August 31, 2004

A Rebuttal to Malware & IE

Forever, it seems, I've been reading the many posts and articles complaining about spyware, malware, and IE security issues. I acknowledge they exist, and I've done my fair share of removing adware, spyware and the like. The funny thing is, I've been using a powerful IE-based browser (MyIE2, n/k/a Maxthon) as my main browser for over a year, and pure IE before that, and can't recall having a browser-related spyware or drive-by download incident. I generally keep up on IE patches, and I've scanned my PCs many times with Norton Antivirus, Ad-Aware, Spybot, etc. I've also used my share of Netscape, Mozilla, and Firefox too, so I'm definitely not a Microsoft groupie. In my personal user experience, I've only encountered malware when I've installed a supposedly free program that had others bundled in as a means to defray their costs. We've all seen plenty of those -- some will tell or prompt you during installation while others just creep in unannounced. There's no excuse for the silent parasites -- we should at least be presented with the choice. But for the others, we've made a conscious decision to download and install them.

What prompted this post was Jerry Lawson's post about Ernie Svenson's post about a Slashdot post (welcome to the link-crazy blogosphere), all of which recommend dumping IE ASAP due to the security and drive-by downloading problems.

Mind you, I'm not disagreeing with that, as I've said it myself from time to time. But since my IE settings and overall experience seem to differ greatly from the general public's, I've concluded this wasn't a mere coincidence. I believe this greatly reduces the chance of malware getting into my system, coupled with savvy user-level decisions. I should also mention I use pure IE from time to time, when I want to ensure maximum compatibility when browsing or downloading from active content-rich sites. Otherwise, I pretty much use MyIE2 with occasional use of Firefox when faster rendering speed is desired. I also like Firefox's fast way to disable Java and JavaScript from two simple checkboxes within the same settings dialog.

While MyIE2 features advanced content blocking (i.e., blocking inline ads, flash animations, popups, etc.), that only gets me so far in my malware defense. By and large, I firmly believe most people have problems with spyware and malware just because they don't know any better (i.e., a lack of savvy user education and a less than optimal IE configuration). By default, IE is left quite open for drive-by downloads, but that doesn't mean it can't be made to deflect them. Even when I use plain IE without any ad-blocking, I still have it set to block or prompt for most active content. As mentioned, I also use antivirus and anti-spyware programs, which also help.

I've found changing the settings in IE's Security / Internet Zone / Custom Level to be quite effective against unwanted malware. I've disabled some features (especially those "not marked safe"), set some to "high safety" and set most of the remainder to prompt me, particularly regarding ActiveX and scripting content. This allows me to decide if/when active content should run to access desired content (e.g., Microsoft's various support/update sites, launching the PDF reader when clicking on a PDF file, loading a desired flash animation, etc.), versus blocking the potentially harmful active web content. This solution presents me with many pop-up dialog prompts, but after a little while they stopped bothering me because I get to choose what happens next: I'm not a victim of an unfortunate browsing accident.
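The Custom Level dialog described above is backed by per-zone registry values, so the same "disable the not-marked-safe items, prompt for the rest" posture can be audited and applied from a script. The following is an added example, not code from the original post and not the author's exact configuration: the numeric value names (1001, 1004, 1200, 1201, 1400, 1402, 1405, 1803) and the 0/1/3 encoding are the documented Internet Explorer zone settings for the Internet zone (zone 3 under the current user's hive), while the specific Prompt/Disable targets chosen for each item are this example's own assumptions about what the post's posture looks like.

```powershell
# Added example: audit (and optionally harden) the IE Internet Zone Custom Level
# settings for the current user. Value names/encoding are the documented IE zone
# registry values; the Target column is this example's assumed posture.
#
# Encoding used by IE in these DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Encoding = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Value name => description and the desired (assumed) setting.
# Items that run or download unvetted code are disabled; everything else prompts,
# which keeps sites working while leaving the decision to the person at the keyboard.
$Policy = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Target = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Target = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Target = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Target = 3 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         Target = 1 }
    '1400' = @{ Name = 'Active scripting';                                          Target = 1 }
    '1402' = @{ Name = 'Scripting of Java applets';                                 Target = 3 }
    '1803' = @{ Name = 'File download';                                             Target = 1 }
}

function Get-InternetZoneAudit {
    # Emits one object per setting: what is currently in the registry versus the target.
    # A missing value means IE's built-in default for the zone applies (typically Enable).
    $current = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    foreach ($key in $Policy.Keys) {
        $value = $null
        if ($current -and $current.PSObject.Properties[$key]) { $value = [int]$current.$key }

        $currentLabel = if ($null -eq $value) { 'not set (IE default applies)' }
                        elseif ($Encoding.ContainsKey($value)) { $Encoding[$value] }
                        else { "unknown ($value)" }

        [pscustomobject]@{
            Id        = $key
            Setting   = $Policy[$key].Name
            Current   = $currentLabel
            Desired   = $Encoding[$Policy[$key].Target]
            Compliant = ($value -eq $Policy[$key].Target)
        }
    }
}

function Set-InternetZoneHardening {
    # Writes the target values for the current user's Internet zone only.
    # Machine-wide policy values under HKLM, if present, take precedence over these.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($key in $Policy.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $key -Value $Policy[$key].Target -Type DWord
    }
}

# Usage: review the report first; apply only once you accept the extra prompts.
Get-InternetZoneAudit | Format-Table -AutoSize
# Set-InternetZoneHardening
# Get-InternetZoneAudit | Where-Object { -not $_.Compliant }   # should be empty afterwards
```

The audit is the useful half for a defender: run it across user profiles to see who is still at the open defaults. Setting 1200 and 1400 to Disable rather than Prompt would cut the dialog noise but also break most of the "desired content" cases the post mentions, which is why Prompt is the chosen default for those two.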

Knock on wood, as I know this doesn't close all of IE's holes, but I've yet to encounter a drive-by malware download. Why? I believe it's because my IE and IE-based browsers either ignore or prompt me for what to do when they encounter most active content. I've run a number of updated anti-spyware scans on my PCs and they come up clean each time. Of course, the distinguishing variable is knowing how to answer those browser prompts. If I'm downloading a PDF or Flash animation I want to see, then I allow it to run. If I don't know what's prompting me, I click on "No", and then see if the web page will load properly. If it does, great. If it doesn't, then I need to decide if the desired content is worth the risk of allowing the active content to load. So far, so good.

Obviously, there's a trust and/or judgment factor involved as well. Most large corporate sites are not going to want to risk alienating their market by inflicting malware. Those that have usually learned a painful lesson in customer relations and the power of the Web to replicate such information very quickly and LOUDLY. If I'm visiting a new or strange site, then I err on the side of caution. I don't need more smileys for my e-mail or IM program, and I know I'm not going to win anything by clicking on a moving ad (regardless of how satisfying it may be to virtually smack that annoying purple monkey!) or answering that "Friends" trivia question for which anyone over three knows the answer.

We all know IE has a lot of security holes, no argument there. But my individual experience leads me to conclude that specifically regarding browser-delivered malware (adware, spyware, viruses, trojans, etc.), the choices made at the computer operator level (hey, that's us!) are by far the largest contributor to allowing harmful content into our systems in the first place. This stuff generally doesn't get there by itself. Someone had to make the decision to visit a particular site (whether via Google, directly, or from some other link), using a web browser configured in a specific way. Even alternative web browsers have security issues. It all comes down to where you surf on the web, what you're using to get there, and what choices you're making in how you access the online data once you've arrived. Even choosing which free programs to download and install requires judgment. For help, check out sites like SpywareInfo and before you download a new program. They provide helpful information and maintain lists of spyware- and malware-ridden programs.

This isn't begging the entire Microsoft security issue, and Microsoft clearly needs to address it. But unless or until that happens, it's up to us to either educate ourselves to address it, or hire someone else who's savvy enough to take care of it and educate us on an informed way to do it. In other words, good ol' personal accountability. As Smokey said: "Only you can prevent forest fires." This doesn't excuse the malware developers in the least, nor Microsoft, but a good many incidents are avoidable with an appropriate approach.

So instead of throwing the IE baby out with the bath water to clean house, I'd rather come up with a better way to keep the baby clean. I've written here previously about how I've all but dumped IE as my main browser, and that's true. My main motivation was to find a better browser for power user features while maintaining a common set of bookmarks. As my main replacement browser is based upon the underlying IE engine and its flaws, I tasked myself to find a way to get all the benefits I was looking for while securing it as much as possible. So far, I like the result. It's not perfect (what is?), but it works for me.

I was quite tempted to conclude this with the typical, "Your mileage may vary" -- but then shouldn't we ask the critical question: Why?

Topic(s):   Web Wizardry
Posted by Jeff Beard

A lot, I bet, depends on where you travel while using Maxthon or IE. There are high-risk and low-risk web sites.

Posted by: M. Sean Fosmire at September 2, 2004 04:30 PM