I've privately and publicly lamented Microsoft's bizarre business decision in the mid-1990s to integrate Microsoft Internet Explorer (IE) deeply into Windows. Starting with various OEM versions of Windows 95, IE went from a simple bundled application that could be cleanly removed from the OS to an integral system component. In Win98--and the associated Shell Update Release (SUR) for Windows NT 4.0 and IE 4.0 with Shell Integration for Win95--IE was elevated to become the Windows shell, the GUI responsible for interacting with the user.
Before IE's integration, Windows Explorer was simply a more powerful version of the Program Manager shell from Windows 3.x, with extensible COM-based interfaces that made the environment more powerful and attractive to third-party developers. However, with the IE shell integration, Microsoft was seeking to meld the UI for the Web--a single-click, hyperlink-based paradigm--with the UI for PCs--a double-click, icons-and-windows system that typically dealt with only local and networked files and locations. Microsoft is still working on this integration: In Longhorn, supposedly, IE won't even be a separate application from the end user's perspective; instead, the differences between local and remote resources will be blurred even further.
You can make the argument that melding the UI for local (hard disk-based) and remote (Web-based) resources is reasonable. After all, why should users need to learn two separate sets of UI paradigms? If the Web interface is so easy to use and universal, why shouldn't the company apply it to local file browsing as well? Indeed, these were the questions Microsoft asked as it developed Win98 and IE 4.0. And though the company tried to make the one-click, Web-style UI the default in those products, users recoiled and demanded that the old style be returned as the default. So by the time Win98 shipped with IE firmly ensconced as its UI, Windows Explorer still acted like the old Windows Explorer, despite the technology that drove it. But as a side benefit, the shell was now buggier and less secure.
My problems with Microsoft integrating IE into Windows at the time could be summed up by one word: immaturity. Here was a product, barely a few years old and developed largely by fresh-faced recent college graduates, that was being thrust into one of the most mission-critical situations in IT: It would replace the core Windows UI. And IE's immaturity showed, as the previously rock-solid NT began succumbing to a mind-numbing number of shell-based reliability problems. Microsoft worked furiously to fix these problems over the years, and in NT-based products such as Windows 2000 Server and Windows XP, the IE shell is indeed a lot more resilient and reliable. But NT's previously impressive reliability record was forever tarnished.
Alarmingly, it also seems that Microsoft integrated IE with Windows solely to stave off competition from Netscape, which threatened Microsoft's Windows monopoly by providing a browser-based platform that could potentially render Windows obsolete. Because Microsoft made browsing part of Windows, Netscape had to compete with a dominant OS, rather than an immature browser product, and Microsoft could bring its massive industry strength against the smaller company more effectively. Yes, Netscape, like the Soviet Union, would have fallen apart on its own, eventually. But Microsoft helped it along, and today, we're stuck with the results of that decision.
IE is also the source of numerous security exploits. An integrated IE means that your Web browser--most people's portal to the outside world--can be the conduit through which viruses, worms, and other Trojan attacks could be launched against your PCs. And IE has definitely been that conduit, with Microsoft releasing dozens of IE-based security patches over just the past few years alone. One of the major "features" of XP Service Pack 2 (SP2), now due in early August, is a set of IE security fixes, including pop-up ad blocking, plug-in management, and low-level security zone changes that minimize the effects of dangerous ActiveX controls.
What's astonishing about this situation is that Microsoft could reverse all the bad effects of IE simply by removing it from Windows, a tactic it has refused to follow. Instead, under court order, Microsoft provided a way to hide IE so that users could choose to use a different Web browser without being bothered by the presence of IE on their systems. Like the overall US antitrust settlement that brought about this requirement, however, hiding IE is a nonanswer to a serious question. Because IE is still installed on your system when hidden, users are still in danger of attacks exploiting IE bugs. And because IE still pops up, unannounced and unwanted, for various tasks (e.g., system updates through Windows Update), it's still an attack vector, even for those people who explicitly chose to get rid of it.
Now, I've received a bit of feedback from people suggesting that my anti-IE stance is a "Chicken Little" response to a more general problem--that removing IE isn't going to solve anything. I've also seen some interesting discussions about the IE "monoculture" that suggest that IE is attacked only because, with about 95 percent of the market, it's an obvious target for hackers. A more balanced market, some believe, with two to three major players, each with nearly identical market share, would be safer for users. Perhaps. I agree that IE is attacked, in large part, because that's where the victims are. But IE is also a stereotypical Microsoft product that the company cobbled together quickly, then spent the next several years patching repeatedly until the result was a patchwork of poorly designed code that might never be truly secure. In other words, like the Netscape example, IE would have folded under its own weight eventually, but clearly its market dominance attracted hackers to it much more quickly.
What bothers me about all this is that no clear advice emerges. Personally, I feel that you should avoid IE at all costs and design Web sites, intranets, and extranets to be platform agnostic and work equally well with all browsers. Switching to a new browser won't be a cure-all--in the past week, new vulnerabilities in both Mozilla Firefox and Opera Software's Opera highlighted this fact. But it's unlikely that a little-used browser such as Mozilla Firefox will incur the number of vulnerabilities that IE faces each year. For so many reasons, I think it's time for enterprises and businesses of all sizes to start seriously considering switching to a new browser. IE is just too unreliable and too dangerous to ignore anymore.
I agree with you. But I would also like to know more about the technicalities that make IE such a risk. Is it ActiveX, scripting, or some other feature? Which of the risks are not present in other browsers? Are the security holes just silly programming errors, or should we abandon the whole idea of exchanging program components across all borders?
stalar July 20, 2004
My answer, "Horribly Broken Windows Component." I've made the switch to Firefox.
Anonymous User November 08, 2004
ActiveX, scripting, or some other feature . . .
Anonymous User April 04, 2005