Defection to More-Secure Browsers? Don't Bet On It

With more-secure browser alternatives now available, will IE go by the boards?

Internet Explorer, which hasn't had an update in some time, keeps landing in the spotlight for its security vulnerabilities and the resulting drive-by-download phishing vulnerabilities. With every IE security announcement, some security experts reiterate their recommendation that businesses switch to a different, more-secure browser, such as Mozilla’s Firefox.

People are switching. The Mozilla Foundation, which maintains the open-source Firefox Web browser, says 19 million copies of Firefox 1.0 have been downloaded since its release less than three months ago.

Could this portend a toppling of Microsoft’s browser dominance and an end to the mass security incidents that affect old versions of IE?

Don’t bet on it. When it comes to switching browsers, “my understanding is, a lot of this is not resonating yet with consumers,” says Neil Macehiter, research director at London-based research firm Ovum. While businesses may patch their systems against vulnerabilities, users—including business users working on their home PCs—often don’t, meaning IE vulnerabilities will still translate into fertile territory for widespread exploits.

Statistics back up his assertion. Despite the competition, IE still commands 89 percent of the browser market (versus 5 percent for Firefox), according to a November study from Amsterdam-based Web analytics firm OneStat.com. More recent statistics from WebSideStory say IE has lost five percent of overall market share since mid-2004, but that it still commands 90.3 percent of the market.

So while the press might have been pitching Microsoft versus Mozilla—risen from the ashes of Netscape—as the biggest showdown since, well, Microsoft versus Netscape, this isn’t Browser Wars II. “It’s more of a skirmish, and one that’s still in the technical community,” notes Macehiter.

What’s That Rotting Smell?

Competition never hurts, perhaps especially against the current version of IE, which is more than three years old. If IE is stagnating (to put it mildly, some suggest), why isn’t Microsoft updating its browser?

To be fair, Microsoft’s recent Windows XP SP2 release did introduce a number of IE security fixes, including better ActiveX wrangling—it’s a frequent cause of security problems—plus automatic pop-up ad blocking. Yet the latter feature graced other browsers’ feature lists two years ago. Likewise, such IE functionality as cookie handling, and adding or removing sites in its “security zones,” remains clunky compared with implementations in alternative browsers.

In recent interviews with the press, Microsoft representatives say they’re reevaluating the decision to not offer a new version of IE except as part of Longhorn, Microsoft’s next-generation operating system. Currently Longhorn is scheduled to ship by the end of 2006.

Unlike Microsoft’s late-1990s trouncing of Netscape, don’t expect browser choices to diminish anytime soon. Microsoft’s competitors are itching to show up IE, and this competition continues to redefine what Web browsers can do. “We think it’s a category that has just tons and tons of innovation left,” says Ken Bereskin, on Apple’s senior software product marketing team, based in Cupertino, Calif.

Indeed, thanks to all of the new choices, “the market share for IE is diminishing,” notes Ovum’s Macehiter. He attributes the switching to businesses' awareness of browser-related security concerns, as well as the increasing use of browsers in non-PC devices. For example, his T-Mobile Sony Ericsson P900 mobile phone’s built-in browser is Opera. “But if I wasn’t a techie, I wouldn’t know it was on there.”

The Barrier to Switching

A vocal group of PC users—not content to wait for Microsoft’s next IE release or endure IE’s numerous security vulnerabilities—is also switching. They’re embracing Firefox, Opera, Deepnet Explorer, and other alternative browsers.

For other operating systems, of course, there are different rules. Apple users, who comprise about five percent of the computing market, already have their own browser, called Safari, built into OS X. Microsoft no longer supports IE for Mac.

Yet in terms of stealing Microsoft’s market share, “the case with Safari is less of an issue, because it’s Apple-only, and Apple customers tend to be quite loyal to Apple technology,” says Macehiter, an Apple and Safari user himself. “It’s the default browser when you boot up Mac OS X, so if you’re a technically illiterate consumer, and decide to go down the iMac or iBook route, and you want to access the Internet, and it happens to be Safari, that’s what you’ll use,” he says.

Regardless of browser, Macehiter says users who switch for security concerns are in the minority, and predicts it will remain that way. When it comes to gauging whether consumers en masse will defect from IE, “the first question is, are they sufficiently aware of the need to move away from IE? I question whether they are.”

While consumers are at least aware of IE’s security concerns, “the fact that a number of machines aren’t auto-updated with every patch” via Microsoft Windows Update, he says, means many consumers just ignore PC security issues.

Furthermore, of the users who’ve switched, “it would be interesting to understand how many of those people [who] have downloaded the product are using it as their only browser.” Indeed, Microsoft warns that switching browsers may leave PC users unable to access such things as Windows Update or other essential Windows functionality.

In terms of businesses switching, “the information used to gather the market-share data is from publicly accessible Web sites,” he says. That doesn’t “provide any indication of how much Firefox is being used for access to internally-hosted Intranets, or browser-based applications where issues such as testing and plug-in availability may act as a barrier to switching from IE.”

So for the time being, Macehiter discounts any impending fall of IE, saying alternatives are still the province of “technocrats” able to download, install, and tweak the software. On the other hand, “if Firefox was the default browser on the desktop,” he says, “you’d probably stick with it.”

Related Articles

In Brief: Highly Critical IE Vulnerability Lacks Patch
http://www.esj.com/Security/article.aspx?EditorialsID=1191

Bevy of Browser Vulnerabilities, Including IE
http://www.esj.com/Security/article.aspx?EditorialsID=1174

Protecting Customer Data at the Browser Level
http://esj.com/security/article.aspx?EditorialsID=992

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.