Why you should think twice before ditching Internet Explorer

by Jonathan Yarden | Oct 14, 2005 7:00:00 AM

Tags: Web browsers, Jonathan Yarden, Microsoft Internet Explorer, Web browser, security, Internet Security Focus Newsletter

Takeaway: If your organization has decided that using IE on a regular basis exposes it to security risks, it's not necessarily wrong. But switching to an alternative Web browser isn't necessarily the right decision either. Find out why even long-time Microsoft critic Jonathan Yarden says companies shouldn't be so quick to look to alternative Web browsers.

Long before Internet security became a mainstream concern, many users chose to dump Microsoft's Internet Explorer and switch to other Web browsers, most notably products from Netscape. And given IE's checkered security history, that trend continues—particularly thanks to the growing popularity of the Firefox browser.

However, while I'll be the first to criticize Microsoft, I'll also say that companies shouldn't be so quick to look to alternative Web browsers. As anyone who has switched to an alternative Web browser has discovered, security isn't always the only issue. Companies often focus so intensely on security that they manage to overlook areas that are just as vital—such as functionality.

It's an undeniable fact that IE sports some functionality that simply isn't present in other Web browsers. In addition, a considerable number of Web sites don't function properly if you're not using IE to access them.

Over the years, Microsoft has adamantly maintained that IE is a part of Windows—not an add-on. In fact, the software giant has spent a great deal of time and money ensuring that users can't easily remove IE from Windows. (It is, however, much easier to disable IE on your system.)

If your organization has decided that using IE on a regular basis exposes it to security risks, it's not necessarily wrong. The majority of browser-hijacking malware targets IE—and for good reason. Hackers are taking advantage of features designed to make IE more extensible to create malware that takes over the operation of IE.

For example, a primary way that spyware and adware infest a Windows system is via the use of the Browser Helper Objects (BHOs) that alter IE's behavior. This is another case of the common conflict between functionality and security—to the detriment of average users.

The security of the Web browser itself is often a primary motivation for searching for an IE replacement. In the past, exploitable programming errors in IE have resulted in viruses and other malware infesting a Windows system.

But this is the point where most organizations go astray in their logic: They assume that switching to an alternative browser will keep them safe. Yet, just because IE has suffered from security issues before doesn't guarantee that a replacement Web browser won't experience similar issues.

Yes, IE is a common target for hackers, but that's primarily due to its popularity. Malware authors typically focus on frequently used software, and IE is no exception. And as the popularity of other Web browsers grows, they begin to attract more attention from hackers.

In fact, Firefox—arguably the most common IE alternative—has seen its fair share of exploitable security problems in recent months. And that means users are stuck between a rock and a hard place.

While it's possible to improve security in IE, it's quite difficult for most people. Although Microsoft has made improvements that allow people to specifically manage add-ons in IE6, the majority of users are still unaware of how to use any of these features.

However, using an alternative Web browser that doesn't support ActiveX prevents users from accessing those Web sites that require it. This is perhaps the largest issue when it comes to not using IE. Despite the overwhelming evidence that using proprietary technologies on Web sites is a horrible idea, Web sites that require IE are actually quite common. And even after years of criticism, Microsoft still remains resistant to fully implementing W3C standards.

There are also differences in how different Web browsers process XML and CSS. While larger Web sites compensate for many of these issues, others do not. And even some Web sites that don't use proprietary Microsoft features simply won't work using alternative Web browsers due to subtle differences in how all Web browsers process HTML, JavaScript, or Java. Despite claims to the contrary, Java is anything but portable.

Regardless of the reasoning, companies need to realize that it's not always feasible to simply abandon IE. If your organization has decided to stop using IE based on the premise that another browser's security is better, it's making a questionable assumption that might prove to be more trouble than it's worth.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Print/View all Posts Comments on this article

Somewhat misleading...nanobot@...  | 10/14/05

Somewhat ?Tony Hopkinson  | 10/14/05

Should the title have been....Mad-H  | 10/17/05

The problem just prevails...laoshu@...  | 10/17/05

His page Validates (sort of)WebWatcher  | 10/17/05

It isn't browser-specificnanobot@...  | 10/17/05

Agreejdgretz  | 10/18/05

IE is slow & unreliablekhanolkardilip@...  | 10/18/05

M$+IE=rule the world, or at least try.jcrobso@...  | 10/17/05

Why?noyoki  | 01/12/06

Gah! DIE ACTIVEX DIEjmgarvin  | 10/14/05

That was hilariousDr Dij  | 10/14/05

[ot] Homer's companyjfs-tr@...  | 10/14/05

loljmgarvin  | 10/17/05

good questionapotheon  | 10/18/05

Soldjmgarvin  | 10/18/05

ewwapotheon  | 10/18/05

PenitrodeToo Old For IT  | 10/19/05

ROTFLMAOjmgarvin  | 10/20/05

~blink~.....~blink~Jaqui  | 10/14/05

the only way to be sureapotheon  | 10/17/05

You funnydragon1@...  | 01/12/06

sniff, sniff, you smell thatmjwx  | 01/12/06

And mess up your hair?dragon1@...  | 01/12/06

3 people you shouldnt p1ss offmjwx  | 01/12/06

Again with Idiotic dribbledragon1@...  | 01/13/06

WellOz_Media  | 01/13/06

Well met.dragon1@...  | 01/13/06

Smell funny or funny smell?jdclyde  | 01/13/06

An iPod . . . ?apotheon  | 01/13/06

Used mine oncejdclyde  | 01/13/06

hahapotheon  | 01/13/06

Alternative ViewToo Old For IT  | 10/17/05

IE doesn't support various W3C standards as well!jmgarvin  | 10/17/05

Global Standards vs. Microsoft "Standards"red_wolf@...  | 10/18/05

Back in the late `90's ...Too Old For IT  | 10/19/05

True, truedragon1@...  | 01/12/06

poppycockapotheon  | 10/18/05

MS follows the gold standard:geobeck  | 10/27/05

BSandruk  | 10/31/05

Coors Gold?dragon1@...  | 12/22/05

Who you teasing?jdclyde  | 01/13/06

feature vs. functionapotheon  | 01/13/06

that's insanejdw242  | 10/14/05

Write ondragon1@...  | 01/12/06

Why?I.T.Services@...  | 01/14/06

Internet Explorer is definitely less securenanobot@...  | 10/14/05

Most users don't want to be fussed with more than one browseronsiter  | 10/17/05

Security & Standards asideTony Hopkinson  | 10/17/05

Reality vs Idealrickk@...  | 10/17/05

Put it this way:apotheon  | 10/17/05

"Just work"?andruk  | 10/31/05

Uh, what?apotheon  | 11/02/05

So what?dragon1@...  | 01/12/06

Precisely, what you suggesteddragon1@...  | 01/12/06

Your kids !Tony Hopkinson  | 10/17/05

your "son" @ the p0rn sites?I.T.Services@...  | 01/14/06

Ship of FoolsToo Old For IT  | 10/19/05

U.S. Gov't doesn't want to be fussed with more than one browserToo Old For IT  | 10/19/05

Gov't step backwards...oromis  | 01/14/06

Hopefully your marketing plan for your personal...seadooboy  | 10/18/05

I'm confused...Moonlight_Gambler  | 10/17/05

Personally I'm glad he's on their side as wellTony Hopkinson  | 10/17/05

Pragmatism Rulzcanopic@...  | 11/07/05

GO MICROSOFT!dragon1@...  | 01/12/06

sellout?techn0gichida  | 10/17/05

Sellout? GrowupI.T.Services@...  | 01/14/06

tabbed windows...Jaqui  | 01/15/06

no kiddingapotheon  | 01/15/06

Tabbed browsingVetch_101  | 10/10/06

You guys kill me....ESchlangen  | 10/17/05

Easy replyred_wolf@...  | 10/18/05

Hit the nail on the headgeobeck  | 10/27/05

I did think twice -- two years agobblackmoor@...  | 10/17/05

Flame Bait!jc2it  | 10/17/05

Perhaps you might want to reverse those numbers?Nemesis"T"Warlock  | 10/18/05

!0 Out of 2 Customers ?Tony Hopkinson  | 10/18/05

Justifiedjc2it  | 10/28/05

IE is the Poorest Browser!jc2it  | 10/28/05

think againjdgeek  | 10/17/05

You said it brotherdragon1@...  | 01/12/06

BG is god Balmer is jesusmjwx  | 01/12/06

That's because you clean up their crapdragon1@...  | 01/12/06

as long as you remember your placemjwx  | 01/12/06

MR?dragon1@...  | 01/13/06

SafariDC Guy  | 10/17/05

Change your name to Mac Guydragon1@...  | 01/12/06

so superiormjwx  | 01/12/06

Creating friendly domains?dragon1@...  | 01/12/06

Utter Falicyjbush@...  | 10/17/05

If you build it, you want them to see it.fizzwidget68@...  | 10/17/05

Getting it right!mac934  | 10/21/05

Please submit to Microsoftdragon1@...  | 01/12/06

Questions for the authorred_wolf@...  | 10/18/05

Firefox Vulnerabilitiesjbush@...  | 10/18/05

difference in development methodologyapotheon  | 10/18/05

My point to a T....jbush@...  | 10/18/05

I see the global access of an open development ...jbush@...  | 10/18/05

indeedapotheon  | 10/18/05

$500 finders feered_wolf@...  | 10/19/05

paging Scott Adams...geobeck  | 10/27/05

In addition to one of your points...geobeck  | 10/27/05

You should think twice before KEEPING Internet Explorer!annonymous@...  | 10/18/05

Another point: IE is easier to maintainmulvinator@...  | 10/18/05

Firefox Is Easier To Maintainbushh@...  | 10/18/05

Easier To Maintain, But...jbush@...  | 10/18/05

Is that irony I smell?apotheon  | 10/18/05

No, that is just IE burning brain cells you smell...jmgarvin  | 10/19/05

Yeah . . .apotheon  | 10/19/05

huh?mulvinator@...  | 10/19/05

browsersapotheon  | 10/19/05

Pedantryjbush@...  | 10/19/05

Dear god...why would I do that? jmgarvin  | 10/19/05

whyapotheon  | 10/20/05

Or Web Developerjbush@...  | 10/20/05

IE testingapotheon  | 11/02/05

Bells and Whistlesdragon1@...  | 01/12/06

Not anymoredragon1@...  | 01/12/06

Not anymoredragon1@...  | 01/12/06

Ummm...jbush@...  | 01/12/06

MS Office Pull out? I think not.dragon1@...  | 01/12/06

Oh welljbush@...  | 01/15/06

Someone said...jmgarvin  | 10/19/05

Well that's great...mulvinator@...  | 10/19/05

Point...jbush@...  | 10/19/05

yes, indeedyapotheon  | 10/20/05

You're right...geobeck  | 10/27/05

True, but...andruk  | 10/31/05

You Got It Backwards; Code Your Website To Standards!tommyb  | 10/22/05

very misleadingandruk  | 10/31/05

my badandruk  | 10/31/05

What has more impact?jbush@...  | 11/01/05

Acid2apotheon  | 11/02/05

Functionality So Whatrobert.cox  | 11/08/05

I'm actually starting to run into sites that don't render properly in IEroaming  | 10/10/06