Alternative browser makers say they are seeing a huge and sustained boost in downloads spurred by the most recent Internet Explorer security concerns, but industry observers caution that switching browsers isnt necessarily a panacea.
While the high-profile attacks of the past two weeks have affected only IE on Windows, other browsers already or could soon share some of the same vulnerabilities, researchers say.
But most agree with the assessment—voiced recently by CERT (the U.S. Computer Emergency Readiness Team), among others—that dumping IE is one way to get quick protection from the recent attacks.
IEs latest woes appear to be fueling more than just a temporary interest in the browsers competitors, according to the Mozilla Foundation and Opera Software, with Mozilla reporting overall downloads sticking at three to five times their previous rates. If users are finally beginning to ditch Internet Explorer, it could mean a shift in the underlying assumptions of the browser market—and may convince Web developers to pay more heed to Internet standards.
Last week, attackers took a page out of spyware purveyors book with a pop-up ad program that silently installed a Trojan and a BHO (Browser Help Object) designed to swipe login information from several dozen financial sites.
A week earlier, crackers compromised IIS servers on several high-profile sites and used them to spread malicious code through IEs ActiveX scripting technology, in an attack dubbed Download.Ject or JS.Scob.Trojan.
In its advisory on Download.Ject, CERT noted that “it is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites.”
Security organizations often suggest switching applications as one way of countering an attack, but because of the media interest surrounding Download.Ject, CERTs recommendation got more attention than usual. The furor appears to have helped boost the fortunes of Mozilla and Opera, the two main IE alternatives, the vendors said.
On the day that CERT updated its advisory to mention browser alternatives, downloads of Mozillas next-generation Firefox browser, now in its last preview release, doubled to more than 200,000, according to the Mozilla Foundation. Downloads of all of Mozillas applications have increased steadily since last fall, with Firefoxs user base doubling every few months.
But since Download.Ject, daily download volumes have risen by three to five times and have remained high, according to Chris Hofmann, engineering director at the Mozilla Foundation.
“As people continue to look more closely at the security on their system and evaluate Mozilla as an option for solving many problems, I think we will see continued high volume in our download numbers,” Hofmann said. “That is translating into growth in Mozillas market share over time.”
The new interest isnt a blip, Hofmann said. “It is more of a trend that I have seen growing over the past year with users becoming increasingly frustrated with IE,” he said. “People are evaluating their options for browsers in a way that we havent seen for quite some time.”
Opera Software doesnt disclose exact figures but said downloads of its browser have been on an upswing in the past two weeks, at a time of year when they are usually falling off with the beginning of the summer holidays. “We have seen downloads and sales increase. One of the reasons is the CERT advisory,” Opera CEO John von Tetzchner said.
While they welcome the positive publicity, Opera and the Mozilla Foundation havent made any special effort to take advantage of IEs recent troubles. Opera said it doesnt expect Microsofts security problems alone to create a significant opportunity for grabbing market share—after all, IE security holes are nothing new and havent prevented the browser from taking 95 percent of the market, noted Christen Krogh, vice president of engineering at Opera.
Instead, Krogh said Opera believes that the diversification of platforms accessing the Web will force Web designers to adhere to W3C (World Wide Web Consortium) standards instead of to the quirks and proprietary technologies of Internet Explorer.
“The Web is not limited to a single type of access device,” Krogh said. “Besides Windows desktop computers, there are also smart phones, PDA phones and things like set top boxes. Microsoft is not in a dominant position on any of those—in fact, on smart phones, we are bigger than Microsoft.”
Mozilla and Netscape account for 3.5 percent of all Web users, and Opera for 0.5 percent, according to market research firm WebSideStory. Opera says it has 1 percent of the market—the discrepancy is partly due to the fact that Opera browsers can identify themselves as IE.
Researchers note that not all of IEs troubles spring from features that are unique to the browser. The BHOs involved in last weeks attack, for example, have equivalents in other browsers, but these simply havent been exploited, security experts said.
ActiveX, with its unrestricted access to the system, has long been considered a major weakness in IE, and the lack of ActiveX support in Mozilla and Opera is one reason they are safer.
But both browsers, along with Apples Safari, will soon begin using an extended version of the Netscape plug-in architecture with ActiveX-type scripting capabilities, raising the question of how they will head off any accompanying security issues.
Some common assumptions across all browsers are now being reclassified as security holes—the use of BHOs is one example. Another is a feature allowing one Web page to load arbitrary content into a frame of another page; this could allow an attacker to, for example, substitute his own login window on a banks Web site, according to an advisory issued last week by security firm Secunia. The feature, found in IE, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror, has been around for six years.
“We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such functionality against the possible consequences for their customers,” said Thomas Kristensen, chief technology officer at Secunia. “In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not.”
Some browser vendors agreed: Mozilla and Firefox were updated two weeks ago to remove the feature, and Microsoft said it is considering blocking the feature with the release of Windows XP Service Pack 2 (SP2). However, “blocking these types of navigations is an application compatibility issue on many sites,” a Microsoft representative said.
Secunia released a demonstration, injecting arbitrary content into a Microsoft.com site, that can be used to test whether a browser is vulnerable.
Kristensen compared the issue to a feature designed to allow login information to be embedded in a URL, but which scammers recently began abusing to make false URLs appear in IEs address and status bars. Microsoft was forced to remove the feature despite its legitimate uses.
Using another browser doesnt necessarily make the problems of IE disappear, researchers said. CERT noted that switching doesnt remove IE from a Windows system, and other programs may still invoke IE, the WebBrowser ActiveX control or IEs HTML rendering engine.
Aside from such concerns, other browsers clearly have far fewer security issues than IE, according to security experts. Secunia, which maintains a database collating advisories from various sources, collected 38 vulnerability advisories for IE 6.x during 2003 and 2004, 42 percent of which were “highly critical” or “extremely critical,” and 32 percent of which granted system access. Opera 7.x had 23 bugs, 17 percent of which were highly or extremely critical, and Mozilla 1.3 and later had 11 advisories, none of which were more than moderately critical.
“While other browsers also have problems, it seems evident that vulnerabilities are a bit more frequent and serious in IE,” Secunias Kristensen said.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: