Long before Internet security became a mainstream concern,
many users chose to dump Microsoft’s Internet Explorer and switch to other Web
browsers, most notably products from Netscape. And given IE’s checkered
security history, that trend continues—particularly thanks to the growing popularity
of the Firefox browser.
However, while I’ll be the first to criticize Microsoft,
I’ll also say that companies shouldn’t be so quick to look to alternative Web
browsers. As anyone who has switched to an alternative Web browser has
discovered, security isn’t always the only issue. Companies often focus so intensely
on security that they manage to overlook areas that are just as vital—such as functionality.
It’s an undeniable fact that IE sports some functionality
that simply isn’t present in other Web browsers. In addition, a considerable
number of Web sites don’t function properly if you’re not using IE to access
them.
Over the years, Microsoft has adamantly maintained that IE is
a part of Windows—not an add-on. In fact, the software giant has spent a great
deal of time and money ensuring that users can’t easily remove IE from Windows.
(It is, however, much easier to disable IE on your
system.)
If your organization has decided that using IE on a regular
basis exposes it to security risks, it’s not necessarily wrong. The majority of
browser-hijacking malware targets IE—and for good reason. Hackers are taking
advantage of features designed to make IE more extensible to create malware that
takes over the operation of IE.
For example, a primary way that spyware and adware infest a
Windows system is through Browser Helper Objects (BHOs), which
alter IE’s behavior. This is another case of the
common conflict between functionality and security—to the detriment of average
users.
The security of the Web browser itself is often a primary
motivation for searching for an IE replacement. In the past, exploitable
programming errors in IE have resulted in viruses and other malware infesting a
Windows system.
But this is the point where most organizations go astray in
their logic: They assume that switching to an alternative browser will keep
them safe. Yet the fact that IE has suffered from security issues before
doesn’t guarantee that a replacement Web browser won’t experience similar
issues.
Yes, IE is a common target for hackers, but that’s primarily
due to its popularity. Malware authors typically focus on frequently used
software, and IE is no exception. And as the popularity of other Web browsers
grows, they begin to attract more
attention from hackers.
In fact, Firefox—arguably the most common IE alternative—has
seen its fair
share of exploitable security problems in recent months. And that means
users are stuck between a rock and a hard place.
While it’s possible to improve security in IE, it’s quite
difficult for most people. Although Microsoft has made improvements that allow people
to specifically manage add-ons in IE6, the majority of users are still unaware
of how to use any of these features.
However, using an alternative Web browser that doesn’t
support ActiveX prevents users from accessing those Web sites that require it. This
is perhaps the largest issue when it comes to not using IE. Despite the overwhelming
evidence that using proprietary technologies on Web sites is a horrible idea, Web
sites that require IE are actually quite common. And even after years of
criticism, Microsoft still remains resistant to fully implementing W3C
standards.
There are also differences in how different Web browsers
process XML and CSS. While larger Web sites compensate for many of these
issues, others do not. And even some Web sites that don’t use proprietary
Microsoft features simply won’t work using alternative Web browsers due to subtle differences in how all Web browsers process HTML, JavaScript, or Java. Despite claims to the contrary, Java is anything but portable.
Regardless of the reasoning, companies need to realize that it’s
not always feasible to simply abandon IE. If your organization has decided to
stop using IE based on the premise that another browser’s security is better, it’s
making a questionable assumption that might prove to be more trouble than it’s
worth.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.