With the news of the latest zero-day exploit for IE gaining press around the globe, there is increasing coverage of “security experts” advising users to stop using Internet Explorer until Microsoft releases a patch for the root problem.
That’s all well and good, but many of the people I work with don’t have a choice of browser. A significant portion of my corporate customers, for example, are still using XP and IE6. Within the corporate customer base, browsers other than IE are rare: most users are either unable to install another browser, or simply have no personal reason to.
On the consumer side, the situation is a little different. Looking at the latest analytics from our short URL service, http://mcaf.ee, around two thirds of visitors are using an IE variant (the majority IE 8/9), with Chrome and Firefox splitting most of what’s left between them.
I’ll track the numbers over the next few weeks, but a landslide shift away from IE is not something I expect to see.
And why would people move? The advice to stop using IE is only valid if you have no protection from exploits. McAfee, and most of our peers, already have protection and identification in place for this piece of malware, and if you’re a corporate customer using McAfee HIPS (Host Intrusion Prevention Software) with a couple of generic rules enabled, you’ve had coverage since you installed the product.
A zero-day exploit which you’ve been protected from, potentially for years.
I’m not saying that this virus is not serious, but is it more serious than any of the 70,000 or so that we discover on any given day?
Every day we could announce “stop using this version of Oracle, or this version of Flash, or this version of Angry Birds” (examples, of course). Zero-days are discovered regularly, mostly in applications. What makes the world safe(r) is that most malware protection solutions don’t rely on signatures alone; they rely on behavior, rules, and cloud-based knowledge. So even though you’re using IE, no one can exploit the defect, because your anti-malware product is shielding that defect from exploitation.
We’ve heard this news all before. Back in January 2010, Steven Vaughan-Nichols of IT-World accused IE of being “an insecure mess”, and further condemned Microsoft with “Windows has been, is now, and always will be insecure”, despite all the evidence pointing to apps, rather than operating systems, as the general weak point in today’s computing platforms.
And by October 2010, of course, one of the recommended alternatives, Firefox, had also been compromised. What to do? Switch back to IE, or keep changing to something new…
What I say is, changing your browser would be great, but it’s not a permanent fix. Cybercriminals will always focus on the most popular computing environments, because that’s where the biggest potential return is, and unless we want to regress to the Mosaic days, the complexity that we users demand of modern technology is not going to make bugs disappear, despite our best intentions as programmers.
Changing software every time a threat is discovered, especially when vendors are so quick to react to fix issues, seems a little impractical.