Stealing a rant from someone else who explains it well: The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera), it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications. Probably the most important library is MSHTML.DLL, which more than anything else probably is Internet Explorer. These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn admin-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation. And so we have Security Zones. The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE. Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself. The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Mozilla and Opera do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all. There are still exploits that can be performed on browsers like Opera and Mozilla. Directory traversals, buffer overflows, taking advantage of design defects... Hell, have a look at the stuff Opera's had to fix in version 7 so far. (I think the "really big favicon" exploit is my favorite.) And you can find cross-site scripting vulnerabilities in Mozilla, but they don't let you install software; they just cause data security problems because one site might be able to read another site's JavaScript variables or cookies or something. But IE's fundamental security model makes it incredibly vulnerable to exploits that allow the arbitrary installation of software, or worse. And that's why IE is more fundamentally insecure than the alternatives, and until something is fundamentally changed about it (which may or may not happen with XP SP2), it's going to remain more fundamentally insecure regardless of popularity levels.
bfl (bump for later)
Thanks for the information.
Though I have personally had no problems at all with IE, because of the rap on IE out there, I’ve tried FireFox regularly over the years. But I have always found bugs and problems with it in certain situations such that it just would not allow me to accomplish the work I needed to do on the specific website, so that I had to remember to go back to IE when I was doing said specific things on said specific websites. That got tiresome and inconvenient, so I just went back to using IE6, but I never upgrade to IE7 (or Media Player 10, Vista, etc etc) because I have found either the newer M-soft stuff doesn’t work as well as older versions, or I just don’t like the features as well. I do however, pick and choose, and do download M-soft security updates.
I use Thunderbird Mozilla for email for a specific feature I like about it, but there are some features about it that really suck, so I may move on to some other email client. My wife still uses Outlook Express (for years now) and has never experienced any problems. I used it also for years before I switched to Mozilla Thunderbird about a year ago.
If FireFox would fix their bugs or someone else comes up with a browser that is completely free of bugs so I don’t have to be switching back and forth to IE to accompish things, then I am more than happy to switch over.
In short:
Microsoft: Insecure By Design
Thanks for the post but I try firefox, chrome, and recently IE8 beta (all sometimes for many weeks at a time), and I always go back to IE.
My computer ownership has always consisted of cleaning up other people’s discards because they have let them get infected so badly, and I never seem to have a problem with IE after I clean them up and I use my freeware security programs.