Should we bin Internet Explorer?

Australia has joined the list of countries with official guidelines suggesting that you consider giving up on Internet Explorer, at least until Microsoft has fixed the now-widely-known vulnerability in its browser.

France and Germany have floated similar advice, presumably over concern that this vulnerability seems almost certain to be implicated in the Operation Aurora attacks against Google and other companies.

Sophos readers seem to agree with the public servants. A Sophos poll which opened last night showed by this morning that 72% of respondents supported switching from IE, with just 28% happy to stick with it.

Interestingly, 59% of those surveyed aren’t just saying Oui-Ja-Yes to an alternative browser, they are saying Non-Nein-No to Microsoft’s browser for ever, arguing for a permanent change away from Internet Explorer. This is something of a slap in the face for Microsoft’s much-vaunted promises of trustworthy computing.

Similarly, an article in this morning’s Sydney Morning Herald taking a centrist view in the “ditch IE” argument has already received a barrage of comments, most of them taking potshots at Microsoft and IE. (And, it seems, at me, for daring to imply that browsers other than IE might be fallible).

Is a temporary browser switch really a good idea?

Companies which are not already supporting a browser other than Internet Explorer might be biting off more than they can chew if they switch abruptly.

All browsers have vulnerabilities, and even though it’s true that IE is exploited more than any other browser, you don’t achieve security simply by switching. That’s security through obscurity, which is merely false security. Good security means defence in depth, and, in a well-defended network, a single unpatched vulnerability in your browser shouldn’t really be enough for the bad guys to get in.

Some of the possible problems with a temporary browser switch include:

  • Users who are unfamiliar with the replacement browser will clog up the helpdesk with support calls. A stressed helpdesk is a vulnerable helpdesk. Social engineers know how to take advantage of busy support staff, who are more likely to make mistakes when under pressure.
  • Business-critical web applications may not have been properly tested under the replacement browser. This may affect availability and productivity.
  • If you are not familiar with configuring and managing the replacement browser, you may end up with a less secure environment than a well-protected system with an unpatched IE.
  • If your replacement browser turns out to have a vulnerability, and you have endorsed switching as a security measure, your managers might reasonably expect you to switch again. You may end up spending more time switching browsers than doing any real work.

By all means, switch away from IE if you are comfortable with doing so. But even if you do, you still need to practise defence in depth and to shield your browser from the internet. In fact, if you haven’t already considered it, why not take a look at Sophos Web Security and Control?

And be sure to let us know what you think about binning IE: vote in the poll yourself!