Internet Explorer attacked in Europe – by Firefox!

Move over, Internet Explorer – here comes Firefox!

According to web site statistics-gathering outfit StatCounter, Firefox sneaked into first place in Europe over Internet Explorer for the first time ever at the end of 2010 – just over half a percentage point ahead with 38.1% to IE’s 37.5%.

Global celebrations will have to wait a bit, though: Firefox has yet to triumph over IE worldwide. IE still rules in North America – even though IE has dropped to less than half of the browser marketplace, coming in at 49% to Firefox’s 27% – and the rest of the world follows a similar pattern to bring IE home with a global score of 47%.

Firefox is in a convincing second place worldwide with 31%, whilst don’t-be-evil poster-boy Google surged to just under 15% to nab third place with the company’s much younger Chrome product.

What does this mean to security professionals? What does it mean to you?

Firstly, companies with change control committees which have selected IE, and only IE, on the grounds that it is the only browser suitable for day-to-day use, need to take action. In particular, they need to put through a change control committee change to the change control committee.

Don’t misunderstand me: there is nothing wrong, organisationally, with standardising on a single browser. It makes all sorts of things easier – configuration management, security patching, and support. (Indeed, Sophos has a handy solution which allows you to decide exactly which browsers to allow – and you might be surprised just how many distinct browser flavours there are out there.)

Just don’t try to carry the argument to your staff that your anointed browser is an “obvious choice”, or that it’s “clearly better” – the sort of dismissive remark which is still regularly heard around the traps. Be honest to your constituents about the reasons for your browser choice.

Secondly, companies with software products which have web interfaces need to do their best to avoid coding in a way which locks their products, and their users, into a specific browser. Avoiding the programmatic peccadilloes of any individual browser gives your customers more choice, and it also ensures that you don’t fall into an even deeper hole: getting stuck requiring, rather than merely supporting, a single specific version of a single browser. (IE6, anyone?)

Thirdly, today’s mainstream browsers aren’t wildly different in their attention to security. All of them are huge, complex software projects – probably too complex ever to be called properly secure, but possibly secure enough for day-to-day use – made yet more complex by plugins, add-ons and other customisation tweaks.

So your choice of browser isn’t your most important security step. After all, even if your preferred browser could be considered theoretically secure, it would nevertheless suffer from the rather insultingly-named issue known as PEBKAC. (I shan’t explain the acronym here. You’ll have to watch the video to see it spelled out in detail – complete with an illustrative example!)

Whichever browser you choose, make sure you invest time and effort in your best security asset: YOU.