Microsoft said it has released configuration changes to several of its operating system platforms to help protect against recent attacks on its widely used Internet Explorer browser. The company also said it will release security updates in the coming weeks that will provide additional protection.
The recent attacks caused a flurry of criticism from security experts, which included some calls for customers to consider using other browsers. But switching browsers isn't always a reasonable alternative, although it is one way to combat the most recent exploit that affects Internet Explorer. The Scob, or Download.ject, exploit is set in motion when a user visits an infected
This week, the U.S. Computer Emergency Readiness Team recommended that users consider browsers other than IE until Microsoft develops a patch for the flaw. Today, Microsoft released a configuration change to Windows XP, Windows Server 2003 and Windows 2000 Server that is designed to make systems more "resilient" to the attack, Microsoft said in a statement. Security updates in the coming weeks are expected to provide even more protection, the software maker said.
Many factors involved in whether to switch browsers
Ullrich said his advice to use another browser applies to this exploit only. Whether customers should completely abandon Internet Explorer in favor of another, less vulnerable browser depends on other factors.
In the majority of cases, users won't switch browsers because it requires an enormous shift in their behavior, said Alan Paller, director of research at SANS Institute, which is a center for security training and certification based in Bethesda, Md.
Paller said that a software customer's best strategy for dealing with security breaches is to get together with other users and put pressure on vendors. "Use your combined buying power to make vendors more responsible," he said.
There are alternatives to Internet Explorer for the Windows, Linux, Unix and Mac operating systems, but most people choose to use what is provided to them, said Dan Kusnetzky, vice president of system software research at International Data Corp., a Framingham, Mass., market research firm.
Different users, different needs
Kusnetzky divides users into four groups: consumers, developers, enterprise users and transaction-oriented users.
Developers are likely to use IE if they are developing software for deployment on Windows. "Increasingly, we are seeing people developing platform-neutral software," he said. "They are likely to be using one of the alternative browsers if they are using Linux for development. If they are using Windows, then for them, an alternative browser may be viable."
A knowledge worker might be willing to make the switch, but it would most likely be done over the objections of an IT department that wants to maintain a consistent and supportable computing environment, Kusnetzky said.
Transaction-oriented workers also use the systems they are given, and it's not likely they would have the knowledge to change the configuration of their desktops.
Possible compatibility issues with a switch
For most people who do switch, the learning curve of a new browser probably wouldn't be that great, Kusnetzky said. Most have similar features and functions. But it could cause a few problems with some application packages that deliver help and advice as HTML files, possibly with attached DLLs or calling specific functions that are part of IE, he said.
"It's not clear that another browser will do exactly the same things in all cases," Kusnetzky said. "If the organization uses IE as an interface to Web-based applications, it's feasible that some applications may not function as intended. They may even function better, but it's hard to say."
One thing this recent exploit clearly highlights is the argument for keeping the browser separated from the operating system, said John Pescatore, an analyst at Gartner Inc., in Stamford, Conn. "The browser is part of the OS, so you can't just patch the application," he said.