Internet Explorer, Monoculture and Tunnel Vision
Posted by: Rob Enderle, July 19, 2004 06:00 AM
I've been watching a number of security experts call for companies to replace Internet Explorer (IE), and the follow-up pieces that report, with the implication that the companies must be stupid, that they aren't following that advice. I think this reflects more on how far removed many of these experts are from IT management than it does anything else, but, given the coverage, I figured it was time to write a security primer.
There are massive dependencies on this operating system component.
For most companies, there is no compelling reason to standardize the use of IE for accessing external (non-company) websites. This is not the same as removing IE from the machine, as (as is pointed out) it is the default rendering agent for many MS applications.
However, as another poster points out, you can equally easily set the default browser to another (say, Firefox), remove the desktop shortcut to IE (which can be done trivially as a server-level policy) and 90% of the security headaches from IE (visiting websites with IE and becoming infected) vanish.
With its use as a primary web browser gone, there are few reasons to permit direct (or proxied) access to the internet for the component. The exception is that many packages now expect to piggyback their own internet settings on the IE registry keys, pulling such things as default dialer, web proxy and even security settings from there. However, it is also equally possible to use the security settings to lock down the browser to the point where it can hardly render text without needing to ask permission.
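A read-only audit of the settings the comment above refers to, added here as an example and not taken from the post or from any commenter: it lists the per-user proxy values that other Windows programs inherit from the IE registry keys, and reports whether the Internet zone's ActiveX and scripting actions are set to Prompt or Disabled. The registry paths, zone numbers and action IDs are the documented Internet Explorer security-zone ones; the "locked down" threshold, the function names and the output layout are this example's own choices.

```powershell
# Added example (not code from the original post or any commenter): read-only
# audit of the per-user WinINET/IE settings that other Windows applications
# inherit, plus the Internet-zone lockdown state. Requires PowerShell 3.0+.
# Registry paths and zone action IDs are the documented IE security-zone ones;
# the "locked down" threshold below is an assumption made for this example.

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Zone numbers as stored under Internet Settings\Zones\<n>.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Subset of documented action IDs worth checking first (each is a DWORD value name).
$ZoneActions = [ordered]@{
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
    1400 = 'Active scripting'
}

# Meaning of the DWORD stored under each action ID.
$ActionState = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-InheritedProxySettings {
    # These values are consumed by every WinINET client (Outlook, updaters,
    # installers), which is why they matter even when IE is no longer the
    # desktop browser.
    $p = Get-ItemProperty -Path $InetSettings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-ZoneActionStates {
    param([int]$Zone)
    # Only the per-user (HKCU) values are read here. If the Security_HKLM_only
    # policy is in force, the effective values live under HKLM instead.
    $p = Get-ItemProperty -Path "$InetSettings\Zones\$Zone" -ErrorAction SilentlyContinue
    foreach ($id in $ZoneActions.Keys) {
        $prop = if ($p) { $p.PSObject.Properties["$id"] } else { $null }
        $raw  = if ($prop) { [int]$prop.Value } else { $null }
        $state = if ($null -eq $raw) { 'Not set (default)' }
                 elseif ($ActionState.ContainsKey($raw)) { $ActionState[$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Zone   = $ZoneNames[$Zone]
            Id     = $id
            Action = $ZoneActions[$id]
            State  = $state
        }
    }
}

function Test-InternetZoneLockedDown {
    # Assumption: "locked down" means every listed action in the Internet zone (3)
    # is explicitly Prompt or Disabled. An unset value means the built-in default
    # applies, and for several of these actions that default is Enabled, so it
    # does not count as locked down.
    foreach ($s in Get-ZoneActionStates -Zone 3) {
        if ($s.State -notin @('Prompt', 'Disabled')) { return $false }
    }
    return $true
}

# Report: inherited proxy settings, Internet-zone action states, overall verdict.
Get-InheritedProxySettings | Format-List
Get-ZoneActionStates -Zone 3 | Format-Table -AutoSize
"Internet zone locked down for the listed actions: $(Test-InternetZoneLockedDown)"
```

Run it under the account whose settings you want to inspect, since the values are per-user. The proxy section shows what a package that "piggybacks" on the IE keys would pick up; the zone section shows whether the lockdown the comment describes has actually been applied, rather than assuming it from the absence of a desktop shortcut.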
Agreed - however, quite a few companies have standardized on IE as their "company standard" browser, and getting upper management to change their mind on that one is often a losing battle. The downside to a new browser is that often some things just won't work.
An example from my recent past would be 3270 emulation. We had a range of choices - we could have bought the most excellent Attachmate product, at approximately $120/licence, for our 100+ casual users - or we could buy a site licence for TM3270/Java from mochasoft.net for a $250 flat payment.
Problem was - it *only* worked in MS Java - the Sun virtual machine has some weird bug that special-cases the tab key, and the authors had not yet worked around this for the Java version. The alternative was to buy the ActiveX (definitely IE only) version of the same software (normally $350, but Mochasoft very kindly gave us a copy as a free upgrade from the Java edition after we discovered that the latest XP machines we bought came with the Sun, not MS, Java machine in their IE, and basically those machines were cut off from the spare parts ordering system).
So what is this company to do? We can't "standardize" on Firefox as that would lock us out of a business-critical application. We also can't standardize on a non-Outlook email client (Outlook uses IE as its rendering agent, in case you are wondering about the link) as we not only need to interoperate with other branches of the same company (which are also on Exchange) but have so many functions (like team calendaring) dependent on Outlook that it would cripple our normal business methods to abandon it.
What? Migrate for the sake of changing your browser? Where did that come from? Changing the browser in Windows is trivial at best. You don't need to get rid of IE; you can simply install something (such as Mozilla, Firefox, Opera, Avant... just google for the word browser) and delete the desktop shortcuts. Simple. So where did you get the idea that in order not to use IE you must remove it or migrate?
I haven't used IE for a large amount of time and I've seen no ill effects. Sure, because it's the default (my mother refuses to attempt to learn how to use Firefox) it pops up from time to time, but seriously, if an admin can't figure out how to install a piece of software (that comes with an installer) he/she shouldn't be in their current career.
I've even heard of people using NO Microsoft applications on Windows, and none of these people have reported any difficulties.
This article seems more intent on misleading the readership here than it does on educating them about security.