W3C Standards

By Matthew Broersma  |  Posted 2004-07-07

While they welcome the positive publicity, Opera and the Mozilla Foundation haven't made any special effort to take advantage of IE's recent troubles. Opera said it doesn't expect Microsoft's security problems alone to create a significant opportunity for grabbing market share—after all, IE security holes are nothing new and haven't prevented the browser from taking 95 percent of the market, noted Christen Krogh, vice president of engineering at Opera. Instead, Krogh said Opera believes that the diversification of platforms accessing the Web will force Web designers to adhere to W3C (World Wide Web Consortium) standards instead of to the quirks and proprietary technologies of Internet Explorer.
"The Web is not limited to a single type of access device," Krogh said. "Besides Windows desktop computers, there are also smart phones, PDA phones and things like set top boxes. Microsoft is not in a dominant position on any of those—in fact, on smart phones, we are bigger than Microsoft."
Mozilla and Netscape account for 3.5 percent of all Web users, and Opera for 0.5 percent, according to market research firm WebSideStory. Opera says it has 1 percent of the market—the discrepancy is partly due to the fact that Opera browsers can identify themselves as IE.
Researchers note that not all of IE's troubles spring from features that are unique to the browser. The BHOs involved in last week's attack, for example, have equivalents in other browsers, but these simply haven't been exploited, security experts said. ActiveX, with its unrestricted access to the system, has long been considered a major weakness in IE, and the lack of ActiveX support in Mozilla and Opera is one reason they are safer.
But both browsers, along with Apple's Safari, will soon begin using an extended version of the Netscape plug-in architecture with ActiveX-type scripting capabilities, raising the question of how they will head off any accompanying security issues.
Some common assumptions across all browsers are now being reclassified as security holes—the use of BHOs is one example. Another is a feature allowing one Web page to load arbitrary content into a frame of another page; this could allow an attacker to, for example, substitute his own login window on a bank's Web site, according to an advisory issued last week by security firm Secunia. The feature, found in IE, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror, has been around for six years.
"We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such functionality against the possible consequences for their customers," said Thomas Kristensen, chief technology officer at Secunia. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."
Some browser vendors agreed: Mozilla and Firefox were updated two weeks ago to remove the feature, and Microsoft said it is considering blocking the feature with the release of Windows XP Service Pack 2 (SP2). However, "blocking these types of navigations is an application compatibility issue on many sites," a Microsoft representative said. Secunia released a demonstration, injecting arbitrary content into a Microsoft.com site, that can be used to test whether a browser is vulnerable.
Kristensen compared the issue to a feature designed to allow login information to be embedded in a URL, but which scammers recently began abusing to make false URLs appear in IE's address and status bars. Microsoft was forced to remove the feature despite its legitimate uses.
Using another browser doesn't necessarily make the problems of IE disappear, researchers said. CERT noted that switching doesn't remove IE from a Windows system, and other programs may still invoke IE, the WebBrowser ActiveX control or IE's HTML rendering engine.
Aside from such concerns, other browsers clearly have far fewer security issues than IE, according to security experts. Secunia, which maintains a database collating advisories from various sources, collected 38 vulnerability advisories for IE 6.x during 2003 and 2004, 42 percent of which were "highly critical" or "extremely critical," and 32 percent of which granted system access. Opera 7.x had 23 bugs, 17 percent of which were highly or extremely critical, and Mozilla 1.3 and later had 11 advisories, none of which were more than moderately critical.
"While other browsers also have problems, it seems evident that vulnerabilities are a bit more frequent and serious in IE," Secunia's Kristensen said.
