Commentary: Last week, and for the second time this year, Microsoft released a security patch for its popular Web browser, Internet Explorer. The patch corrects flaws that could allow malicious users to execute code on your computer.
Why does IE need so many security fixes? I don't think it's because hackers target Internet Explorer more than Netscape (a common defense offered by IE supporters). Rather, I think Internet Explorer is inherently vulnerable because it is so tightly bound to the Windows operating system. In the future, we will find more IE vulnerabilities, which hackers will find ways to take advantage of.
THAT'S WHY I suggest you take a serious look at the other Web browsers, such as Netscape and Opera. If one browser continues to dominate the Internet, it's easier for hackers to wreak havoc worldwide through one attack.
The latest IE patch, MS02-015, supersedes the previous patch, MS02-005, and includes fixes for several Internet Explorer vulnerabilities discovered earlier this year. The new vulnerabilities identified in MS02-015 involve Internet cookies and object tags placed on HTML pages. They affect IE versions 5.01, 5.5, and 6.0 running on most versions of Windows.
The first new vulnerability affects the way Internet Explorer handles scripts embedded within an Internet cookie. Cookies are files used by some Web sites to gain information about their visitors; often cookies are used to monitor visitors' behavior, or to simplify the login process by saving your username and password.
Apparently, Internet Explorer ignores whatever security rules you set for the Web site at which a cookie originates. For example, if you receive a cookie from a Restricted Zone Web site, IE saves the cookie outside the secure area you set. This allows malicious scripts within the cookie to be executed the next time you visit the site.
The second new vulnerability involves object tags in HTML pages. It allows a malicious user to build a Web page that includes an object tag that opens any program installed on a victim's computer.
BY RELEASING a cumulative patch, Microsoft makes it possible for you to fix all vulnerabilities identified and resolved by Microsoft in Internet Explorer 5.01, 5.5, and 6. Unfortunately, these vulnerabilities are not the only serious security holes in IE. Software engineers Tom Gilder and Thor Larholm have documented several other vulnerabilities affecting the browser.
Two months ago, I wrote a column explaining why it might be time to bail from Internet Explorer. Since then, I've received lots of e-mail asking me which browser I would recommend. Maybe I'm in the minority, but I'm a loyal Netscape fan. Whenever there's a new vulnerability to be patched in Netscape (I admit it's not perfect, either), I know there'll be a point upgrade available from Netscape, whether you are running 4.7x or 6.x. The same is true with Opera, another secure browser option.
What I don't understand is why we all put up with Microsoft's piecemeal security updates. Why doesn't Microsoft retire 5.01, 5.5, and 6.0, and release Internet Explorer 6.1? How many service packs and patches are you willing to download to secure your browser? It seems like too much hassle to me.
If you're ready to check out a new browser, you can download Netscape 4.79, Netscape 6.2, or Opera at ZDNet Downloads.
AOL, which owns Netscape, is considering breaking free of Internet Explorer and bundling Netscape in its free AOL CDs. You can set yourself free, too. Together we can diversify the Internet, and possibly save it from more debilitating hack attacks in the future.
Are you ready to give up Internet Explorer? Why or why not? Do you have any secure browsers to recommend? TalkBack to me below.