Since its release, Internet Explorer (IE) has been Microsoft's weakest security point. As the most common browser in the world, it is a malicious hacker's most popular target. Nearly 85 percent of the world's computers run IE (see ). By exploiting IE vulnerabilities, hackers and criminals gain the largest possible foothold into the greatest number of potential victim machines.
To decrease the risk of new malicious attacks utilizing IE and to restore consumer confidence, Microsoft created Internet Explorer 7.0. It contains dozens of security and feature improvements. IE 7.0 was pushed down as a critical upgrade for Windows XP Pro near the end of 2006, and it is the browser installed with Windows Vista.
Should You Use Another Browser?
Many security "experts" recommend that IE be replaced by some other "more secure" Internet browser. Often they recommend Mozilla Firefox (http://www.mozilla.com/firefox), Safari (http://www.apple.com/macosx/features/safari), Opera (http://www.opera.com), or one of the other less known alternatives (Netscape, Lynx, Konqueror, and so on).
Note: Safari and Konqueror are not available natively for the Windows environment. However, both can be installed using emulation or interfacing software.
The belief is that because Internet Explorer is the most hacked software target in the world, switching to another browser will make any computer user more secure. And in the short run this statement might be true, albeit with a loss of key functionality.
But if everyone switched browsers to some other popular standard, the malicious hackers would just attack that product, and would probably be just as successful. Hackers hack popular software. They want the most bang for their effort. As a product becomes more popular, so too does the number of attack attempts and announced exploits.
For example, Internet Information Server 6 (IIS 6) has a 19 percent worldwide market share in public web servers. Open source Apache (http://www.apache.org) has a 79 percent market share. IIS 6 has had three exploits (http://www.secunia.com/product/1438) since its release in March 2003. Apache 2.x has had over 30 vulnerabilities (http://www.secunia.com/product/73) in the same time period. We can either say that Microsoft IIS 6 is significantly more secure than open source Apache, which may be likely, or that Apache's wider popularity and availability attracts more hackers. Either way, market share attracts hackers. Similar statistics occur on nearly every product type and platform, with few exceptions.
When Mozilla's Firefox 1.0 (http://www.mozilla.com/firefox) came out in November 2004, it was heralded as the world's best and most secure browser. And a lot of the world bought the hype and switched from IE. Since late 2004, Firefox has garnered anywhere from 8 to 15 percent of the Internet browser market, depending on whose survey you believe.
Firefox is a great, open source browser. But more secure? According to Secunia (http://www.secunia.com/product/4227), Firefox 1.x has had over 35 announced vulnerabilities discovered since its release. Since June 2006, the time period when IE 7 announced its first public security advisory, Firefox 2.x has had 6 advisories to IE 7.x's 9 (as of April 2007). Do you think Firefox will become more or less hacked as it becomes more popular? Browser vulnerability statistics ebb and flow with each month's discovery announcements, but can an Internet browser with nearly as many security advisories as IE be considered the secure alternative?
Other browsers look like less promising security alternatives if their market share is compared to the number of found vulnerabilities (see Table 1).
No single set of numbers measuring only one vulnerability facet can begin to summarize one browser's security over another. The main takeaway idea from Table 1 is that all browsers have holes and exploits, which increase with popularity. This makes sense as more people and hackers use and test the software.
Switching from one browser to another may provide a temporary measure of security, but if the world decides to make a new browser the more popular, the security through obscurity benefit begins to fade. In a large organization, switching all the users from one browser to another may provide a temporary benefit. But after all the hard work and re-education, the security risks may end up the same.
The real answer is that all popular browsers can be used securely to minimize the risk of malicious exploitation. IE 7, in particular, has a very robust, granular security model. It defeats all the past attacks and raises the bar for future attacks.
But remember that ultimately there is no such thing as a completely secure Internet browser. If you choose to install an Internet browser and connect to the Internet, you have increased the risk of malicious exploitation, regardless of the browser.
High security networks, such as the United States Armed Services classified networks, don't allow their computers to connect to the Internet. If you want to eliminate the risk of an Internet browser attack, don't install an Internet browser or don't allow connectivity to the Internet. But if you simply want to minimize risk as you and your end users browse the Internet, then the rest of this chapter is for you.