[ISN] School's out to shun IE

[InfoSec News]

http://news.zdnet.com/2100-1009_22-5485834.html

By Jim Hu 
CNET News.com 
December 9, 2004

Citing security risks, a state university is urging students to drop
Internet Explorer in favor of alternative Web browsers such as Firefox
and Safari.

In a notice sent to students on Wednesday, Pennsylvania State
University's Information Technology Services department recommended
that students download other browsers to reduce attacks through
vulnerabilities in the Microsoft software.

The university said "media reports" and a string of warnings by
Carnegie Mellon University's Computer Emergency and Response Team led
to its recommendation.

"We're not telling people to wipe off IE, because you need IE to do
operating-system updates," Robin Anderson, a spokeswoman for Penn
State's ITS department, said in an interview. "We're telling
(students) there are alternatives--and for them to strongly look at
those."

Microsoft said Internet users have a choice in Web browsers, adding
that the company has invested heavily in online security.

"While Internet Explorer is the choice of hundreds of millions because
of the unique value it provides, we respect that some customers will
choose an alternative," a Microsoft representative wrote in an e-mail
statement.

Penn State's new policy highlights the many security vulnerabilities
that have dogged IE over the past few months. Nearly two dozen holes
in the Web browser have been discovered during the fall, ranging in
degrees of seriousness.

Malicious code writers have targeted security holes in the browser to
launch attacks or install spyware. These attacks are often launched
when a victim clicks on a specific Web link, opening the door for
criminals to take over the person's computer. Once the PC is
compromised, the attacker could access account information, load other
software and delete files.

Other attackers have targeted IE vulnerabilities to launch viruses. In
November, security researchers discovered two viruses, Bofra.A and
Bofra.B, loosely based on the MyDoom source code.

Security concerns have prompted a growing number of Internet users to
embrace different browsers, such as The Mozilla Organization's
Firefox, Apple Computer's Safari and Opera Software's Opera. While IE
remains the undisputed leader for browsers, with nearly 90 percent
market share, Firefox continues to gain in popularity.

Firefox has surpassed the 5 million download mark while gaining 5
percentage points in May to 7.4 percent, according to research firm
OneStat.com. Microsoft has disputed these numbers, claiming that they
do not represent corporate users.

Even though attackers target IE because of its near ubiquity,
malicious code writers are widening their reach. Yesterday, a security
company discovered an exploit in a feature common to most browsers,
including IE, Firefox, Opera and Safari, that could be used to launch
an attack.

Penn State's Anderson said the university has just completed a
two-month information campaign for PC security, urging students to
download firewalls and antivirus software, and to regularly install
operating-system updates. She added that changing browsers is one of
many ways to defend against attackers.

"What we're saying is, we're taking a hard stance on securing our
computers," Anderson said.

CNET News.com's Robert Lemos contributed to this report.