For or Against Internet Explorer?
I read a brilliant post on ZDNet today by Ed Bott about the recent exploit of Adobe, Google and other companies that led to criminal damage. A lot of media channels have tabled this exploit as a reason to abandon Internet Explorer. While there is an inherent trust issue with Internet Explorer (which is explained in depth in the report and summarised below), the fear induced by other media reports should be taken with a pinch of salt. If you adopt good security practice when using IE (or any browser or operating system, for that matter), you will be as safe as you can be.
The key message from the report is:
- The recent attacks and exploits were targeted. This means that the attackers chose specific key individuals who they knew had weak security and then attacked a cocktail of different security vulnerabilities to create the exploit and cause the damage. Unless you are a key individual in a key organisation (like Google), you are unlikely to experience this kind of attack.
The report summary at the end suggests:
If I’m currently using IE6, what should I do?
Please switch to a more modern browser if possible. The best way is to upgrade to a more recent version of Windows. Neither Windows Vista nor Windows 7 will run IE6. If you must use IE6, be aware of its inherent vulnerabilities and take extra security precautions.
Is there a safe way to continue to use IE6?
If you must use IE6, the safest way to do so is in a virtual machine, with security settings for the Internet zone set to High and Active Scripting disabled. Add the list of known sites that require IE6 for access (including applications running on your corporate intranet) to the Trusted Sites zone. Use the virtual machine only for access to those sites, and do everyday web browsing in a more modern and secure browser.
So, should I stop using Internet Explorer?
That’s a choice only you can make, and you shouldn’t let anyone use fear or exaggeration to scare you into making a hasty or ill-considered decision.
In my opinion, if you don’t have overriding compatibility or support issues, there are several good reasons to prefer alternative browsers such as Firefox or Google Chrome to any version of Internet Explorer. For starters, both Mozilla and Google have generally been faster at releasing updates to security issues than Microsoft. If it’s true that Microsoft knew about this issue for more than four months before delivering a fix, that’s a big argument against trusting IE.
And, right or wrong, security by obscurity is real. Although other browsers have serious vulnerabilities, Internet Explorer is the one with the target on its back. Those other, less popular products might be targeted someday, but at least for now most in-the-wild exploits simply don’t work on anything except Internet Explorer.
If you do decide to switch default browsers, just remember that doing so is only one relatively small step in a comprehensive security program. And if you have assets that bad guys are likely to target, your security challenges are enormous, and the stakes are getting higher every day.
I recommend anybody who is browsing the Internet read the report for a better understanding of security issues surrounding both this attack and browsers and operating systems in general. Being better informed helps you make better decisions about what to do.
For me, I use three browsers – Internet Explorer (most UK government websites only work with this browser sadly, even though they insist on general compatibility through the Disability Discrimination Act – but that’s another story for another day), Firefox (great for debugging websites), and Google Chrome. For me they are a toolkit for working on the web, and I use the best tool for the job.
How about you? Have you abandoned IE for another browser because of these attacks? If so, why and which one?
As always, would love to hear from you in the comments.