Criticism of Internet Explorer
Internet Explorer is a web browser that is subject to many criticisms. Most of the criticism concerns its security architecture and its degree of support of open standards.
Contents |
Criticisms regarding security
Internet Explorer comes under heavy scrutiny from the computer security research community, in part due to its sheer ubiquity. Exploitation of Internet Explorer's security holes has earned IE the reputation as the least secure of the major web browsers.[citation needed]
As of June 23, 2006, security advisory site Secunia counted 20 unpatched security flaws for Internet Explorer 6, many more and older than for any other browser, even in each individual criticality-level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications.[1]
See computer security for more details about the importance of unpatched known flaws.
On June 23, 2004, an attacker using compromised Internet Information Services 5.0 Web servers on major corporate sites used two previously undiscovered security holes in Internet Explorer to insert spam-sending software on an unknown number of end-user computers.[2] This malware became known as Download.ject and it caused users to infect their computers with a back door and key logger merely by viewing a web page. Infected sites included several financial sites.
Probably the biggest generic security failing of Internet Explorer (and other web browers too) is the fact that it runs with the same level of access as the logged in user, rather than adopting the principle of least user access. Consequently any malware executing in the Internet Explorer process via a security vulnerability (e.g. Download.ject in the example above) has the same level of access as the user, something that has particular relevance when that user is an Administrator. Tools such as DropMyRights are able to address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However this added level of security is not installed or available by default, nor does it offer a simple way to elevate privileges ad-hoc when required (for example to access Microsoft Update)
Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT) noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.[3]
Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report.[4]
Microsoft has addressed this problem in two distinct ways with Windows Vista: User Account Control, which forces a user to confirm any action that could affect the stability or security of the system even when logged in as an administrator, and "Protected-mode IE", which runs the web browser process with much lower permissions than the user.[5]
Many security analysts attribute Internet Explorer's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, some critics argue that this is not the full story; the Apache HTTP Server, for example, had a much larger market share than Microsoft IIS, yet Apache has traditionally had fewer (and generally less serious) security vulnerabilities than IIS.[6] In an October 2002 interview, Microsoft's Craig Mundie admitted that Microsoft's products were "less secure than they could have been" because it was "designing with features in mind rather than security."[7] IIS 6 has changed this, however; Secunia has only two vulnerabilities listed for the first three years since its release,[8] compared with 15 for Apache 2.0 in the same time period.[9]
As a result of its many problems, some security experts, including Bruce Schneier, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead.[10] Several notable technology columnists have suggested the same, including the Wall Street Journal's Walt Mossberg,[11] and eWeek's Steven Vaughan-Nichols.[12] On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.[13]
Component Object Model
A number of IE's security issues are related to components based on Component Object Model (COM).[citation needed]
More recently, other experts have noted that the dangers of ActiveX have been overstated and there are safeguards in place. In an April 2005 eWeek opinions column, Larry Seltzer stated:
While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it. My favorite was the "Internet Exploder" incident in which Sun actually paid someone to write a malicious ActiveX control. The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didn't mention that there were any such warnings. Meanwhile, they also didn't mention that a signed Java applet could also perform dangerous privileged operations and would provide similar warnings. Most ActiveX criticism is simply uninformed, but this example was hypocritical and dishonest.[14]
Other browsers that use NPAPI as their extensibility mechanism are suffering the same problems.
The forthcoming Windows Defender monitors Browser Helper Objects in Internet Explorer on Windows XP, Windows Server 2003, and Windows Vista and will warn the user before a new BHO is installed.
Patches
Another common criticism related to the security of Internet Explorer is the speed at which fixes are released after discovery of the problems, and that in some circumstances, the problems were not always completely fixed. For example, after Microsoft released patches to close holes in its Windows NT line of operating systems on February 2, 2004, 200 days after their initial report, Marc Maifrett, Chief Hacking Officer of eEye Digital Security, is quoted in a cNet article as saying:
If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company.[15]
The same article quoted @stake's Chris Wysopal, vice president of research and development as saying:
Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter. It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test.
The Register criticized Maifrett for publicizing a security hole leading to the creation of the Code Red worm, arguing that:
had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems. … When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.[16]
Microsoft attributes the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. A posting to the Internet Explorer team blog on August 17, 2004 explained that there are, at minimum, 234 distinct releases of Internet Explorer that Microsoft supports (covering more than two dozen languages, and several different revisions of the operating system and browser level for each language), and that every combination is tested before a patch is released.[17]
Spyware, adware and Windows XP SP2
Spyware and adware, like other malware, generally target Windows / Internet Explorer based systems. Older spyware attacks based on ActiveX have largely been mitigated by the security improvements in Windows XP SP2, but newer attacks against Internet Explorer allow the installation of spyware on SP2.[citation needed] Some viruses on IE make IE turn into Firefox. Some argue this isn't a virus at all, but rather a really good patch
Criticisms regarding support of open standards
During the browser wars of the late 1990s, modifications of Internet Explorer and Netscape Navigator were focused on the addition of non-standard features.
Although each version of IE has improved standards support, including the introduction of a "standards-compliant mode" in version 6, the core standards that are used to build web pages (HTML and CSS) are sometimes implemented in an incomplete and incorrect fashion. For example, there is no support for the <abbr> element which is part of the HTML 4.01 standard, and there are bugs in the implementation of float-margins for the CSS1 standard.
Because of its market dominance, some web developers only test their websites with Internet Explorer. Some developers also use non-standard extensions offered by Internet Explorer. This can cause pages to be rendered incorrectly in other browsers. In the worst case, it could block the users of other browsers from accessing the non-compliant sites created for IE.
XHTML
Internet Explorer does not support native XHTML[18] (the successor to the standard document markup language HTML).
Existing workarounds include serving XHTML pages as text/html for non-compliant browsers, based on the User-Agent HTTP Request Header[19]. This requires to follow the W3C XHTML 1.0 Annex C when creating the page; note that it prevents you from using XML's advanced functionalities such as embedded namespaces in a reliable manner.[citation needed]
One way to identify XHTML-supporting user agents is to check that 'application/xhtml+xml' is specifically mentioned in the User-Agent HTTP Request Header, and not rely on the web server's detection – due to IE reporting its support for any ('*/*') MIME type, it is inferred it supports XHTML – which is not the case (see Chris Wilson's IEblog entry on the topic).
HTTP and MIME
Internet Explorer does not obey some MIME types specified in the MIME Content-Type header.[20][21]
Internet Explorer does not fully support HTTP/1.1 content negotiation, because the browser does not specify, in its requests, what character encodings it can accept.[citation needed] Content negotiation is a technique whereby an HTTP server uses the browser's—ultimately, the user's—preferences for media (MIME) type, languages, character encoding, and transfer encoding (for example, compression) in order to determine the best representation of a resource to send to a user agent, when multiple representations are available. An example would be the negotiation of image format (such as SVG, PNG, or GIF), and document format (WML, XHTML, or HTML, for instance).
CSS
While Internet Explorer – especially versions prior to 7.0 [citation needed]– recognizes most of the CSS Level 1 features[citation needed], as well as parts of CSS2, it misinterprets some of them[citation needed], resulting in inconsistent rendering behaviour.[citation needed] A number of "CSS hacks" were created to work around the various flaws[citation needed] in Internet Explorer's incorrect CSS parsing. While Internet Explorer 7 does fix some of the flaws with rendering, and adds support for CSS 2 features such as selectors, its support for the CSS 2 specification remains unfinished. Notable examples of improper support for CSS include:[22]
- failure to interpret the W3C "Box" model
- inconsistent rendering of floating <DIV> layers
- "min-width" and "max-width" issues (also "min-height" and "max-height")
- little support for pseudo-classes such as :hover and :active
- inconsistent interpretation of CSS hierarchy
- misinterpretation of block element attributes, including:
- position (fixed|absolute|relative|static)
- display (block|inline|table)
JavaScript and DOM
Microsoft has implemented Netscape's original JavaScript specification to create a scripting language called JScript, which is the default scripting language interpreted in Internet Explorer. Like Netscape's JavaScript implementation, JScript supports the full specification of ECMAScript.
What is different is the Document Object Model (DOM) bound with JScript. While all browsers have their own implementation of DOM Level 0 (vendor-specific), Internet Explorer implemented only some of the W3C recommended DOM Levels (1, 2 and 3).[citation needed] In addition, before DOM Level 2 was finalized, IE implemented some proprietary extensions to DOM which are similar, but not identical, to those in DOM Level 2. As the corresponding (finalized) DOM Level 2 objects and methods are not implemented in Internet Explorer, problems arise when trying to write scripts that work on any browser. Web developers often need to write extra code so that the scripts will work on both Internet Explorer and on browsers that correctly implement the W3C standards. This duplication increases development effort, results in code bloat, and makes code maintenance harder.
PNG graphics
The lack of support for PNG alpha channel in versions prior to IE 6 resulted in a reduced usage of the PNG image format on web pages[citation needed]. Alpha channel is a feature that, although being an optional part of the specification, distinguishes PNG from other formats like GIF or JPEG. In Internet Explorer, the transparent part of the image will be displayed as gray, white or other colors, depending on the image editor in which the PNG image was created. Microsoft documented a workaround on its support website, and the IE developers are aware of the missing functionality, as evidenced by a posting on IE developer Dave Massey's weblog.
This issue was fixed in Internet Explorer 7.
PNG graphics gamma bug
Embedded in every PNG file is a piece of metadata that specifies the gamma setting of the computer on which the image was created. The idea is that when the PNG is displayed on another computer, this gamma value can be extracted and used to compensate for color differences between the two systems, thereby displaying the PNG as the author intended. GIF and JPEG do not contain this metadata information. The result is that when a PNG is placed on a web page next to a GIF, JPEG, or HTML color of exactly the same RGB value, its colors appear to be different. This color glitch happens only in all versions of Internet Explorer; it does not exist in other modern web browsers such as Firefox 1+, Safari 2+, and Opera 7+. This bug can be fixed with TweakPNG for Windows users (1. open your PNG file, right-click on the gAMA row, and choose ‘delete’), and PNGCrush for users of other operating systems like Mac and Linux. Mac OSX installation instructions can be found here.
PNG graphics CSS bug
Applying CSS display block and padding values on PNGs creates a bug within Internet Explorer 6 in which the PNG's width and height includes the padded values.[citation needed]
SVG graphics
The lack of support for SVG in IE has resulted in a reduced usage of the SVG image format on web pages. [citation needed] Although supported natively in Opera, Mozilla and Safari, IE7 does not support SVG except via a 3rd party plugin.[citation needed]
Unicode
- See also: font substitution
Internet Explorer 6 supports the Unicode standard for multilingual text, and is therefore capable of displaying any character which is present in an installed font.[citation needed] However, Internet Explorer's font substitution method sometimes fails to choose an appropriate font, and some characters may end up being displayed as blank squares or question marks.[citation needed]
Web designers must guess which appropriate fonts may be present on users' computers, and manually specify them for every change of Unicode block.[citation needed] In contrast, most other browsers do this automatically.[citation needed]
Plugin API
Internet Explorer did, for a time, support Netscape's NPAPI version 4. Plugins that functioned in the Netscape browser also functioned in Internet Explorer, but the support was dropped in version 5.5 SP2 in favor of Microsoft's own ActiveX technology.
Workarounds
To get around these problems, web designers must build websites compliant to W3C standards[citation needed], and then implement workarounds as necessary to account for Internet Explorer's rendering inadequacies[citation needed], or hide advanced website features from IE altogether.[citation needed] These CSS 'hacks' are often very complicated, as they need to deal with different versions of IE on different platforms (Officially Windows and Mac[citation needed]) often contributing to code bloat. The workarounds utilize not just Internet Explorer-specific features[citation needed], but also some rendering-engine bugs that are well known.[citation needed] Some of the more common hacks:
- Exploiting the "Star HTML selector" bug
- Exploiting the underscore hack
- Using CSS2 selectors that IE doesn't recognize
- Using JScript/VBScript and the IE CSS behavior
- Using the IE CSS filters
- Using the IE conditional comments
- Modifying Internet Explorer directly
With the release of Internet Explorer 7, Microsoft addressed many shortcomings of previous versions, including a notable improvement of IE's support for the CSS2.1 standard. Some might find it ironic that the browser's new, improved CSS engine was so confounded by the hacks commonly utilized to mitigate deficiencies of its predecessors that Microsoft urged developers to remove CSS hacks in an article posted on its IEBlog. In order to support IE7 without compromising compatibility with previous versions, many web designers employ conditional comments, however this also contributes to code bloating.
Other criticisms
Lack of development 2001–2005
The release of Windows XP Service Pack 2 in August 2004 was the only time Microsoft released any significant changes to Internet Explorer between the release of Windows XP and the recent release of IE 7.0. Although Microsoft has released numerous updates to Internet Explorer during this time period, until Service Pack 2, those updates were primarily security updates.
Before Service Pack 2 was released, some users began to suspect that IE development (in terms of potential enhancements to the product) had been abandoned once Microsoft had 'won the browser wars'.[citation needed] IE Product Manager added to the fears of these users when he announced in an interview in 2003 that "IE6 SP1 is the final standalone installation," indicating that its far-off (in 2003) Codename Longhorn operating system would be the sole platform for which any further enhancements would be released.[citation needed]
Microsoft has since reversed that decision, and announced that version 7, like several other features originally intended for Windows Vista, would be available freely to all Windows XP users as well. Microsoft also re-committed itself to supporting and enhancing IE 6 for Windows XP users, by releasing Service Pack 2. It added several new features intended to enhance security, including a pop-up blocker.
Unclear error messages
Internet Explorer also obfuscates error messages. "Page could not be displayed" is produced in many situations, and may indicate an HTTP 404 error, a DNS lookup failure, TCP error, SSL problem and probably many more.[citation needed] Although the actual problem is described in small type at the bottom, the prominence of "Page could not be displayed" means that it is typically the only text that will be reported to webmasters, leaving unsure what the problem was and unclear whether or not they need to take corrective action.[citation needed] This problem is exacerbated by the fact that Microsoft's IIS Web server software uses very similar error pages for server-side errors as well, introducing yet another type of error which, to the user, looks identical to all the rest.[citation needed] Error messages in Internet Explorer 7 have, however, been improved to be more informative and to offer more support to help the user identify and fix any possible problems that may be causing the error to be displayed.[citation needed]
Stability
Any webpage with the following code will crash Internet Explorer 6: [4]
<script>for(x in document.write){document.write(x);}</script>
When run in Mozilla Firefox, however, it just prints the word 'prototype' to the screen.
Other simple codes could crash Internet Explorer 6 [5] but most of these have been fixed.
Footnotes
- ^ PNG Files Do Not Show Transparency in Internet Explorer, February 13, 2005.
- ^ Transparent PNG Support, May 12, 2005.
- ^ Cannot View Some PNG Images, May 12, 2005.
- ^ PHP: imageinterlace, May 12, 2005.
- ^ Forcing IE to Show Application/xhtml+xml pages, May 12, 2005.
- ^ Does Microsoft Internet Explorer accept the media type application/xhtml+xml?, July 21, 2004.
- ^ Sending XHTML as text/html Considered Harmful, February 13, 2005.
- ^ /IE7/, May 12, 2005.
- ^ Call to action: The demise of CSS hacks and broken pages, October 12, 2005.
- ^ How to Protect Yourself From Vandals, Viruses If You Use Windows, May 12, 2005.
- ^ Internet Explorer Is Too Dangerous to Keep Using, May 12, 2005.
See also
References
- ^ Vulnerability Report – Microsoft Internet Explorer 6.x. Secunia. Retrieved on 2006-06-23.
- ^ Researchers warn of infectious Web sites (June 25, 2004). Retrieved on 2006-04-07.
- ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
- ^ Perspective: A safe browser? No longer in the lexicon. CNet (July 7, 2005). Retrieved on 2006-04-07.
- ^ Protected Mode in Vista IE7. Internet Explorer team blog. Microsoft (February 9, 2006). Retrieved on 2006-04-07.
- ^ Wheeler, David (November 14, 2005). Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers!.
- ^ Thomson, Iain (October 9, 2002). Microsoft outlines security strategy. vnunet.com. Retrieved on 2006-04-07.
- ^ Vulnerability Report – Microsoft Internet Information Services (IIS) 6. Secunia. Retrieved on 2006-04-07.
- ^ Vulnerability Report – Apache 2.0.x. Secunia. Retrieved on 2006-04-07.
- ^ Safe Personal Computing (December 12, 2004). Retrieved on 2006-04-07.
- ^ Mossberg, Walt (September 16, 2004). How to Protect Yourself From Vandals, Viruses If You Use Windows. Personal Technology. Wall Street Journal. Retrieved on 2006-04-07.
- ^ Vaughan-Nichols, Steven (June 28, 2004). Internet Explorer Is Too Dangerous to Keep Using. Linux & Open Source – Opinions. eWeek. Retrieved on 2006-04-07.
- ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
- ^ Seltzer, Larry (April 14, 2005). The Lame Blame of ActiveX. Security — Opinions. eWeek. Retrieved on 2006-04-07.
- ^ Lemos, Robert (February 13, 2004). 200 days to fix a broken Windows. cNet. Retrieved on 2006-04-07.
- ^ Greene, Thomas (July 20, 2001). Internet survives Code Red. The Register. Retrieved on 2006-04-07.
- ^ The Basics of the IE Testing Matrix. Internet Explorer team blog. Microsoft (August 17, 2004). Retrieved on 2006-04-07.
- ^ W3C. XHTML media type test. Retrieved on May 1, 2005.
- ^ Tip: Configure Apache to send the right MIME type for XHTML. IBM. Retrieved on 2007-04-15.
- ^ Handling MIME Types in Internet Explorer
- ^ MIME Type Detection in Internet Explorer
- ^ Next Explorer to fail Acid Test
External links
- Just what has Microsoft Been Doing for IE 7.0? (Slashdot)
- A 30-day relevation of a sequence of IE vulnerabilities
- Secunia – Vulnerability Report – Microsoft Internet Explorer 6.x
- Explorer Exposed!
- The Door Is Ajar — An "anti-IE" article by a Sun Microsystems technology director Tim Bray.
- Why You Should Dump Internet Explorer — An "anti-IE" article by a MCSE Daniel Miessler.
- Browse Happy — An "anti-IE" campaign by the Web Standards Project
- Drip — A utility to detect and measure IE's memory leaks.
- IE Leak Patterns — Microsoft's analysis of IE's memory leak problem.
- Internet Explorer Exploits
- Rendering problems in Internet Explorer
- How the web was almost won — Just how close did we come to a Net ruled by Microsoft? The "server wars" show a grim counterpart to the browser wars
- What's wrong with IE?
- Crash Internet Explorer
- The Internet Explorer Hatelisting