IE flaw may boost rival browsers

Security researchers suggest that using Microsoft alternatives is one way to surf the Web worry-free.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
5 min read
A major security hole discovered in Microsoft's Internet Explorer last week has become a golden marketing opportunity for alternative browsers such as Mozilla and Opera that are unaffected by the flaw.

To avoid falling prey to a concerted attack aiming to steal log-on information and passwords, some security experts advised Web surfers to either turn off some Internet Explorer (IE) features or switch to another browser as the best immediate fix. Unknown attackers who had taken control of several Web servers used the flaw last week to install a remote-access program, dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.

"I hope that Microsoft will come up with a patch soon," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a site that monitors network threats. "Until they do, you basically have two choices: Disable JavaScript in Internet Explorer or install another browser."


What's new:
Some security experts have advised Web surfers to turn off some Internet Explorer features or switch browsers to avoid falling prey to a concerted attack aiming to steal log-on information and passwords.

Bottom line:
The IE flaw could tilt security-conscious companies and home users in favor of adopting an alternative browser--and perhaps chip away at Microsoft's 95 percent-plus share of the Web browser market.

For more info:
Track the players

Last week's broad attack has been blunted by Internet engineers that disconnected the Russian site that hosted the Scob Trojan horse program from the Web. However, the latest vulnerability could tilt security-conscious companies and home users in favor of adopting an alternative browser--and perhaps chip away at Microsoft's dominant share of the Web browser market.

At least 130 Web sites were still attempting to infect visitors as of Sunday, according to Internet security firm Websense, which discovered that more than 200 of its customers attempted to download the Trojan horse from the malicious Russian site in the past week. None of the servers were top-rated Web sites, but they all ran Microsoft's Internet Information Service 5.0 Web software and Secure Sockets Layer, or SSL, encryption, the firm said.

Non-Microsoft browsers, such as the Opera browser and the Mozilla and Firefox browsers made by the Mozilla Foundation, don't have many of the vulnerable technologies and tend to focus more on just providing Internet browsing features, keeping the project size smaller, said Hakon Wium Lie, chief technology officer of Opera Software, which makes the browser of the same name.

"Our code base is small, compared to other browsers, and by actively addressing problems that arise, we end up with a highly secure browser," Lie said.

Such a focus differs from Microsoft, which has chosen to tightly integrate IE into the operating system, in part to sidestep antitrust issues. A representative of the software giant was not available for comment.

The suggestion to use other browsers also underscores some security researchers' arguments that software diversity can improve security.

Borrowing a term from agriculture and the fight against pests, software developers and security experts have warned about the hazards of "monoculture." The term refers to the widespread farming of a single variety, making the entire crop vulnerable to a single pest. Historians pin such disasters as the Irish potato famine on monoculture.

Mozilla acknowledged that much of the value of using its software, or that of Opera, stemmed from the hazards of monoculture rather than any inherent security superiority.

Microsoft's browser currently dominates the Internet landscape, with more than 95 percent of Web surfers using the browser, according to WebSideStory, a Web analytics firm. Mozilla, on the other hand, makes up 3.5 percent, and Opera accounts for 0.5 percent of all users of the sites monitored by WebSideStory.

"Since there is such a disproportionate use of IE on the Internet right now, it does make it a very high-profile target," said Chris Hofmann, the Mozilla Foundation's director of engineering. "That's what people who are writing exploits are targeting, because that's where they get the biggest bang for the buck."

Hofmann called the war against software homogeneity one of the raisons d'etre of his group.

"If we were in a world where there were less of a monoculture for browsers, it would make it harder to design exploits that would affect that much of the marketplace," Hofmann said. "That's one of the driving forces of the Mozilla Foundation--to provide choices so that someone can't come up with an exploit that affects nearly the whole population."

IE a sitting duck?
But Mozilla claims some inherent security advantages as well. Internet Explorer is a fat target for attackers, in large part because it supports powerful, propriety Microsoft technologies that are notoriously weak on security, like ActiveX.

Security experts also noted that Web surfers using non-Microsoft operating systems, such as Linux or Apple Computer's Mac OS, were not affected by last week's attack.

Among security groups advising a browser switch is the U.S. Computer Emergency Readiness Team (US-CERT), the official U.S. body responsible for defending against online threats. The group on Friday advised security administrators to consider moving to a non-Microsoft browser among six possible responses.

"There are a number of significant vulnerabilities in technologies relating to" IE, the advisory stated. "It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

The advisory noted that Internet Explorer has had a great many security problems in several of its key technologies, such as Active X scripting, its zone model for security and JavaScript. However, the group pointed out that turning off certain features in IE increases the security.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

"Using another Web browser is just one possibility," said Art Manion, Internet security analyst with the CERT Coordination Center, which administers US-CERT. "We don't recommend any product over another product. On the other hand, it is naive to say that that consideration should not play into your security model."

CERT also noted that people who opt for non-IE browsers but who continue to run the Windows operating system are still at risk because of the degree to which the OS itself relies on IE functionality.

Mozilla's Hofmann recommended that Windows users who want to ditch Internet Explorer increase their security level in Windows' Internet options to help thwart those kinds of attacks. While Windows comes by default with those options on "medium," Hofmann said that setting them to "high" would have offered sufficient protection against last week's exploit.

He also encouraged Web developers to stop writing Web sites that rely on ActiveX. Game and photo-uploading sites are among the worst offenders, he said.

"We encourage people not to use these proprietary technologies that we've seen security vulnerabilities associated with," Hofmann said. "ActiveX is one of the biggest areas where these exploits have occurred, and from these recent exploits, you can see that exposing users and making that technology available has some real danger. Sites need to rethink what they're doing to protect users."