2004: Internet Explorer's year of shame

Summary: Internet Explorer has been springing security leaks all year. Here's a convenient guide to the Microsoft browser's annus horribilis

TOPICS: Security

Internet Explorer has had a year to forget. IE owns around 95 percent of the browser market and is relied upon by the majority of computer users as their primary interface with the Web.

However, since the start of the year, around a dozen new security vulnerabilities have been found in either the browser itself or in the browser's interface with Windows.

Some of the most important problems have included: a flaw that allowed phishers to fool the address bar into displaying a false URL; a way of disguising malicious executable files as "safe" documents; numerous vulnerabilities that could allow an MSBlast-type worm to spread quickly; a flaw that allowed Web sites to install a toolbar on victims' computers and trigger pop-up adverts; a vulnerability that enabled pop-up adverts to read keystrokes and steal passwords; and most recently, the discovery of a method of bypassing the computer's security in order to run malicious programs on a Web surfer's computer.

Despite the long list of security flaws, Microsoft insists its browser is safe to use -- with certain precautions -- and is, unsurprisingly, adamant that users should not be tempted to switch over to an alternative browser.

Stuart Okin, chief security officer at Microsoft UK, said IE is a "very strong" browser and reiterated that there isn't a magic solution to fixing all the security vulnerabilities in complex code -- no matter who has written it.

"There are always going to be vulnerabilities in software. It doesn't matter what browser, application or operating system you use," said Okin.

According to Okin, all known vulnerabilities in IE will be addressed in the forthcoming Service Pack 2 for Windows XP, which is expected before the end of this summer.

However, numerous organisations -- including The Computer Emergency Response Team, the official US body responsible for defending against online threats -- are advising companies to seriously consider alternative browser technologies.

Among the proponents for change is Simon Perry, the vice president of security at Computer Associates. According to Perry, larger companies are less vulnerable to IE's security problems but small firms should be using an alternative.

"Medium to large businesses have the capability to look at vulnerability and patch management systems. The difficulty for these firms is a move away from IE will pretty much outweigh the security advantages," Perry said.

However, Perry advises smaller companies to switch over to an alternative.

"Small businesses should be seriously looking at alternatives because they are less likely to be able to maintain very good security around the browser with vulnerability management. Smaller businesses should seriously be looking at changing browsers," said Perry.

Browser alternatives include Mozilla, Firefox, Opera and Netscape -- although no browser is immune to security problems. Today, developers of Mozilla released a fix for a vulnerability that affected PCs running Windows XP that use the Mozilla browser.

Munir Kotadia

  • Does anyone remember Bill Gates earlier this year? He proclaimed that since so many IE holes had been filled, IE is as secure, if not more secure than its rivals' browsers?

  • Internet explorer has been shamed from birth.
    Used to kill netscape, forced onto all my windows servers. Why the hell does Microsoft think it is essential to have a web browser on a server ?

    It has always been playing catch up with alternatives like opera and firefox/mozilla. Its features are primitive when compared to said browsers.

    I hate internet explorer but not because it is a shite browser but because of all the web sites that are "internet explorer only" run by web developers that have never heard of standards.
  • I think that it was a Mr Okin of Microsoft UK who made that claim really. But if I remember any probability theory at all from college, it's that the number of bugs left to find in a piece of software has absolutely nothing to do with the number of bugs that have already been found...

    Fortunately, none of my important websites (such as my bank's, the BBC etc) require their customers to use proprietary Microsoft technologies to access them. So I'll just say "Nuts to I.E.!" and leave it at that.
  • yes, IE has its flaws, but don't you think it's because there's so many people out there LOOKING for flaws in it? many of the flaws are so obscure, almost no one would ever fall for them--though of course, some were quite serious. however this whole issue of IE being a leaky ship ready to spew your secrets across the internet is simply not true. also, today (july 9th) a security hole was found in mozilla. see the story at

    so much for alternative browsers! and note, internet explorer has an auto update feature which has probably patched all the flaws out there by now, since it is automatically activated.
  • You IE fanboys fail to note that Mozilla is not embedded into the operating system as IE is heavily integrated. If there are software flaws in Mozilla, it is pretty tame compared to the worse consequences posed by security holes in IE----because Microsoft wanted so badly to integrate its IE browser into the operating system.

    Also, the Mozilla foundation cares so much about their product, they were able to come up with the software update within 24 hours. Compare this to Microsoft, who sat on their butts for several weeks before coming up with a patch.

    Also, Mozilla is not to blame for the SHELL: security bug---Microsoft was supposed to have fixed this bug in their Windows Service Pack 1 update. Apparently, they have not fixed it, according to some sources. So, you have these Mozilla developers getting the bad rap, when it should have been Microsoft being blamed for this problem.

    Mozilla all the way!!!
  • of course the mozilla fan above would also note that microsoft has highlighted the shell problem several times--it is the single biggest problem that resulted from 'embedding' IE and other internet programs into windows. yes, it was 'fixed', by restricting access from IE to the SHELL: command. the handler was never meant to be used in an internet environment in the first place.
    since IE has already fixed this problem, why did mozilla developers wait this long to restrict access? so much for vigilance--or maybe they just assumed that any problem that hits IE has nothing to do with them. and so much for the argument that 'embedding' programs causes more vulnerability--here's an external program (mozilla) suffering a problem said to affect only 'embedded' programs!
    as for microsoft's patching schedule, that has to do with simplifying corporate patching, as has been explained time and again.
    i'm not saying any browser is better, just trying to give a little perspective here.
  • The IE browser is going to go the way of the Microsoft IIS web server. Nobody has used that for any serious work for ages now, following a string of security concerns -- everyone swapped their sites onto Apache/Linux, which are lower maintenance, and cheaper to boot.

    Now, more and more, we (I work for a large ISV) see customers dropping IE and going to safer and more capable alternatives and indeed I am in the middle of certifying some of our software for Mozilla (so far it has Just Worked). Regarding the SHELL: exploit the fault is still at least half Microsoft's because Mozilla on Macintosh, Unix and Linux are not affected -- ONLY Windows, as usual, has suffered, so once again, it was MS's code that had the holes.

    If you feel the effort spent in constantly patching and repatching such a lame old browser is worthwhile, then that's fine, but do be aware that in a commercial setting, such effort brings additional expense but delivers no value. This alone will effectively bring to an end the reign of IE as the browser of choice in work settings.
  • It's just like Microsoft claims, ..."All software has 'BUGS'".


    Oh Yeah, that's right, ...the "Mozilla problem" actually originated in Microsoft's *ILLEGAL decision to 'integrate' THEIR OWN 'web-browser' directly into the 'Operating-System'.

    *"Illegal" according to the 'Official-Findings' of EVERY 'Federal-Court' in the last U.S. 'Anti-trust' case (which 'documented' Microsoft's attempt to unfairly expand their 'industry-monopoly' by creating a 'technological-barrier' [disadvantage] to ALL competition, both then present, OR, which might have arisen in the future).

    And, as a matter of fact, "IE" ACTUALLY DOES also contain this very same FLAW. HHMMM...

    So, that's "one" serious security-flaw in "Mozilla", which was actually caused DIRECTLY by Microsoft, (...which, by the way, still hasn't effectively FIXED the very HOLE, THAT WAS CREATED BY THEM [Microsoft] in the first place) ...versus HOW MANY "Windows-IE" FLAWS, ...just a minute, let me check the exact-time.

    OOPS... sorry that took so long, a few DOZEN 'ZOMBIED' "MS-IIS-Servers" just 'PING-SWEPT', my ISP looking for 'vulnerable' "MS-Windows IE-machines".

    ...Any way, ...YOU GO MICROSOFT (remember, the 'WINNER' writes the 'history-books').
  • I can understand accepting the rules of gravity. But is it a rule of nature, that all software has bugs?

    Studies years ago (Michael Fagan et al.) have demonstrated that formal code inspections can facilitate the development of zero defect software. The extra cost in the development phases was about 15%. Imagine the ROI for a company like Microsoft!

    Microsoft has got the power to do better. But there seems to be some knowledge, skill or attitude gaps within the system.
  • To MS Fan

    "The winner writes the history books"

    That book is now available from its author's website at www.mozilla.org
  • Oh GIRL
    The world of ever fast moving tech is giving me so much fun ; and I am getting savvy about it all every day . Been enjoying the fast moving world of Search Engines where big business like on the High Street are relegating smaller ones ranking to "oblivion " .

    Yes , for some time I have noticed my IE disappearing from `radar `when the icon is clicked on , and have really had serious messing up with my site in the past .

    Yet all I did was tap into Google to ask ; ` what is Internet explorer , and who owns it ?

    And voila ! I got to read up all the informative talks about IE . As one of your submitted ` rather stick to the DEVIL I know ---which is MICROSOFT .