Cert suggests firms exit IE

Internet Explorer is a hazard in itself, according to the US security advisory body

Madeline Bennett, IT Week 05 Jul 2004

Companies may have to make big changes to their desktop and web site strategies after US government security body Cert last week advised users to consider abandoning Microsoft's Internet Explorer (IE) browser.

The advice followed the discovery of a new attack that exploits an IE flaw in combination with a separate vulnerability in Microsoft's IIS web server software. Microsoft released an updated advisory on the IIS Download.Ject flaw after attackers used it to infect e-commerce sites. IE users were unknowingly redirected to a separate site and infected with a trojan.

Cert outlined a number of workarounds, but suggested that users should consider dropping the browser altogether. Referring to several significant flaws in IE, Cert advised: "It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites."

Stuart Okin, chief security officer at Microsoft UK, said, "Customers can be assured that patching IE is our number one focus." He added that rival browsers appear more secure only because they have fewer users and are less often targeted by hackers.

Andrew Braunberg of research company Current Analysis said firms should prepare their sites in case people do begin to abandon Microsoft's browser.

"E-commerce sites have a lot to lose if people lose faith in IE and switch to another browser. They should prepare for such an event, even if it is unlikely," Braunberg added.

Many sites only work properly with IE, which has a 94 percent share of the market according to analyst OneStat. Cert admitted that a move away from IE could cause problems for sites that use features such as VBScript and ActiveX. As a result, businesses might need to revise their web site strategies to ensure alternative browsers such as Mozilla, Safari and Opera are fully supported.

In its advisory note Cert suggested that future attacks might exploit the flaw in IE even if users run a different browser - if IE software is still installed as part of Windows on users' systems. Experts said the close integration of IE with Windows was part of the reason for the browser's security problems, making it easier for exploits to result in full access to systems.

Microsoft advised firms with IIS or IE to apply security updates to patch them. It added that Windows XP Service Pack 2 - currently in beta and due for full availability this month - will not be vulnerable.

Firms have been warned against running IIS in the past because of its security problems. In 2001, following the launch of the Code Red and Nimda worms, analyst firm Gartner released an advisory urging companies to replace IIS with a more secure alternative.

www.itweek.co.uk/2085536