In-Depth

Test Drive a Better Browser

These alternatives to Microsoft's Internet Explorer can add Web-browsing muscle, but they're not without potential problems.

Let's face it—Internet Explorer 6.0 is getting pretty long in the tooth. It has been out since August 2002 and IE's security holes, some of which have taken Microsoft considerable time and effort to patch, make news with distressing regularity.

Originally, Microsoft hadn't planned to release a new browser until it shipped Longhorn (now called Vista) sometime in 2006. It claimed that—among other things—IE was a core component of the operating system, which made it impractical to release a standalone version.

With competition from third-party browsers heating up, though, Microsoft couldn't help but take notice. Redmond did give IE a minor update with Windows XP Service Pack 2. While that added significant features like an integrated pop-up blocker and content protection from certain types of spyware, it's only available to Windows XP users. All Windows 2000 users running IE 6.0 are left out in the cold.

Recently, Microsoft announced it will indeed deliver a new, standalone version dubbed Internet Explorer 7.0 sometime in late 2005 or early 2006. Unfortunately, IE 7.0 won't improve the security situation for Win2000 users, because it's only being developed for WinXP. (See sidebar, "What's Coming in IE 7.0?")

What's Coming in IE 7.0?

The next version of Internet Explorer—version 7.0—is coming later this year or early next. So what's it going to include?

We know that we'll get tabbed browsing a la Mozilla. Of course, third parties have long built shells around IE that offer tabs, and MSN's new toolbar offers tabbed browsing. That's one of the most-cited reasons for using an alternative browser.

It will also support per-pixel gradual transparency in PNG graphics (something in the original PNG spec but not widely implemented). A decent set of additional features is also planned.

What's unclear at this point, however, is how Microsoft will address some of IE's past weaknesses. You can't just rip out the Browser Helper Object (BHO) model, for example, which has been a major entry point for spyware. Major incompatibilities would result. How Microsoft will update this architecture to make it less susceptible to attack remains to be seen (but rest assured that Beta Man will keep you posted).

IE's checkered past with ActiveX controls is also worth addressing in version 7.0. Again, Microsoft can't simply remove the functionality without creating compatibility issues. Hopefully, IE 7.0 will offer broader, more detailed and easier-to-use central configuration through Group Policy. This feature has been sorely under-utilized and under-implemented in previous versions. It doesn't appear as if any of the third-party browser manufacturers are taking advantage of Group Policy, so this is an area where Microsoft could really be competitive.

Unfortunately, the new version of IE will only be available for WinXP (Win2000 is now officially in its "extended support" phase, which essentially means MS doesn't produce new features). By the time you read this, IE 7.0's first public beta should be out or coming very soon. Be sure to check it out.

— D.J.

While IE's existing security shortcomings are indeed serious, there are some fundamental elements of its architecture that leave it open to spyware, adware and other types of malware. The Browser Helper Object (BHO) model in IE, for example, has made it easy for BHO-based spyware to infiltrate millions of home computers. IE's support for embedded ActiveX controls has also been a sore point with IT administrators who justifiably fear the extensive functionality these controls allow—functionality that could just as easily be used for evil as good.

It's no surprise that many organizations are examining their options for browsers other than IE. The numerous advisories from Carnegie Mellon University's Computer Emergency Response Team (CERT) regarding IE security issues should be enough to make browser shopping a priority. But what else is available?

Remember Netscape?
Back in the day, Web browsing was pretty much defined by a company called Netscape and its Navigator Web browser. Once IE came out, though, it trashed Netscape in the marketplace.

Then America Online and Sun teamed up to buy Netscape. (Oddly enough, AOL still has IE as the embedded browser in its client software.) That acquisition led to two critical developments: AOL spun off the core source code for Netscape Navigator to an independent, community-based organization called the Mozilla Foundation. AOL also continued to develop the Netscape browser using the Mozilla source code as a base and adding a great deal of functionality and features.

While there are numerous alternative browsers available today, for all practical purposes, you have three major options (all based on the Mozilla platform):

  • Mozilla: A suite that includes a browser, e-mail client and so on
  • Netscape: A similar suite built on the Mozilla base
  • Firefox: The standalone browser built on the Mozilla core

Other browsers like Opera exist more or less on the sidelines. They have all lost significant market share to the troika of Mozilla-based offerings, especially Firefox, Mozilla's current darling.

Fire It Up
These days, Firefox is probably the most popular replacement for IE. For the most part, it does everything IE can do in terms of Web technologies (supporting XML, CSS, advanced HTML and so on). It also features tabbed browsing, a fairly secure plug-in model and JavaScript support. It obviously lacks IE's support for ActiveX, but many would regard that as an improvement, not a shortcoming.

Firefox can replace IE for most—perhaps 98 percent—of the Web sites out there, although many of those Web sites won't even realize it. In fact, many may display errors or display a downgraded version of the site because they don't properly recognize the Firefox feature set. A Firefox add-in called Prefbar (http://prefbar.mozdev.org) helps Firefox "lie" about its identity, appearing to Web sites as a version of IE. That lets you get through to a larger number of Web sites and render their full experience.

Internal Web sites based heavily on Microsoft-specific technologies present the biggest challenge. Outlook Web Access (OWA) 2003 is a notable exception to Firefox's ability to go head-to-head with IE, because OWA uses XML capabilities that are unique to IE.

For that reason alone, completely eliminating IE in favor of Firefox isn't a practical choice for many organizations. At best, they can suggest using Firefox whenever possible and switching to IE when necessary.
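The following is an added example, not code from the original article: it contrasts a site that decides from the User-Agent header with one that decides from what the browser can actually do, for Firefox with and without an IE identity. The function names, feature lists and the two site profiles are hypothetical (the "ieOnly" profile is a stand-in for an IE-dependent internal site, not a model of OWA), and the User-Agent strings are samples in the format those browsers sent.

```javascript
// Added illustration. Function names, feature lists and site profiles are
// hypothetical; the User-Agent strings are samples in the 2005-era formats.
const IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
const FIREFOX_UA =
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0";

// Features taken from the article's comparison: Firefox handles XML, CSS and
// JavaScript but not ActiveX.
const GECKO = { xml: true, css: true, javascript: true, activeX: false };
const MSHTML = { xml: true, css: true, javascript: true, activeX: true };

const CLIENTS = {
  ie6: { ua: IE6_UA, features: MSHTML },
  firefox: { ua: FIREFOX_UA, features: GECKO },
  // Same engine as above; only the claimed identity differs.
  firefoxAsIe: { ua: IE6_UA, features: GECKO },
};

// Two constructed site profiles: one needs only standard features, the other
// stands in for an internal site built on an IE-only technology.
const SITES = {
  standards: ["xml", "css", "javascript"],
  ieOnly: ["css", "javascript", "activeX"],
};

// What a sniffing site does: trust the header's claimed identity.
function tierBySniffing(ua) {
  return /\bMSIE \d/.test(ua) ? "full" : "downgraded";
}

// What the client can really render, given the site's requirements.
function tierByCapability(features, required) {
  const missing = required.filter((name) => !features[name]);
  return { tier: missing.length === 0 ? "full" : "downgraded", missing };
}

// Classify how the header-based decision relates to the real capability.
function compare(client, required) {
  const sniffed = tierBySniffing(client.ua);
  const actual = tierByCapability(client.features, required);
  let verdict = "agree";
  if (sniffed === "downgraded" && actual.tier === "full") verdict = "wrongly-downgraded";
  if (sniffed === "full" && actual.tier === "downgraded") verdict = "wrongly-admitted";
  return { sniffed, actual: actual.tier, missing: actual.missing, verdict };
}
```

Changing the header fixes the "wrongly-downgraded" case on the standards site, but on the IE-only site it only moves the failure to "wrongly-admitted": the identity changes, the engine does not.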

Also, while it's tighter than IE, Firefox isn't completely free of security problems. A recent CERT advisory (which was Firefox's first) proves that any software can have security bugs. Still, Firefox's lack of support for IE BHOs, ActiveX and other potentially problematic technologies makes it an attractive option.

A Blast from the Past
The folks at AOL and Netscape haven't been sitting back and lazily watching IE and Firefox duke it out. While Netscape's previous version is a cross-platform browser and e-mail suite, the new version (Netscape 8) is a Windows-only effort with a unique twist that may offer a solution to the alternative browser problem. Built on version one of the Mozilla Firefox core, Netscape 8 offers everything Firefox does, like tabbed browsing and a high degree of Web site compatibility.

If you encounter a Web site that the Firefox engine can't handle, click a button and Netscape will initiate the MSHTML engine and reload the site automatically.

Best of all, it remembers your browser preferences, so future visits to those sites will use the preferred engine to display the site. This lets you have a single browser that uses the somewhat safer Firefox engine whenever possible, but gives you the option of using the quick "switch to IE" function for sites that need it. Netscape 8 is the best offering I've seen yet to resolve the alternative browser problem.

The Leading Contenders

Both the forthcoming Netscape 8 and the current version of Firefox are viable alternatives to IE. Here's a quick look at the primary features:

Netscape 8
  • Built on Mozilla/Firefox core
  • Provides tabbed browsing
  • Can use MSHTML engine to re-load sites automatically and function like IE
  • Remembers browser preferences to load sites with Firefox or IE engine

Firefox
  • Provides tabbed browsing and a fairly secure plug-in model
  • Supports JavaScript, XML, CSS, advanced HTML
  • Does not support ActiveX
  • Can trick Web sites into thinking it's IE with Prefbar add-in

Shutting Off IE
If you decide to completely replace IE, you'll have to come to terms with how difficult it is to actually do so. First, you have to realize that IE consists of two basic parts. One is the under-the-hood browser and HTML rendering engine, often referred to as MSHTML. This is the core part of the Windows operating system, and it's exceedingly difficult to get rid of.

The other major part is the graphical user interface (GUI), which actually instantiates the MSHTML. You can hide that GUI to a certain extent by using Windows' "Set Program Access Defaults" utility. That's part of Microsoft's agreement with the U.S. Department of Justice in its antitrust settlement. However, that won't remove IE in its entirety.

Removing IE completely is complex and can cause problems, because many built-in Windows components (including numerous management console snap-ins) rely on it. The best you can do in most situations is to disable IE and use an alternative browser. If you don't use IE to surf Web pages, then most of its security problems won't come into play (for more information on securing IE, read Greg Shields' feature, "Get Serious About Securing IE").

So where does that leave you? It's practical to use a non-IE browser like Firefox for most of your Web browsing. Netscape 8 offers a great combination of Firefox and IE. It can cover any Web site using one of the two rendering engines it supports. From a security perspective, the Firefox and Netscape engines benefit from an architecture that's less extensible. This makes them less open to attack through things like plug-ins and ActiveX controls.

However, both of these alternatives lack any kind of centralized management, which makes them more difficult for enterprises to deploy, maintain and support. With IE 7.0 on the horizon, Microsoft has the opportunity to make drastic changes in the product's architecture and functionality, like making the current difficult-to-manage "security zones" comprehensible and manageable for mere mortals.

That is one significant area where every third-party browser falls down—manageability. Neither Mozilla nor Netscape has yet seen fit to offer their browsers in an IntelliMirror-friendly MSI file (although you could obviously use tools to repackage their EXE-based distributions into an MSI). Doing this would let you distribute the browser with Group Policy. Furthermore, there's no third-party browser I'm aware of that stores user preferences and other settings in the all-important Policies section of the Registry, which would let you centrally configure the browser via Group Policy.

While I can almost understand this shortcoming in a cross-platform browser like Firefox (as other platforms don't have a Registry), it makes no sense in a Windows-specific browser like Netscape 8. To date, the alternative browser developers seem to be focused on individual users more than companies and organizations—a crying shame.

It's unlikely that IE 7 will include any major changes that lead to compatibility issues. That means we may still be working with a highly extensible—and therefore exploitable—architecture. Were the major browser alternatives like Firefox and Netscape to incorporate some centralized management capabilities, they'd be much better alternatives for the enterprise. But despite that, they are still strong alternatives, especially in environments that don't require continued IE support for certain Web sites.

More Information

Read Don Jones' earlier story, "Time to Dump IE?"

Learn about Carnegie Mellon University's Computer Emergency Response Team (CERT)

Get Don Jones' free eBook, Definitive Guide to Securing Windows in the Enterprise

Find out what to expect in Microsoft's IE version 7.0

For tools and strategies to eradicate IE, check out: www.litepc.com
