Scriptless IE Not Worth It

Opinion: Whenever there's another security hole in Internet Explorer, they tell you to disable Active Scripting and ActiveX as an interim measure. I gave it a try.

The U.S. Computer Emergency Readiness Team gained a lot of attention with its advisory on the most recent Internet Explorer attack.

In the "solutions" section, it suggested—as the last of six things you might do—that you could use a different browser. Absolutely, and I wonder why the team doesnt make the same recommendation for numerous other products for which it lists vulnerabilities.

But I was more interested in the first listing in the solutions section: Disable Active scripting and ActiveX.

Disabling Active scripting and ActiveX controls in the Internet Zone—or any zone used by an attacker—appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning.

Instructions for disabling Active scripting in the Internet Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See this Microsoft Knowledge Base article for information on securing the Local Machine Zone.

Also, Service Pack 2 for Windows XP, currently in beta release, includes these and other security enhancements for IE.

Ive seen this sort of recommendation very often in past security advisories, principally in those from Microsoft. Ive always thought of it as pro-forma stuff, kind of like the potential side effects listed on a medicine package, which is basically a list of anything thats ever been observed. They have to list it, but they dont really believe in it.

Nobody would ever actually disable ActiveX controls and Active scripting, would they? I figured now was the time to try and see just how bad things were. I left related settings aside and did this only in the Internet zone.

My Internet Explorer was a lot more functional than I expected in this condition, but I still had enough problems that if I felt this was the only way to run IE, I would switch browsers myself, probably to Firefox. I dont think this is the only way to run IE, though, especially when Windows XP SP2 comes out.


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

A lot of Web sites just end up looking funny, with the fonts all wrong. ESPN is one of these. I assume they are using scripting to modify the DOM. Other parts of ESPN are dysfunctional to the point of there being many empty content boxes around the screen.

Fleet Homelink, my banks site, is completely busted. I looked at the page source, and the home page has a script-based browser type and version check, so this ones a definite no-go. In cases like this, I either used a different computer (I have a lot of them), or I used Firefox.

Next Page: Seeing how other sites handle the switch.