Internet Explorer is dangerous

(Rest your mouse cursor over the green text to see its description.)

4 out of 5 people use Microsoft Internet Explorer as their web browser. Internet Explorer frequently presents critical security risks to systems that use it, allowing malicious websites to hijack their computers, infect them with viruses, and conduct identity theft, and its lack of technology support has driven up the cost of web development and stifled innovation.

It is in the best interest of all Internet users to stop using Internet Explorer as soon as possible!

There are free alternatives that offer quality as good or better than Internet Explorer. The following article will explain in greater depth the problems with Internet Explorer and what the alternatives are.

Too much to read? An abridged version is available.

This page was last updated March 23, 2009.

Why switch from Internet Explorer?

Unsafe

Internet Explorer is the single most actively exploited piece of software on most computers. A majority of computer spyware and adware makes its way onto your computer through Internet Explorer's security holes. In an October 2004 study, 80% of home computers were found to be infected with spyware or adware, even though 85% had antivirus software installed. Studies have shown that these percentages are much higher among people who use Internet Explorer than with any other major web browser. This is largely because Internet Explorer was designed to grant websites control over the user's computer, and malicious websites can easily abuse this power, automatically installing programs and viruses onto your computer without your knowledge and performing dangerous system operations behind your back. Once your computer is hit with a spyware or adware attack, Microsoft says the only solution may be to dump your system and start from scratch.

These security holes are due to fundamental flaws in the design of Internet Explorer, as well as Microsoft's slow and ineffective security response process. Microsoft's chief technical officer Craig Mundie stated, “Many of the products we designed in the past have been less secure than they could have been because we were designing with features in mind rather than security. [...] In the past we sold new applications on the strength of new features, most of which people didn't use.” Although Microsoft issues monthly security updates, vulnerabilities have continued to be found at a much faster rate than they have been fixed. According to a Security Fix study, a fully-updated Internet Explorer was found to be “unsafe” (unprotected against serious known vulnerability exploits) for 78% of the year 2006, while its main competitor, Firefox, was “unsafe” for only 2% of the year. Through Internet Explorer, you could have your identity stolen and your bank account wiped clean, or your system could be destroyed and all of your important files deleted. The situation has gotten to where even the U.S. Department of Homeland Security is suggesting that consumers switch away from Internet Explorer. In May 2006, PC World named Internet Explorer the 8th worst tech product of all time, stating that it “might be the least secure software on the planet”.

The following is a brief summary of the vulnerability levels in the three most popular web browsers. The information was collected from Secunia, a leading computer software security monitoring company. These statistics cover all reported vulnerabilities in Windows versions of Internet Explorer, Firefox, and Opera. Historical cumulative values are provided in three forms: for all vulnerabilities in the entire of life of these products, for all vulnerabilities that were present during an equal length of time since the first reported vulnerability in the product, and for all vulnerabilities that were present during the same length of time before and including the present. That length of time is equal to half the number of days since the first reported vulnerability in the newest browser covered (Firefox, 2004-02-09). Note that some vulnerabilities may have been present during both time periods, so the sum of both values may be greater than the total number. “High severity” values include vulnerability reports that were marked as “highly critical” and above. Relative danger levels are calculated by adding up the square of the criticality levels for each vulnerability report (not critical=1, extremely critical=5). The vulnerability information was last updated February 10, 2009. For more details, see the Web browser security summary resource.

Security vulnerabilities
Aspect Internet Explorer Firefox Safari Opera
Historical cumulative values (Product life)
Vulnerability reports 140 77 7 70
High severity vulnerability reports 66 31 5 21
Vulnerability issues 274 271 22 98
Relative danger 1564 739 88 614
Historical cumulative values (from first 365 days)
Vulnerability reports 31 20 7 18
High severity vulnerability reports 13 2 5 4
Vulnerability issues 69 39 22 23
Relative danger 331 156 88 138
Historical cumulative values (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Highest values at one time
Vulnerability reports 39 9 2 4
High severity vulnerability reports 5 2 1 1
Vulnerability issues 41 13 3 8
Relative danger 204 44 20 27
Mean average per day (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Median average per day (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Present values
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1

Internet Explorer has had 140 vulnerability reports. 25 were marked as moderately critical, 50 were marked as highly critical, and 16 were marked as extremely critical. There are still 38 remaining, including 9 that were marked as moderately critical and 1 that was marked as highly critical.

Firefox has had 77 vulnerability reports. 19 were marked as moderately critical, 31 were marked as highly critical, and 0 were marked as extremely critical. There are still 5 remaining, including 1 that was marked as moderately critical.

Safari has had 7 vulnerability reports. 0 were marked as moderately critical, 5 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Opera has had 70 vulnerability reports. 20 were marked as moderately critical, 20 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.

It is also important to consider how quickly each web browser fixes its vulnerabilities. The following table lists the average time taken between Secunia's vulnerability reports and the release dates of their respective patches, if all aging unfixed vulnerabilities (vulnerabilities at least as old as the mean of all fixed vulnerabilities for that browser) were to be fixed today. Data does not include unfixed vulnerabilities less than that age, vulnerabilities with unknown fix dates, or vulnerabilities that were only publicly known after the patch release. Values listed are in days.

Patch delay (in days)
Average Internet Explorer Firefox Safari Opera
Per vulnerability report
Overall mean 2172 571 1527 188
Overall median 3060 42 1506 35
High severity mean 274 13 21 8
High severity median 53 10 21 8
Per vulnerability issue
Overall mean 1830 523 1535 210
Overall median 210 27 1506 44
High severity mean 217 17 21 8
High severity median 61 23 23 8
Weighted by relative danger
Overall mean 1533 478 1025 112
Overall median 121 23 23 23
High severity mean 252 13 21 7
High severity median 52 10 21 1
Per fully-disclosed vulnerability report
Overall mean 1594 592 1527 387
Overall median 119 23 1506 12
High severity mean 57 5 21 1
High severity median 48 5 21 1

The Washington Post Security Fix column conducted a similar study comparing patch delay between Microsoft products and Mozilla products in 2003 through 2005, using different sources than the above information. Note that, unlike the above information, the Security Fix study ignores unfixed vulnerabilities.

The following graphs illustrate present security figures in each browser over time. Higher levels mean greater danger. The graphs span from February 9, 2004 to today.

A graph showing the number of security advisories over time in Internet Explorer, Firefox, and Opera.

A graph showing the number of security vulnerabilities over time in Internet Explorer, Firefox, and Opera.

A graph showing the relative cumulative danger of security vulnerabilities over time in Internet Explorer, Firefox, and Opera.

Primitive

In today's fast growing Internet world, we are seeing a greater demand for web applications that are both powerful and versatile. This calls for new technologies to be developed, and quickly. In order to create and organize these new technologies, a standards body called the World Wide Web Consortium (W3C) formed. Their members include people from many of the world's largest technology companies, all working together to develop technology standards that will take the Internet to the next level and beyond.

Unfortunately, in the last several years, one of the most significant members of the W3C has failed to adopt the very standards that it helped to create. Microsoft, feeling confident with Internet Explorer holding over 90% of the market, stopped adding the new technological developments to its web browser. Microsoft employee Dare Obasanjo explained, “In an almost text book example of how monopolies work, Microsoft abandoned innovation in IE in a move that showed that at this point IE was considered a cost center not a revenue generator.” The W3C has continued to develop technologies that would give websites new levels of functionality, break down barriers for the disabled, and aid software and search engines in actually understanding the information that's presented on the Web. Many of these technologies exist, but with Microsoft's incredible weight in the market and unwillingness to develop their browser, they've been unable to see the light of day.

By 2006, Internet Explorer had fallen nearly a decade behind in Internet technology. Practically all of the standards that it supports are met and exceeded by other competing browsers, who are now diving deep into a new world of Internet technology that Internet Explorer has yet to touch. While Internet Explorer is in high use, web developers are forced to either stay with outdated technology, often costing them double or triple the time and money, or turn away a majority of their potential visitors. As time goes on, an increasing number of personal websites, development journals, and online tools are being made using technology not supported by Internet Explorer.

Since their market dominance began to slip following the release of the Firefox web browser, Microsoft finally decided to develop Internet Explorer again. However, web standards experts who have reviewed the new additions in Internet Explorer 7 see the situation as too little too late. Overall, IE7 only made about as much progress over IE6 as Firefox 1.5 and Opera 9 did over their immediate predecessors.

The following table is a summary of web technology support among the three most popular web browsers, including the new version of Internet Explorer (IE 7). The three technologies listed are fundamental in modern web design. For more information, see the extended Web browser standards support page.

Standards support
Technology IE 6 IE 7 Firefox 2 Firefox 3 Opera 9
HTML / XHTML 73% 73% 90% 90% 85%
CSS 2.1 51% 57% 92% 93% 94%
DOM 50% 51% 79% ? 84%

What alternatives are there?

Luckily, there are several good alternatives to Internet Explorer, and all of the major ones are available completely free of charge.

Firefox

Firefox is a new free web browser that is quickly gaining massive popularity and a lot of media attention. It is all-around safer, easier, and more useful than Internet Explorer. Since its premier in November 2004, it has been downloaded over 300 million times and is now used by 10% - 20% of the public. Firefox has been developed by a group of highly dedicated and skilled open source programmers who work without pay. Their motivation isn't money, but simply to make the best web browser available, so that they and their friends and family can have a better web browsing experience.

On top of popular modern features like tabbed browsing, phishing protection, and popup blocking, Firefox offers a wide range of features not available in Internet Explorer:

Switching to Firefox is easy. Your Favorites, passwords, and other settings from Internet Explorer are carried on to Firefox automatically, so you don't need to worry about losing anything. Setup is quick and easy, and no technical skills are required to get Firefox running on your system.

Here are some official Instructions for switching from Internet Explorer to Firefox.

Get Firefox!

Firefox is available on all major platforms. See the System requirements for details.

Opera

If you're looking for a second option, try out Opera. Opera is very small and lightweight, yet is packed with useful features. Like Firefox, it offers tabbed browsing, phishing protection, popup blocking, themes, and better security, it's nearly tied with Firefox in webpage technology support, and it's also completely free.

Although Opera doesn't have the robust extension system that Firefox offers, it comes with many more features right out of the box:

Here are some official Instructions for switching from Internet Explorer to Opera.

Get Opera!

Opera is available on all major platforms.

Flock

Flock is a free cutting-edge social web browser that is based on Firefox and optimized for blogging, newsreading, sharing photos, and generally making the most of the modern Web. If you are regularly involved in these kinds of social aspects of the Web, Flock may prove to be an ideal out-of-the-box browser for you. Like Firefox, Flock supports its own brand of over a hundred extensions that can further enhance your Web experience.

Get Flock!

Flock is available on all major platforms. See the System requirements for details.

How do I set up these browsers?

Setting them up is a snap. Just go to the website and follow the download link. Open the file that you download (either by clicking “Run” or “Open” at the start of the download or by double-clicking the program icon when it's done), and you'll be given a simple installation screen. From there, you can just agree to everything that comes up and it'll all work out nicely. If you find that you don't like it and want to go back to Internet Explorer, all you have to do is start up Internet Explorer like you normally do. Installing a different web browser will not break or replace your old one, so there's no reason not to give one of the alternative browsers a try.

After you've installed the browser, make sure you click on the right icon to start it up. You don't want to click on the blue “e” anymore. The Firefox icon looks like an orange fox wrapped around a globe, Opera looks like a red “O”, and Flock looks like a flock of little blue blobs.

What if a website doesn't work in an alternative browser?

Modern alternative browsers like those listed above very rarely have problems with websites. They adhere closely to the web technology standards, meaning that all websites should look and function more or less the same in all browsers.

On occasion, you might come across a website that has errors in its code. In some older webpage formats, still widely used, there is no clear standard regarding how errors are to be treated by the web browser, and you may experience slight differences in different browsers.

You may also experience issues resulting from Internet Explorer's incorrect implementation of many standard webpage elements. Webpages are made up of a large set of rules written by the webpage author. If the author adjusts the rules to suit Internet Explorer's incorrect behavior, the webpage might not look right in other browsers that handle the rules correctly. In fact, Microsoft has announced plans to make new upcoming versions of Internet Explorer behave more in accordance with the standards — and therefore, more like the other web browsers — even if it causes problems with these poorly-coded websites.

Some sites are designed to use Microsoft's ActiveX technology, which most other browsers choose not to support because of the serious security holes in ActiveX. Even Microsoft advises users to disable ActiveX for regular web browsing, and it will be disabled by default in the new versions of Internet Explorer.

Most often, if a website doesn't look correct in an alternative browser, it is because the website wasn't written correctly, not because of a fault of the browser. If you experience a problem, it is best to contact the website administration and inform them. They should be embarrased for shutting out a significant and growing percentage of their potential visitors due to not following the established web standards. In fact, in some cases it is illegal for a business website or a government website to not work properly in these alternative browsers.

Fore more information, see the following resources:

How to direct Internet Explorer users to this information

If you own a website and are familiar with server-side scripting, you may redirect Internet Explorer users to <http://www.webdevout.net/browser-warning?forward_uri=location> where location is the URL of the document that the user attempted to access, but without the redirect. Note that the entire location, including any query parameters, must be stored within the forward_uri parameter, so be sure to encode it properly.

You may also limit this warning message to occurring only once per browsing session. It is recommended that you do this from your website, but if that isn't possible, you may instead add &once to the end of the request for this page to achieve that effect. This will only work properly for users that accept cookies.

If your website supports PHP, you may use my prebuilt script for detecting and redirecting Internet Explorer users. Follow the instructions in readme.txt.

Alternatively, you may use the basic informative version by linking to <http://www.webdevout.net/ie-is-dangerous>. It is recommended that you use the previous method for automatic redirections.

If you have further questions, you may direct them to dhammond@webdevout.net. I encourage website owners to spread this message, and I am flexible with the use of this document. This article is under a very generous Creative Commons License and you may reproduce it and modify it under the stated terms.