Al Fasoldt's reviews and commentaries, continuously available online since 1983
Why I can't recommend Internet Explorer 8
By Al Fasoldt
Copyright © 2009, Al Fasoldt
Copyright © 2009, The
Recently, in a private message, a reader castigated me for
ignoring security vulnerabilities in Web browsers that compete with Internet Explorer. The writer went on to say that the
latest version of Internet Explorer was much safer than I give it credit for.
His complaint was prompted by the latest Pwn2Own contest at this spring's CanSecWest security
conference in Vancouver, British Columbia. "Pwn2Own" -- Internet slang for hacking into a device so that you can take it
over -- is a three-day hacker contest held every year with very serious intentions: finding out which operating systems and
programs (Web browsers are favorite targets) can be broken into, with prizes awarded to the hackers who do it the fastest.
Winners get money and can keep the device they hacked into (thus the "own" part of the name).
By "fastest" hacking times, we're not talking days here. Not even hours. The iPhone, which hackers
have targeted every year, was hacked into in 20 seconds in this year's contest. Last year, a hacker competing in Pwn2Own
broke the security of Apple's Safari browser in 10 seconds.
Microsoft, Apple and other software companies attend Pwn2Own to watch what the hackers do so they can
block similar attempts in the future. That makes Pwn2Own a good thing. It clearly helps software designers make safer
programs, and has been a big factor in getting Apple to rethink the way security works (and doesn't work) on the iPhone.
But common sense tells us no software is free from bugs that hackers can exploit. We've also known
for years that Web browsers can be broken into. The results of each year's Pwn2Own competition are helpful and interesting,
but they're not the whole story.
Using only the Pwn2Own results to gauge Web browser security would be like picking the best team in
the American League on the basis of a three-game series between the Yanks and the Red Sox. The whole season tells the
story, not the results of one competition.
And that story is still being written in the case of Internet Explorer 8. It's too new for anyone's
seal of approval. Based on the poor security of its predecessors, Internet Explorer 6 and 7, I'm not about to trust
Internet Explorer 8 at this time. Microsoft's track record is just plain dismal in this area.
And that's what I said, in essence, in the column that raised my reader's ire. You can read it for
yourself at www.technofileonline.com/texts/tec031410.html. In that column, I recommended Safari, Chrome (the free
Google browser) and Opera, a browser from Europe that has many fans. I've also recommended Firefox for years.
I stand by those recommendations. Trusting Microsoft to do a good job after repeatedly failing is
something I'm reluctant to do. When it comes to safety, a good dose of skepticism can be a healthy thing.