NEWS FLASH: INTERNET EXPLORER IS NOT THE INTERNET! (AND VICE VERSA)

by Chadd VanZanten (Iodynamics)

Fall 2004

Recently, the U.S. Computer Emergency Readiness Team (CERT) issued an advisory on major
vulnerabilities in Microsoft's Internet Explorer (IE). In addition to other known flaws,
CERT reported, IE has "significant vulnerabilities" to so-called "unstructured sites,"
sites that redirect a user from one webserver
to another.

In some ways, this is not noteworthy. Vulnerabilities pop up in IE
like, well, like the pop-ups you get when using IE. However, the advisory
is noteworthy because it suggests that we stop using IE altogether. The
effect of this announcement was less than dramatic; IE's market share fell
a mere 1 percent (from about 95 percent to about 94 percent).

Let's put this into perspective. CERT, a partnering agency with the U.S.
Department of Homeland Security, has advised us to stop using IE because it
is too vulnerable to hackers and malicious programs. Granted, Homeland
Security once advised us to stock up on duct tape and plastic wrap to
protect against terror attacks. However, if Homeland Security said that
Twinkies might be laced with anthrax, thousands of truckloads of Twinkies
would be immediately incinerated. Yet, when CERT says stop using IE, IE
users hardly blinked.

Surprised? A lot of people are. Many are asking, "Why does anyone use
IE?" Industry experts cite several reasons:

• Average computer users equate the Internet
  with IE; they think IE is the Internet.
• Average users lack the technical ability to
  replace IE with something else.
• Most people think nothing bad will happen to
  them.

Meanwhile, IE users are practically begging hackers to hijack their
computers or bomb them with porno pop-ups. Here's what they (and everyone
else) should know.

First, IE is not the Internet. There are three parts in an Internet
visit: 1) the Internet, 2) the user's computer, and 3) the browser,
software that displays websites. IE is but one of several browsers that can
explore the Internet. When you use IE, it's increasingly likely that there
will be 4) a malicious program or hacker ready to exploit IE and take
control of your computer.

Second, replacing IE with another browser isn't simple, but neither is
reclaiming a hijacked computer or stolen credit card. Yes, you'll have to
find and download an installation file and re-establish your bookmarks,
but this is no longer just a good idea, it's imperative.

Finally, yes, it can happen to you. The Federal Trade Commission
estimates that one in three Americans will fall victim to identity
theft in the next 10 years. Translation: you are not safely anonymous, and
IE makes you into a target. Whether you're a novice with just a foggy
notion of the Internet, or a system administrator with 50 users, this is
your chance. Unless a Russian mafia hacker is already using your computer
to send millions of child-porn spam messages, it is not too late to pay
attention to CERT.

The most viable replacement for IE is Mozilla
< http://www.mozilla.org/ >. Mozilla is a fully
functional browser with virtually all the features of IE, and some IE
doesn't have. Mozilla is free and installs easily. Will it take long to
re-establish your bookmarks? Maybe. But will your personal information and
your computer be more secure? Definitely.

A word of warning: Mozilla is not without critics.
Some say IE has more vulnerabilities only because more
people use IE, and so hackers work harder on it than
other browsers. Fair enough. Some day, when 95 percent
of Internet users use Mozilla, hackers might give up
on IE and CERT might issue an advisory to discontinue
use of Mozilla. Until then, even if Mozilla is safer
only because of its smaller market share, it's still
safer.

A second word of warning: Using Mozilla or some other
browser is not a panacea for the risks of browsing the
Internet. Hackers, viruses, and spyware have many ways
to get at your computer and data. All users, no matter
how savvy, unimportant, or anonymous, should take
these steps to protect against computer attack:

• Maintain and use current virus protection.
  
• Maintain and use current adware and spyware blocking
  software.
  
  
• Apply patches and security fixes when available.
  
• Do not follow unsolicited links in pop-up ads and
  browser windows.
  
• Read and send e-mail in plain text ­ this helps to
  protect you and the people you send e-mail to by
  limiting the possibility of running programs at
  tached to e-mail.
  

It should be noted that Microsoft Internet products,
including Outlook and Windows Media Player, have
similar failings that expose users to unnecessary
security risks. However, by following a few simple
steps (including not using IE) you'll increase your
own personal homeland security.