Still more reasons to avoid Internet Explorer

Highlighting the obvious: Firefox good, IE bad.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

See full bio

Michael Horowitz

July 12, 2008 9:48 a.m. PT

3 min read

A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.

On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.

The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.

Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).

Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?

Old Versions of Software

Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.

A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.

Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.

Firefox does an excellent job of updating itself, Internet Explorer does not. The survey found many IE users running old versions of the browser, moreso than other browsers. For example, Firefox defaults to opening up a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.

Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is udpated as part of Windows Update and Microsoft Update and thus lives in a bigger more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, it's Defender anti-malware software and who knows what else.

One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.

Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.

Which do you prefer?

Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:

"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"

Update. July 7, 2008: Yet another IE related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?

Update. July 7, 2008: A commenter made a good point, Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.

See a summary of all my Defensive Computing postings.