Browser of Mass Destruction
Yahoo! News is reporting that the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) has recommended using browsers other than Microsoft’s Internet Explorer, due to security concerns. There are a number of recommendations listed in the US-CERT vulnerability note, but the relevant one is this:
“There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).”
I haven’t (intentionally) used IE for several years now, but it’s still jarring to see this lack of security in what is probably still the most widely used web browser for Windows. As noted elsewhere on the web, this has prompted a number of Windows users to finally investigate their alternatives, such as the Mozilla project’s Mozilla and Firefox browsers.