The Press Democrat printed an alarming article today under an even more alarming headline: “Government suggests Web users avoid Internet Explorer.” The article was picked up from Newsday.
Before I comment on the article, you must understand there are legitimate reasons to be paranoid and cautious online. Many bad things are going on, and you have more responsibility to avoid them than ever before. You simply may not click freely or you will pay nasty consequences. Here’s my summary of the Rules for Safe Computing – ignore them at your peril!
Despite the alarming article, nothing has fundamentally changed in the world that requires you to drop Internet Explorer. Windows and Internet Explorer can be broken by bad people. Every other operating system and every competing browser can be broken by bad people. The SANS Institute (the group behind the alarming news stories today) maintains a list of the top twenty Internet Security Vulnerabilities – ten for Windows, ten for Unix. One independent group found that Linux, not Windows, had the most security vulnerabilities discovered each year for five years in a row. Every vendor of a product that touches the Internet is responding to security attacks and issuing patches – every single one. Anyone who tells you otherwise is fooling you.
The folks counseling a switch to another browser are motivated by two things: one, the belief that Windows and Internet Explorer will continue to attract more attacks because they are so widely installed; and two, the desire for publicity.
The first concern has some truth to it. But you’re using Windows and Internet Explorer precisely because they are widely distributed and well supported, and because all web sites expect you to be using them. There is safety in obscurity; if you use the Opera browser, for example, you will join a small community using a browser that can’t display some web pages designed for Internet Explorer, and you’ll experience bugs and problems that no one near you will be experiencing. You also might avoid security exploits affecting Internet Explorer. Have you taken a step forward? Looks like sideways or backwards to me.
To be honest, the desire for publicity drives much of the rhetoric. When new exploits are discovered, there are always spokespeople asserting that they are the worst threat in the history of the world and drastic action is required. The spokespeople are almost always affiliated with companies that stand to gain from alarming people. The articles about virus attacks quote people working for antivirus vendors. Today’s article was primarily driven by the SANS Institute’s Internet Storm Center – which discovered the exploit in today’s news and happily gave quotes about how awful it is. Like many others, the SANS Institute will only be profitable if people pay attention to it.
There have been two exploits in the last few days. One would potentially cause information to be transmitted to a server in Russia. The server was taken down almost immediately. Another one could potentially install malicious software on your computer through popups. There are virtually no reported instances of it in the real world.
Today’s news article mischaracterized the advice by CERT (the government’s “Computer Emergency Readiness Team”). “The federal government’s cyberdefense experts, along with other computer gurus, are urging users to consider a switch away from Microsoft’s widely used Internet Explorer because of new security problems.” Take a look at the CERT advisory for yourself. There are six suggestions; using a different browser is last in the list and gets no special emphasis. In fact, CERT warns that using a different browser might “reduce the functionality of sites that require IE-specific features” (in other words, a lot of web sites won’t load any more) and you may be exposed to the problem anyway.
With that in mind, you still might want to increase the security settings in Internet Explorer. You will be turning off or limiting some “insecure” technologies that were created so web sites could do cool tricks. If you increase your security settings, you will cause warning messages to appear frequently and some web sites will stop working – don’t be surprised! Microsoft bears some responsibility for leading us to believe that the cool tricks could be done completely safely, and I hope they are sweating to get patches out the door – and Service Pack 2 can’t come soon enough. But I’m going to keep using Internet Explorer.
Be careful out there!