Internet Explorer Sucks

This study is from August, but I missed it. The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were "known unsafe." Their definition of "known unsafe": a remotely exploitable security vulnerability had been publicly announced and no patch was yet available.

MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole.

Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe.

Opera was 17% unsafe: 65 days. That number is accidentally a little better than it should be, as two of the unpatched periods happened to overlap.

This underestimates the risk, because it doesn't count vulnerabilities known to the bad guys but not publicly disclosed (and it's foolish to think that such things don't exist). So the "98% unsafe" figure for MSIE is generous, and the situation might be even worse.

Wow.

Posted on December 26, 2005 at 6:27 AM • 94 Comments

Comments

Brian • December 26, 2005 9:01 AM

At work, I had just convinced the head Microsoft admin to switch to Firefox, when a patch for a security vulnerability in Firefox came out. He switched back to IE, saying, "see, Mozilla has bugs too." Then I came across this study -- it is the best counter-argument to the "yeah but Mozilla has bugs too" argument from IE loyalists.

He's a Firefox user these days.

Milan Ilnyckyj • December 26, 2005 9:02 AM

IE also sucks because it has its own particular, frustrating, and often incomprehensible ways of rendering code. Anyone who has tried to design a site for several browsers will know what I mean.

While that may not seem like a security issue straight off, I would submit that having to add a lot of complexity and workarounds reduces security. Also, lack of compatibility can constrain people's ability to use more secure browsers.

Alex Holst • December 26, 2005 9:16 AM

Like Bruce said, it's foolish to think there aren't black hats in the world with working exploit code for most browsers.

I use a particular browser but I hate all of the current ones.

None are designed to fail, so a single bug is pretty much an instant vulnerability.

I wish the browser vendors would use whatever OS capabilities are available to jail a browser. I can't believe the arrogance of these developers.

TNT • December 26, 2005 11:15 AM

"I wish the browser vendors would use whatever OS capabilities are available to jail a browser. I can't believe the arrogance of these developers."

Yep. It's also worth noticing that a jail-like environment is possible to implement for Windows, for use with the browser. There's a freeware software called SandboxIE (http://www.sandboxie.com) that does just that. Problem is, this should have been implemented in the browser itself.
It is unthinkable that every time a browser's vulnerability comes out it automatically means system compromise; a browser should NOT have the ability to go and touch OS files as it feels like.

Rich • December 26, 2005 11:28 AM

"I wish the browser vendors would use whatever OS capabilities are available to jail a browser. I can't believe the arrogance of these developers."

I know a couple of people who only browse unknown sites in vmware. Extreme, and not for everyone, but serves the sandbox environment.

Dont Believe the Hype • December 26, 2005 11:54 AM

The same conclusion as Bruce's; using I believe the same data, but a little more explanation for the average Joe:

http://www.windowssecrets.com/comp/050512/

(Scroll a little bit)

Also check out:
http://secunia.com/product/11/#advisories

and:
http://www.eeye.com/html/research/upcoming/...

I'm sorry, but for all the naysayers saying "See, Mozilla/Firefox has bugs too", I'll take their track record over MS. Also note how many of the IE holes are remote exploits allowing an attacker to take over your machine. Many of these idiots don't make a distinction between that and a denial-of-service to a particular site.

Tell all your non-techie friends and family to use *anything* but IE.

Oh, and Outbreak and Outbreak Express.

I read somewhere that more than 85% of all email now is spam and virii. I have to find that link, because while much of that is trojan software, it talks about IE/Outbreak as some causes for infection.

Nuttycat • December 26, 2005 12:26 PM

"browser should NOT have the ability to go and touch OS files as it feels like."

The problem in that lies in the way the browser is designed. IE for e.g. is so much a part of the WinOS, that it's so difficult to separate it from the OS files. The Win File explorer also uses a part of the IE files (or take it that IE uses the Win File Explorer), that IE by default has access to the OS files due to its nature.
On the other hand the stand alone browsers like Opera and Firefox are much better in that they do not need direct OS access, but not being a system programmer, I am not sure how much access it needs.

Stiennon • December 26, 2005 12:28 PM

I am intrigued by the idea of using a VM that launches with IE, similar to the recently announced VMWare+Mozilla "Browser Appliance". It is not complete protection but at least your machine does not get dirty from continuous infection. Seems like a lot of work but if it can save having to download patches every week....

Jim Hyslop • December 26, 2005 12:28 PM

Unfortunately, it's not always as simple as switching away from IE.

Bell Canada, which in addition to telephone services is one of the country's largest ISPs, cell providers and DTH satellite providers, supports only IE on its online billing system. Some pages, like the ones where I can view the details of my bill, come up blank in Firefox. I tried contacting Bell, but their excuse was "We can't support all browsers that are out there." Um, no, but you could simply adhere to the W3C standards and not care about a specific browser.

So I switched back to paper bills.

Ryan Russell • December 26, 2005 12:31 PM

"MSIE was 98% unsafe....Firefox was 15% unsafe...Windows Firefox was 7% unsafe...Opera was 17% unsafe.

This underestimates the risk, because it doesn't count vulnerabilities known to the bad guys but not publicly disclosed (and it's foolish to think that such things don't exist). So the "98% unsafe" figure for MSIE is generous, and the situation might be even worse."

Interesting conclusion you draw, there. I read that to mean that IE could only be 2% worse, and that it is much worse for the others. :)

John Ridley • December 26, 2005 12:43 PM

If you have a site that absolutely must run under IE, then install the IETab extension in Firefox and set it up to open that domain with IETab. When you visit that domain, it'll come up in a Firefox tab with IE running as the renderer, all other sites will still run under Firefox.

And obviously, complain about their lack of standards compliance, loudly and frequently.

Jason Marshall • December 26, 2005 12:51 PM

Ryan,

I guess it depends on how you count exploit days. I would think that having two exploits to choose from at any given moment would at least slightly raise the likelihood of an exploit, both by making an exploit more enticing and by lowering the barrier to entry of a would-be exploiter. Two simultaneous exploits may not double the risk of compromise, but I would think the risk multiplier would still be greater than 1.

Farooq • December 26, 2005 2:25 PM

i think these are meaningless studies...i've been using IE for 6 years now and not once have I had ANY problems with it...site rendering or malware etc etc...not only that none of my buddies or the 4 places i have interned at have had any issues with IE in this while...

i believe open source advocacy has gone out of proportion...and perhaps that's why we see a lot of this IE hate...maybe it's time u shift some onus on the user...who says u gotta click 'OK' when a part on some strange website asks to confirm *your free unlimited porn subscription* :)

Bill Bright • December 26, 2005 3:59 PM

This is the same old BS all over again - usually perpetrated by those with some obscure bone to pick with Microsoft and Bill Gates. Don't get me wrong, I have had my run-ins with MS before and certainly believe in "trust but verify". But let's not forget why these exploits exist. They are there because over the years penny-pinchers in business, and budget-conscious home users, insisted all newer versions of Windows, Office, IE, Outlook, etc upgrades fully support old, outdated, antiquated, insecure, legacy hardware and proprietary applications. This forced MS to weigh legacy support over security - to keep their client base happy. Now those folks (and MS) see that was the wrong strategy in the long run. Now MS is scrambling, as they should.

Let's also put this little evaluation into perspective and address what is always overlooked in these bashings; that is, the computing practices of the user. A disciplined user practices safe computing, which involves, among other things, the following:

1. Timely installation of critical updates
2. SP2
3. Router with NAT - even with a network of one
4. PC based Firewall, such as ZoneAlarm - not Windows Firewall, which is only one way
5. In resident AV with current signature files
6. In resident anti-spyware with current signature files
7. In resident anti-Trojan with current signature files
8. Spam Blocker
9. Popup Blocker
10. Scan all downloads before opening
11. Scan all attachments before opening
12. Never click on "to stop these popups, click here" and all things similar
13. Scan all floppies and removable media

and last but not least...

14. Stay away from sites your momma would not approve of!

I will agree if you WANT to infect your machine, you can drop all other defenses and do it easier with IE. But I do not agree that a properly protected PC with a disciplined user at the keyboard will automatically become compromised, just because IE is the browser.

The existence of an exploitable vulnerability in IE in NO WAY automatically means a badguy will be able to penetrate all defenses and cause damage.

I admit that among my peers of fellow IT experts, I may be in the minority when it comes to using IE. But I feel I am doing a better service to the non-geek out there by setting the example and educating them about being responsible and confident PC and Internet users. Teaching them safe computing practices instead of using scare tactics that stretch the truth about the actual "real-world" threat against them. Nor by exaggerating about how much safer they will be just by moving away from IE, regardless of how security-conscious the user is.

Don't whitewash the threat - but don't say someone will be infected if they use IE. Or worse yet, imply they are safe if they switch to FF! I'm not knocking FF - it's a good browser. And certainly, if you prefer its feature set, go for it.

I contend there is NO reason any user - especially those of us who are "security aware", NEEDS Firefox, or some other non-IE based browser, to remain safe. It takes a lot more than just changing browsers to ensure that. Furthermore, I contend these same "security aware" people, who, in their zeal to slam anything MS and insist everyone must switch away from IE or risk infection are merely fanning the fires of fear spread by the actions of lowlife hackers, identity thieves, and cyber-terrorists.

Doug • December 26, 2005 4:41 PM

Bill,

I see you list 14 practices that may make browsing with IE safe. Setting aside for the moment whether they actually work (e.g. only 40% of malware alerted to by AV on date-of-discovery), aren't 14 practices a bit much for the non-technical home user? I'll agree that most readers of this blog can reduce the risk from using IE, I disagree that most IE users can do the same.

The problem is an engineering problem; IE simply is not engineered for the non-technical user. Perhaps that's why the next version of IE is supposed to run with reduced rights -- a recognition by MS that the current IE doesn't fit the users.

jammit • December 26, 2005 4:52 PM

Farooq is right about the free pr0n, but there's more to it than that. I personally ran win95b (the early version that didn't have Internet Explorer 3.0 installed by default, it was optional) for many years and without installing any antivirus software without having a single real problem, except for the bad HD, new driver went wonky, or funny things like that. I didn't want to "upgrade" to win98, but after I needed USB support and couldn't get the new USB stuff to work (some of the older USB devices I was able to get working under win95b), I finally used a removable HD and installed win98 on that. After a few years of messing with win98, I finally got iexplore and its related files removed (with help from litepc.com). After trying to infect my "fixed" 98 drive and not getting anything, I decided to replace the win95 with win98. Until I was able to get high speed internet and downloaded linux, I ran 98 without antivirus for many years without catching anything. I'm not against Windows or Internet Explorer, I just don't like it when MS does something non-standard in an attempt to lock in users/ bury competition. This just allows an attacker to simply use MS built in non standardness (is that a word?) as a weak point.

Davi Ottenheimer • December 26, 2005 5:45 PM

"I contend there is NO reason any user - especially those of us who are "security aware", NEEDS Firefox, or some other non-IE based browser, to remain safe."

True. It's all just ways of reducing risk -- just like you don't NEED to avoid driving Fords to remain safe, statistically you will have a better chance of avoiding a safety issue or recall if you drive a better engineered car.

Walter Underwood • December 26, 2005 5:52 PM

It is worse if you include IE for the Mac. I reported a portable vulnerability a few years ago. It was fixed for Windows, but not for IE on Macintosh, even though the report clearly stated that it existed on both platforms.

Ari Heikkinen • December 26, 2005 7:42 PM

Referring to an older thread, didn't microsoft supposedly invent C# to fix their security problems?

I guess it's not helping them much..

Steve • December 26, 2005 7:49 PM

"A disciplined user practices safe computing, which involves, among other things, the following....."

Well, perhaps on your planet, computer users are required to be 20-40 years old and computer-licensed. Unfortunately, on this planet we have unlicensed grandparents and grandkids (and all ages in between) using computers. We may wish for end-users to implement these security precautions, but for the most part it ain't gonna happen.

Bruce Schneier • December 26, 2005 7:51 PM

"A disciplined user practices safe computing, which involves, among other things, the following..."

Agreed. But that has nothing to do with Internet security. We need systems that are secure without requiring a disciplined user. My mother is not going to do anything, let alone everything, on your list. It is unacceptable to say to her, and everyone like her, that she's screwed.

Ari Heikkinen • December 26, 2005 8:08 PM

"A disciplined user practices safe computing, which involves, among other things, the following"

If you have to require all that from a typical computer user then your system design is all wrong. Systems need to be designed so that they're secure no matter who's using them.

Atypical User • December 26, 2005 8:16 PM

Ari:
Then you still have to trust the "typical computer user" to make wise decisions.
For example, if we have a hypothetical OS that prompts every time it's not sure that a program that's running is OK, then the user has to decide. There's no way for the computer to always know exactly what's good/bad for the computer user.

TNT • December 26, 2005 8:20 PM

"1. Timely installation of critical updates
2. SP2
3. Router with NAT - even with a network of one
4. PC based Firewall, such as ZoneAlarm - not Windows Firewall, which is only one way
5. In resident AV with current signature files
6. In resident anti-spyware with current signature files
7. In resident anti-Trojan with current signature files
8. Spam Blocker
9. Popup Blocker
10. Scan all downloads before opening
11. Scan all attachments before opening
12. Never click on "to stop these popups, click here" and all things similar
13. Scan all floppies and removable media

and last but not least...

14. Stay away from sites your momma would not approve of!"

All useless when there's a new trojan in the wild like this one http://groups.google.it/group/... (by the way, yes, Kaspersky finds it because I sent the samples to them). To consider an AV solution and "safe browsing" (as if such thing exists) a good prevention system is short-sighted at best, downright absurd at worst.

Farooq • December 26, 2005 10:52 PM

ok dare i say it that Firefox usage is with the *influencer* crowd...generally speaking, the 10-15% of the market share it dictates is with the sort of early adopters of our industry...it's a given that these guys will be security aware...the majority of IE users right now, are *don't touch my configuration cause it works* kind of people...chances are that if a vulnerability exists and an exploit is available, you'll see the latter crowd getting problems...that could explain the perceived problems...again *could*

might I also add, that u have to look at a browser as a *tool*...a tool to surf the web...and when u get that distinction, a tool's only as good as its user...

i guess the above is the development ideology for IE7 cause if u notice, they're teaching (much to the chagrin of us techies), how to avoid making fatal mistakes when using a browser...that's the ideology behind all those orange etc etc alerts...and this design methodology should extend to all browser makers who will eventually command a higher market share cause the majority of ur users will always come from the non-tech. background...

J-Mac • December 26, 2005 11:39 PM

I primarily use Firefox and Opera for browsing. Opera when just browsing for the sake of browsing, Firefox if I will likely need to be logging in to sites (I simply do not appreciate Opera's "Wand"), and IE for those sites that do not render well or at all in the other two.

Not so much for security, as I am about as secure on my PC as I can reasonably be, but because I have just grown too accustomed to the convenience features that IE lacks. Tabbed browsing, Nuke Anything, etc.

That and the fact that since SP2 IE is virtually intolerable with its security alerts. I guess they are meant mostly to show the world MS's recently newfound "Focus on security". For a user with any experience at all these alerts are unnecessary and intrusive. To warn me about an expired certificate is OK. To insist on warning me again and again is not. Once I acknowledge it, I don't need to see it again. As you all know, the checkbox to not show that alert again is non-functional. Placing a site in the Trusted Sites list in the IE security settings also is non-functional, as far as the appearance of alerts goes. Alerts about downloading certain file types - again, once I respond I do not want to see it again and again!

That's one of my main reasons for using IE only when absolutely necessary.

As for security, while it is obviously a concern with the extraordinary increase in malevolence on the web, it's something I have secured against with the best protection there is, so it's not an overriding concern for me.

When I've secured my house as well as possible, I don't feel the need to stay up all night, patrolling the house with a shotgun!

Henry • December 27, 2005 12:11 AM

Throughout this discussion people seem to conflate two issues: how secure Internet Explorer is and how secure the user is if he uses Internet Explorer. The two are different issues, and the report cited really only has bearing on the second issue.

No one knows how secure Internet Explorer is in comparison to Firefox or Opera because no one knows all the exploits that are inherent in all of each browsers' respective code. To infer from a greater number of known exploits that Internet Explorer is less secure is flawed - IE is a much higher value target for more reasons than just higher marketshare, and thus attracts more serious attack. It's comparing apples and oranges. I agree that the close-coupling between IE and Windows is bad security design, but that's a different kind of analysis. It may be fun to rag on MS, but it's silly to say that any report like this shows that IE sucks.

That being said, a user probably is safer using Firefox. The whole threat model changes with Firefox. Since there are fewer known exploits, one worries less about script kiddies. One probably doesn't feel any better thinking about what the NSA could do, however, most people don't need to (although stories in the last week have made me reconsider.) Firefox is safer to use for the moment, but their security track-records seem incomparable. It'll be interesting to see what happens if they become same-value targets.

withinreason • December 27, 2005 12:12 AM

Enough of the jargon, sum it up = Firefox is a way better browser than IE, more features, tab-browsing, built in features like delete tracks on exit, maybe IE will come up with something new soon but until they do I'm a Firefox user, hey, leave the rest to Symantec...

Christian Kaiser • December 27, 2005 2:32 AM

Interesting, that these "14 points" don't mention my favorite: "don't be logged in as an admin on your machine unless you REALLY NEED these rights!".

In addition with the c't script "machmichadmin" (xlated: "makemeadmin"), which you can use to give yourself temporarily admin rights for installation purposes, it's not even inconvenient any more.

Still the best is the mentioned VMWare guest which will revert after each session.

Christian

Arjan • December 27, 2005 7:04 AM

All internet browsers (still) contain errors, so they are unsafe 100% of the time.

So...

ARL • December 27, 2005 7:10 AM

Bad use of statistics. Also consider that there are a lot of white hats who know what they are doing looking for IE faults. Fewer looking at the other products. This will result in more problems being reported for IE.

I have been using Firefox along with IE for a while now. FF still has too many strange problems for me to be able to make blanket statements about switching.

Anonymous • December 27, 2005 8:00 AM

ARL, you obviously haven't been to http://bugzilla.mozilla.org

Some would argue that Firefox is much more secure because it is not inherently built into the operating system and does not natively support ActiveX.

Second, the average internet user is clueless about the various kinds of Internet threats. They don't know to NOT "Click here for a free iPod Nano" or NOT splash their email address all over the place.

Education, education, education.

Bill Bright • December 27, 2005 11:47 AM

For those of you so quick to bash my list up there, you miss the point - starting with the first reply - that list is not there to make IE safer - it is there to make the user's computer and their computing experience safe - no matter what browser they use.

If malware is able to cause damage to any computer, a lot more than IE failed!

Quote - "To consider an AV solution and "safe browsing" (as if such thing exists) a good prevention system is short-sighted at best, downright absurd at worst."

Talk about narrow minded and absurd! You pick two items out of a whole arsenal, call it "a system", then label it absurd! ? You don't even know what you are talking about - this is about folks claiming their computers are so much safer just because they use FF over IE - it is just not true. I say again, if a computer becomes infected, it is because a lot more than IE failed.

If what you say were the case, there would be 1/2 a billion Windows machines out there infected and we know that is not true.

One reply said the list of 14 has nothing to do with Internet Security! What? Talk about another planet! I guess that would be true if you don't ever - as in never ever - connect to the Internet! It is people that allow their systems to become compromised and hijacked that make the Internet a threat.

Grandmas with pirated copies of Windows! You blame Microsoft for that? Holy Crap! I suppose it is Microsoft's fault that so called safe SUVs cause more rollover deaths than any other vehicle segment too!


If all the idiots out there with pirated copies of Windows would become legal, updated to SP2, and fully patched, those machines would not be near the threat or this problem would not be near as big.

And for those of you too naive to realize that you must comply with that 14 point list, and refuse to do so, I suggest you go Linux or Mac - and stay off the Internet. Otherwise, you become part of the problem. If you want to do your part in making the world a better place, sit down and teach Mom and Grandma how to stay safe.

And to this - " statistically you will have a better chance of avoiding a safety issue or recall if you drive a better engineered car." I say more hogwash! You want to avoid an accident? Maintain your car properly and drive defensively!

Finally, remember, it is bad guys, not Microsoft that is the evil threat. If you don't understand that, wake up!

Yodat • December 27, 2005 4:02 PM

Agreed that the bad guys are the real threat but keep in mind that poor/careless engineering allows the bad guys the opportunity to do their thing. You can't blame poor driving habits for exploding gas tanks (Crown Vics) or entire wheel assemblies falling off (Dodge Ram).

MS Windows is probably the best example of "Don't Give A Shit" engineering I have ever seen and the arrogance of BG is beyond belief. Had Linux not come along and presented a threat to BG and his dominance, do you think MS's new found focus on security would even exist? I think not.

The majority of the problems with IE were either caused by the above mentioned DGAS engineering practices, insufficient expertise, insufficient testing or a combination of all three. Granted no one could find 100 % of the problems but with the number of problems already found and the rate at which new ones are being found, it's obvious that someone at MS is not paying attention, doesn't know any better or just plain doesn't care.

Anonymous • December 27, 2005 4:02 PM

"Talk about narrow minded and absurd! You pick two items out of a whole arsenal, call it "a system", then label it absurd!?"

A "whole arsenal"? Ok, let's be specific here. I pointed out a real trojan that was discovered recently and whose detection was missed by ALL the antiviruses on virusscan.jotti.org. But let's go with the nonsense you point out:

"1. Timely installation of critical updates"

That trojan works even if your Windows system has all the updates, as it doesn't use an exploit. And by the way "timely"... are you trying to be funny? How can you be timely when your OS distributor isn't and there is a known exploit that is not patched?

"2. SP2"

This is the same as point 1.

"3. Router with NAT - even with a network of one"

Huh? A router protects you from system compromise?

"4. PC based Firewall, such as ZoneAlarm - not Windows Firewall, which is only one way"

This trojan, like a lot of malware out there, attaches itself to Internet Explorer. Unless you block Internet Explorer with your personal firewall you're screwed (uh, and a "PC based" firewall can be terminated easily by a malware, by the way, and if you don't think so you're simply delusional). Take a look here http://www.morgud.com/interests/security/...
and here http://www.firewallleaktester.com

"5. In resident AV with current signature files"

That trojan was undetected by all AV applications; the fact that Kaspersky (only) detects it is because I personally sent them the files.

"6. In resident anti-spyware with current signature files"

Same as above. Undetected.

"7. In resident anti-Trojan with current signature files"

Anti-trojan detection should be integrated in the antivirus detection, but anyway, this item was not detected by Ewido or Trojan Hunter (just to name the two most popular ones).

"8. Spam Blocker"

This has nothing whatsoever to do with protection from system compromise.

"9. Popup Blocker"

Same as point 8.

"10. Scan all downloads before opening"

This is the same as point 5, only a little dumber (you scan text files?)

"11. Scan all attachments before opening"

Again, there is no point whatsoever in separating this from "Antivirus/anti-trojan/anti-spyware protection". This is not an "arsenal" you're talking about, it's a reiteration of the same concept.

"12. Never click on "to stop these popups, click here" and all things similar"

Oh yeah? So you mean people should be SCARED of clicking on a web page. What if I accidentally click on a banner, or if the page has an invisible layer over something I wanted to click, I should be blamed if my OS gets owned? Are you a comedian?

"13. Scan all floppies and removable media"

I see, you must really like this "antivirus rules" concept.

"14. Stay away from sites your momma would not approve of!"

Well, if you knew a little bit about how spyware distributors work, you would KNOW they don't put their crap only on "pr0n" sites and the like. Coolwebsearch affiliates have spread their crap by putting hidden IFRAMEs in perfectly normal looking sites, or by injecting HTML in guestbooks.

LMAO! :) • December 27, 2005 4:07 PM

Looks like you guys struck a nerve with B.B.

I agree that education is the key, but from personal experience I would rather make a more secure program than take the time to teach grandma how to use the computer safely.

Reminds me of old help desk jokes....

"ok now, open windows........sir are you there?, sir?, sir?"

"ok i am back, but it is really cold in my house with all of the windows open"

Love the stuff Mr. Schneier, wish I could be 1/4 as intelligent!

Pat Cahalan • December 27, 2005 10:15 PM

> We need systems that are secure without requiring a disciplined user.

I agree wholeheartedly with this statement as a design goal. However, I do agree that you cannot make a system secure without having disciplined users, *unless the users have very limited access*. It's been hashed over a million times here on this blog, in Bruce's books, in Mitnick's testimony, etc., etc., that the users are always going to be the weakest link.

This is why Microsoft is a bad security vendor. It is not their goal to make a system that is secure with undisciplined users, because they market to undisciplined users and they empower undisciplined users. This is why they have market share -> because people don't want to have to learn how to do things securely, they want them to "just work".

Which is why ActiveX exists in the first place. It's an enabler, in a long line of enablers, for a target junkie audience that has always been able to get the software vendor to be a willing participant in their desire *not* to learn anything about how to make things work.

Don't get me wrong, I'm a Windows admin and I don't like IE, and I'm probably one of those few that runs IE inside VMware for those times when I have to run IE. I realize that this is not a scaleable solution, however.

I'm not going to harp totally on MS for producing an ugly product, because they're just catering to what the market wants.

As a side note, this thread is why I agree with the whole "move the liability onto the vendor" argument, because once the vendors get nailed with the liabilities, they're not going to give the market what it wants quite so readily anymore, which will be better for everybody.

> It is unacceptable to say to her, and everyone like her, that she's screwed.

The flip side to that is that you're going to have to *not* produce products that make things so easier for her, both for her to do things that she wants to do, and for someone to take advantage of her as a human vector in the security of her computer.

@Bill Bright

That's a pretty good list, and I agree that most people in the current environment should follow practices resembling those if they want to be even somewhat reasonably secure on an MS platform, but let's face it - the current environment is highly undesirable. That's also a huge load of additional software to run just to enable yourself to browse web pages.

You shouldn't *have* to take *any* of those steps to protect yourself from reading a remote document, for crying out loud...

solinym • December 28, 2005 3:10 AM

I thought the mark of security savvy was not needing A/V. I have it, and it prevented me from running a program once. Once! (I didn't know .scr was an executable extension)

Bill Bright • December 28, 2005 9:12 AM

I agree that we should not HAVE to take these steps - but is that Microsoft's fault? Do Crown Vics gas tanks explode by themselves - or only when someone not paying attention slams into the car? Are Palm and cell phone viruses IE's fault too?

What does teaching grandma have to do with the topic? The topic was about FF being safer than IE - and you guys are pulling out extreme cases and calling it mainstream.

I am really amazed at some of the totally misinformed comments above.

Anonymous up there who counters every point - boy are you delusional. If we follow your advice - NAT firewalls (which do indeed HELP protect from system compromises), software based firewalls, AS, AV, and AT etc. are all useless because there are a couple pieces of malware out there known to bypass some of those defenses.

Guess what Bud? The first viruses came out BEFORE IE was born - is that IE's fault too?

The most amazing comment is his one about the Porn sites - he seems to argue that since badguys also use sites other than Porn, why worry about Porn sites? That's real clever thinking.

Oh, this same guy says there's no threat from spam. Hello? Spam has not been known to carry malware?

Get real - you need all those tools to provide overlapping coverage. Is it fair? NO! But it is the badguys' fault.

Is FF immune to all exploitation - NO! Is it less prone to exploitation? For now - but be certain as more and more users use alternative browsers, they will become targets too.

Badguys go for the easy pickings. That's why they target unpatched, unprotected systems.

Will I be safe if I change to FF? NO!

The comment about txt files is just downright stupid. Okay so a plain old text file is not likely to contain bad code - does it make sense to teach Grandma to scan these files and not those? Or should we tell Grandma to scan all to be safe? What if it is wrapped in a zip file - or do you think there's no need to scan them either?

Since looking at the big picture is not something you naysayers are willing to do, you can't argue the merits of the facts. You are intent on slamming Microsoft products because they are Microsoft products. Ok - I accept that. It's totally ignorant, but I accept that there are people like that.

There are some great comments up there - but many fully demonstrate total ignorance of the problem.

There is NO ONE SOLUTION to protecting your system from badguys. ALL solutions have pitfalls necessitating the need for overlapping defenses.

I will say this once more then I am out of here.

If a computer becomes infected, it is because a lot more than IE failed.

Pat Cahalan • December 28, 2005 10:34 AM

> I agree that we should not HAVE to take these steps - but is that Microsoft's fault?

"fault"? No, but they certainly bear some responsibility. Again, like I said in my last post, they're following the pressure of the market, which is to make things super-easy on inexperienced users. This has led to a lot of products that are woefully insecure out of the box. Sure, the demand side of the market bears some of the fault here, but that doesn't change the fact that IE sucks (or, to be precise, IE sucked in 2004), which was the original topic of the thread :)

> Do Crown Vics gas tanks explode by themselves - or only when
> someone not paying attention slams into the car?

If I buy a Crown Vic and someone else not paying attention slams into me and a manufacturing defect engulfs me in a ball of flame, I'd say that the manufacturer has a serious liability there. It is reasonable for me to expect that my car won't explode if another driver runs into it, since third party accidents are not uncommon on U.S. highways. I take it you disagree, and manufacturers shouldn't be held liable in these incidents? If that's the case, then the whole rest of the argument on this thread is irrelevant -> we disagree on an axiom, and the resulting quibbling isn't going to get us anywhere.

> Get real - you need all those tools to provide overlapping coverage.

No, you don't really. You only need all those tools if you're engaging in activities that result in you having open attack vectors that those tools help protect against. If you never download attachments, you don't need a virus scanner :)

> Is it fair? NO! But it is the badguys' fault.

That's part of my point, it *is* the bad guy's fault, but it's also the vendor's responsibility to help fix the problem. Again, you seem to disagree.

> Is FF immune to all exploitation - NO!

That wasn't ever put forward as a statement. Firefox certainly isn't immune to exploitation (in fact, the study specifically says they aren't), but as a security trade-off it's certainly less vulnerable to exploitation than IE.

> Is it less prone to exploitation? For now - but be certain as more and more users use
> alternative browsers, they will become targets too.

True, but Firefox isn't as bundled with the OS as IE is, and therefore will have fewer exploits capable of affecting the OS. This isn't rocket science, this is just the nature of the software design.

Pity Da Foo • December 28, 2005 11:17 AM

Statistics are great. Really, they are. They serve the purpose of creating heated debates in the comment sections of sites like this. Let me give my credentials and then my two cents.

Credentials: I work as a sysadmin full time and I spend about three hours a week working for a certain large retail chain who advertises 'geekly' computer services. That means that I get to see IE in both a well secured network and in the hands of the average ID10T. Before dropping down to a few hours a week there, I spent 99% of my time in the store removing virii and spyware.

My two cents: When a computer comes into an establishment such as mentioned above, it is because of one of two things:

1) Hardware problem
2) Spyware/Virus problem

Of the systems with hardware problems, only about 1 of 10 didn't have at least some small trace of spyware to be found. This includes the ones whose owners thought they were 'safe' with antivirus/antispyware/updates/firewall/all the other BS you need to run windows.

The rest were running completely naked systems and seemed to have every single piece of malware known to man infecting them.

There were several things that I observed.

1) In three years, I have seen a browser other than IE fewer than 10 times on the average user's PC.

2) Most of the spyware came from ActiveX installs, P2P apps known to install it, or through MS Outlook/Outlook Express.

I'm offering this as an unbiased user. On my network, which is secured by a websense filter, enterprise firewall and AV and Group Policy settings that include a list of allowed to run applications, I use IE because I can easily control it.

For my personal use, I install Linux and pick a browser (It doesn't really matter which one). I think that because it lacks ActiveX with its install on demand crap, FF is the better choice for the average joe who will click on everything he sees on the screen, but only because it does not talk directly to the OS (Not much anyway). IE is ok, but only when it is in the hands of a person savvy enough to keep it under control.

PS... Before I get flamed for mentioning the "L" word, let me say that I'm not one of those crackpots who runs it because it is "superior to M$ in every way." I run it because there are only three steps to securing it. 1) Install, 2) Make yourself a strong password, 3) Download updates every now and then. It falls short of Windows in that (even though it is getting better very fast) the ease of use that you see in Windows is not there.

IE sux • December 28, 2005 1:42 PM

Antiviruses/Firewalls are NO help against spyware, which you WILL get if you use IE - even if your system is fully patched and everything, even if you don't blindly open all attachments and such. IE is insecure, that's just the way it is. Then you see users nowadays becoming experts at using tons of antispyware apps, which would be totally unnecessary if they weren't using IE in the first place (it's like fixing a flat tire on your car everyday without looking at the real problem). That long 14 point list will hardly help. Most of it is good general practice (and is a good way to protect yourself against viruses and such), but you *WILL* get spyware if you use IE regardless!

Every other browser out there is better basically. IE is the single most insecure POS software I've EVER used, and perhaps the only Microsoft app ever made I wouldn't ever want to run. Use anything else than IE (not necessarily FF), and spyware won't ever be an issue anymore.

Anonymous • December 28, 2005 2:33 PM

I think you are all missing the root cause of the problem, which is the Windows operating system itself. Modern operating systems like Linux and Unix are almost invulnerable to exploits of user-mode programs like browsers, mail clients, IM programs, and the like. It would be possible for mal-ware to destroy the user files, but vastly more difficult for mal-ware to infect the operating system itself.

Pat Cahalan • December 28, 2005 3:25 PM

> Modern operating systems like Linux and Unix are
> almost invulnerable to exploits of user-mode programs
> like browsers, mail clients, IM programs, and the like.

That's a pretty strong claim, I'd like to see some sort of evidence to support it.

It's true that you can set things up (e.g., in a jail) to limit exposure to end-user clients, but most Linux distributions don't come set up that way out of the box.

And really, out-of-the-box is what we're talking about here. You can make IE lots more secure by turning stuff *off*.

PatriotB • December 28, 2005 5:14 PM

"I think you are all missing the root cause of the problem, which is the Windows operating system itself."

No, the root cause of the problem is that everyone is running as Administrator. As Christian said above, "don't be logged in as an admin on your machine unless you REALLY NEED these rights!"

Windows contains more-than-adequate user security, dating all the way back to NT 3.1. But people don't use it.

There are two primary reasons people don't use it:
1. XP makes users Administrator by default. Shame on Microsoft for this one.
2. Some apps don't work right in limited accounts. Shame on the app vendors for this one -- user security has been around since NT 3.1, and has been a logo requirement since 2000, so there's no excuse for apps not behaving in limited environments.

Yes, Microsoft deserves some blame for this; when transitioning the user base from 9x (which has zero security) to NT/XP, they should have made sure that NT's security was being used to the fullest.

Personally, I run XP as a limited user. I have no anti-virus. No anti-spyware. I use Outlook 2002 and IE for my email and web browsing. I have never had a virus or spyware on my computer.

Also, IE's integration with Windows isn't a factor. Firefox has just as much access to your "system files" as IE does, when you're running as Administrator. Run as a limited user and your system files are safe.

Pat Cahalan • December 28, 2005 5:41 PM

@ PatriotB

> Windows contains more-than-adequate user security

If it's not enforced, it's not adequate (IMO). You're right, the end-user security settings aren't used enough, but all the role-based security isn't going to do you any good if a reasonable default isn't assigned.

> I have no anti-virus. No anti-spyware. I use Outlook 2002
> and IE for my email and web browsing. I have
> never had a virus or spyware on my computer.

(chuckle) How can you say you've never had a virus or spyware if you have no method of detecting them?

> IE's integration with Windows isn't a factor

Yes it is. ActiveX is a set of functionalities that has its own possible security vulnerabilities. Non-IE browsers don't have ActiveX, ergo, they're not vulnerable to ActiveX exploits ;)

Ari Heikkinen • December 28, 2005 9:08 PM

Heh, antivirus. It doesn't solve any security problem. It'll only help with all the known viruses circulating out there, but when someone decides to write his own it'll get thru.

Davi Ottenheimer • December 28, 2005 10:40 PM

@ PatriotB

Not a bad line to take in theory (role based access controls, or RBAC, make sense), but even Microsoft admits that they are having a hard time breaking developers away from running everything in an Admin context and they also admit they need a new IE in order to "fix" six. Besides, even if it was a solution to move everyone to a limited user role, do you realize how unbelievably hard it would be to do in an enterprise? It would take months if not years if you asked the users to figure it out...and at the end you will probably discover you probably could have just as easily migrated them to a new OS. So good theory, but if it was that easy we'd all be using RBAC already.

On that note, what would you make of today's lovely 0-day WMF-hole alert? So far it looks like a Windows user would be vulnerable no matter what level they are running:

http://www.f-secure.com/weblog/archives/...

I don't know about you but I've been scanning and blocking traffic all day, waiting for the AV companies to get a handle on this one, and so far f-secure is the only company reporting any progress. Yup, a true 0-day.

And I agree with Pat 100%. If you don't run AV on Windows, how do you know you are virus free? No detective control means no detection.

Davi Ottenheimer • December 28, 2005 10:54 PM

I guess I should also mention that the US-CERT has an opinion on this:

http://www.us-cert.gov/cas/techalerts/...

"Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560."

They make the following recommendations, none of which seem to even hint at changing the role or authority level of the user:

- Do not access Windows Metafiles from untrusted sources
- Block access to Windows Metafiles at network perimeters
- Reset the program association for Windows Metafiles
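
The second US-CERT recommendation quoted above, blocking Windows Metafiles at the network perimeter, depends on recognising a metafile by its content, because a filter keyed on the `.wmf` extension misses the same bytes saved under another name. The sketch below is an added example, not code from US-CERT or from any commenter: `sniff_wmf` and `perimeter_verdict` are hypothetical names, the header fields follow the documented WMF layout, and all sample bytes are constructed.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic at the start of the optional "placeable" header
PLACEABLE_LEN = 22           # size of the placeable header in bytes
STD_HEADER_LEN = 18          # standard metafile header: nine 16-bit words


def standard_header_at(data, offset):
    """True if a plausible standard WMF header starts at `offset`."""
    if len(data) < offset + STD_HEADER_LEN:
        return False  # truncated input: cannot be confirmed as WMF
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, offset)
    # Type is 1 (memory) or 2 (disk), header size is 9 words,
    # version is 0x0100 or 0x0300.
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def sniff_wmf(data):
    """Classify bytes as 'placeable', 'standard' or None (not a WMF)."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable"
    if standard_header_at(data, 0):
        return "standard"
    return None


def perimeter_verdict(filename, data):
    """Return (action, reason) for one transferred object."""
    kind = sniff_wmf(data)
    named_wmf = filename.lower().endswith(".wmf")
    if kind and not named_wmf:
        return ("block", f"{kind} WMF content behind a non-.wmf name")
    if kind:
        return ("block", f"{kind} WMF")
    if named_wmf:
        # Name claims WMF but the header does not parse: fail closed.
        return ("block", ".wmf name, unrecognised content (fail closed)")
    return ("allow", "no WMF header found")


def make_standard_sample():
    """Constructed sample: minimal standard header plus an end-of-file record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    eof_record = struct.pack("<IH", 3, 0)  # record size 3 words, function 0
    return header + eof_record


def make_placeable_sample():
    """Constructed sample: placeable header followed by the standard sample."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):  # XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum) + make_standard_sample()


# Constructed non-WMF sample: PNG signature followed by padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    cases = [
        ("chart.wmf", make_standard_sample()),
        ("photo.jpg", make_placeable_sample()),      # renamed metafile
        ("logo.png", PNG_SAMPLE),
        ("broken.wmf", make_standard_sample()[:10]),  # truncated download
    ]
    for name, blob in cases:
        print(name, perimeter_verdict(name, blob))
```
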

Jim Hyslop • December 29, 2005 8:26 AM

WRT admin rights:

In July, I got a new laptop. As an experiment, I decided to set up my user account on the laptop as a Limited User (gee, wait 'til the Political Correctness Brigade gets hold of that one...). I've been running as a Limited User pretty much the whole time I've used the laptop, with very few problems.

Mind you, I can't say the same for my desktop, which is shared by the family. The worst culprits I've found for requiring admin rights are games, particularly software from EA Games.

IEisSafe • December 29, 2005 1:05 PM

Most of the problems people have with IE are really problems of running with admin privilege, and not really problems with IE.

As with the previous posters, all my users run under "limited user" accounts or when admin privilege accounts are required, IE and Outlook run under SAFER policies (SAFER policies run those apps with "limited user" rights - See the Microsoft website for info on setting up SAFER policies).

With "limited user" accounts or SAFER policies, users can't do "bad" things like install ActiveX controls or install downloaded programs (which is where most of the viruses, trojans, etc. come from).

I agree that Microsoft should have shipped Win2k and WinXP with "Limited User" login as the default. However, to Microsoft's credit, they had to deal with a lot of "broken" applications written by lazy developers/ISVs that would not run under "limited user" accounts.

Microsoft has finally "put their foot down" and the Vista OS will ship with what is essentially a "limited user" default user account, along with other restrictions on elevation of privilege, etc.

Kel-nage • December 29, 2005 6:08 PM

It's all good and fine saying "Oh, it's actually the developers' fault for not allowing software to be used in 'limited user' mode".

But hang on, let's think about this. Linux has a similar system, with limited and "root" users, however, most/all applications are happy to use this. Why? Because Linux has a quick and easy way of calling up the "root" user when needed. When Windows implements that, then, maybe, they can blame the software manufacturers and users.

PMC-CON • December 29, 2005 10:36 PM

How many angels can dance on the head of a pin?

Off-topic? Nah. Here we find a bunch of smart people all ignoring the fact that ALL the tools are available to make IE and Windows as secure as one would like. The posters might as well be discussing the angel proposition for all the sense they're making.

If you limit user rights then there's only a few scary OS holes to work with, like the JavaScript hole, the EMF rendering hole and now the WMF rendering hole, to contend with. It's these types of problems that are the most frustrating, for they make you wonder if Microsoft's engineers really are taking security seriously. ActiveX is not inherently a problem, malware apps that install themselves without taking account of users' permission are.

Limited user rights are what makes Linux secure, nothing more and nothing less. If Linux machines were run with superuser rights all the time (with GUI access, etc.) they would be compromised every minute just like those machines that use Windows XP Home with default settings, given the same set of users.

Microsoft has empowered folks for good or ill. If they don't run as Limited Users these days they're at fault. I dare say that if they did most of the other rules and exceptions here would be irrelevant.

Davi Ottenheimer • December 30, 2005 1:33 AM

"Limited user rights are what makes Linux secure, nothing more and nothing less."

Is that supposed to be funny? There are so many flaws in that statement I don't even know where to begin. I've worked with security on both systems for many years and assure you that Windows has always been harder to secure from the start not only due to its single-user origins, but also its habit of forcing you to deal with bundles of random buggy software you can't easily avoid/unbundle, and all RPC, not to mention the habit of default-enable. Gee, do weak LM hashes, flawed system libraries or ports 135-139 and 445 mean anything to you?

I'm not saying Linux is perfect, of course, but it has provided many many advantages over the years from a security perspective far beyond RBAC.

The "I use limited user in my controlled test tube so it's fine" doesn't get you anywhere, really. Just consider that Microsoft does beta tests with millions of users and they still have issues getting the roles right. I suggest you try to convert 1,000s or even 100s of random Windows systems from local admin to local user and see what happens in the following 24 hours. Speaking of which, can anyone point to a Microsoft Security Bulletin that says "you can fix this issue by removing the user from the admin account"? If that were such a silver bullet, don't you think it would be prominently displayed on every page in here (aside from the "Local Elevation of Privilege" holes, obviously):

http://www.microsoft.com/technet/security/...

To be fair, 2003 is so much superior to prior versions of the OS, but it still ends up more like a patchwork of plugs holding the dam together instead of a new start (note the WMF exploit on the 28th). Mac did the right thing by sunsetting OS9 completely, so we can only hope that Vista will take a similar fresh-start approach. Rumor has been that it will be the most *nix-like version of Windows yet...

Sometimes it seems like the core of the *nix/Windows security debate is just a drawn-out version of the old TCP/IP versus NBT controversy. Microsoft made the right choice to dump NBT entirely, so I think it only reasonable that they will sunset the current lineage of Windows.

David Brenner • December 30, 2005 7:30 AM

I have been lucky. I have a system I've been running for over 7 years and rarely use anything but IE and Outlook for the functions those programs provide. I didn't have AV/AS/Personal Firewall on that system until my ISP started providing these for free earlier this year. My wife spends more time on the Internet than I do and she runs the same configuration.

We do have the benefit of being skeptical. I received an email from my Dad once that just wasn't his style and I contacted him before opening it. My wife routinely deletes emails with attachments. Lastly, we have apparently "just been lucky" not to visit a site that exploits any IE vulnerabilities.

I got a new system, finally - it's been 7 yrs =), for Christmas and it came with a plethora of Symantec Security preinstalled. I tell you, it was a pain in the rear setting that system up so I could access it by name from other systems and share files. Anyway... I will still use IE. I will still develop primarily for IE as most of my company's customers use IE as their corporate standard browser. I will also deal with the nuances of making my code work on Netscape 7+ and Firefox for the few customers that have adopted them. (It is interesting to note, at least one person complained of IE's lack of W3C standards compliance... but by definition, given IE's far superior market share, it defines the "standard" IMHO.)

Davi Ottenheimer • December 30, 2005 1:03 PM

"it was a pain in the rear setting that system up so I could access it by name from other systems and share files"

Exactly! Because security and ease-of-use are often opposites in the Microsoft world. Bad development habits make security a bolt-on afterthought and therefore everything is far more difficult. Had they designed their architecture with security from the start, you wouldn't have such a problem...NFS is also guilty, don't get me wrong, but you probably would have found connecting to your Windows systems from a new Linux system over SMB far easier AND more secure than Windows XP with Symantec.

"given IE's far superior market share, it defines the 'standard'"

Funny. You're right in one sense, but you are confusing definitions of the word. From what you said it seems like you would probably agree with Calvin, who once said to Hobbes, "the quickest route to success is to lower your standards". But we're not talking about the "most commonly deployed" browser (see that monopoly issue creeping in here), but rather an "ideal" based upon a set of criteria and values that necessarily supersedes one particular group/corporation's preferences.

Thomas Sprinkmeier • January 1, 2006 6:31 AM

@PMC-CON,
"""ActiveX is not inherently a problem, malware apps that install themselves without taking account of users' permission are."""

Yeah, and "guns don't kill people, the red stuff leaking out of the holes left by the bullets kills people".

(sorry Bruce, I hope I don't flare up a gun debate :-)

ActiveX is just the final piece in a security nightmare: default everything on, default admin account, default hiding of information.

ActiveX may be a fantastic technology for a benign environment, but clearly the internet is not such an environment. The VW beetle may be a great car, but I wouldn't take it on a quick trip across a battlefield, I'd want something designed for a hostile environment (i.e. "designed for security from the ground up" rather than "designed for functionality with security bolted on piece-wise later").

Thomas Sprinkmeier • January 1, 2006 6:41 AM

@Kel-nage,

I disagree.
shift-right-click RunAs
will allow you to run anything (like an installer) as anyone (like local admin).

Now, if only the applications were designed for a multi-user system rather than requiring admin privileges so that it can write anything anywhere anytime...

Christian Kaiser • January 1, 2006 2:36 PM

Quote: "Besides, even if it was a solution to move everyone to a limited user role, do you realize how unbelievably hard it would be to do in an enterprise?"

On the contrary: if users in our enterprise were admins, it would be unbelievably hard (for the "real" admins).

Christian

Christian Kaiser • January 1, 2006 2:41 PM

@Thomas,

"RunAs" is not good enough - it will install the application for the user named "Administrator", not as your user name with additional admin rights, thus setup will set wrong paths, add registry entries to the wrong user, etc.

Look at heise for how to use "machmichadmin", which is by far superior. It will temporarily add admin rights to your user name for a certain session.

Problem is, it still needs some computer knowledge to use such a script (drop the setup onto the machmichadmin icon, ...), so DAUs are left out - but should they have the rights to install something? ;-)

Christian

Thomas Sprinkmeier • January 2, 2006 3:06 PM

@Christian,

If the application was aware that it was going to be installed as admin but used as a normal user, the "wrong paths, registry entries etc" problem wouldn't exist.

Thomas

Glenn Larsson • January 19, 2006 4:31 AM

(This may be a bit OT but)

Regarding that thing about the MS EAL-4 certification for Win2K and XP and why it is a weak certification.

If you add a security feature (or claim one) in Solitaire.exe and you write a good enough Security Target (A stated claim that a program has a certain function) and can relate that to a Protection Profile (Which defines a functionality/threat model), you can end up with an EAL-4 certification for solitaire.exe (!)

And btw, the highest EAL level for a product is 7.

More info:
http://www.commoncriteriaportal.org/

Sumoman • February 9, 2006 9:29 AM

I have run Exp since '96 and have only received one virus which I deliberately installed for information. Spam and popups are practically non existent on my computer. How do I do it? Use updating, virus, spam and popup protections. Quit whining and get your equipment up-to-date and you won't have to constantly whine about something that you really have control over... if you use it!!!!

Max • August 17, 2006 3:59 PM

I don't have any of these problems, and I have never had them. I've been using Linux for several years and you wouldn't get me to use IE, not even at gunpoint!

Kirk • October 16, 2006 6:57 PM

I build personal websites. My web host has an easy to use in-browser FTP applet.
If I use IE to download files the browser times out and never loads; if I make changes in the visual editor, they never save. Again the browser just times out and I get the IE "cannot find server" default screen.
I can leave it saving all night and it still never works.

I have installed Firefox and in seconds it is saved or the file downloads.
I also make logos using an online generator; once again with IE it almost never creates the file without showing me the "cannot find server" window.
But in FF it creates the file in seconds.
I used to blame my cable supplier but found out it was IE that was the problem.
Thank you Firefox for solving my problems.

Kirk • October 16, 2006 6:59 PM

I should have added, in almost every aspect IE is slow and laggy where Firefox always loads websites 10 times faster.
WHY ?????

snappy • December 10, 2006 10:12 PM

I installed IE7 and didn't like it at all - it was too restrictive, so, I UNINSTALLED it. OMG I have a nightmare. IE is all messed up now. I am basically unable to insert an email addy in the address bar without 65 IE blank pages loading and locking up my machine - took me 5 tries and rebooting in order to get to THIS site. I am terribly frustrated... can't even run my Norton without it jumping into a loop. Any suggestions? Am I forced into RE-installing IE 7? Help!

Kinnison • January 6, 2007 12:26 AM

I'm disgusted with IE7, wish I had never accepted the upgrade.

Is there any way to return to IE6?

waddle • March 24, 2007 9:22 AM

"IE7 is horrible!!!"

haha yea i agree with you, the tabs are so ugly, compared to those of firefox and opera, although the quick tabs function is pretty useful for me ...

Dan • March 28, 2007 12:35 PM

IE is horrible at best. It has cost me countless hours in figuring out what the heck was going wrong again with this piece of crap. I wish I could beat the crap out of this thing physically... Developing for IE is so frustrating.

Scott • May 1, 2007 4:53 PM

Is there any way to return to IE6?

Reinstall Windows. Once you go IE7, there's no going back.

Tom Joy • July 23, 2007 2:53 AM

I use Ubuntu Linux, which came with Firefox installed. I dumped Windows shortly after IE7 came out; what a train wreck that is! I also use OS X a lot too. You can exist and be productive without Micro$oft if you are just a home user. I got tired of re-installing Windows because it seemed after a year or so, it would just crumple into a heap and need to be re-installed. I really like Firefox and Safari as well. Happy surfing all!

Juan • August 30, 2007 9:12 AM

Have you thought about this: Microsoft doesn't want people to have a good browser installed by default b/c that makes it easier for "web 2.0" apps to compete with desktop apps. Desktop apps are the only reason to buy Windows, Visual Studio 2005, etc, etc, etc. Microsoft's bread and butter is the whole desktop concept.

lcaru • September 1, 2007 8:13 PM

So I designed a site and posted it and it works fine with Firefox and Safari but it's all messed up with IE. Does anyone know what I can do to fix this?

Rajesh • January 23, 2008 12:49 AM

When I have 3 or more tab windows open in an Internet Explorer window, it gets stuck or hangs and simply closes the Internet Explorer window.

I am using Internet Explorer 7.0 version.
My Operating System is XP Service Pack 2.
What is the problem?

Coda • March 18, 2008 6:23 PM

IE is frustrating. The rendering engine is terrible. I have the worst time trying to make a site that Firefox and Konqueror can render properly, but when I look in IE, it looks like it was thrown out onto the road, ran over and killed.

Jes • May 23, 2008 7:08 AM

When I download using IE, it often has no download manager built in, and it is really frustrating that you can't even recover your downloaded files. You must download a separate download manager, unlike Firefox.

Gubinsky • June 26, 2008 11:50 AM

I block IE at the firewall because I traced 3 viral infections directly to it (fully patched Norton AntiVirus let them through; AVG in use now).

Th3_uN1Qu3 • July 26, 2008 1:21 PM

I don't even bother blocking IE with a firewall, I strip it out of windoze entirely. Much better.

I run Opera as my browser but Firefox 3 has gotten much better than the old versions. Just - anything but IE.

Browser-Makers Seek Clickjacking Fix • October 1, 2008 2:21 PM

[...] Redmond, Apple and Google have yet to comment on the threat. However, Mozilla on Monday released updates to its Thunderbird v2.0.0.17 e-mail application and Firefox v3.0.3 Web browser in an effort to "address multiple vulnerabilities." The updates are designed to prevent hackers from executing "arbitrary code," stealing personal information, undertaking cross-site scripting and denial of service attacks as well as clickjacking. [...]

SneakyWho_am_i • November 13, 2008 10:58 PM

LOL @ Bill... Popup blocker... Popup blocker?? I never get popups. And I don't use a popup blocker.

See how much rubbish the IE users have to put up with day in and day out? Not just security problems but basic usability as well! I say who cares how insecure their computer is at home [insert devil emoticon]... As long as they keep it out of the workplace (NB Virus Explorer is a very popular intranet browser) and can view my site properly (which IE7 is the best IE for if you use javascript and presentational markup, and IE8 is the best IE for if you use no javascript but only semantic markup)...

Let them stay away from my sites unless they can find a browser that can render them properly (not Internet Explorer) .. It's so much extra work for a webmaster to keep their site looking good in that bad browser. It's not just their lack of standards compliance, it's also that they can't even maintain their own consistent standard!

So I'm never going to have a "This page looks best in browser x" sticker. My pages look great in all browsers... But I will gladly put up "Best Viewed in _ANY browser that's not Internet Explorer" - any browser except that stupid odd one out.


Microsoft should not be allowed to release another version of Windows until they decouple Virus Explorer, or at least decouple its interface from the rest of the Operating System. Make the user choose. Sure it's two extra clicks but it's better for the health of the internet... Fosters innovation and competition etc etc etc

PG • December 28, 2010 2:56 AM

I'm glad there is no IE on Linux, Unix and MacOS ... and I'm glad I do not have to use any Microsoft products at home and at work! :)

Bollocks • June 27, 2011 8:27 AM

IE is terrible. We are forced to use it at our office because our internal pages are "designed to IE format". Consequently we continuously have to deal with spam, malware/spyware issues, and incessant freezing.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..