Al Fasoldt's reviews and commentaries, continuously available online since 1983


Why I can't recommend Internet Explorer 8

By Al Fasoldt
Copyright © 2009, Al Fasoldt
Copyright © 2009, The Post-Standard

   Recently, in a private message, a reader castigated me for ignoring security vulnerabilities in Web browsers that compete with Internet Explorer. The writer went on to say that the latest version of Internet Explorer was much safer than I give it credit for.
   His complaint was prompted by the latest Pwn2Own contest at this spring's CanSecWest security conference in Vancouver, British Columbia. "Pwn2Own" -- Internet slang for hacking into a device so that you can take it over -- is a three-day hacker contest held every year with very serious intentions: Finding out which operating systems and programs (Web browsers are favorite targets) can be broken into, with prizes awarded to the hackers who do it the fastest. Winners get money and can keep the device they hacked into (thus the "own" part of the name).
   By "fastest" hacking times, we're not talking days here. Not even hours. The iPhone, which hackers have targeted every year, was hacked into in 20 seconds in this year's contest. Last year, a hacker competing in Pwn2Own broke the security of Apple's Safari browser in 10 seconds.
   Microsoft, Apple and other software companies attend Pwn2Own to watch what the hackers do so they can block similar attempts in the future. That makes Pwn2Own a good thing. It clearly helps software designers make safer programs, and has been a big factor in getting Apple to rethink the way security works (and doesn't work) on the iPhone.
   But common sense tells us no software is free from bugs that hackers can exploit. We've also known for years that Web browsers can be broken into. The results of each year's Pwn2Own competition are helpful and interesting, but they're not the whole story.
   Using only the Pwn2Own results to gauge Web browser security would be like picking the best team in the American League on the basis of a three-game series between the Yanks and the Red Sox. The whole season tells the story, not the results of one competition.
   And that story is still being written in the case of Internet Explorer 8. It's too new for anyone's seal of approval. Based on the poor security of its predecessors, Internet Explorer 6 and 7, I'm not about to trust Internet Explorer 8 at this time. Microsoft's track record is just plain dismal in this area.
   And that's what I said, in essence, in the column that raised my reader's ire. You can read it for yourself at www.technofileonline.com/texts/tec031410.html. In that column, I recommended Safari, Chrome (the free Google browser) and Opera, a browser from Europe that has many fans. I've also recommended Firefox for years.
   I stand by those recommendations. Trusting Microsoft to do a good job after repeatedly failing is something I'm reluctant to do. When it comes to safety, a good dose of skepticism can be a healthy thing.