2004: Internet Explorer's year of shame

Internet Explorer has been springing security leaks all year. Here's a convenient guide to the Microsoft browser's annus horribilis
Written by Munir Kotadia, Contributor

Internet Explorer has had a year to forget. IE owns around 95 percent of the browser market and is relied upon by the majority of computer users as their primary interface with the Web.

However, since the start of the year, around a dozen new security vulnerabilities have been found in either the browser itself or in the browser's interface with Windows.

Some of the most important problems have included: a flaw that allowed phishers to fool the address bar into displaying a false URL; a way of disguising malicious executable files as "safe" documents; numerous vulnerabilities that could allow an MSBlast-type worm to spread quickly; a flaw that allowed Web sites to install a toolbar on victims' computers and trigger pop-up adverts; a vulnerability that enabled pop-up adverts to read keystrokes and steal passwords; and most recently, the discovery of a method of bypassing the computer's security in order to run malicious programs on a Web surfer's computer.

Despite the long list of security flaws, Microsoft insists its browser is safe to use -- with certain precautions -- and is, unsurprisingly, adamant that users should not be tempted to switch over to an alternative browser.

Stuart Okin, chief security officer at Microsoft UK, said IE is a "very strong" browser and reiterated that there isn't a magic solution to fixing all the security vulnerabilities in complex code -- no matter who has written it.

"There are always going to be vulnerabilities in software. It doesn't matter what browser, application or operating system you use," said Okin.

According to Okin, all known vulnerabilities in IE will be addressed in the forthcoming Service Pack 2 for Windows XP, which is expected before the end of this summer.

However, numerous organisations -- including The Computer Emergency Response Team, the official US body responsible for defending against online threats -- are advising companies to seriously consider alternative browser technologies.

Among the proponents of change is Simon Perry, the vice president of security at Computer Associates. According to Perry, larger companies are less vulnerable to IE's security problems but small firms should be using an alternative.

"Medium to large businesses have the capability to look at vulnerability and patch management systems. The difficulty for these firms is a move away from IE will pretty much outweigh the security advantages," Perry said.

However, Perry advises smaller companies to switch over to an alternative.

"Small businesses should be seriously looking at alternatives because they are less likely to be able to maintain very good security around the browser with vulnerability management. Smaller businesses should seriously be looking at changing browsers," said Perry.

Browser alternatives include Mozilla, Firefox, Opera and Netscape -- although no browser is immune to security problems. Today, developers of Mozilla released a fix for a vulnerability that affected PCs running Windows XP that use the Mozilla browser.
