In the dog box
We have a bullet with IE's name on it
Geoff Palmer | Monday, November 01 2004
If Internet Explorer was a dog, someone would have shot it long ago. It’s been quietly savaging users for years; bypassing security, giving up confidential information and acting as a vector for all manner of viruses, worms, Trojans, key loggers and spyware.
Perhaps you can’t lay all the blame at IE’s kennel, but there’s easily enough for a dozen convictions. Earlier this year, in Vulnerability Note 713878 (see more page 18), the US Computer Emergency Readiness Team advised, “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface, and ActiveX.” It went on to say that it’s “possible to reduce exposure to these vulnerabilities by using a different web browser ...”
Even Microsoft’s own Slate magazine piled into it in June suggesting replacing it with Firefox for a faster, less troublesome and more secure browsing environment (find it on our cover CD).
How bad does it get? Use IE to visit a compromised website and you can become the victim of a “drive-by download”. If you’re lucky, you’ll just get bombarded with hard-to-remove advertising popups, but it can get much worse. It’s reckoned that up to two million PCs worldwide are now “zombies” — compromised machines that, unbeknownst to their owners, can be used to relay spam, spread viruses or recruit more zombies. According to Reuters, you can rent a zombie network to do your bidding for a mere $US100 per hour.
Crime is where the internet is heading. In the past, most viruses were the result of misplaced curiosity, bravado or a desire for notoriety. Nowadays many are propagated for financial gain. Last year’s Bugbear.b worm, for example, exploited IE’s dodgy MIME header handling to send sensitive data — including cached passwords — to a selection of public email addresses. The code contained more than a thousand bank domain names and was specifically targeted at financial institutions. Vincent Weafer, senior director of development at Symantec, recently told the Australian Financial Review, “... what we’re seeing now is a movement away from script kiddies to more significant demand for profit”.
According to Google, 90% of search requests come from users of Internet Explorer 6. A further 5% come from earlier versions of the browser. If you’re heading a criminal gang looking to exploit system weaknesses, who are you going to target? I’m not saying that using IE is a guaranteed way of getting mugged. But neither is wandering around the south side of Los Angeles in a t-shirt bearing the legend “Hello, I’m a tourist”.
You’ve only to look at IE’s release history to see evidence of a monopoly in action (or should that be “monopoly inaction”?). In the mid-90s, Netscape ruled the browser roost. IE version 1.0 appeared in August 1995 followed by version 2.0 three months later and version 3.0 nine months after that. Version 4.0 hit the streets in October 1997 and by the time 5.0 came out (October 1999), Netscape was essentially dead and buried. But by then Microsoft was up to its neck in an antitrust suit brought against it by the US Department of Justice. It lost the suit in April 2000, appealed, then reached a settlement with the DoJ in November of the following year — a month after the last full version upgrade of Internet Explorer was released. There have been none since.
IE’s also a classic example of bloatware. A Firefox download requires less than 5MB of disk space, Mozilla 12MB, Opera 16MB and Netscape a fairly hefty 29MB, while IE weighs in at over 50MB. (Note that Firefox doesn’t include email or news functionality. All the others do.) And it’s not as though you’re sacrificing speed — IE’s consistently slowest of the bunch — or features. For years now Opera’s standard installation’s included tabbed browsing, mouse gestures, the ability to save every open window in a session, and a control menu that lets you instantly alter how the browser responds to cookies, popup windows and animated graphics.
But perhaps the most disturbing thing about IE is that even if you use a different browser you can never quite escape its curse. That US-CERT advisory I quoted earlier goes on to warn “that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine”.
The latest Windows XP Service Pack is supposed to finally tighten some of the browser’s notorious slackness. Whether it does so or not remains to be seen, but you can bet it’s being carefully probed by hackers and crooks around the world. It’s also scant consolation to the legions of Windows 2000, ME and 98 users who’ve been sold a pup. Time to call in the Society for the Protection of Computer Autonomy and put the slavering, overweight, bug-ridden brute out of its misery.