Despite Security Flaws, Internet Explorer Resists Decline and Fall
Fred Cohen, principal analyst at The Burton Group, told the E-Commerce Times that releasing a patch prematurely can cause more problems than the vulnerability itself. Indeed, the IE patch's tardiness appears to have had little effect on the browser market, according to Dennis Barr of the Larkin Group.
03/23/04 4:14 AM PT
Microsoft is still top dog in a newly invigorated brawl over the browser space, despite some security flaws and a somewhat sluggish development schedule.
Although alternative browsers may offer more secure portals to the Web, many IT managers in corporate America are reluctant to move away from IE -- preferring, instead, to gamble on Microsoft's release of Internet Explorer 6 for XP Service Pack 2, which is slated to become available in the first half of this year.
"I'm happy for the most part with Microsoft's current products, but I'm waiting for them to get further along in their Trustworthy Computing work before I can say that I'm completely happy with them," Dennis Barr, manager of information technology at the Larkin Group, a Kansas City, Missouri-based civil engineering consulting firm, told the E-Commerce Times. "IE needs work, but they seem to be seeing that fact with the upcoming Windows XP SP2 release."
"I'm hoping that some of the things [IE] lacks will begin to appear from Microsoft," Barr added. "If that happens, I would have to re-evaluate my opinions about IE. Specifically, those features include better isolation of browser processes from the computer as a whole -- sandboxing, tabbed browsing -- and the option to open a group of related sites as tabs simultaneously, a better print preview, really good pop-up control and a few others."
In fact, according to the Redmond, Washington-based software company, IE 6 for XP SP2 will:
- block unauthorized file downloads and pop-up windows;
- prevent pop-up windows from obscuring or replacing the user interface in Windows and IE dialog boxes;
- check for signatures on downloaded executables and prompt or warn the user;
- enforce stricter matching between file type and MIME type to prevent IE from being spoofed into running an executable that claims to be a JPEG file;
- fix all known MSRC issues;
- prompt users before running code downloaded from the Internet, even if the code was encoded in .zip format or downloaded via Messenger;
- and provide an add-on manager that lets users or network administrators disable unwanted IE add-ons.
In the meantime, companies striving to erode IE's market share have a large target. IE has 94.8 percent of worldwide browser market share, according to OneStat, an Amsterdam, Netherlands-based provider of real-time Web site analytics. Breaking it down, IE 6.0 has 68.1 percent of the market, IE 5.5 takes 13.8 percent, and IE 5.0 holds 11.8 percent, the company found.
Second-place Mozilla took just 1.8 percent of the market, according to OneStat's most recent report, released in January, while Opera 7.0 had 0.8 percent. IE 4.0 had 0.7 percent, and Safari took 0.48 percent.
On the other hand, "at IE's peak a year and a half ago, 95 percent of visitors to Salfara's Web site used Internet Explorer," said Stephen Morley of informational Web site Salfara.com. "Although new content has appeared on the site, its target audience has not changed, and now fewer than 80 percent of visitors use IE. The trend has been consistently downward."
Indeed, IE's market share, though still dominant, has slipped slightly. In July 2003, all versions of IE commanded 95.4 percent of global browser usage share, according to OneStat. Mozilla took 1.6 percent, while Netscape Navigator 4.0 and Opera 6.0 each represented 0.6 percent of the market. But IE 6.0's portion of the overall IE pie grew between July 2003 and January 2004: In July 2003, that version represented 66.3 percent of the total browser use, OneStat stated.
Although Larkin has almost completely standardized on IE, Barr said he personally prefers Mozilla because of its inability to run ActiveX controls and its tabbed browsing capabilities.
"I made a point of mentioning the inability of Mozilla to run ActiveX controls because that, to me, is one of the ways that IE remains vulnerable to attack," Barr said. "Despite my own preference for Mozilla, most people don't want the downside of not being able to run ActiveX controls. So you can see I'm caught in something of a Catch-22: The thing that I consider a security vulnerability is viewed by most people as an operational asset."
User education and comfort with browser technology have caused some people to look elsewhere for this type of software, Morley said. "While users of alternative browsers have had features like tabbed browsing and automatic pop-up blocking for years, IE users have had to rely on third-party add-ons for these features, and they are now beginning to see what they're missing," he noted.
"The Internet will not wait for Microsoft to catch up -- support in alternative browsers for emerging technologies is already advanced, and with new versions of XHTML and CSS nearly here, people will switch browsers in order to get the most out of the Web."
The Mozilla Factor
Like Barr, Morley said he prefers Mozilla to other browsers due to its advanced, standards-compliant rendering engine.
"This forms the basis of a number of open-source browsers, including Galeon, Camino and Firefox," he said. "Firefox is Mozilla's official next-generation Web browser and, although still in the prerelease stage, it is already attracting the attention of the industry. Firefox 1.0 will be released this summer for Windows, Mac and Linux, and in the coming year we should expect to see it become the most popular browser."
Although he has never used it, Barr has heard favorable comments about Opera.
"Some of the IE supplements and enhancements I've tried include Avant Browser for IE, Amaya from W3C and MyIE. Most of them irritated me for one reason or another, and I had to remove them," Barr said. "The thing to consider in alternative browsers is whether they support the Web sites that people in an enterprise regularly access, and whether they work with applications within the enterprise."
Although Microsoft encountered some criticism for a perceived sluggish response to some vulnerabilities in IE, accuracy -- not speed -- is more important when delivering patches, some executives said.
"Security response requires a balance between time and testing, but Microsoft will only release a security bulletin that is as well-engineered and thoroughly tested as possible -- whether that is a day, week, month or longer," a Microsoft spokesperson told the E-Commerce Times. "In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."
Fred Cohen, principal analyst at The Burton Group, told the E-Commerce Times that releasing a patch prematurely can cause more problems than the vulnerability itself.
"If the change isn't right and it causes tens of millions of systems to crash, that's not good," he said, adding that once an enterprise has received a patch, it must ensure the patch does not create problems for its computing environment.
Indeed, the IE patch's tardiness had little impact on the browser market, Barr agreed.
"I consider it almost criminal to delay a patch if there's a demonstrated vulnerability present in a huge number of systems," he said.
"However, on the other hand, sometimes a hastily released patch causes more problems than it solves. Obviously, you have to get the right patch out as early as possible and as widely distributed as possible. In the case of the general user, I'm not sure the issue with the patch for IE was that prominent on their radar.
"Now that patches have been released," he said, "I've been applying them as rapidly as I can. But for the average user at home, I'm not sure there's a real sense of urgency."