Security problems are driving users away from Internet Explorer. Could the end of Microsoft's Web browser be on the cards?

This summer the US Department of Homeland Security

Don't bet on it. Recently discovered flaws in the Mozilla browser illustrate that it is not immune to exploits. Windows XP Service Pack 2 provides new protections against IE-specific attacks (and IE's tight integration with Windows prevents you from uninstalling it, anyway).

Still, with no end in sight to Web-based attacks, neither alternative - patching IE or switching to a non-Microsoft browser - is by itself sufficient to ensure online safety.

Popular target

IE's sway is impressive - in June, IE's global browser usage share was 95 per cent, according to the Web analytics firm WebSideStory.

But that ubiquity has also subjected IE, and Microsoft, to sustained attacks from virus and worm writers and browser hijackers looking for the biggest returns. According to TruSecure Corporation Chief Strategist Russ Cooper, moving to another browser would provide only a temporary solution: "If people did switch en masse, the attackers would simply switch their target."

Still, market dominance is not the only reason for the Microsoft browser's disproportionate share of attacks. Art Manion, Internet security analyst for US-CERT, the operational arm of the National Cyber Security Division at the Department of Homeland Security, says IE's unique features increase its online vulnerability.

Examples include IE's security zones, its support for scripted ActiveX controls and for scripts that let Web sites hide browser menus and toolbars, and Dynamic HTML support. "Other browsers simply do not have these features," Manion adds.

Microsoft continues to put out patches for newly discovered flaws. But after a flaw that had been previously repaired reappeared in a new patch, US-CERT issued a vulnerability note recommending that Web users might want to consider a different browser. Around the same time, in early July, WebSideStory reported that for the first time in years, IE's market share had dropped by a percentage point, to 94 per cent.

IE's preeminence is unlikely to decline significantly, however. Despite long-standing efforts by Web-standards organizations, many companies continue to employ Microsoft-proprietary scripting and HTML extensions that make their sites fully functional only when viewed using Internet Explorer.

Even when you do set up a different default browser, some features of Windows - including the crucial Windows Update patch mechanism, Windows Messenger, and Outlook Express - invoke IE regardless of your default browser choice.

Other steps

Despite reports to the contrary, US-CERT hasn't recommended dropping Internet Explorer as the only - or even the best - way to combat online threats. "US-CERT does not recommend one specific browser or software product over another," states US-CERT's Manion.

Instead, the US-CERT vulnerability note suggests dumping IE as the last of several strategies for handling a flaw in which a Web page in the Internet Zone (where IE invokes a number of safeguards against attacks) can trick IE into running JavaScript code in the much-less-secure Local Machine Zone, where programs are assumed to be known to the computer user.

Other measures that US-CERT recommends include disabling Active scripting (which encompasses JavaScript) and ActiveX controls in both the Internet and Local Machine zones, applying security updates for Microsoft Outlook, sending and receiving mail using the script-proof plain-text format, using an updated antivirus program, and avoiding links embedded in unsolicited email, instant messages, or Web forums.

Even when the US-CERT vulnerability note finally suggests using a different browser, it says that doing so may prevent Web users from using all of the features of key Web sites. The solution isn't bailing out of IE, according to TruSecure's Cooper, who adds that doing so would be like "stamping out a flea on your back with a tractor trailer." Both he and Manion instead recommend simply adding known, legitimate sites to IE's Trusted Zone after tightening security in the Internet and Local Machine zones.

Concerns about IE's flaws may further decrease as users install Windows XP Service Pack 2, which became available in early August. Cooper, for example, particularly lauds SP2 for incorporating new IE features that protect users from attempts to invoke or install malicious software via a Web page.

Manion likes the way SP2 prevents Web sites from altering IE's interface - for example, by hiding address and status bars that show the real name of a Web page, which allows perpetrators of phishing attacks to make their pages look much more believable. Phishing is the use of realistic-looking Web pages or email messages, purportedly from banks or other financial institutions, that ask recipients to enter their user names and passwords, which then go directly to the attackers.

Still, Microsoft's new service pack is not a panacea. "I have no doubt that some sort of attack will be discovered that can work against IE after XP SP2," warns Cooper. But at the very least, he says, SP2's new safeguards will make the problem of not knowing that an attack has occurred "dramatically less likely - if not eliminating it entirely."

In search of a safer browser

Alternative browsers may not soon eclipse Microsoft's Internet Explorer, but that doesn't mean they can't serve alongside it. US-CERT reports "a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX," and that "it is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

Using different browsers can also change the way you experience the Web. On the one hand, they can stop you in your tracks at Web sites engineered to work only with IE. But on the other hand, you might be pleasantly surprised - alternative browser features missing in IE include password managers and tabbed browser windows.

Rolf Assev, an executive vice president at Opera Software ASA, says that safety concerns rather than new features drive users to the Opera browser. Reports of IE's security flaws have spurred a big increase both in free downloads and in sales. Downloads of the Mozilla Foundation's Mozilla and Firefox browsers have also spiked.

Using a non-Microsoft browser doesn't assure security. Hackers recently exploited flaws - since patched - in both Opera and Mozilla (as well as in the Netscape browser derived from the latter). Still, the fact that these browsers suffer far fewer attacks than IE could make them look like safe harbours, even if only for a little while.