Published: 19 Aug 2004
Following the discovery that several major financial institutions' Web sites were being used to spread an Internet Explorer exploit, The Register ran the story, "CERT recommends anything but IE."
CERT's point is that enterprises and individual users can reduce their risk exposure by using browsers that aren't as susceptible to Web-based exploits.
So, why are we giving malware writers easy targets? Why aren't we switching to more secure browsers?
When Robert Morris released his famous worm in 1988, it wasn't capable of infecting most Internet-attached systems because there was a healthy diversity of OSes. But modern worms achieve huge infection rates because we're all running the same operating systems and programs.
Given this apparent problem with IE, should we look to alternatives? Absolutely.
The commercial Opera browser runs on Windows, Unix, Mac and even cell phone OSes. Opera is blindingly fast and relatively inexpensive. But if commercial tools don't fit your budget, there's Mozilla, the open-source offshoot of Netscape (the original Web browser). Both Opera and Mozilla would help organizations to avoid the next IE exploit.
Microsoft might claim that you're losing interoperability by switching browsers, but this isn't always the case. Some Web pages may not appear as pretty as in IE, but it doesn't go deeper than that. Opera renders pages just as well as IE.
As long as we're considering alternatives, let's look at operating systems. This column was written with Microsoft Word running on a Linux system, using a commercial tool called CrossOver Office. Available for $40 for a single license, it allows users to run Microsoft Office, Outlook, Project, Visio, Lotus Notes, Adobe Photoshop, QuickBooks, eFax and other popular apps on Linux. I can even run these as a lesser-privileged user to prevent vulnerabilities in Microsoft software from allowing hackers and worms free rein over my system.
Best of all, from the migration perspective, CrossOver Office ships as part of the Debian-based Xandros Linux Desktop, which syncs out of the box with Windows 2000 Active Directory or a Windows NT PDC.
For a long time, Linux enthusiasts have been told, "Users don't care about operating systems, they just want their applications to run." IT managers don't consider Linux for the desktop because they expect to lose application support. Perhaps these worries are unfounded.
CrossOver Office isn't the only tool allowing Linux desktops to integrate into the Microsoft enterprise. Novell's Evolution (free) provides Linux users a client for Microsoft Exchange and Novell GroupWise.
Moving from Windows to Linux isn't a new concept, but products like CrossOver Office and Evolution are making it easier. IBM, Novell and many smaller players offer migration assistance and consulting, and there are multiple books and training courses.
Whether you only migrate away from IE or wholly to Linux, you can dodge many prodigious and insidious attacks. The alternatives won't make you bulletproof, but they may reduce your risk exposure.
About the author
Jay Beale is the lead developer of Bastille Linux and the editor of Syngress Publishing's Open Source Security series.
Note: This column originally appeared in the August issue of Information Security magazine.