How can I argue against IE?

A friend of mine often asks me questions about Information Security that make great blog entries, so thanks again, Mike.

The question was, in essence: I have someone above me in the management chain that wants to switch to IE. How can I convince him this is a bad decision?

My response:
As far as the Microsoft schtick is concerned, there are a number of ways to approach this.

First, the because-experts-said-so approach:
SANS, a widely respected group of security analysts, recommends using an "alternate" web browser. This recommendation appears in many places on their site, http://www.sans.org (and on the Internet Storm Center site, http://isc.sans.org). SecurityFocus (http://www.securityfocus.com/), another respected InfoSec site, almost certainly has plenty of resources and "experts" supporting this notion as well. I'd consider myself an expert in the field, and I emphatically endorse this recommendation.

Second, the hard data approach:
Internet Explorer had at least one publicly known, unpatched vulnerability for 284 of the 365 days in 2006. This study is cited everywhere, but by the sound of it, mainstream news is the way to go with this guy, so here's a pseudo-omnibus article in the Washington Post (which is the original source, I believe):
Firefox's number in this study was 9 days. I can't say I've seen the data, or that it's been peer reviewed, and it *is* mainstream media we're talking about, but data is data.
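To make clear what a "days vulnerable" number like 284 actually measures, here is a small Python example (added for this post; it is not the study's code and the advisory dates are constructed, not real). The metric counts calendar days on which at least one publicly disclosed flaw had no patch available, so overlapping advisories must be merged rather than summed, windows that began the previous year are clipped, and a flaw still unpatched at year end counts through December 31. A same-day fix contributes zero days.

```python
from datetime import date, timedelta

YEAR_START = date(2006, 1, 1)
YEAR_END = date(2006, 12, 31)  # inclusive

# Constructed sample data (not real advisories): (public disclosure date,
# patch release date or None if still unpatched at year end).
SAMPLE_ADVISORIES = [
    (date(2006, 1, 10), date(2006, 2, 14)),
    (date(2006, 2, 1), date(2006, 3, 14)),    # overlaps the first window
    (date(2006, 6, 1), date(2006, 6, 1)),     # fixed the day it went public
    (date(2005, 12, 1), date(2006, 1, 5)),    # disclosed last year, clipped
    (date(2006, 11, 20), None),               # still unpatched at year end
]


def days_at_risk(advisories, start=YEAR_START, end=YEAR_END):
    """Return the number of calendar days in [start, end] on which at least
    one advisory was public and unpatched.

    Each advisory is treated as the half-open window [disclosed, patched):
    the disclosure day counts, the patch day does not. Windows are clipped
    to the year, sorted, and merged so a day is never counted twice.
    """
    end_excl = end + timedelta(days=1)
    windows = []
    for disclosed, patched in advisories:
        lo = max(disclosed, start)
        hi = min(patched if patched is not None else end_excl, end_excl)
        if lo < hi:                      # drop empty or out-of-year windows
            windows.append((lo, hi))
    windows.sort()

    total = 0
    cur_lo = cur_hi = None
    for lo, hi in windows:
        if cur_hi is None or lo > cur_hi:
            # gap before this window: close out the merged run so far
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            # overlapping or adjacent: extend the current merged run
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total


def year_length(start=YEAR_START, end=YEAR_END):
    """Number of days in the reporting period (365 for 2006)."""
    return (end - start).days + 1


if __name__ == "__main__":
    risky = days_at_risk(SAMPLE_ADVISORIES)
    print(f"{risky} of {year_length()} days with an unpatched public flaw")
```

Summing the windows naively would give 63 + 42 + 4 + 0 + 0 = 109 here only because the example is small; with dozens of overlapping advisories the naive sum overshoots badly, which is exactly the objection a skeptic will raise unless the merging step is explained.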

Third, the anecdotal approach:
You can find many citations for evidence that attackers now focus on applications rather than operating systems. There is also plenty of data showing that the preponderance of these attacks target Microsoft products, because their market penetration gives an attacker the largest pool of victims per exploit. From a security perspective, choosing Microsoft applications intentionally places your computers in the most frequently targeted class of assets on the Internet. There is a cost-benefit trade-off to consider here, but the expected benefit had better be high, because the cost in terms of security exposure will be severe.

Fourth, the control approach:
Firefox is extensible, and many of its extensions improve security. NoScript, for example, lets users choose which sites may and may not execute JavaScript, so a freshly compromised site (or an ad network) gets no script execution by default. An ASN lookup extension resolves the site's IP address to the autonomous system announcing it, so the user can check whether the page is really served from the network of the company they think they are visiting (with the caveat that a legitimate site hosted on a CDN or shared hosting provider will show the hosting provider's ASN, not the company's). The list goes on...

Microsoft pundits will rebut the data approach with their own FUD, but I can assure you there are no security experts endorsing IE, there is no counter-argument for the anecdotal approach, and IE simply is not extensible the way Firefox is. The four together should make a compelling argument.

This horse has been long-dead as far as most InfoSec professionals are concerned, but making an argument for the "right decision" isn't always straightforward.

1 comment:

Dean Jackson said...

Find out, if you can, what's pushing their decision to use IE. Address their specific points. Perhaps point out that US-CERT wholeheartedly recommends Firefox over IE, and has for three years.