To IE or Not to IE, a Security Question

Microsoft may have won the browser wars, but the recent
emergence of a malicious, sophisticated enemy could start pushing users away
from Internet Explorer (IE).

Last week’s multi-stage malware attack confirmed what we already knew. Malicious hackers are one step ahead of the guys in charge of software security. And, if Redmond is to keep pace and stay true to its “trustworthy computing” mission, it has to bite the bullet and back port the forthcoming Windows XP security enhancements to older operating systems.

The latest attack, where corporate Web servers were hijacked and used to infect consumers via IE, exposes the glaring inadequacies of the world’s most widely used browser. It has also prompted a high-profile warning from the U.S. government’s Computer Emergency Readiness Team (US-CERT) that IE is too insecure for the average user.

The US-CERT advisory included this kicker: “There are a number of
significant vulnerabilities in technologies relating to the IE domain/zone
security model, the DHTML object model, MIME-type determination, and
ActiveX. It is possible to reduce exposure to these vulnerabilities by using
a different Web browser, especially when browsing untrusted sites.”

To its credit, Microsoft is on the verge of releasing a massive security-centric IE overhaul
in Windows XP SP2 that will address IE’s most significant shortcomings. But
unless the company back ports those fixes to older operating systems —
especially Windows 2000 — those folks may just migrate to rival
browsers to protect themselves.

According to statistics from Jupiter Research, more than 70 percent of
all businesses are running Windows 2000 on the desktop. Even worse, a
whopping 40 percent of large enterprises are still running the archaic NT
4.0 operating system. Even after product support for Windows 2000 expires,
the projection is for only half of all enterprises in the U.S. to upgrade to
XP.

The bottom line: Many users have yet to migrate to Microsoft’s latest OS. As the industry leader, Microsoft has to deal with it. Period.

At every opportunity, Microsoft executives have preached the “security is
our top priority” mantra, but that message will ring hollow if the security
fixes remain exclusive to Windows XP.

At the height of the Download.Ject Trojan attack, Microsoft added this line to a critical alert: “Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.” Well, what about non-XP users? Don’t they count?

The risks to consumers are growing. Within the last year alone, Microsoft has issued four cumulative patches for IE 6.0, all rated “critical.”

In all fairness, Microsoft faces a real conundrum because of the complicated nature of creating, testing and releasing patches. It has been more than 22 days since the appearance of a zero-day exploit but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

In the meantime, users remain at risk, and PCs are being commandeered for
use by spammers and identity thieves.

Windows XP SP2 will offer some protection, but only to the less than half of all business users who are running XP. Microsoft has a responsibility to provide a secure browsing experience for non-XP users. Otherwise, it runs the risk of falling into the security-by-PR trap.

Ryan Naraine is a senior editor with internetnews.com