Secunia has put out yet another "extremely critical" security alert against Microsoft's Internet Explorer browser. At the same time, dozens of media outlets have leapt on a report that states Explorer's market share has fallen for the first time since it first took on Netscape Navigator all those years ago.
The fall stems from a recent CERT advisory that suggested people not use Explorer until another hole was patched by Microsoft. There had been many "proof of concept" holes in the past, but this one was discovered actually working away undiscovered, handing over vital information to what appears to be the Russian mafia. No one knows how long it was running for prior to its discovery.
With Secunia's alert warning of four vulnerabilities - some known, one apparently new - that can provide system access and security bypass even on a fully patched up-to-date machine, it is a miracle that anyone continues to use the Explorer browser at all.
But things are not that simple. Hewlett Packard advised earlier this month that people no longer use competitor Netscape because of the large number of "potential vulnerabilities". It advised moving over to Mozilla. But then, a week later and a hole is discovered in Mozilla. Opera, then? Nope.
What about new kid on the block Deepnet Explorer? It hasn't been around long enough to suffer a security issue, but since it also incorporates peer-to-peer sharing, the chances of its being exposed are doubled.
The much-trumpeted fall in Explorer's share is very far from conclusive. It has fallen from 95.73 percent of the market to 94.16 percent from June to July, claimed some previously anonymous web stats company. A statistical blip would easily cover such a small movement. This is very much a case of people finding the facts to fit the story - Web users flee insecure Explorer.
The horrible reality
But is Explorer a real problem or are its woes just used for some unsophisticated Microsoft bashing? If there are real reasons for people shifting browser, why aren't they?
First, let's have a quick reminder of Explorer's absolutely dreadful past year:
- In August 2003, three holes allowed system access through the browser. "People with little technical knowledge will be able to exploit this. The only solution is to install the patch as soon as possible," explained one security expert.
- That November, along came another extremely critical hole. This one bypassed security and let someone run code on your machine without you being aware of it.
- And then another, the next month. Just in time for Xmas came a dangerous spoofing flaw that displayed one address in the browser's address bar while the person was actually connected to a different site. Microsoft eventually patched the hole in January, but only by removing an Internet standard from the browser, and causing many sites to have to redesign.
- In March this year, Web mail was put at risk by another Explorer hole. Code hidden in an email to a Yahoo or Hotmail account would provide the log in details for that account.
- Again in April, another flaw enabled a buffer overflow and let someone run code on your machine when you simply clicked a link. Microsoft's claim to have immediately fixed it was then disputed by security experts who tested a patched browser.
- And then last month, in June, a massive hole thanks to two previously unknown vulnerabilities was allowing the installation of software on people's computers without their knowledge. Worse still, it was already being used by a shady Russian outfit.
- And finally, just a fortnight later, another hole that was being used to get hold of people's bank details finally pushed CERT to recommend dropping Explorer altogether.
So why isn't Explorer dead already?
It's hard to imagine that anyone would continue to use Internet Explorer faced as it is with such massive security issues. If it were a car rather than a browser, it would have been scrapped. But despite very good reasons for moving browsers, people still aren't. Why?
There are a multitude of reasons but by far the simplest is that average Joe doesn't know what the hell browser security issues are, or even that the browser is just a piece of software used for accessing the Internet. Thanks to Microsoft's spectacular decision (causing it to fall foul of competition law) to bundle Explorer with Windows, people don't know anything of any other browser. To many people, Explorer is the Internet. They double-click the icon and then there's the Internet.
Then there is the significant hassle of actually moving to a different browser. You need to decide on a different one, download it and install it. Then you have to import your bookmarks. And retype in your usernames and passwords. Then get it to act as the default for links and HTML files etc. While this process is simplified as far as possible by Explorer's competitors, and is kid's play to anyone with a technical bent, it still remains daunting and confusing for the vast majority of Internet users.
The truth is that people don't really think anything bad will happen to them. Combine this with the fact that people get used to things and don't like to change. Then add the fact that thanks to its dominance, many websites are optimised for Explorer and for Microsoft's proprietary added functions, and you have a lot of reasons why people won't switch. Explorer, let's not forget, also offers many features for website designers that other browsers do not.
You may decide to move to a different browser because of the fear of your bank account details being hoovered off your computer, but then find that your bank will only work with Explorer and Netscape - the two browsers giving the most concern. Under pressure, some banks have started making versions of their online banking available for other browsers, but many do not.
And at the end of all that, it may not make any difference anyway because Windows and Explorer code is so closely tied in that other programs may still invoke it, and a security hole be opened anyway.
There is the further argument that Explorer only suffers so many problems because it is so completely dominant that all people's attention is on hacking it. Why hack a browser that so few people use? Plus of course the browser market exists in an especially odd position because all its wares are free.
And then there is the eternal SP2 update that Microsoft claims will be the end to all its security worries. That will finally be released in August. By which time, Microsoft will have lost almost none of its browser dominance and will hope that the security increase will reduce the number of hugely embarrassing vulnerabilities.
Is that it then?
The situation looks unlikely to change significantly until, ironically, Microsoft releases the next version of Windows - Longhorn. The US authorities are watching its development closely and may insist on Microsoft not tying its browser software in so closely with the OS.
Once that happens, the door opens a little to other browsers. And combined with the greater freedom now given to PC vendors because Microsoft will no longer be able to dictate what else appears on a machine with Windows, it means that consumer PCs may come pre-loaded with a different browser to Explorer, or at least a choice of browsers.
When - if - that happens then finally, finally we may have a normal competitive browser market where the software competes on quality and price (browsers won't be free for long in a competitive market). And then we can look forward to a slew of security alerts for browsers other than Explorer.
RIP Explorer? Nope, it's here to stay all right.