It's been a rough summer for Internet Explorer. A rash of vulnerabilities in the most widely used browser has allowed attackers to spread particularly vicious malware at an unprecedented rate. From exploiting a gaping hole in order to load a keystroke logger from a Russian site to manipulating help features to run arbitrary code, the sheer number of these flaws is driving some people to consider dumping IE in favor of another browser. Organizations ranging from US-CERT to BusinessWeek magazine have advised people to consider using another browser to ride out this vulnerability storm. People often tell me that I should jump on a soapbox and advise folks to move off of IE to help improve their security. But is ditching IE a reasonable way to go?
Let's first consider the chances that the IE onslaught will relent in the near future. IE certainly has had numerous vulnerabilities, and they show no sign whatsoever of letting up. I'm not convinced this is because IE is inherently less secure than other browsers. Instead, it's just a much bigger target. Malware developers focus on IE, given its vast market share. With this motivation for the bad guys, I don't think we'll see a near-term decrease in the number of IE-based exploits. Microsoft has said that Windows XP Service Pack 2 will fix a lot of these problems. But, if we use history as our guide, we can easily foresee a bunch of new security holes ripe for the picking by clever attackers.
So, does that mean you should drop IE altogether? Before jumping to conclusions, you need to calculate carefully the cost of such a change. For home users surfing the Net for fun and e-commerce, switching from IE has virtually no cost. Both the free Firefox and the commercial Opera browsers are wonderful, and support all kinds of nifty functionality. So, if you have a home computer, go ahead and give an alternative browser a shot. You just might like what you see.
Unfortunately, things are not quite so simple in the corporate space, where we face hundreds, thousands or tens of thousands of laptops and desktops, often using homegrown Web-based applications. IE is extremely entrenched in such companies and replacing it with another browser entails major costs, including:
- Direct deployment costs: Installing software on thousands of systems could be a major time investment. Check to see whether your current software deployment tools can help deploy a browser other than IE.
- Management costs: Many organizations are managing their browsers using Microsoft IE Admin Kit (IEAK) or Group Policy. Make sure you check on the flexibility of enterprise management capabilities of competing browsers. Generally, they are far less integrated into Windows and can be harder to manage.
- Application porting costs: This is the big one. If you have any homegrown Web applications or Web services, check to see if they'll run on something other than IE. Many will not. I've seen several financial institutions and consulting firms that use specialized financial and time-reporting tools that could only work with IE. Tens of thousands of dollars would be required to make them compatible with another browser. Locked in? For many organizations, the answer is, "You betchya!"
- User awareness costs: Some users can jump to a new browser and instantly adapt. Other users are so subservient to the swirling blue icon that they can't easily move to another browser without at least a small briefing on its capabilities. Make sure you price in the costs of preparing and delivering such a briefing.
- Help desk and admin training: Beyond end users, your help desk and technical staff will have to support a new environment. Make sure you consider the costs of their training, which will likely be higher than end user training.
Believe me, as a security guy, I wish I could say that security trumps all other issues. However, we've got to very carefully weigh the costs and benefits of ditching IE. If your cost-benefit analysis shows that a switch from IE is worth it, by all means make the switch. If not, batten down your hatches, because the storm doesn't appear to be letting up yet.
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).