RealTime IT News

To IE or Not to IE, a Security Question

Microsoft may have won the browser wars, but the recent emergence of a malicious, sophisticated enemy could start pushing users away from Internet Explorer (IE).

Last week's multi-stage malware attack confirmed what we already knew. Malicious hackers are one step ahead of the guys in charge of software security. And, if Redmond is to keep pace and stay true to its "trustworthy computing" mission, it has to bite the bullet and backport the forthcoming Windows XP security enhancements to older operating systems.

The latest attack, where corporate Web servers were hijacked and used to infect consumers via IE, exposes the glaring inadequacies of the world's most widely used browser. It has also prompted a high-profile warning from the U.S. government's Computer Emergency Readiness Team (US-CERT) that IE is too insecure for the average user.

The US-CERT advisory included this kicker: "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

To its credit, Microsoft is on the verge of releasing a massive security-centric IE overhaul in Windows XP SP2 that will address IE's most significant shortcomings. But unless the company backports those fixes to older operating systems -- especially Windows 2000 -- those users may just migrate to rival browsers to protect themselves.

According to statistics from Jupiter Research, more than 70 percent of all businesses are running Windows 2000 on the desktop. Even worse, a whopping 40 percent of large enterprises are still running the archaic NT 4.0 operating system. Even after product support for Windows 2000 expires, the projection is for only half of all enterprises in the U.S. to upgrade to XP.

The bottom line: Many users have yet to migrate to Microsoft's latest OS. As the industry leader, Microsoft has to deal with it. Period.

At every opportunity, Microsoft executives have preached the "security is our top priority" mantra, but that message will ring hollow if the security fixes remain exclusive to Windows XP.

At the height of the Download.Ject Trojan attack, Microsoft added this line to a critical alert: "Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk." Well, what about non-XP users? Don't they count?

The risks to consumers are growing. Within the last year alone, Microsoft has issued four cumulative patches for IE 6.0, all rated "critical."

In all fairness, Microsoft faces a real conundrum because of the complicated nature of creating, testing and releasing patches. It has been more than 22 days since the appearance of a zero-day exploit but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

In the meantime, users remain at risk, and PCs are being commandeered for use by spammers and identity thieves.

Windows XP SP2 will offer some protection, but only to the minority of business users already running XP, fewer than half by the numbers above. Microsoft has a responsibility to provide a secure browsing experience for non-XP users. Otherwise, it runs the risk of falling into the security-by-PR trap.

Ryan Naraine is a senior editor with internetnews.com