Addressing Web Browser Security Internet Explorer, Netscape Communicator, Mozilla Firefox & Opera by Carole Levitt J.D., M.L.S. & Mark Rosch

Over the course of the past two years,reports of the security vulnerabilities of Microsoftís Internet Explorer (IE) have made Internet users give more consideration to their Web browser. These vulnerabilities can allow hackers to obtain sensitive information from a userís computer. While all users of Web browsers are vulnerable to identity theft, attorneys need to give additional consideration to the security of the confidential client information on their computers.

Until recently, most Internet users did not give much thought to what Web browser they used. In fact, for the majority of Internet users, “Web browser” and “IE” were essentially interchangeable. Since its introduction in 1995, IE has surged ahead of the pack to become the most used browser. The IE browser is closely integrated with Microsoft’s Windows operating systems and as a result comes already installed on the vast majority of computers sold. The most used browser is not necessarily the most popular, however.

Explorer is not the only, nor the first, Web browser. The graphical Web browser was first developed by the National Center for Supercomputer Applications (NCSA) at the University of Illinois in 1993. The following year, a number of key members of the development team left to produce a commercial version, which they dubbed Netscape Navigator.

In response, Microsoft launched IE, and in December 2002, OneStat, a provider of Internet usage statistics, reported that IE had a total global usage share of 95 percent, while the global usage share of Netscape was 3 percent. That lopsided percentage held until news of IE’s vulnerabilities began to make headlines. By November 2004, Websidestory, another provider of Internet traffic statistics, reported that IE had suffered five straight months of declining use and that its market share had slipped from 95.5 percent in June 2004 to 92.9 percent in October 2004. By May 2005, Explorer's market share had shrunk to 88.9 percent. The primary recipients of Microsoft’s lost market share were the open source browser Firefox (older versions of which are known as Mozilla) and Netscape Navigator. By May 2005, 6.8 percent of Internet users were browsing with Firefox, and 2.2 percent were using Navigator, according to Websidestory. The other 2 percent of browser usage was split primarily between Opera and Safari, with other browsers not registering a measurable percentage.

Firefox is available as a free download from the Mozilla Foundation (www.mozilla.org). Versions of the browser are available for Windows, Apple, and Linux operating systems. Mozilla was the original code name for the browser that became Netscape Navigator. In January 1998, Netscape Corporation announced that it would make the source code for the Netscape browser open and freely available to software developers worldwide. Since then, volunteer software developers have refined that original code to create Mozilla (and now Firefox). The developers’ goal with Firefox was to create a browser that would not take up large amounts of hard disk space, would be compatible with the most number of Web pages, and would open pages quickly. Firefox also features pop-up and image blocking, further speeding the load time of pages that users want to see. A simple Google search box is integrated into the browser, and users can add other search engines. Firefox can also help users keep up with news via a Latest Headlines menu that is located beneath the browser’s control buttons. The menu contains headlines and links to current news stories provided by the BBC. There is also a companion e-mail reader called Thunderbird. Both applications can be downloaded as one integrated piece in the Mozilla suite. Initially touted for its superior security, recently, a number of security vulnerabilities have been detected in Firefox. The latest version (v1.5 beta), released in September 2005, addresses a number of those issues, and adds a number of useful, new features. New features include an easy, one-button method for clearing your cookies, history and cache.

In the first nine months of 2005, the U.S. Computer Emergency Readiness Team (US-CERT)—a partnership of the U.S. Department of Homeland Security, other public entities, and the private sector— documented 12 vulnerabilities in Explorer. However, they also documented nine vulnerabilities with Firefox. (For more information, visit www.kb.cert.org/vuls.) According to US-CERT, a remote user could exploit IE’s vulnerabilities to access files on a computer, including those with confidential or personal information. The hacker could exploit other vulnerabilities and hijack someone’s computer to send spam messages and attack Web sites. It is even possible for the hacker to wipe someone’s hard drive clean. The move away from IE is largely attributed to the identification of these kinds of vulnerabilities.

Others of these vulnerabilities allow malicious code to function in ways that many users may not expect. Most computer users know that viruses and trojans may gain access to a computer as attachments to e-mail messages. This form of attack remains a serious problem, but at least users are generally familiar with the protection offered by antivirus software and the simple act of deleting suspicious attachments. In November 2004, however, an IE vulnerability was identified that may be exploited when a user does nothing more than visit a Web page. Malicious code that downloads with the page can make the user’s computer execute whatever instructions the hacker wants.

Secunia.com, a Danish security firm, is another source for browser security alerts. Secunia also assigns each vulnerability a varying levels of alert. While Explorer is not the only browser that contains vulnerabilities, ironically its prominence makes it the obvious choice for hackers to exploit. An article on Microsoft’s own moneycentral Web site (http://a01.moneycentral.msn-ppe.com/content/Banking/FinancialPrivacy/P87303.asp) titled “Keep Thieves out of Your Bank Account” even suggests: “To thwart online thieves, consumers might want to install…browsers [other than Internet Explorer], such as Mozilla or Opera, for financial transactions.” Opera, a longtime favorite browser of many savvy Internet users, is also available as a free download (www.opera.com). Opera offers a suite of functions, including e-mail and chat applications, an address book, and the ability to store quick notes without leaving the browser. After many years of offering a free, advertising-supported version and a paid version with no advertising, in September of 2005, Opera moved to a no-ad free version. You can, however, purchase one year of "premium Support" customer service for $29.00, though it is not mandatory. One welcome feature of Opera is that it gives users the option of starting where they ended their last Internet surfing session, starting with a previously saved session, opening to a blank browser window, or starting with a familiar home page. Despite all of these features, the total installation size of version 7.5.4 is only 5.5 MB. Opera is available for Windows, Apple, Linux, and OS/2, select handheld computers, and Web-enabled cell phones. US-CERT reported only two known vulnerabilities in Opera in the first nine months of 2005.

In June 2003, Microsoft announced that it would no longer be developing new versions of Internet Explorer for Apple operating systems. Coincidentally, this was not long after Apple had announced its Safari Web browser. Some of the refinements Apple engineers added to the Web browser feature set include built-in Google searching and snap back, which allows users to return to the point in their surfing session where they last typed a URL or selected a bookmark—useful if one has followed numerous links from one page to another while online. Safari also offers pop-up blocking, tabbed browsing, and tabbed bookmarks. Safari works only on Apple’s OS X operating systems and is available as a free download at the Apple Web site.

While some alternative Web browsers also have some known vulnerabilities, they are usually less critical and easy to patch. Additionally, because the non-Microsoft browsers are not integrated into the Windows operating system— as IE is—a malicious coder has to work harder to use them to access the inner workings of a user’s computer. In fact, even as Microsoft works to make its browser more secure, there are rumors that search engine powerhouse Google will soon enter the fray with a Web browser of its own (despite protestations to the contrary by Google's CEO Eric Schmidt). In October 2004 news sites also reported that America Online was planning to release its own browser, which would be based on IE. At the same time, it was also reported that Netscape founder Marc Andreessen felt that this renewed interest in browser technology could reignite the browser wars of the 1990s and, in his opinion, reinvigorate browser development. If Andreessen is right, which he has been before, users may have even more Web browser options to choose from - we're still waiting for Google and AOL's browsers though.