Enterprises Slow to Dump IE

By Matthew Hicks  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

While corporate users may be worried about security holes, they often rely on internal applications and Web sites that only work within Microsoft's dominant Web browser.

The calls to dump Internet Explorer may be getting louder, but they are falling largely on deaf ears among enterprise users.

IT managers and users say that while the rash of security flaws associated with IE has drawn new attention to its vulnerabilities and has led some individuals to switch browsers, enterprises are reluctant to change browsers because of their reliance on IE-specific intranet applications and Web sites.

Following a series of critical security flaws tied to IE, the U.S. Computer Emergency Readiness Team last week suggested the use of an alternative browser as one way to avoid potential problems. Its recommendation has drawn widespread attention to rival browsers from the open-source Mozilla Foundation, Opera Software ASA and Apple Computer Inc.

"Mozilla has shown itself to be a capable browser and has only gotten better with each release, but until something bad happens to more people, then the interest in moving to that is not going to be that high," said Dennis Barr, IT manager at civil engineering consulting company Larkin Group Inc., in Kansas City, Mo.

Barr himself uses the open-source Mozilla Firefox browser. Though he prefers to stay off IE, he has had little success persuading his fellow users at the 50-employee company to make a similar move. The biggest hindrance: the lack of support for ActiveX controls in alternatives such as Mozilla, he said.

ActiveX controls, among other things, provide multimedia functionality and interactivity on Web sites. While alternative browsers can support similar functionality using other methods, many sites have opted to specifically support IE and ActiveX. Even if they switch, users will need to revert to IE for certain sites, such as to use Microsoft's own Windows Update site, Barr said.

"Most people here are just interested in doing their job," he said. "Unless someone is really inclined to have an additional layer of complication, they stick with IE."

Click here to read more about an effort among non-IE browser makers to create an alternative to ActiveX plug-ins.

While enterprises might be reluctant to make a widescale switch off IE, IT managers and consultants are beginning to seriously suggest that individual users turn to alternatives.

To Internet marketing consultant Carson McComas, security woes with IE have almost reached a point of no return. Through his consulting company, FrogBody, based in Spokane, Wash., he often fields technical questions from clients, including queries about IE security problems.

"Things have to get pretty painful for them to switch, and that's beginning to happen," he said. "Instead of fixing IE, I help them switch browsers."

Microsoft is promising to beef up security in IE with the forthcoming Service Pack 2 update to Windows XP. In fact, many of the current woes would not occur if SP2 were already in use.

But Microsoft says it won't offer SP2 security to older versions of Windows. Click here to read more.

"We know that all of the recent attacks in the past 12 months would not be possible if Service Pack 2 had been in the market," said Gary Schare, a director in Microsoft's Windows client division.

Next Page: Individuals are better off without IE, security pros advise.

In the meantime, Microsoft has rolled out a mixed bag of fixes for IE. In response to the Download.Ject attack, Microsoft last week issued a security update for making configuration changes to Windows. But the Redmond, Wash., company still is working on a comprehensive security patch for IE, Schare said.

"We wanted to get something out rapidly to help make people safer while we work on a comprehensive fix," he said. "It's going to take us a few more weeks to get it done."

Microsoft's Schare downplayed calls to move to non-IE browsers, saying that security advisories such as the recent one from CERT have included since last year the suggestion of using other browsers as one of many options for closing security holes.

He also said users need to look at more than security when deciding whether to use a different Web browser, such as whether the applications and Web sites they use will be compatible with non-IE browsers.

Daniel Miessler, an IT security engineer with a financial services company in Georgia, said he suggests that individual users consider ditching IE both because of its security gaps and because of its lack of support for Web standards. Before IE's most recent security issues, the Microsoft Certified Systems Engineer wrote a story for the Lockergnome Web site outlining reasons to dump IE.

"IE can be secured, [but] there are very few people who are into security and who can do that," he said. "Ninety-nine percent of people using IE cannot secure it, and even if they could, they're busy and they just want to use their browser."

Downloading a new browser such as Firefox or Opera is often easier than following complicated configuration changes suggested by Microsoft and security researchers or downloading patches, he said. Security researchers and CERT have suggested that IE users turn off ActiveX and Active scripting, among other things.

Click here to read Security Center Editor Larry Seltzer's take on disabling IE scripting.

"If you just use it as a browser, then it's a hundred times more secure to do so with Mozilla or Opera," Miessler said.

Check out eWEEK.com's Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page

Matthew Hicks As an online reporter for eWEEK.com, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for eWEEK.com. Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.

Submit a Comment

Loading Comments...