Last post Author Topic: Is it finally time to abandon IE?  (Read 22969 times)

zridling

  • Friend of the Site
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 3,299
Is it finally time to abandon IE?
« on: December 17, 2008, 07:02 AM »
Yesterday's BBC story on IE's latest security flaw makes me wonder whether it's time to give up on IE and [permanently] move on to another browser. Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat." Further, "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. As far as I understand it, that means there is a real danger that Internet Explorer 6, 7, and 8 users could be opening the door to cyber criminals to allow them to ransack the contents of your hard drive."

What to do?
- Make sure anti-virus software is up to date.
- Run Internet Explorer 7 or 8 in "protected mode."
- Set Internet Explorer zone security setting to "High."
- Windows users should enable Automatic Updates so that they get any patch that is issued ASAP.

Bruce Schneier has long held that Microsoft sees security as a marketing problem rather than a technical problem. How many more chances do we give IE, or is it finally time to switch, given the many good choices available?

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
Re: Is it finally time to abandon IE?
« Reply #1 on: December 17, 2008, 07:08 AM »
Or just wait for a patch as again, I have not been affected by a single security exploit which wasn't ActiveX related since IE6 SP2. Every time a new security hole is found, the fanatics jump at the chance to bad-mouth Microsoft. I have stayed patched for years and have never been exploited by IE, again, since V6 SP2.

mrainey

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 439
Re: Is it finally time to abandon IE?
« Reply #2 on: December 17, 2008, 07:28 AM »
I've been using Windows exclusively for the past dozen years or so (but not IE for the past five - just don't like it).  I stay patched and try to use common sense.  In all that time, nothing has taken control of or otherwise "zombified" any of my computers.    I'm pretty sure of that, because I don't get porn popups and my bank account hasn't been cleaned out.

Knock on wood, I guess.
Software For Metalworking
http://closetolerancesoftware.com

Josh

Re: Is it finally time to abandon IE?
« Reply #3 on: December 17, 2008, 07:31 AM »
That, and calling for users to switch due to security holes is just sheer idiocy. Every product has security holes, some get more attention because the product is used far more and by more people. The products used less get noticed less when a hole is found. A hacker is not going to spend hours trying to exploit a hole in a product that only 1-2% of the users use. To get noticed, you have to exploit what is in wide use. Put Firefox in IE's shoes and you will see the same thing. How many times have I had to install a second update (3.03 to 3.04) just to fix a problem that the last update 2 days prior introduced? Microsoft at least takes time to fix and test their patches.

justice

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,898
Re: Is it finally time to abandon IE?
« Reply #4 on: December 17, 2008, 07:37 AM »
Just don't run IE as an administrator and then this flaw is already a lot less severe. Most other flaws are not applicable when run as a limited user.

Josh

Re: Is it finally time to abandon IE?
« Reply #5 on: December 17, 2008, 07:39 AM »
Plus, what if I were to drop every product that had a security hole? I wouldn't even be allowed to use my computer with the exception of maybe Reversi from Windows 3.0.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
Re: Is it finally time to abandon IE?
« Reply #6 on: December 17, 2008, 07:55 AM »
Being a Windows user and giving up IE 100% is not as easy as you might think. It's not as simple as installing and using something else as your default browser.

There are a great number of applications that use IE's rendering engine in many ways. Many of them even depend on it for their primary functionality.

One example would be a desktop RSS reader that when you click a link in a feed, opens the page in a tab of the reader. Most of them that do this are using IE and very few give you an option to use an alternative rendering engine. And many do not give you the option to open links in your external default browser.

I also know of at least one application that has an alert bar that uses IE to display messages related to the availability of application updates/upgrades and status of the network it connects to.

And then there are applications like Weather Watcher, that use IE to display weather data from a server.

If you use any applications like these, you are still using IE, even if you are using an alternative like Firefox or Opera for your default browser.

Now, how do you get Windows developers to stop using IE in their applications, when it is so much easier to use it than using something else? (for some languages it's just a matter of double clicking)

And if they use it, and there is a security issue belonging to IE, it's not their responsibility to fix it...it's a big corporation that has plenty of developers and can afford to put a bunch on it that has to fix the issue...namely, Microsoft.

Do you think small developers are going to want to write and maintain their own browser engine? Do you think if they did that it would be safer to use their software? Do you think they are going to want to increase the size of a simple application to include a copy of a different engine in case the user doesn't have Firefox installed?

And what about when there is a security issue with Firefox? (yes, it does happen) Then they are right back at the same spot they were in when they were depending on IE.

So what would be the point in increasing the amount of work it takes to produce what should be a simple application if the end result is worse or no different than keeping it simple and using IE?

fenixproductions

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 1,186
Re: Is it finally time to abandon IE?
« Reply #7 on: December 17, 2008, 08:22 AM »
2app103
I agree with you in a few parts. Internet Explorer itself is not used in development, only an ActiveX control (called Microsoft Web Browser) that is delivered with it.

We should also remember that there is no other good enough free web control. There is something called Mozilla ActiveX but its development stopped a few years ago (2005). Opera sucks in this field too. I will not even mention Safari or Chrome ;)

On the other hand: some developers overuse it for many reasons (like tight deadlines or laziness). The best example of such behaviour is PSI from Secunia. They are using it for almost the whole GUI (screens).

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 1,321
Re: Is it finally time to abandon IE?
« Reply #8 on: December 17, 2008, 08:25 AM »
Josh, I don't want to be an idiot. So what can I do when IE apparently is not secure?

Josh

Re: Is it finally time to abandon IE?
« Reply #9 on: December 17, 2008, 08:40 AM »
Where did I say you were an idiot? If I said that or implied that somewhere in my post, please point it out to me as I will correct it. What I did say was that telling a user to switch because a security hole exists is not the right answer. Most of these exploits require a bit of user interaction for them to function. A lot of them won't function in a normal user mode. My statement about idiocy, again, was not directed at a particular user, but the idea that we should switch products when it has a security hole. Software is programmed by man, man by nature is prone to error, thus, software is prone to error.

What can you do? Educate yourself. Many users are trained by themselves and out of habit to click yes automatically, or whatever makes the message box go away. Many people install programs and do not take the time to read the screens and then complain when they have hundreds of pieces of malware on their machine.

IE might have security holes, but please show me, how many have working exploits in the wild and what is the percentage of users affected by said holes? I don't mean what is the POTENTIAL number of affected users, I want to know what the ACTUAL affected user numbers are.
« Last Edit: December 17, 2008, 08:47 AM by Josh »

zridling

Re: Is it finally time to abandon IE?
« Reply #10 on: December 17, 2008, 09:04 AM »
Indeed, no software (and no OS) is completely secure (repeat 3 times and click your heels), therefore it's really a question of where you draw the line. Since IE is a repeat offender, how many more strikes do you give it before you give up?

If you're willing to live with the hassle and ongoing risks, then your chances of being one of the 2% -- or whatever this week's number is -- is worth it. I thought IE7 would knock a lot of these recurring threats down, but it doesn't appear so. I don't know, but does UAC help with these attacks if someone tries to install something on your system, or does UAC only apply to the OS?

Josh

Re: Is it finally time to abandon IE?
« Reply #11 on: December 17, 2008, 09:09 AM »
I receive alerts a lot of the time. When it comes to IE installing something, you get prompted when a control tries to install itself (ActiveX). Not once has something gotten by me that I didn't personally choose to install. Security really boils down to a matter of how comfortable a user is with the tools they are given. If they are happy with their A/V, Firewall, Ad removal tool, Anti-spyware tool and hardware router? Then I guess to them the risk is worth it. To each their own. I have qualms with the idea of switching to a SUPERIOR product if it is justified, but switching to another product which has its own set of flaws just to get rid of another set of flaws isn't really a justification or cause to switch, TO ME.

IE has proven rock solid to me. Granted, I don't use it as much as I used to. I use it all the time where I am now because it's what the government computers use, but I guess it proves that IE can be very secure because the gov't and US Military rely on it. They have recently authorized Firefox for the users who want to use it, but as app pointed out, a lot of the applications the US Military uses rely on IE (websites). Firefox does not support smart card authentication very well and as such is not as accepted in the community.

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
Re: Is it finally time to abandon IE?
« Reply #12 on: December 17, 2008, 09:52 AM »
Is it finally time to abandon IE? How many more chances do we give IE, or is it finally time to switch, given the many good choices available?

That depends on your security practices. If you patch Windows regularly, you run the browser with limited rights (or use Vista), and you're behind a firewall (hardware or software), I guess it's OK to continue with it. Personally, I switched a long time ago. Well, I never switched because IE never was my main browser (unless I was forced to use it), but that's another story.

IE might have security holes, but please show me, how many have working exploits in the wild and what is the percentage of users affected by said holes? I don't mean what is the POTENTIAL number of affected users, I want to know what the ACTUAL affected user numbers are.

That you have never been infected, or that there are no actual numbers, doesn't downplay the severity of the hole. Given the time window between when the hole is discovered and when it is patched, it's almost impossible to quantify how many people were infected, and if it was due to the 0-day exploit or not; there are many variables in play, so you can't have reliable statistics. But it happens. I've even witnessed a live exploit of this particular hole, thank heavens for AV and DropMyRights.

In any case, the patch is right round the corner, so patch as soon as you can. And that's especially important for the IE users who are not as security-savvy as the users around these forums, for one reason or another.
« Last Edit: December 17, 2008, 10:27 AM by Lashiec »

justice

Re: Is it finally time to abandon IE?
« Reply #13 on: December 17, 2008, 10:19 AM »
Yeah this latest one has infected Abit's website and 20.000 websites are infected daily.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
Re: Is it finally time to abandon IE?
« Reply #14 on: December 17, 2008, 10:23 AM »
Josh, I don't want to be an idiot. So what can I do when IE apparently is not secure?

Extremetech put up a few quick&dirty articles on workarounds to the problem. Worth a read since there's a lot of hysteria and bad information floating around the web about the problem.

Beware: All IE Versions Vulnerable To Attack
http://www.extremete...,2845,2336805,00.asp

How to Safeguard Against New IE Vulnerability
http://www.extremete...TRSS02129TX1K0000532




Dormouse

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,954
Re: Is it finally time to abandon IE?
« Reply #15 on: December 17, 2008, 10:39 AM »
To stay protected, it pays to be informed about risks as they occur, and to have options.

I use Opera, and FF, and increasingly Iron/Chrome and occasionally IE. I see few advantages to using IE, so I avoid it, partly for the benefits of the other browsers but also for the reduced risks of not using the most prevalent programs. If I see a risk with one, I switch to using the others until it is sorted.

I use the same approach for most types of programs, though still use XP more than Linux.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: Is it finally time to abandon IE?
« Reply #16 on: December 17, 2008, 11:09 AM »
I switched away from IE quite a while ago, and I haven't looked back since - there are no features in IE that I miss in Firefox, and with IE7 and onwards the only advantage IE had over FF (faster loading speed) disappeared (in fact, it loads slower than FF with a bunch of extensions now, and tabs open slower as well). Sure, Firefox isn't bug-free, but I can't remember the last exploit it had that allowed code execution - most flaws have been relatively limited-scope stuff like cross-site scripting that require a fair amount of work to successfully exploit. Add noscript and adblockplus to the mix, and well... :)

Sure, there are applications that use the IE browser control internally (and I'd stay away from any email client doing this!), but you don't generally use those apps to browse the internet at random - the infection vector is pretty small with those.

And of course IE is going to be attacked more than other browsers because of its market dominance, but it's not like there isn't security research going on targeting the other browsers... and the holes in IE have by far been the most severe. Moving to another browser is a good idea - or at least use Vista with UAC and IE8 in protected mode. Or if you insist on an administrative account or the like, use something like DropMyRights to reduce the attack vectors.
- carpe noctem

40hz

Re: Is it finally time to abandon IE?
« Reply #17 on: December 17, 2008, 12:25 PM »
Corrective patch is now available from Microsoft 17-Dec-2008 via Windows Update or direct download.


Josh

Re: Is it finally time to abandon IE?
« Reply #18 on: December 17, 2008, 12:36 PM »
Pretty quick patch if you ask me

CWuestefeld

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,009
Re: Is it finally time to abandon IE?
« Reply #19 on: December 17, 2008, 12:37 PM »
As Josh said, people are quick to jump all over MS, but other parties have just as many problems. Perceptions aside, FF has had as many days vulnerable to critical exploits as IE (sorry, I don't have citation handy, but I have seen the actual numbers). Flash has had problems, and I believe that Adobe Acrobat Reader has had a critical exploit sitting unpatched for months.

A coworker sent me this quote this morning (emphasis mine):
“Microsoft (NSDQ:MSFT) said Tuesday that the company intends to release an out-of-band patch for a monster error affecting all versions of the Internet Explorer Web browser, which has caused hackers to launch malicious attacks to steal information and take over computers without any user intervention.”

http://www.crn.com/security/212500766
How can they say that the error actually causes the hackers to exploit it?

Anyway, app103 is going off the deep end. Even if you want to ditch IE because of this, there's no reason to eradicate it from your machine: the exploit can only be ... exploited when using IE to surf.

My own NANY 2009 entry, LifeSaver Diary, uses IE for the display and editing of diary entries. As long as you trust the developer not to inject exploitative code into the browser, there's absolutely nothing else to worry about. Surely you're not going to hack into your own system by entering malicious diary entries.

Darwin

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,984
Re: Is it finally time to abandon IE?
« Reply #20 on: December 17, 2008, 01:46 PM »
I'm sort of happy that this happened. I've been using, and loving Maxthon for years (started using it when it was in beta years ago, version 0.7x) and have tried many times to switch to Firefox. This latest issue has forced me to use it, get to know it, and to bend it to my will. I love it! Only thing I miss are Maxthon's mouse gestures. The add-ins for Firefox are clunky.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
Re: Is it finally time to abandon IE?
« Reply #21 on: December 17, 2008, 02:25 PM »
As Josh said, people are quick to jump all over MS, but other parties have just as many problems. Perceptions aside, FF has had as many days vulnerable to critical exploits as IE (sorry, I don't have citation handy, but I have seen the actual numbers). Flash has had problems, and I believe that Adobe Acrobat Reader has had a critical exploit sitting unpatched for months.

Quite true, this is the first real IE Security Hole that has been found in a while. The other batch of nasties that have shown up as of late were specific to plug-ins that are used (to exploit) all browsers currently on the market. Flash (which sadly is Adobe these days) had its share of holes and between being way more powerful than it should be for a graphics plug-in, and being developed by a graphics company with no clue about security outside of piracy... is apt to be a PITA for some time to come.

Then there is Sun's Java with ALL the VM's memory preallocated as writable, Cripes! Whose bright idea was that? I've hated it ever since their last fight with MS when they wanted everyone to have the "Full Benefit" of their complete package instead of the stripped down version MS was providing. The stripped down version was lighter, faster, and safer IMO. I refuse to install Java on anything these days, it's just too bloody risky.

I use IE, I like IE, I have no problem with FF ... But the last time the (Media Circus and so called) Security Mavens started chanting switch to FF it got clobbered with new exploits two months after the (Lemmings) public started to move to it.

All the (System Crippling baby-sitter) security suites in the world will not help the typical uninformed end user that will randomly click on anything that shows up on the screen just to get back to what they were doing. Reduced permissions (both simple & free) have however quickly proven effective as if the user doesn't have permission to break the machine...neither does the bug.

The only thing that will truly "Fix" the internet security issue is a change of attitude. People need to stop thinking of their computers in the context of a TV or radio, and start thinking of it in the (exact) same context as their car.

Not paying attention on the Interstate highway, you die (or have a costly repair).

Not paying attention on the information highway, you die (think identity theft, etc.) or have a costly repair.

Same Same...It's not a friggin Radio... :)

Darwin

Re: Is it finally time to abandon IE?
« Reply #22 on: December 17, 2008, 03:37 PM »
Well, as mouser has just pointed out - the IE patch is out. Now I can start comparing Maxthon and Firefox back to back.

MrCrispy

  • Participant
  • Joined in 2006
  • *
  • Posts: 332
Re: Is it finally time to abandon IE?
« Reply #23 on: December 17, 2008, 04:50 PM »
I wish Firefox had Protected Mode. It really makes IE on Vista so much more secure.


f0dder

Re: Is it finally time to abandon IE?
« Reply #24 on: December 17, 2008, 05:24 PM »
I wish Firefox had Protected Mode. It really makes IE on Vista so much more secure.
DropMyRights?

Btw, one thing is a vulnerability "severity" rating - another is how bad it actually is. Cross-site scripting is sorta bad, and might be classified as critical... but it's nowhere near as bad as code execution, even if both are rated "critical".
- carpe noctem