Should IE stay or should IE go?

Microsoft's dominant browser is being challenged by open source upstart Mozilla Firefox, but in our testing neither browser scores a knockout punch.

Don't go ripping out Microsoft's Internet Explorer just yet.

It certainly has proven vulnerable to attack in the past, and the constant patching to add the latest security updates can be a nuisance. CERT last year even warned people to stop using Internet Explorer. And Mozilla Foundation's Firefox has been getting a lot of buzz lately - to the tune of 25 million downloads in less than 100 days on the market.

But our testing of both browsers shows that it's not an easy decision - particularly in an enterprise environment. Internet Explorer's vulnerability to attack might in part be because it's rich in features and thereby presents a larger "attack surface." On the other hand, Firefox's perceived edge in security comes with a price - fewer features and possible inability to access some Windows-based Web applications.

So before you make a decision, weigh the trade-offs. One compromise to consider is using Internet Explorer internally and Firefox for pure Web browsing.

Our hands-on test focused on security rather than ease of use. Our Internet Explorer 6.0 implementation ran on a Windows XP client (a WinBook Pentium 4 with 512M bytes of RAM) with Service Pack 2 and the latest Microsoft updates. With the help of VMware Workstation, we installed Mozilla Firefox 1.0.1 on the same system inside its own virtual machine. This test machine was connected to the Internet through a 384K bit/sec DSL line.

We used the browsers side by side for a variety of tasks such as reading public Web sites, checking e-mail with Microsoft Outlook Web Access, and accessing our Apache-based Web server to reach internal resources and management tools. Additionally, we tried surfing to known hacker Web sites to see how the browsers would behave when under attack.

Accessing conventional Web sites, such as CNN or Yahoo, gave similar results. They both block pop-ups and offer a variety of plug-ins to support additional forms of data such as Macromedia Flash or Adobe PDF files.

However, the key difference is that because Internet Explorer contains Windows-related features that are not available in Firefox - ActiveX, .Net, Active Server Pages - it is difficult, if not impossible, to use some Web-based applications with Firefox.

Both Internet Explorer and Firefox have facilities to digitally sign plug-ins. However, the signature feature is not ubiquitously used, and users are quite likely to accept and execute unsigned and potentially dangerous code.

This is why you should back up your browser with an intrusion-prevention system or adequate anti-virus (ours was running F-Secure's Anti-Virus Client Security) that can detect, notify and/or block malicious code that arrives through the browser.

Rendering architectural conclusions

So does Firefox's architecture make it fundamentally more secure? What we found is that Firefox is not necessarily a more secure implementation of a browser; it simply has fewer features to attack.

It supports fewer and less complex scripting mechanisms so it is not as easy to write powerful, dangerous code inside a Web page that can attack it.

It is not as tightly integrated with any particular operating system. This means there are fewer ways the browser uses operating system-specific features. That means there is less of a chance for an exploit to use the browser as an interface into the underlying operating system.

Also, the open source nature of the code sometimes, but not in a guaranteed manner, provides more peer review of the code and faster turnaround for fixes to vulnerabilities.

The enterprise game plan

It's not realistic to think that you can totally stop using Internet Explorer, especially if your users must access servers that use the rich features it supports over an internal network or through the public Internet.

Can you start selectively using Firefox? If you have a purely browser-based environment, with standards-based scripting and plug-ins, then you can consider this.

Will it make your environment perfectly secure against browser-based attacks? No. Firefox - like other browser alternatives - is not perfect, but the attack surface can be reduced significantly if you use fewer complex features, such as sites that deliver ActiveX through Web pages.

If your network comprises thousands of users, then this can be a difficult change to execute. On the other hand, it makes sense to compare the cost of securing Internet Explorer with add-on client security products or intrusion-prevention devices to the cost of simplifying/standardizing your browser-based infrastructure.

What to do?

The risk of a browser-based attack against an enterprise network is significant. From a risk management point of view, it is definitely a good idea to look at browser alternatives to Internet Explorer purely based on the sheer number of clients running it. But the environment might not let you remove it because your shop might have built up access to necessary internal resources using Microsoft's technology based on Internet Explorer.

One possible solution would be to mandate the use of Firefox for external access and reserve Internet Explorer for inside-the-enterprise use. Policy-enforcement tools can help implement this sort of a mandate.
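
One way to audit compliance with the split-browser mandate described above, as an added example that is not part of the original article: it scans proxy log lines and reports external requests that were not made with Firefox. The log layout, the `.corp.example` suffix and the sample lines are constructed assumptions.

```python
import ipaddress
import shlex

# Assumptions for this example: the internal zone is a hypothetical DNS suffix,
# single-label host names, and the RFC 1918 address ranges.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) "
      "Gecko/20050223 Firefox/1.0.1")
# Constructed sample log: client IP, destination host, quoted User-Agent.
SAMPLE_LOG = f'''10.1.4.22 intranet "{IE6}"
10.1.4.22 www.example.com "{IE6}"
10.1.4.31 www.example.com "{FX}"
10.1.4.31 owa.corp.example "{FX}"
10.1.4.40 192.168.10.5 "{IE6}"
10.1.4.40 203.0.113.9 "{IE6}"
garbled line
'''

def is_internal(host):
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: treat it as a DNS name
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)

def browser_family(user_agent):
    # The User-Agent header is client-supplied, so this audits compliance;
    # it is not a control that stops a client that lies about its browser.
    if "Firefox/" in user_agent:
        return "firefox"
    return "ie" if "MSIE " in user_agent else "other"

def audit(log_text):
    """Return (violations, skipped): external requests not made with Firefox."""
    violations, skipped = [], 0
    for line in log_text.splitlines():
        try:
            client, host, agent = shlex.split(line)
        except ValueError:  # wrong field count or unbalanced quote
            skipped += 1
            continue
        family = browser_family(agent)
        if not is_internal(host) and family != "firefox":
            violations.append((client, host, family))
    return violations, skipped
```

Calling `audit(SAMPLE_LOG)` reports the two Internet Explorer requests to external hosts and counts the one malformed line as skipped.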

Security measures external to the browser, such as application firewalls, intrusion-detection and prevention systems, and the use of policy enforcement systems to ensure clients only access trusted Web sites, can also be considered to address the browser risk.