system, still would be invoked by various applications. US-CERT also suggested disabling ActiveX, which was at the heart of the most recent vulnerability, keeping anti-virus software up to date, and refraining from clicking URLs within e-mail.


The IE caveat wasn’t news to those who have tried to switch browsers but keep getting pulled back to IE because of its proprietary scripting features and deep integration with Windows. IE is used to render HTML within many Web-based applications that run on Windows.

Keith Mann, network engineer for Harrison School District Two in Colorado Springs, says: “We tried to be an all-Netscape shop, but we ran into too many applications that don’t work without IE. We can’t do Windows Update downloads with Netscape.” Windows Update is the Microsoft site that provides security patches for Windows software.

Mann, who says the growing list of IE vulnerabilities is why he wants out, says the inability to leave IE can be traced to developers who have had to decide how to prioritize their time. With IE owning 94% of the browser market, according to a Web analytics firm, Mann says Web developers naturally use the ActiveX and scripting controls that are proprietary to IE and not supported in other browsers such as Netscape and Mozilla.

Despite the complications of moving from IE, discovery of the security hole last week led to a one-day spike in downloads of Mozilla, the second-leading browser, from 100,000 to 200,000, according to the Mozilla Foundation.

“If developers don’t start writing to the broader Web standards then we won’t have any choice outside IE,” Mann says.

Experts agree that browser choice is something hard to come by these days.

“There is not a real good answer for the enterprise,” says John Pescatore, an analyst with Gartner. “IE is really bad. It is riddled with security problems, but it is pretty much impossible for companies to move away from it.”

He predicts that corporations would see on average about 3% of Web-based applications break if IE were replaced. While that appears to be a small number, he says it could include critical applications and would foster costly spikes in help desk calls.

In addition, others say moving to another browser won’t guarantee a secure environment. They say if other browsers had the market share and scrutiny that IE has, they too could be security risks.

“Until those browsers are vetted on the level that IE is vetted, we don’t know what exposures are there,” says Rob Enderle, president of consulting firm Enderle Group. Furthermore, he says, developers of those browsers don’t have a generally accepted enterprise support infrastructure to address security issues and vulnerabilities.

Just last week, a vulnerability was exposed in Mozilla’s software, affecting the Mozilla Application Suite as well as the forthcoming Firefox browser and Thunderbird e-mail client. The Mozilla Foundation released a patch for its Windows software only; the vulnerability allowed attackers to launch rogue programs on Windows systems.

Chris Hoffman, engineering director for the Mozilla Foundation, disputes claims that the open source browser is not ready for the enterprise market.

“Mozilla came from Netscape, which was used by a number of large enterprises,” he says. “It’s attractive with its cross-platform support and strong security architecture.”

Mozilla builds its trust model around local applications themselves and uses dialog boxes that let users approve or reject any code that a Web site might try to download to a desktop. “Microsoft hides some of that from the user,” Hoffman says.

Microsoft says changes are coming, and the first will be in Windows XP Service Pack 2, due out in the next 60 days. Microsoft is changing IE’s domain/zone security model, including a Local Machine Zone Lockdown that restricts what script and ActiveX content can do when it runs in the highly privileged Local Machine zone, so that content from a less trusted zone can no longer borrow those privileges. That cross-zone escalation was part of the exploit of the latest IE security hole.
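The two settings discussed in this article, the per-zone ActiveX permissions behind US-CERT’s “disable ActiveX” workaround and the SP2 Local Machine Zone Lockdown feature control, are both plain registry values, so an administrator can audit a desktop for them. The following script is an added example written for this page, not code from US-CERT, Microsoft or the companies quoted; it reads the documented IE zone value names (1001, 1004, 1200, 1201 under the Internet zone, zone 3) and the per-process FEATURE_LOCALMACHINE_LOCKDOWN key, and changes nothing. The function names are this example’s own.

```powershell
# Added example (not from the article): audit the Internet-zone ActiveX settings that
# US-CERT's workaround touches, and the XP SP2 Local Machine Zone Lockdown control.
# Read-only. Zone value names/meanings follow Microsoft's documented IE zone layout.

$zonesRoot    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
$internetZone = Join-Path $zonesRoot "3"      # zone 0 = Local Machine, 3 = Internet

# Zone DWORD names that govern ActiveX, and what each controls.
$activeXValues = @{
    "1001" = "Download signed ActiveX controls"
    "1004" = "Download unsigned ActiveX controls"
    "1200" = "Run ActiveX controls and plug-ins"
    "1201" = "Initialize and script ActiveX controls not marked as safe"
}
# Zone setting data: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$meaning = @{ 0 = "Enabled"; 1 = "Prompt"; 3 = "Disabled" }

function Get-ZoneActiveXStatus {
    param([string]$ZonePath)
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($name in ($activeXValues.Keys | Sort-Object)) {
        $raw = $props.$name
        $state = if ($null -eq $raw) { "not set (IE default applies)" }
                 elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                 else { "unknown value $raw" }
        [pscustomobject]@{ Value = $name; Setting = $activeXValues[$name]; State = $state }
    }
}

# SP2's Local Machine Zone Lockdown is a per-process feature control: a DWORD named
# after the executable (e.g. iexplore.exe) set to 1 under this key. On pre-SP2
# systems the key does not exist at all, which this function reports as "off".
$lmzKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"

function Test-LmzLockdown {
    param([string]$Process = "iexplore.exe")
    if (-not (Test-Path $lmzKey)) { return $false }
    $v = (Get-ItemProperty -Path $lmzKey -ErrorAction SilentlyContinue).$Process
    return ($v -eq 1)
}

Get-ZoneActiveXStatus -ZonePath $internetZone | Format-Table -AutoSize
$lmz = if (Test-LmzLockdown) { "on" } else { "off or unavailable (pre-SP2)" }
"Local Machine Zone Lockdown for iexplore.exe: $lmz"
```

Two caveats when reading the output: the HKCU zone values are what applies to the logged-on user unless the machine enforces zone settings from HKLM via policy, in which case the HKLM copy under the same relative path wins; and “Disabled” for value 1200 removes ActiveX from every Internet-zone site, which is exactly the breakage the administrators quoted above are worried about, so check the Trusted Sites zone (zone 2) separately before relying on it as a workaround.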

Microsoft, however, has not committed to making the same architectural changes on older operating systems. According to Gartner, less than half of the Windows client installed base runs XP.

“We’re evaluating how much work it would take to do that [backward-compatibility] and if users would deploy it,” says Gary Schare, director of Windows client security for Microsoft. Microsoft also is planning new IE innovations that could be released with its Longhorn version of Windows, which is due in 2007, or separately before that time.