IE Flaws Boost Browser Switching

Alternative browsers such as Mozilla and Opera are seeing a huge swell in downloads, but they say security holes in Internet Explorer are nothing new and haven't stopped it from taking 95 percent of the market share.

Alternative browser makers say they are seeing a huge and sustained boost in downloads spurred by the most recent Internet Explorer security concerns, but industry observers caution that switching browsers isn't necessarily a panacea.

While the high-profile attacks of the past two weeks have affected only IE on Windows, other browsers already share, or could soon share, some of the same vulnerabilities, researchers say.

But most agree with the assessment—voiced recently by CERT (the U.S. Computer Emergency Readiness Team), among others—that dumping IE is one way to get quick protection from the recent attacks.

IE's latest woes appear to be fueling more than just a temporary interest in the browser's competitors, according to the Mozilla Foundation and Opera Software, with Mozilla reporting overall downloads sticking at three to five times their previous rates. If users are finally beginning to ditch Internet Explorer, it could mean a shift in the underlying assumptions of the browser market—and may convince Web developers to pay more heed to Internet standards.

Last week, attackers took a page out of spyware purveyors' book with a pop-up ad program that silently installed a Trojan and a BHO (Browser Helper Object) designed to swipe login information from several dozen financial sites.

A week earlier, crackers compromised IIS servers on several high-profile sites and used them to spread malicious code through IE's ActiveX scripting technology, in an attack dubbed Download.Ject or JS.Scob.Trojan.

In its advisory on Download.Ject, CERT noted that "it is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

Security organizations often suggest switching applications as one way of countering an attack, but because of the media interest surrounding Download.Ject, CERT's recommendation got more attention than usual. The furor appears to have helped boost the fortunes of Mozilla and Opera, the two main IE alternatives, the vendors said.

On the day that CERT updated its advisory to mention browser alternatives, downloads of Mozilla's next-generation Firefox browser, now in its last preview release, doubled to more than 200,000, according to the Mozilla Foundation. Downloads of all of Mozilla's applications have increased steadily since last fall, with Firefox's user base doubling every few months.

But since Download.Ject, daily download volumes have risen by three to five times and have remained high, according to Chris Hofmann, engineering director at the Mozilla Foundation.

"As people continue to look more closely at the security on their system and evaluate Mozilla as an option for solving many problems, I think we will see continued high volume in our download numbers," Hofmann said. "That is translating into growth in Mozilla's market share over time."

The new interest isn't a blip, Hofmann said. "It is more of a trend that I have seen growing over the past year with users becoming increasingly frustrated with IE," he said. "People are evaluating their options for browsers in a way that we haven't seen for quite some time."

But many enterprises are reluctant to dump IE because they run so many IE-specific intranet applications.

Opera Software doesn't disclose exact figures but said downloads of its browser have been on an upswing in the past two weeks, at a time of year when they are usually falling off with the beginning of the summer holidays. "We have seen downloads and sales increase. One of the reasons is the CERT advisory," Opera CEO John von Tetzchner said.
