ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

Internet Explorer's shrinking numbers

Robert Vamosi CNET

Published: 16 Oct 2006

• 
• 
• 
• 
• 

There's a new version of Internet Explorer coming this week, complete with tabbed browsing and built-in anti-phishing technology, but will the new features be enough to shore up the browser's flagging support? According to information from NetApplications.com, Internet Explorer's market share has dropped to 82 percent, with Firefox's rising to 12.5 percent, Safari's rising to 3.5 percent, and all other Internet browsers holding steady at 2 percent of the browser market. These new numbers for Internet Explorer are down from 86 percent in September of 2005 and 92 percent in October of 2004 (the first month that NetApplications' statistics were available). Given that Mozilla Firefox 2 will also be available before the end of the month, I don't see IE 7 increasing its market share because of new features (Firefox has many of the same, if not more, new features). In fact, I see Internet Explorer continuing to lose ground to the competition, mostly because of the Byzantine way Microsoft handles vulnerabilities within its browser.

First, the numbers
I spoke with Gary Schare, director of Windows product management at Microsoft, who cautioned me against getting all wrapped up in these numbers. He said most of market erosion has been among Mac users who have, over the years, stopped using Internet Explorer in favour of Safari or Firefox. Microsoft has not and is not developing new versions of Internet Explorer for the Mac; Internet Explorer 7 will be Windows only.

I find it hard to believe that Mac users are to blame for the recent decrease. Stats available from NetApplications show the total Mac audience to be only 3.88 percent of the operating system market. If, for example, every Mac user stopped using IE, that still wouldn't account for the drop from 86 percent to 82 percent within the last year. There's something else going on.

Safety in numbers
Back in November 2004, I stopped using Internet Explorer because, among other reasons, it is insecure. I haven't looked back. According to security vendor Secunia, Internet Explorer 6.x still has 19 unpatched vulnerabilities out of total of 106 advisories on Microsoft's site. Firefox, on the other hand, has only 3 outstanding vulnerabilities out of a total of 36 on its site. A quick disclaimer: IE 6 has been out longer and has already been the focus of more criminal activity than Firefox, so of course the numbers for IE are much higher. In looking at the percentages, however, IE 6 has 18 percent outstanding, while Firefox has only 8 percent outstanding vulnerabilities. Of those outstanding vulnerabilities, those within IE are rated by Secunia as 'extremely critical', while those within Firefox are deemed 'less critical'. Which browser would you rather be using?

In talking with Mike Schroepfer, vice president of engineering at Mozilla, and Christopher Beard, vice president of marketing and product management at Mozilla, it's clear that Mozilla can be (and is) more efficient than Microsoft in patching known vulnerabilities. First, Firefox is open source and relies upon a passionate worldwide community of users. When a new vulnerability is reported, users all over the planet start chiming in on whether they can reproduce it, while others start working on a fix. This 24/7 coverage allows Mozilla to be much more responsive. I like the fact that I always know when there's a new patch for Firefox -- it's automatically downloaded whenever I launch the browser. It's reassuring to see the update process.

How IE gets patched
Microsoft, on the other hand, takes a different approach with patches. First, Microsoft has a policy of issuing patches only on the second Tuesday of every month, 'Patch Tuesday'. In advance of the October 10 2006 patch release we were told to expect 11 new patches; in reality, there were only 10. According to Microsoft, one critical Windows patch did not meet the company's quality bar and will be released next month instead.

Hang on. A critical patch for Microsoft Windows can wait until next month? Sure enough. Schare told me that for every patch cycle, the Microsoft team sits down and looks at the current vulnerabilities affecting its various products, then picks between 5 and 10 to patch in the next cycle. Beyond 10, said Schare, becomes more of a service pack, and that's generally too much for the average consumer to handle. This means that there are always potential patches, some threats that may even be deemed critical, that Microsoft may not be able to fit into its current patch cycle.

That VML vulnerability
Then there are the very rare out-of-cycle Microsoft patches, such as the one that fixed the Internet Explorer VML vulnerability last month. According to Microsoft's Schare, the VML vulnerability was discovered in and patched within Internet Explorer 7 by Microsoft several months ago; that's why Microsoft was able to rush out MS06-055 for Internet Explorer 6 in such a short amount of time. But the VML vulnerability was not deemed by Microsoft to be a high priority for Internet Explorer 6 in part because it was so hard to find (if you didn't know where to look). That is, until the vulnerability was recklessly made public on the Internet, complete with enough detail to assist malicious spyware vendors in developing their own exploits. But since Microsoft had already fixed the flaw within IE 7, here was a case where it was relatively easy for the software giant to roll out a patch for IE 6.

It's good to know that Microsoft is testing IE 7 against unknown, potential zero-day attacks. Microsoft is using fuzzying techniques, a process I first wrote about this past July. By hitting IE 7 with a variety of buffer-overflow errors, long URL strings and so on, and by turning off ActiveX components by default, Schare insists that IE 7 will be the most secure Internet browser Microsoft has produced to date.

Roll out IE 7
Microsoft's so sure that IE 7 is good, it's making sure everyone has a copy within the next 90 days or so. Starting next month, look for automatic Windows Update notices on your Windows XP SP2 desktop asking you to upgrade to IE 7; if you're running an earlier version of Windows, you won't be able to upgrade. And if you're a business, you have until November 1 2006 to put a block on your desktops to prevent the automatic update from installing IE 7 across your enterprise.

Even if you have already abandoned IE in favour of Firefox, you should at least update from IE 6 to IE 7 (although you may never use it). Why? Microsoft has woven IE so thoroughly into the fabric of Windows XP that vulnerabilities within IE 7 could manifest themselves in the way you view HTML docs within Microsoft Office Word, for example. Better to lock down the operating system than be vulnerable to new attacks written specifically for IE 7.

But should you use IE 7?
Microsoft's problems with Internet Explorer lie not in the new features, but in the near-constant barrage of vulnerabilities reported within its browser and its own poor track record at fixing them. I know the bad guys are spending all their resources on cracking the latest IE version -- so, to me, Firefox is much more secure, even if it's just security by obscurity. I simply don't feel safe when I'm near IE, and it's going to take more than one good release of the browser to change that perception.

Related articles

• 
• 
• 
•