Why you should think twice before ditching Internet Explorer

by Jonathan Yarden | Oct 14, 2005 7:00:00 AM

Tags: Web browsers, Jonathan Yarden, Microsoft Internet Explorer, Web browser, security, Internet Security Focus Newsletter

Takeaway: If your organization has decided that using IE on a regular basis exposes it to security risks, it's not necessarily wrong. But switching to an alternative Web browser isn't necessarily the right decision either. Find out why even long-time Microsoft critic Jonathan Yarden says companies shouldn't be so quick to look to alternative Web browsers.

Long before Internet security became a mainstream concern, many users chose to dump Microsoft's Internet Explorer and switch to other Web browsers, most notably products from Netscape. And given IE's checkered security history, that trend continues—particularly thanks to the growing popularity of the Firefox browser.

However, while I'll be the first to criticize Microsoft, I'll also say that companies shouldn't be so quick to look to alternative Web browsers. As anyone who has switched to an alternative Web browser has discovered, security isn't always the only issue. Companies often focus so intensely on security that they manage to overlook areas that are just as vital—such as functionality.

It's an undeniable fact that IE sports some functionality that simply isn't present in other Web browsers. In addition, a considerable number of Web sites don't function properly if you're not using IE to access them.

Over the years, Microsoft has adamantly maintained that IE is a part of Windows—not an add-on. In fact, the software giant has spent a great deal of time and money ensuring that users can't easily remove IE from Windows. (It is, however, much easier to disable IE on your system.)

If your organization has decided that using IE on a regular basis exposes it to security risks, it's not necessarily wrong. The majority of browser-hijacking malware targets IE—and for good reason. Hackers are taking advantage of features designed to make IE more extensible to create malware that takes over the operation of IE.

For example, a primary way that spyware and adware infest a Windows system is via the use of the Browser Helper Objects (BHOs) that alter IE's behavior. This is another case of the common conflict between functionality and security—to the detriment of average users.

The security of the Web browser itself is often a primary motivation for searching for an IE replacement. In the past, exploitable programming errors in IE have resulted in viruses and other malware infesting a Windows system.

But this is the point where most organizations go astray in their logic: They assume that switching to an alternative browser will keep them safe. Yet, just because IE has suffered from security issues before doesn't guarantee that a replacement Web browser won't experience similar issues.

Yes, IE is a common target for hackers, but that's primarily due to its popularity. Malware authors typically focus on frequently used software, and IE is no exception. And as the popularity of other Web browsers grows, they begin to attract more attention from hackers.

In fact, Firefox—arguably the most common IE alternative—has seen its fair share of exploitable security problems in recent months. And that means users are stuck between a rock and a hard place.

While it's possible to improve security in IE, it's quite difficult for most people. Although Microsoft has made improvements that allow people to specifically manage add-ons in IE6, the majority of users are still unaware of how to use any of these features.

However, using an alternative Web browser that doesn't support ActiveX prevents users from accessing those Web sites that require it. This is perhaps the largest issue when it comes to not using IE. Despite the overwhelming evidence that using proprietary technologies on Web sites is a horrible idea, Web sites that require IE are actually quite common. And even after years of criticism, Microsoft still remains resistant to fully implementing W3C standards.

There are also differences in how different Web browsers process XML and CSS. While larger Web sites compensate for many of these issues, others do not. And even some Web sites that don't use proprietary Microsoft features simply won't work using alternative Web browsers due to subtle differences in how all Web browsers process HTML, JavaScript, or Java. Despite claims to the contrary, Java is anything but portable.

Regardless of the reasoning, companies need to realize that it's not always feasible to simply abandon IE. If your organization has decided to stop using IE based on the premise that another browser's security is better, it's making a questionable assumption that might prove to be more trouble than it's worth.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Print/View all Posts Comments on this article

Somewhat misleading... nanobot@... | 10/14/05

Somewhat ? Tony Hopkinson | 10/14/05

Should the title have been.... Mad-H | 10/17/05

The problem just prevails... laoshu@... | 10/17/05

His page Validates (sort of) WebWatcher | 10/17/05

It isn't browser-specific nanobot@... | 10/17/05

Agree jdgretz | 10/18/05

IE is slow & unreliable khanolkardilip@... | 10/18/05

M$+IE=rule the world, or at least try. jcrobso@... | 10/17/05

Why? noyoki | 01/12/06

Gah! DIE ACTIVEX DIE jmgarvin | 10/14/05

That was hilarious Dr Dij | 10/14/05

[ot] Homer's company jfs-tr@... | 10/14/05

lol jmgarvin | 10/17/05

good question apotheon | 10/18/05

Sold jmgarvin | 10/18/05

eww apotheon | 10/18/05

Penitrode Too Old For IT | 10/19/05

ROTFLMAO jmgarvin | 10/20/05

~blink~.....~blink~ Jaqui | 10/14/05

the only way to be sure apotheon | 10/17/05

You funny Chief Bottle Washer | 01/12/06

sniff, sniff, you smell that mjwx | 01/12/06

And mess up your hair? Chief Bottle Washer | 01/12/06

3 people you shouldnt p1ss off mjwx | 01/12/06

Again with Idiotic dribble Chief Bottle Washer | 01/13/06

Well Oz_Media | 01/13/06

Well met. Chief Bottle Washer | 01/13/06

Smell funny or funny smell? jdclyde | 01/13/06

An iPod . . . ? apotheon | 01/13/06

Used mine once jdclyde | 01/13/06

hah apotheon | 01/13/06

Alternative View Too Old For IT | 10/17/05

IE doesn't support various W3C standards as well! jmgarvin | 10/17/05

Global Standards vs. Microsoft "Standards" red_wolf@... | 10/18/05

Back in the late `90's ... Too Old For IT | 10/19/05

True, true Chief Bottle Washer | 01/12/06

poppycock apotheon | 10/18/05

MS follows the gold standard: geobeck | 10/27/05

BS andruk | 10/31/05

Coors Gold? Chief Bottle Washer | 12/22/05

Who you teasing? jdclyde | 01/13/06

feature vs. function apotheon | 01/13/06

that's insane jdw242 | 10/14/05

Write on Chief Bottle Washer | 01/12/06

Why? I.T.Services@... | 01/14/06

Internet Explorer is definitely less secure nanobot@... | 10/14/05

Most users don't want to be fussed with more than one browser onsiter | 10/17/05

Security & Standards aside Tony Hopkinson | 10/17/05

Reality vs Ideal rickk@... | 10/17/05

Put it this way: apotheon | 10/17/05

"Just work"? andruk | 10/31/05

Uh, what? apotheon | 11/02/05

So what? Chief Bottle Washer | 01/12/06

Precisely, what you suggested Chief Bottle Washer | 01/12/06

Your kids ! Tony Hopkinson | 10/17/05

your "son" @ the p0rn sites? I.T.Services@... | 01/14/06

Ship of Fools Too Old For IT | 10/19/05

U.S. Gov't doesn't want to be fussed with more than one browser Too Old For IT | 10/19/05

Gov't step backwards... oromis | 01/14/06

null seadooboy | 10/18/05

I'm confused... Moonlight_Gambler | 10/17/05

Personally I'm glad he's on their side as well Tony Hopkinson | 10/17/05

Pragmatism Rulz canopic@... | 11/07/05

GO MICROSOFT! Chief Bottle Washer | 01/12/06

sellout? techn0gichida | 10/17/05

Sellout? Growup I.T.Services@... | 01/14/06

tabbed windows... Jaqui | 01/15/06

no kidding apotheon | 01/15/06

Tabbed browsing Vetch_101 | 10/10/06

You guys kill me.... ESchlangen | 10/17/05

Easy reply red_wolf@... | 10/18/05

Hit the nail on the head geobeck | 10/27/05

I did think twice -- two years ago bblackmoor@... | 10/17/05

Flame Bait! jc2it | 10/17/05

Perhaps you might want to reverse those numbers? Nemesis"T"Warlock | 10/18/05

!0 Out of 2 Customers ? Tony Hopkinson | 10/18/05

Justified jc2it | 10/28/05

IE is the Poorest Browser! jc2it | 10/28/05

think again jdgeek | 10/17/05

You said it brother Chief Bottle Washer | 01/12/06

BG is god Balmer is jesus mjwx | 01/12/06

That's because you clean up their crap Chief Bottle Washer | 01/12/06

as long as you remember your place mjwx | 01/12/06

MR? Chief Bottle Washer | 01/13/06

Safari DC Guy | 10/17/05

Change your name to Mac Guy Chief Bottle Washer | 01/12/06

so superior mjwx | 01/12/06

Creating friendly domains? Chief Bottle Washer | 01/12/06

Utter Falicy jbush@... | 10/17/05

If you build it, you want them to see it. fizzwidget68@... | 10/17/05

Getting it right! mac934 | 10/21/05

Please submit to Microsoft Chief Bottle Washer | 01/12/06

Questions for the author red_wolf@... | 10/18/05

Firefox Vulnerabilities jbush@... | 10/18/05

difference in development methodology apotheon | 10/18/05

null jbush@... | 10/18/05

null jbush@... | 10/18/05

indeed apotheon | 10/18/05

$500 finders fee red_wolf@... | 10/19/05

paging Scott Adams... geobeck | 10/27/05

In addition to one of your points... geobeck | 10/27/05

You should think twice before KEEPING Internet Explorer! annonymous@... | 10/18/05

Another point: IE is easier to maintain mulvinator@... | 10/18/05

Firefox Is Easier To Maintain bushh@... | 10/18/05

Easier To Maintain, But... jbush@... | 10/18/05

Is that irony I smell? apotheon | 10/18/05

No, that is just IE burning brain cells you smell... jmgarvin | 10/19/05

Yeah . . . apotheon | 10/19/05

huh? mulvinator@... | 10/19/05

browsers apotheon | 10/19/05

Pedantry jbush@... | 10/19/05

Dear god...why would I do that? jmgarvin | 10/19/05

why apotheon | 10/20/05

Or Web Developer jbush@... | 10/20/05

IE testing apotheon | 11/02/05

Bells and Whistles Chief Bottle Washer | 01/12/06

Not anymore Chief Bottle Washer | 01/12/06

Not anymore Chief Bottle Washer | 01/12/06

Ummm... jbush@... | 01/12/06

MS Office Pull out? I think not. Chief Bottle Washer | 01/12/06

Oh well jbush@... | 01/15/06

Someone said... jmgarvin | 10/19/05

Well that's great... mulvinator@... | 10/19/05

Point... jbush@... | 10/19/05

yes, indeedy apotheon | 10/20/05

You're right... geobeck | 10/27/05

True, but... andruk | 10/31/05

You Got It Backwards; Code Your Website To Standards! tommyb | 10/22/05

very misleading andruk | 10/31/05

my bad andruk | 10/31/05

What has more impact? jbush@... | 11/01/05

Acid2 apotheon | 11/02/05

Functionality So What robert.cox | 11/08/05

I'm actually starting to run into sites that don't render properly in IE roaming | 10/10/06