The calls to dump Internet Explorer may be getting louder, but they are falling largely on deaf ears among enterprise users.
IT managers and users say that while the rash of security flaws associated with IE has drawn new attention to its vulnerabilities and has led some individuals to switch browsers, enterprises are reluctant to change browsers because of their reliance on IE-specific intranet applications and Web sites.
Following a series of critical security flaws tied to IE, the U.S. Computer Emergency Readiness Team last week suggested the use of an alternative browser as one way to avoid potential problems. Its recommendation has drawn widespread attention to rival browsers from the open-source Mozilla Foundation, Opera Software ASA and Apple Computer Inc.
“Mozilla has shown itself to be a capable browser and has only gotten better with each release, but until something bad happens to more people, then the interest in moving to that is not going to be that high,” said Dennis Barr, IT manager at civil engineering consulting company Larkin Group Inc., in Kansas City, Mo.
Barr himself uses the open-source Mozilla Firefox browser. Though he prefers to stay off IE, he has had little success persuading his fellow users at the 50-employee company to make a similar move. The biggest hindrance: the lack of support for ActiveX controls in alternatives such as Mozilla, he said.
ActiveX controls, among other things, provide multimedia functionality and interactivity on Web sites. While alternative browsers can support similar functionality using other methods, many sites have opted to specifically support IE and ActiveX. Even if they switch, users will need to revert to IE for certain sites, such as to use Microsoft’s own Windows Update site, Barr said.
“Most people here are just interested in doing their job,” he said. “Unless someone is really inclined to have an additional layer of complication, they stick with IE.”
While enterprises might be reluctant to make a widescale switch off IE, IT managers and consultants are beginning to seriously suggest that individual users turn to alternatives.
To Internet marketing consultant Carson McComas, security woes with IE have almost reached a point of no return. Through his consulting company, FrogBody, based in Spokane, Wash., he often fields technical questions from clients, including queries about IE security problems.
“Things have to get pretty painful for them to switch, and that’s beginning to happen,” he said. “Instead of fixing IE, I help them switch browsers.”
Microsoft is promising to beef up security in IE with the forthcoming Service Pack 2 update to Windows XP. In fact, many of the current woes would not occur if SP2 were already in use.
“We know that all of the recent attacks in the past 12 months would not be possible if Service Pack 2 had been in the market,” said Gary Schare, a director in Microsoft’s Windows client division.
In the meantime, Microsoft has rolled out a mixed bag of fixes for IE. In response to the Download.Ject attack, Microsoft last week issued a security update for making configuration changes to Windows. But the Redmond, Wash., company still is working on a comprehensive security patch for IE, Schare said.
“We wanted to get something out rapidly to help make people safer while we work on a comprehensive fix,” he said. “It’s going to take us a few more weeks to get it done.”
Microsoft’s Schare downplayed calls to move to non-IE browsers, saying that security advisories such as the recent one from CERT have included since last year the suggestion of using other browsers as one of many options for closing security holes.
He also said users need to look at more than security when deciding whether to use a different Web browser, such as whether the applications and Web sites they use will be compatible with non-IE browsers.
Daniel Miessler, an IT security engineer with a financial services company in Georgia, said he suggests that individual users consider ditching IE both because of its security gaps and because of its lack of support for Web standards. Before IE’s most recent security issues, the Microsoft Certified Systems Engineer wrote a story for the Lockergnome Web site outlining reasons to dump IE.
“IE can be secured, [but] there are very few people who are into security and who can do that,” he said. “Ninety-nine percent of people using IE cannot secure it, and even if they could, they’re busy and they just want to use their browser.”
Downloading a new browser such as Firefox or Opera is often easier than following complicated configuration changes suggested by Microsoft and security researchers or downloading patches, he said. Security researchers and CERT have suggested that IE users turn off ActiveX and Active scripting, among other things.
“If you just use it as a browser, then it’s a hundred times more secure to do so with Mozilla or Opera,” Miessler said.