Internet Explorer

Internet Explorer is derived from Spyglass, Inc.'s version of Mosaic. Microsoft licensed Spyglass's software in 1995, in an arrangement under which Spyglass would receive a quarterly fee plus a percentage of Microsoft's revenues for the software. Microsoft subsequently gave Internet Explorer away for free, and thus (making no direct revenues on IE) paid only the minimum quarterly fee. In 1997, Spyglass threatened Microsoft with a contractual audit, in response to which Microsoft settled for US $8 million. [3]

Later, IE was modified to integrate more closely with Microsoft Windows. Version 4.0 included an option to enable "Active Desktop" which displays Web content on the desktop itself and was updated automatically as the content changed. This could include presets such as an investment channel or a weather map channel. The user could select other pages for use as Active Desktops as well.

Main article: Microsoft antitrust case

In a legal case brought by the US Department of Justice and twenty U.S. states, Microsoft was accused of breaking an earlier consent decree, by bundling Internet Explorer with their operating system software. The department took issue with Microsoft's contract with OEM computer manufacturers that bound the manufacturers to include Internet Explorer with the copies of Microsoft Windows they installed on systems they shipped. Allegedly, it would not allow the manufacturer to put an icon for any other web browser on the default desktop in place of Internet Explorer. Microsoft maintained that integration of its web browser into its operating system was in the interests of consumers.

Microsoft asserted in court that IE was integrated with Windows 98, and that Windows 98 could not be made to operate without it. Australian computer scientist Shane Brooks later demonstrated that Windows 98 could in fact run with IE files removed. [4] Brooks went on to develop software designed to customize Windows by removing "undesired components". [5] Microsoft has claimed that the software did not remove all components of Internet Explorer, leaving many dynamic link library files behind.

On April 3 2000, Judge Jackson issued his findings of fact that Microsoft had abused its monopoly position by attempting to "dissuade Netscape from developing Navigator as a platform", that it "withheld crucial technical information", and attempted to reduce Navigator's usage share by "giving Internet Explorer away and rewarding firms that helped build its usage share" and "excluding Navigator from important distribution channels". [6]

Jackson also released a remedy that suggested Microsoft should be broken up into two companies. This remedy was overturned on appeal, amidst charges that Jackson had revealed a bias against Microsoft in communication with reporters. The findings of fact that Microsoft had broken the law, however, were upheld. Seven months later, the Department of Justice agreed on a settlement agreement with Microsoft. However as of 2004, although nineteen states have agreed to the settlement, Massachusetts is still holding out.

Internet Explorer comes under heavy scrutiny from the computer security research community, in part due to its sheer popularity. Exploitation of Internet Explorer's security holes has earned IE the reputation as the least secure of the major browsers (which include Safari, Mozilla Firefox, Mozilla and Netscape, Opera, and Konqueror).

Microsoft periodically issues security patches which can be automatically or manually downloaded and installed to update the browser. Microsoft's recent Windows XP Service Pack 2 adds several important security features to Internet Explorer, including a popup blocker and additional security for ActiveX controls. ActiveX support remains in Internet Explorer although access to the 'Local Machine Zone' is denied by default since Service Pack 2. However, once an ActiveX control runs and is authorized by the user, it can gain all the privileges of the user, instead of being granted limited privileges as Java or JavaScript do.

As of 03:33, December 13 2004 (UTC), security advisory site Secunia.com counts 20 security flaws unpatched (not yet fixed) for Internet Explorer 6, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications. [7] In comparison, Secunia reports three security flaws unpatched in the competing Mozilla Firefox 1.0, and two security flaws unpatched in the competing Opera 7.54. [8] [9] See computer security for more details about the importance of unpatched known flaws.

Critics have claimed that security fixes take too long to be released after discovery of the problems, and that the problems are not always completely fixed. After Microsoft released patches to close 20 holes in their general operating system in February 2003, Marc Maifrett, Chief Hacking Officer of eEye Digital Security, stated that "If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company." [10] Maifrett was criticised by The Register, however, for disclosing a security hole that lead to the creation of the Code Red worm and stated that "had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems" [11]. Microsoft attribute the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. The browser is released in 26 different languages on many different Windows platforms. Therefore, it is estimated that each patch is tested on at least 237 installations. [12]

The United States Computer Emergency Readiness Team (US-CERT) does note that IE's design makes it very difficult to secure. They note that "There are a number of significant vulnerabilities in technologies relating to the IE ___domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX... IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system." [13]

In addition, some security exploits associated with Internet Explorer are made possible through normal usage patterns of users of Microsoft Windows. For example, in Windows XP, it is the default system behavior to allow normal users to log into accounts with administrator privileges for everyday computer use. In this situation, an exploit which allows a cracker to run arbitrary code, effectively gives away control of the entire computer. This would be the case for any browser which ran with unrestricted privileges. Because the everyday use of root accounts for normal users is rare on other operating systems, attacks which rely upon inappropriately restricted browser processes are most often targeted at Windows-based browsers. However, many programs on Windows do not work or work poorly without administrator privileges, so what are considered normal security practices on other operating systems are sometimes impractical to perform on Windows.

On June 24, 2004, an attacker using compromised Microsoft IIS Web servers on major corporate sites used two previously-undiscovered security holes in IE to insert spam-sending software on an unknown number of end-user computers. [14] [15] [16]

On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites. [17]

Many security analysts attribute IE's frequency of exploitation in part to its popularity, since its market dominance makes it the most obvious target. However, many others argue that this is not the full story; the Apache web server has a much larger market share than Microsoft IIS, yet Apache has had fewer (and generally less serious) security vulnerabilities than IIS. [18] Microsoft's Craig Mundie has admitted that Microsoft's products were "less secure than they could have been" because they were "designing with features in mind rather than security" -- even though most people didn't use those new features. [19]

As a result of its many problems, some security experts, including Bruce Schneier and David A. Wheeler, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead. [20] [21] Several technology columnists have suggested the same [22] [23] [24], and in December 2004 Pennsylvania State University issued an alert to students and staff telling them to drop IE and use an alternative. [25] There have also been discussions about removing IE, but as the next section shows, what this means (and doing it) is more complicated.

The idea of removing Internet Explorer from a Windows system was first proposed during the Microsoft anti-trust case. Later, some security advocates took up the idea as a way to protect Windows systems from attack via IE vulnerabilities. Whether the net benefit of removing IE exceeds the cost, and indeed what it means to "remove IE", are disputed.

Simply installing and using another browser does not prevent third party programs and core operating system components from using IE libraries. Thus, a user who does not use IE to browse the Web can still be targeted by attacks against vulnerabilities in these libraries -- for instance, via Outlook Express or the Windows Help subsystem. However, removing the IE libraries will cause these programs, and other software which depends upon them, to cease functioning or even to crash the system.

It is unclear what it means to "remove IE" because such a removal depends on being able to determine which files or functions on an installed Windows system are part of IE — that is, to draw a line between IE and the rest of Windows. Microsoft has held that this is not meaningful; that "IE" is no longer (as it was prior to Windows 98) a separate piece of software, but simply a brand name for the Web-browsing and HTML-displaying capacities of the Windows operating system. In this view, the result of removing IE is simply a damaged Windows system; to have a working system without IE one must replace Windows entirely.

In contrast, some programmers and security writers have held that it is possible to have a useful and working Windows system with IE excised. Consultant Fred Vorck, who advocates that consumers should have the choice to remove "integrated" features of Microsoft Windows [26]; Dino Nuhagic, who is the creator of nLite — a product that allows users to remove Windows components like Internet Explorer and Windows Media Player, amongst others [27]; and Shane Brooks, who created LitePC to remove and manage Windows components [28], have all suggested removing Internet Explorer from computers in order to decrease exposure to security risks on the Internet [29].

It is possible to remove Internet Explorer from Windows 95, 98 and ME (see instructions on the Netscape website [30] and on Microsoft's website [31]), as well as from Windows 2000 and Windows XP at installation time. Microsoft claims that attempting to remove Internet Explorer from Windows may result in system instability.

Microsoft's position is in contrast with other operating systems and browsers. Other operating systems typically include at least one browser -- for instance Safari and Internet Explorer for Mac in Mac OS X; Mozilla in Red Hat Enterprise Linux. However, in these systems the web browser can be removed or replaced like any other application.

Internet Explorer's rendering engine fails to completely implement the web standards as defined by the World Wide Web Consortium (W3C). Although with each version Microsoft has improved standards support, including the introduction of a "standards-compliant mode" in version 6, the core standards that are used to build web pages (HTML and CSS) are still implemented in an incomplete fashion. For example, there is no support for the <abbr> tag which is part of the HTML 4.01 standard, and there are bugs in the implementation of float-margins for the CSS1 standard. [32] [33] The buggy implementation of W3C box model is also one of the best-known bugs in Internet Explorer's implementation of CSS.

Thanks to these bugs, many developers have been using workarounds and hacks that utilize other bugs in the rendering engine, so as to hide and override CSS property settings from Internet Explorer. The CSS hacks are often very complicated, as they need to due with different versions IE under different platforms (mostly Windows and Mac). Some of the more common CSS hacks:

• Exploiting HTML selector bug
• Exploiting CSS parsing bug
• Using CSS2 selectors that IE doesn't recognize

Pages that are designed to be compliant with W3C standards may not render correctly in Internet Explorer, and can crash the browser in the worst case [34]. However Internet Explorer's dominance of the web-browser market for the last 5 years has lead many web developers to treat it as a de facto standard and design their websites for IE's characteristic rendering, rather than coding them to conform to the W3C standards. This leads to problems for users who use other web browsers.

Conversely, many other web designers build websites compliant to W3C standards, and then implement workarounds or hacks to account for Internet Explorer's rendering inadequacies, or to hide advanced website features from IE.

In order to render as many web pages as possible, Microsoft has designed Internet Explorer's rendering engine with strong fault-tolerance in mind. It will compensate for errors made by web designers while building web pages, by filling in missing HTML tags and ignoring structural problems. The impact of this decision is mixed. This tolerance of invalid pages does help typical end-users who have asked to view that specific page, since even terribly nonstandard pages still provide information. However, since some developers test only by seeing if IE renders a page, nonstandard pages have proliferated, making it more difficult to create tools (such as specialized search tools) that automatically process and analyze web pages.

As of 2004, the current version number of IE for Windows XP is 6.00.2900.2180, while Windows Server 2003 includes Internet Explorer version 6.00.3790.0000.

The current version of IE 6, mainly focusing on improving security, was included as part of Windows XP Service Pack 2 in August 2004. This update also includes the much requested pop-up blocker.

In a May 7, 2003 Microsoft online chat, Brian Countryman, Internet Explorer Program Manager, declared that on Microsoft Windows, Internet Explorer will cease to be distributed separately from the operating system (IE 6 being the last standalone version) [35]; it will, however, be continued as a part of the evolution of the operating system, with IE updates coming bundled in OS upgrades. Thus, IE and Windows will be kept more in sync: it will be less likely that people will use a relatively old version of IE on a newer version of Windows, and newer versions of IE will not be usable without an OS upgrade.

• Version 1.0 (Final) – August 1995
• Version 2.0 (Final) – November 1995
• Version 3.0 (Final) – August 1996
• Version 4.0 (Final) – October 1997
• Version 5.0 (Final) – March 1999
• Version 5.5 (Final) – July 2000
• Version 6.0 (Final) – October 2001

Freely downloadable copies of all versions of Internet Explorer, including Spyglass' original Mosaic browser, can be obtained from the Browser Archive maintained by Adrian Roselli. [36]

The rendering engine and other common user interface components for the Windows version of MSIE are used in alternative interfaces, including the following Internet Explorer "shell" applications:

• Avant Browser
• Crazy Browser
• iRider
• Maxthon (formerly MyIE2)
• NetCaptor
• NeoPlanet
• SlimBrowser

These applications supplement some of MSIE's usual user interface components for browsing, adding features such as popup blocking and tabbed browsing. Other applications, such as Intuit's Quicken and QuickBooks, AOL, Winamp, and RealPlayer, use the MSIE rendering engine to provide a limited-functionality "mini" browser within their own user interfaces.

On Windows, components of MSIE are also used in Explorer, the operating system component that provides the default filesystem browsing and desktop services.

IE components are also used to render HTML portions of email messages in Microsoft's popular Outlook and Outlook Express mail management software. This integration, while convenient, is one of the most often exploited "back doors", since the IE components make available more functionality to the HTML code than some feel should be permitted in the context of email messages, and Outlook and Outlook Express have, historically, not done enough to prevent malicious code from taking advantage of that functionality. The latest updates for Outlook Express, which require Windows XP and are distributed with Service Pack 2, are intended to improve this situation. Outlook 2003 already includes many of the updates.

While all of these programs can customize Internet Explorer's user interface and extend the feature set, they cannot modify Trident and are therefore subject to all of the benefits and all of the vulnerabilities of IE (including security holes and incorrect renders based on W3C standards).

In addition to programs using Internet Explorer’s rendering engine, there are also programs that add extra features to Internet Explorer:

• Coeus
• IEWatch

While in many ways similar to competing browsers, Internet Explorer also has features which differentiate it.

These are features found in Internet Explorer alone, which are not found in other common browsers.

• Sold as a component of Windows, and as such available built-in on most PCs.
• Extensible using COM
• Remote administration across a corporate network
• Partial support for Ruby characters
• Out-of-the-box support for vertical text and Photoshop-style image filters
• .NET integration - As part of the WebService behavior, makes integration of server and client side code easier, and enables applications to call functions on the server asynchronously
• Native Windows interface and controls
• Componentized implementation on Windows allows a high level of integration with other applications; allows integration with user interfaces in the operating system such as Explorer, which handles filesystem navigation and the desktop; and allows applications to build on IE by creating alternative browsing shells that supply popular features such as popup blocking, tabbed browsing and mouse gestures
• Fault-tolerant addon-manager
• Complex tailoring of security settings, but also a simplified choice of security zones
• Content Advisor for screening out objectionable content by using industry-standard ratings

These are features found in Internet Explorer and some other browsers.

• Auto-update facility for addons
• Includes a wide array of popular plugins and features such as JavaScript, Shockwave and Flash
• Search facility with step-by-step refinement and page preview (Search Companion), since version 6; Mozilla Firefox's search system is different but also provides a built-in search facility with refinement
• Customisable pop-up blocker
• Range of options for accepting and restricting cookies
• New set of events related to the use of the mouse wheel
• Fault collection offers users the option to extract information about an Internet Explorer fault and upload the data to Microsoft for analysis

These are features found in other common browsers, which Internet Explorer lacks.

• Full support for the W3C's CSS2 standard. (See, e.g., this page in IE and CSS2-compliant browsers.)
• Full support for XHTML MIME types.
• Full support for PNG images. IE renders PNG images without alpha transparency.
• Full support for W3C's DOM methods in JavaScript.
• Support for XML entities like &apos; in XHTML [37].
• Native support of tabbed browsing.
• Netscape Plugin Application Program Interface (NPAPI) that was originally supported by IE.

These are concerns and problems facing Internet Explorer users which do not, today, affect users of other browsers.

• Spyware and adware generally targets Windows / Internet Explorer based systems. Older spyware attacks have largely been mitigated by security improvements in Windows XP SP2, but newer attacks against Internet Explorer allow the installation of spyware on SP2. Microsoft advises against installing SP2 on a system which is already infested with spyware, as it can cause the system to become unbootable.

Failure to clean up spyware and adware on your computer before installing SP2 can cause issues and in some cases make your computer difficult to restart. You may not even know that spyware or adware programs are installed on your system. And some spyware or adware programs may not cause serious issues with SP2, but it's a good idea to run spyware and adware removal programs before installing SP2 [38]

Depending on the type of spyware installed, removing it in preparation for an SP2 upgrade can be as simple as running an anti-spyware tool, or in serious cases require manual editing of the Windows Registry. Nevertheless, security experts generally recommend installing Service Pack 2.

• Although security patches continue to be released for a range of platforms, most recent feature additions and security improvements were released for Windows XP only.
• ActiveX controls, once run, have all the users' privileges instead of the limited privileges granted by competing approaches (like Java and JavaScript); ActiveX controls are also non-standard and are not portable to non-Windows platforms. As pointed out by Professor Edward Felten of Princeton University:

ActiveX security relies entirely on human judgement. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program. ... The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. ... The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. ... The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well. [39]

The security problems of ActiveX were first demonstrated in February 1997 by the Chaos Computer Club (CCC), who demonstrated an ActiveX control that could communicate with an installation of Intuit's Quicken financial software on a user's hard drive to automatically transfer money from a user's account to CCC's bank account. [40]

The U.S. Department of Defense (DoD) defines ActiveX as a category 1 (maximum risk) mobile code technology, and strictly limits how ActiveX can be used in DoD systems. [41]

• A general history of repeated vulnerabilities, far in excess of other browsers, leading many experts to conclude that IE is a far less secure browser
• Last major version release was version 6 in August 2001, although two service packs have been released since then.

• History of the Internet
• List of web browsers
• Comparison of web browsers
• Browser wars
• Encarta

• Internet Explorer Home
• IEBlog - the Microsoft Internet Explorer Weblog
• Internet Explorer Community - The official Microsoft Internet Explorer Community
• Changes in Internet Explorer for Windows Server 2003 - chat transcript with Brian Countryman (Internet Explorer Program Manager) and Rob Franco (Internet Explorer Program Manager) for Microsoft TechNet
• How to Uninstall Internet Explorer 6 - Microsoft support article for pre-XP versions of Windows
• Chris Beach: "Why I Support Internet Explorer in the New Browser Wars" - opinion piece
• StopIE - opinion piece
• Browse Happy - 'Anti-IE' campaign by the Web Standards Project
• Better Browsing with Service Pack 2 - Benefits of SP2 with Internet Explorer