Searching for a secure browser may be in vain

31.01.2005
By Nicolas Callegari

The media is often littered with news of vulnerabilities found in Internet browsers, or software vulnerabilities that can be exploited by various distributions of spyware and malware.

According to the CERT Web site, the total number of vulnerabilities reported between 1995 and 2004 amounts to just under 17,000, with around 320,000 actual exploits between 1988 and 2003, each incident involving up to a few thousand Web sites at a time.

This raises the question as to whether there is such a thing as a totally secure browser at all, and whether a user can be totally protected against threats. Given the current market share that Microsoft Corp.'s Internet Explorer enjoys locally and internationally, it would only seem logical that the majority of exploits are written for MS products.

Similarly, it is also a popular belief that the various other options available on the Web (such as Mozilla, FireFox, Netscape, Opera) are more secure because of the high number of MS-only exploits written for the Web.

However, the alternate browsers are not the be-all and end-all of secure Internet browsing, as was recently discovered when various vulnerabilities were found in the open source FireFox browser and Thunderbird e-mail client.

Colin Erasmus, Microsoft SA's technology security manager, says that, as long as there are Internet browsers and cyber criminals, there will always be security vulnerabilities.

He maintains that while the threats of security breaches through Internet browsers are very real, and may never go away totally, software developers need to be able to innovate on both a security level and a functionality level.

"Some browsers may leave certain features out because they are perceived as being a security threat. The trick is to find the middle ground, where functionality is not compromised by security, but leaves the system open enough to customize if the user chooses," Erasmus says.

Until fairly recently, innovation was a word that did not feature in any browser's vocabulary. The bygone feud between Netscape and Internet Explorer all those years ago came to a sudden end, and the Internet browser market became something that just went with the flow.

But innovation has slowly picked up again. As an example, tab browsing (a default feature in FireFox and Netscape) is the "in thing" at the moment, and a feature that many critics say has led to Internet Explorer losing some market share to the alternate browsers.

However, Erasmus says that there are a number of third-party add-ons that have been written for IE and can be installed through IE add-ons, similar to FireFox's "extension" functionality. According to Erasmus, the real innovation started when Internet security became such a concern.

He cites Microsoft's release of XP Service Pack 2 (SP2) as an example, which included a number of new security features, popup blockers and user-friendly warning messages.

A number of add-ons were also made available from the likes of Microsoft's MSN, Google Inc. and Yahoo Inc., which all include spyware blockers, popup blockers and privacy controls.

This has been taken to the extent where browsers will, by default, have the functionality built in, for example Netscape and FireFox's popup blockers.

"At the end of the day it is really about choice," adds Erasmus. "The browser market needs some competition and it can only be good."

Michael Gartenberg, vice-president and research director at Jupiter Research in New York said recently to Computerworld that while businesses may be tempted by consumers and the media to switch to a browser such as FireFox, mission-critical applications have been built on IE technology, and most organizations do not have the resources or budget to recode them.

Gartenberg does, however, say that using FireFox as an everyday browser should be no problem but that, for business use, it may benefit organizations more to stick with IE and install security updates as and when they are released.

Anti-competitive comments and proprietary technology arguments aside, Microsoft's APIs are available to ISVs wanting to make their applications and Web sites compatible with other browsers, Erasmus says.

The browser market should be an interesting one in the coming months. Gartenberg predicts that the real intensity will not be so much at the browser level, however, but more in the desktop search arena, "where there is real money to be made," he says.

"If Microsoft is spurred by FireFox's success to put more resources into IE, it would help create a better experience for both businesses and consumers. That might even happen before Longhorn (Microsoft's new version of Windows) ships," Gartenberg concludes.