Internet Explorer. Better the Devil You Know?

Better the Devil We Know?

Image: Steve Dinn


 
Over the past few days, the polemic over which browser is the “most secure” has reignited, largely due to the recent zero-day vulnerability in Microsoft’s Internet Explorer. The extent of the vulnerability has led to an overwhelming chorus of well-meaning advice  to switch to an alternative browser. This  has been repeated by security experts, CEOs and even the German government (again), but just how realistic, and more importantly how helpful, is it?
 
Security is not based on knee-jerk reactions to individual events; security is dependent on building a strategy that lowers exposure and risk over a period of time. It should also avoid change for change’s sake as the unfamiliarity that adoption of any new technology engenders brings with it its own set of very human vulnerabilities.
 
The two most popular alternatives to Internet Explorer (and the ones getting most of the current recommendations) are Google’s Chrome and Mozilla Firefox; neither of these is immune to vulnerabilities or zero-days. In fact if you consider the available evidence regarding the rate of occurrence of vulnerabilities, you could certainly justify your continued use of Internet Explorer.
 
According to this blog post, in 2011 Google’s Chrome had an all time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had a reported 97 vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years and 2011 saw only 45 new vulnerabilities, less than any other browser except Apple’s Safari, which also had 45. Of course raw numbers of vulnerabilities are almost meaningless unless we consider the respective severity, but there again, of the “big three” the statistics favour Internet Explorer. If zero-day vulnerabilities have to be taken into consideration too, they don’t really do much to change the balance, Google Chrome 6, Microsoft Internet Explorer 6 and Mozilla Firefox 4. Of course different sources offer completely different statistics, and simple vulnerability counts are no measure of relative (in)security of browsers, particularly in isolation. However, it cannot be ignored that vulnerabilities exist in every browser.
 
The simple truth is that we pay undue attention to zero-day vulnerabilities such as this one, the very name strike fear even into the hearts of people who aren’t really sure what the phrase means. Enterprises, but also individuals have a hard time keeping their browsers up to date with just the patchable vulnerabilities that far outnumber the occasional zero-days that we see. In any case attacks are increasingly aimed not at browsers but at application plug-ins like QuickTime, Flash or Acrobat that can be used in multiple different flavours of browser on multiple Operating Systems. Either that or they are simply attacks aimed at the individual using the browser (like phishing, pretexting or other social engineering attacks).
 
Face facts, your browser will not keep you safe, whoever made it. You need to take steps to keep yourself safe, whichever browser you choose.
 
Every browser has its flaws, vulnerabilities and patches (or lack of them). It’s different strokes for different folks and various security tools or techniques require varying degrees of familiarity with the browser, with technology or with threats in general in order to effectively protect you without ruining your Internet experience beyond redemption.
 
In most cases the best advice is to stick with the browser with which you are most familiar but to take steps to secure it, including applying security patches as soon as they become available (MS12-063 that fixes this particular zero-day is available here). If you suddenly switch to using a browser with which you are unfamiliar, your lack of familiarity may leave you less secure than you were before.
 
Ultimately security software is as necessary for a PC as a seatbelt is for a car and it should be doing a much better job at protecting you from these kinds of vulnerability and exploit, whether or not a patch is available. If you want to get an idea of how that is working out, then this report might be a good starting point.
 

13 thoughts on “Internet Explorer. Better the Devil You Know?

  1. Pingback: In a Zero-Day World, It’s Active Attacks that Matter | My Blog

  2. Pingback: אקספלורר, כרום ופיירפוקס: מי הכי בטוח? [דעה] | Newsgeek

  3. Pingback: In a Zero-Day World, It’s Active Attacks that Matter |Trax Asia™

  4. Pingback: Indagadores |Seguridad informatica |Seguridad en internet » En un mundo de día cero, es Ataques activos that Matter

  5. Pingback: In a Zero-Day World, It’s Active Attacks that Matter — Krebs on Security

  6. hwangeruk

    J.R. and Marcin you are both wrong.
    Adblock is available for IE
    also
    Blocking of Javascript.
    All browsers don’t do the above without extra effort from default.
    I use all the browsers for different reasons in different places. I’ve seen malware get through them all in my line of work.

    Reply
  7. Pingback: IE, Chrome, Firefox三巨頭,漏洞數量比一比 | 雲端防毒是趨勢

  8. J.R.

    My experience is similar to Marcin Marciniak’s: Firefox with NoScript & AdBlock+ do really well. IE, for me, is only used on a very limited basis. I don’t believe Chrome or Opera have NoScript or equivilents yet. Correct me if I’m wrong, please.

    Reply
  9. Marcin Marciniak

    You’ve scored a point. But there are lies, bigger lies and statistics. For me the most important reason AGAINST Internet Explorer (which I consider light years better than Safari for Windows) is lack of proper content filters (NoScript and Adblock Plus – rules!). Nothing similar is available for IE from Microsoft. Proper use of NoScript decreases number of crappy things that your browser can retrieve on it’s own. I wish I had similar simple tool for IE 6 years ago. The company in question is running centrally updated and managed Firefox (via Active Directory) with proper NoScript settings – for 4 years. Number of alerts on IPS and firewall come down to near zero immediately after migration (!). They blocked all Web request that seem to come from IE on a firewall (User-Agent and so). It’s not the best solution ever, but it works. For years now. There weren’t even a single alert from AV (first Nod32 then yours, that is) on workstations after migration I told about.
    Microsoft learned a lession, at least IE is updated faster than before. In case of critical vulnerabilities used in the wild they issue a patch in less than 10 days. That’s impressive, but still lagging after FF. Maybe in IE 10 there will be such a tool, similar to NoScript, Adblock Plus and Ghostery. Without them I will not use IE at all.

    Reply
  10. aGerman

    Read the statement by the BSI. It does NOT recommend to ditch IE for good as you imply, it recommends to use an alternative browser until the flaw in IE has been fixed.
    The only reason they’re doing this, is also that the work-around MS has published is not available in German (EMET is English only), so that there’s no work-around available.

    Reply
  11. Pingback: ste williams » Redmond promises emergency IE bug fix on Friday (zero day + 5)

  12. Elfsun

    I quite agree with your point of view.Every browser has its flaws, vulnerabilities.The one that suitable for you is the best.I’m now using a small browser called Avant.My friend often let me change it to chrome or firefox, but I have used it for several years now and It works very well in my computer.I don’t think I need to change a browser although it is not that famous.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>