Over the past decade, Microsoft Windows has grown from a focused operating system into a desktop swiss army knife. Kick start any new Windows PC and you'll find a web browser (Internet Explorer), e-mail client (Outlook Express), and personal firewall (Windows Firewall). While these default applications simplify computing for end users, they are not always revered by network administrators. Internet Explorer and Outlook routinely make the SANS Top 20 list of Internet Security Vulnerabilities. As a result, many administrators are now taking a hard look at other alternatives.
Exploring other options
Microsoft went to court to defend its right to install Internet Explorer (IE) on every Windows desktop. But code bloat, complexity, and security vulnerabilities have crippled IE in a way that the US Justice Department could not. According to the SANS (SysAdmin, Audit, Network, Security) Institute:
"Internet Explorer contains multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an e-mail. Exploit code for many of the critical Internet Explorer flaws are publicly available. These flaws have been widely exploited to install spyware, adware and other malware on users' systems... In many cases, no patch was available at the time the vulnerabilities were publicly disclosed."
To reduce these concerns, SANS strongly recommends upgrading Windows PCs to Service Pack 2. This long-awaited update included numerous security patches, including an IE Pop Up blocker, an Add On Manager, and many explicit download warnings. For additional detail, see What's New for Internet Explorer and Outlook Express. If you cannot upgrade to SP2 immediately, SANS recommends that you stop using IE and move to an alternative browser.
In fact, IE's security woes have created a healthy demand for alternative browsers. In Part 2 of this series, we will explore several popular free web browsers. Changing browsers can help you avoid IE bugs, old and new. For example, Browser Helper Objects (BHOs)—add on programs executed along with IE—are frequently exploited to install hidden spyware and adware programs. Using an alternative browser can eliminate this BHO threat. IE ActiveX Controls or Active Scripting are also common attack vectors. Using another browser that lacks ActiveX support can effectively neutralize these attacks.
On the other hand, there are many websites that depend on these and other IE features (like Microsoft proprietary HTML tags) for data presentation and user interaction. Moving to another browser can inhibit your ability to use websites that were designed for (or tested only with) IE. To address this issue, many users still keep IE around for emergencies, when they really must access a website that requires IE-specific features intentionally omitted from alternative browsers.
Security is one big reason for using an alternative browser. Although SP2 is widely acknowledged as a significant security improvement for IE, its security model is still complex and intrusive. End users are constantly presented with security decisions, but lack the information or motivation to make sound choices. Too many of us routinely click "Ok" or "Accept" when prompted to continue a web connect or download request.
Furthermore, Microsoft has a big target painted on its back. Attackers have already started picking apart alternative browsers, as, for example, this Top 20 entry shows. But there is no reason to expect that new exploits against IE will diminish. And so the game will continue: exploit, patch, exploit, patch, ad infinitum. Even with automated updates, patching is time consuming and cannot eliminate "zero day" vulnerabilities—exploits for which no fix is already known. On the other hand, deploying an alternative browser to every desktop requires both patch management AND software distribution, so don't overlook these administrative costs.
Finally, there other good reasons why alternative browsers are rapidly gaining favor. Many have capitalized upon common IE complaints, turning them into opportunities for improvement. Alternative browsers can be smaller, simpler, and faster than IE. They can require (and allow) less end user configuration. They may offer more user friendly features like tabbed browsing and mouse gestures. Part 2 of this series will take a closer look at features that contribute to the popularity of other free browsers.
http://www.isp-planet.com/technology/2005/secure_windows_1a.html
