Frustrated by the barrage of security problems surrounding Microsoft Corp.’s Internet Explorer, some enterprises are looking for ways to prevent employees from using the dominant browser and are casting about for alternatives.
But as they turn to removing the browser as a safeguarding measure, some are finding the task not so simple. In fact, doing so can trigger a cascade of negative consequences.
That’s because the file at the heart of IE, iexplore.exe, is used by other services and applications in Windows, most notably the Windows Explorer file viewer. So uninstalling IE can also affect the functionality of Windows Explorer.
Another major hurdle for administrators looking to move away from IE is the fact that many Web sites are optimized for Microsoft’s browser and don’t load properly with others, such as Mozilla and Opera. This is mainly due to IE’s native support for ActiveX and client-side scripting, which other browsers don’t enable by default.
The most recent IE backlash was touched off by a rash of unpatched vulnerabilities discovered in the browser over the past several weeks. The flaws, and the attacks designed to exploit them, are rekindling anger with Microsoft reminiscent of the ill will that swirled around the Redmond, Wash., company’s IIS (Internet Information Services) Web server following the Code Red worm attacks three years ago, industry veterans said. The furor then drove many enterprises to switch from IIS to more secure alternatives such as Apache. That exodus could be replayed with a mass abandonment of IE, they said.
“I think that the Internet security issues are so poorly handled that only particular forms of insanity would suggest that it has ever made sense to allow client-side scripting,” said Joseph Newcomer, a security consultant and founder of FlounderCraft Ltd., in Pittsburgh. “[ActiveX] is a no-brainer. It is so wonderful for staging attacks. I would no more allow this than a Manhattan resident would consider leaving their apartment unlocked.”
Oliver Schneider, an IT administrator at Brandenburg University of Technology, in Cottbus, Germany, left IE installed on his users’ machines but set up a group policy that forbade the execution of iexplore.exe and changed the paths on the machines so that clicking on the IE icon opens Opera. Security was the main driver behind the switch, Schneider said.
“Yes, we had complaints [from users] but nothing serious. Security was a good argument against IE,” Schneider said.
Other administrators have turned to more technical solutions to prevent users from browsing with IE, including the use of a proxy server to filter outbound requests.
Microsoft has acknowledged the problem and has recently reconstituted its IE development team to address it. The company is touting Service Pack 2 for Windows XP, which contains several security upgrades, as a fix for many of IE’s security woes.
“IE is a key value proposition in Windows. We know customers will choose the browser that’s right for them, and they should,” said Gary Schare, director of Windows security product management at Microsoft. “And we readily admit that IE hasn’t been as secure as customers would like or we would like. But we really believe that customers will continue to use IE once they consider all factors.”
But some users said they are not convinced.
“Windows XP SP2 is a stopgap to the larger problem. It is not a solution,” said one administrator at a power equipment manufacturer in the Southwest who is moving his user base to Mozilla. “There is needless interaction inside IE between functionality that 90 percent of the public doesn’t use or need. It’s obviously been considered OK to Microsoft, since they were controlling 97 percent of the browser viewership out there. What is important is that a shift [away from IE] is occurring and Microsoft knows it.”
Some administrators said they believe Microsoft will have a hard time securing IE as long as it remains enmeshed in the operating system. “Microsoft seems to have ignored judgments from U.S. courts on separating the OS and the browser. If Microsoft will ignore a judge, do the rest of us have much of a voice?” said Jacob Bresciani, systems analyst at the University of Alberta, in Edmonton. “Any browser tied in so close to the OS will always be a slightly higher security risk than the others.”
Security experts have long warned about the dangers of the ActiveX and scripting functionality in IE and are not surprised by the new attacks or the frustration they have fueled among IT managers.