Internet Explorer myths

As Microsoft's Internet Explorer 6 has grown stale and the second Browser Wars have heated up, Internet Explorer has been the subject of much criticism and praise. Somewhere in the midst of it all, some misconceptions have popped up here and there. This article will address some false claims and hot topics found in the public and media regarding the Internet Explorer web browser.

Some claims below are partially true, partially false. In these cases, this article will attempt to put the situation into better perspective.

This page does not mean to give the illusion that all hype or criticism about Internet Explorer is false. Depending on the individual, there may be very good reasons to use Internet Explorer or there may be very good reasons to use something else, and not all reasons either way are touched upon in this article.

See also: Firefox myths and Opera myths.

Table of Contents

  1. Features
    1. Internet Explorer doesn't support web standards
    2. IE7 will be standards compliant
    3. Internet Explorer is catching up with the competition in standards support
    4. IE7's fixes for common hacks will make it more difficult to target
    5. Microsoft sets the standards (or should)
    6. Microsoft deliberately goes against the standards
  2. Security
    1. Internet Explorer is only insecure because of its popularity
    2. Switching to an alternative browser will make you perfectly secure
    3. IE7 solved all of its security shortcomings
    4. ActiveX is not a significant source of security vulnerabilities
  3. Performance
    1. Internet Explorer starts up faster than Firefox
    2. Firefox is faster than Internet Explorer
  4. Miscellaneous
    1. Microsoft developed Internet Explorer from scratch
  5. Full disclosure



Internet Explorer doesn't support web standards


Claim sources: 1, 2, 3, 4, 5, 6

Although Internet Explorer's level of standards support falls far short of its competition, it does support the major web standards to some degree. Every major version of Internet Explorer has improved on its support for the core web standards, including HTML, CSS, and DOM. The criticism comes from the fact that, relative to the other major browsers right now, Internet Explorer implements many aspects of these standards incorrectly or not at all, and Microsoft has historically added support for proprietary extensions that were not previously formalized as a standard, which has created problems in cross-browser web development efforts. When Internet Explorer 6 was first released, it was very much a competitor in the area of standards support, but after several years of no improvements to its layout engine while other browsers have continued to improve, it has simply fallen years behind.

Below is a brief summary of how well Internet Explorer, Firefox, and Opera support the most significant standards and emerging technologies. A “Y” indicates perfect support, while a “100%” is the result of rounding. More information is available in the Web browser standards support resource.

Standards support
Technology IE 6 IE 7 Firefox 2 Firefox 3 Opera 9
HTML / XHTML 73% 73% 90% 90% 85%
CSS 2.1 51% 57% 92% 93% 94%
CSS 3 changes 10% 13% 24% 27% 19%
DOM 50% 51% 79% ? 84%
ECMAScript 99% 99% Y Y Y

IE7 will be standards compliant


Claim sources: 1, 2, 3, 4, 5, 6, 7, 3

Again, people often mistakenly view this issue as all-or-nothing: that a browser either supports standards or doesn't. Internet Explorer 7 will have a number of improvements in some widely-used web standards, but IE7 has only made a fraction of the progress necessary to reach other browsers' level of standards support. (At the time of writing, the first IE 7 release candidate has already been released.)

Refer to the table above for figures.

Internet Explorer is catching up with the competition in standards support


Claim sources: 1, 2, 3

Although the Internet Explorer development team has put standards support as a major focus, Internet Explorer 7 has not made significant progress in catching up to the competition. According to this site's standards support tables, the overall rate of standard support improvement in the latest versions of Internet Explorer, Firefox, and Opera have been about the same considering the length of development time.

See the table above for standards support figures.

IE7's fixes for common hacks will make it more difficult to target


Claim sources: 1, 2

Due to Internet Explorer's large number of display bugs, web developers have made use of several “hacks” to feed correction code exclusively to Internet Explorer. The most commonly used hacks included * html {} (also called the “Tan hack”), which selected only Internet Explorer due to a parsing bug, and html>body {}, which selected all modern browsers excluding Internet Explorer because it didn't support the > combinator. Internet Explorer 7 has these particular issues fixed, so the hacks no longer single it out. Although a few of the most common problems that called for the use of hacks have been fixed, there are many cases in which web developers still need to single out Internet Explorer.

Despite the fixes, there are still several effective ways to send special code to Internet Explorer users. The method recommended by Microsoft and some prominent figures in the web standards community is conditional comments. This technique involves modifying the HTML source, which some web developers find too much of a hassle compared to CSS hacks. Fortunately for them, I discovered a simple new CSS hack: *:first-child+html {}. This works just like the Tan hack, but only targets Internet Explorer 7 and possibly some future versions. Like other similar CSS hacks, you should be careful when using it and stick with conditional comments whenever possible, since behavior in future versions and obscure or upcoming browsers is unpredictable. But it makes for a trivial replacement for the Tan hack in IE7. To select all modern browsers excluding IE7 and below, html>/**/body {} easily replaces the html>body {} hack and is also valid CSS.

See also: CSS hacks

Microsoft sets the standards (or should)


Claim sources: 1, 2

Some people believe that, due to Internet Explorer's current domination in the market, Microsoft should be the one who defines the standards and other browsers should follow Microsoft rather than the World Wide Web Consortium (W3C). This claim is often presented as if Microsoft and the W3C each think that its respective sets of rules are correct and the other's are wrong, which isn't the case. Microsoft is a member of the W3C and has played a role in the development of their standards. The Internet Explorer development team admittedly strives to support W3C standards, but has simply fallen far behind due to the five-year development halt and some lack of direction beforehand. Internet Explorer Group Program Manager Chris Wilson stated in an official blog post, “I want to be clear that our intent is to build a platform that fully complies with the appropriate web standards, in particular CSS 2 ( 2.1, once it's been Recommended).”. They have lately been working closely with the Web Standards Project (WaSP) to direct Internet Explorer development to support the most demanded web standards in upcoming versions.

Many of the rendering aspects of Internet Explorer that some claim to be Microsoft standards are actually bugs and incomplete implementations of W3C standards, and many of these oddities are being fixed in future versions. This means that websites that rely on Internet Explorer's current behavior may fall apart in future versions just as they do today in more standards-compliant web browsers. This is a fact of which Microsoft has warned web developers, and before Internet Explorer 7 was released, they called for web developers to fix their pages for the new version.

Microsoft deliberately goes against the standards


Claim sources: 1, 2, 3, 4

While Internet Explorer does implement many things differently from how today's standards are defined and supports many nonstandard CSS, HTML, and DOM features, indications are that deliberately adding nonstandard features is not the intended path of future Internet Explorer development. Also, most of the differences are due to genuine bugs or features that were developed before there was an established standard for easily achieving the same task.

Internet Explorer 3 was the first major browser with any CSS support, before CSS Level 1 became a W3C standard in December 1996. Later versions improved on support, but Microsoft regarded compatibility with websites as a top priority, even if those websites relied on Internet Explorer's old buggy behavior. As a result, Internet Explorer 5.5 had numerous fundamental differences from the CSS standard. In 2001, they addressed the issue with Internet Explorer 6 which offered a doctype switching feature that allowed them to make fundamental fixes to their engine without breaking old sites. However, they didn't have enough time to make all of the changes needed for the rewrite, and Internet Explorer 6 retained lots of bugs. Unfortunately, Internet Explorer platform development didn't continue after version 6 until 2005 when they began the Internet Explorer 7 engine development, which continued to fix fundamental differences from the W3C CSS standard.

Internet Explorer first began to support webpage scripting in version 3, two years before DOM Level 1 became a W3C standard in October 1998. Version 4 added more features, still before there was a standard. Version 5.5 was released before there was any W3C-endorsed DOM event model, and version 6 came just a year after the first W3C event model standard, after many sites were already making use of Internet Explorer's proprietary event model. There are some indications that Microsoft plans to support the W3C event model in an upcoming version of Internet Explorer.

Some members of the Internet Explorer development team have publicly expressed a commitment to W3C standards. Internet Explorer Group Program Manager Chris Wilson stated the following in a May 2006 blog post:

Yes, I will continue to improve standards support and compliance in IE, and make the web better. That's my job, my charter, my vision, and my passion. The day it isn't, I'll quit. The day the development of the standards-based platform in IE goes on a back burner again, I'll quit. My management up to and including Bill Gates has said we are back in the saddle with IE, so I have a job to get back to.

Internet Explorer 7 didn't add any layout or scripting engine feature that wasn't already at least part of a W3C working draft.

It should be noted that there are often long-term problems with supporting features that haven't been made finished standards yet, as history has shown. Working drafts can change dramatically before they are finalized, and the W3C reserves a “Candidate Recommendation” stage for browsers to begin safely implementing support for the upcoming standard. But Internet Explorer does not have a significant history of supporting proprietary alternatives to already established standards except for legacy reasons.



Internet Explorer is only insecure because of its popularity


Claim sources: 1, 2, 3, 4

While it is reasonable to argue that a popular application will be more likely to attract attention from malicious people, the evidence shows that there are deeper problems with Internet Explorer than just popularity. Since early 2005, Internet Explorer has been steadily losing market share, yet its present vulnerability count and rate of vulnerability discovery have continued to increase. Furthermore, Internet Explorer has taken an average of roughly 50 times as long as Firefox or Opera to fix critical exploited vulnerabilities after they have been discovered. As the popular Apache web server has shown against its less popular rival IIS, it's very possible to be the most popular application in a class and still suffer fewer vulnerabilities and attacks.

The following graph illustrates the number of open (not completely fixed) vulnerability reports from Secunia over time, from February 9, 2004 to the present. For more charts and figures, see the Web browser security summary resource.

A graph showing the number of security advisories over time in Internet Explorer, Firefox, and Opera.

Switching to an alternative browser will make you perfectly secure


Claim sources: 1, 2, 3, 4, 5

Word-of-mouth advocacy among the general public tends to oversimplify relatively complex ideas. An example is security, and the occasional misconception that a piece of software can make your system perfectly secure. Something as complex as a web browser will almost certainly have security vulnerabilities crop up from time to time. No major web browser or operating system has a perfect security record.

There are often some fundamental differences between the architectures of other browsers compared to Internet Explorer with regard to security, and Microsoft has shown a relatively poor record of fixing its browser's vulnerabilities. However, there is never any guarantee that a particular browser is perfectly safe. Although you may be significantly less prone to attacks, it is still important to use reasonable caution when manually downloading files and plugins from untrusted websites, and make sure you are running an up-to-date version.

The following is a brief summary of the vulnerability levels in the three most popular web browsers. The information was collected from Secunia, a leading computer software security monitoring company. This information was last updated February 10, 2009. For more charts and figures, see the Web browser security summary resource.

Security vulnerabilities
Aspect Internet Explorer Firefox Safari Opera
Highest values at one time
Vulnerability reports 39 9 2 4
Vulnerability issues 41 13 3 8
Relative danger 204 44 20 27
Present values
Vulnerability reports 38 5 2 1
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1

IE7 solved all of its security shortcomings


Claim sources: 1, 2, 3, 4

Although Internet Explorer 7 fixed a number of security issues and added features to help reduce the impact of security vulnerabilities, such as site-by-site ActiveX permissions and a phishing detector, several security vulnerabilities from Internet Explorer 6 remained. Furthermore, the Internet Explorer development team has indicated that their response to security vulnerabilities won't likely see any major change. Patrick Mann, the security test lead for Internet Explorer, gave his response in a public question-and-answer session:

Q: I would like to know what progress is being made in speeding up the time between vulnerability discovery and the time a pat[c]h is created.

A: I know you won't like my answer Joe, but we need to balance a lot of conflicting interests in developing and releasing patches. We have a ton of versions/platforms/languages to test, we go through a compatibility test pass with partners to ensure we don't break their line of business apps - you get the picture. The 2 month cycle for security updates we are on seems to be a pretty good schedule for the majority of customers.

Some people are under the impression that Internet Explorer 7 was a clean slate in regard to security. IE7 inherited most of its code from IE6, and with it, several of the publicly known vulnerabilities that hadn't been fixed. There were some significant changes to the security zone model in IE7, but many of the known vulnerabilities had no relation with the components that were changed. After IE7 was released, several old vulnerabilities from IE6 were found to still affect the new version, and most of the other old vulnerabilities haven't yet been tested in IE7. From tested previously known vulnerabilities alone, IE7 was released with more known security vulnerabilities than Firefox had at the time, according to Secunia.

ActiveX is not a significant source of security vulnerabilities


Claim sources: 1, 2

ActiveX is very often cited as one of the top culprits for Internet Explorer's security problems, and some people have responded claiming that ActiveX doesn't make the product any less secure. In truth, a large number of the most serious Internet Explorer vulnerabilities are directly related to the ActiveX engine. The following is a list of all Internet Explorer vulnerability reports by Secunia rated “highly critical” or above at the time of this writing, with vulnerabilities related to ActiveX listed in bold:

The following is what Microsoft has to say to ActiveX control developers about ActiveX's security implications:

An ActiveX control can be an extremely insecure way to provide a feature. Because it is a Component Object Model (COM) object, it can do anything the user can do from that computer. It can read from and write to the registry, and it has access to the local file system. From the moment a user downloads an ActiveX control, the control may be vulnerable to attack because any Web application on the Internet can repurpose it, that is, use the control for its own ends whether sincere or malicious.



Internet Explorer starts up faster than Firefox


Claim sources: 1, 2, 3

The Internet Explorer window does typically come up faster than Firefox the first time you double-click on the program icon, but this is mainly because core Internet Explorer libraries are actually loaded into memory as your computer is starting up. Furthermore, not all components of the web browser are in memory when the browser window comes up. Some components, such as the favorites manager, are only loaded into memory when you access them, while Firefox loads everything at once. If all components of Internet Explorer were loaded at once, load time would likely be much closer to that of Firefox, if not longer.

A self-admitted Opera fan who was later hired as a technical writer for Opera ASA developed a series of browser speed tests that is often cited in browser comparison discussions. I have personally attempted to reproduce those tests, but my results have shown a somewhat different order from his. Different hardware and software configurations can significantly affect relative browser performance, and it is important to recognize that before accepting results from a single computer and only 1 to 3 trials per aspect tested. Although his tests might not have included bias per se, his use of so few trials raises doubts over the accuracy of the results.

Firefox is faster than Internet Explorer


Claim sources: 1, 2, 3, 4

In regard to webpage rendering, Firefox is most often faster than Internet Explorer, but different browsers use different algorithms to determine and display the page layout, and Internet Explorer is sometimes known to be faster under certain conditions, especially with pages that are small, have a simple layout, or contain errors in the source.

As mentioned above, Internet Explorer also tends to show up quicker than Firefox the first time you double-click on the program icon.



Microsoft developed Internet Explorer from scratch


Claim sources: 1, 2, 3

The vast majority of Internet Explorer's code today was likely written by Microsoft itself, but the browser was originally developed from the source code of Spyglass Mosaic, a relatively unknown browser developed by Spyglass, Inc. that was loosely derived from NCSA Mosaic (a more popular web browser whose original developers later went on to create Netscape). Microsoft licensed its source code under an agreement that it would pay Spyglass a portion of its earnings on the offspring Internet Explorer browser. When Microsoft released the browser free of charge the next year and therefore only had to pay Spyglass a minimal quarterly fee, Spyglass threatened with a lawsuit which they settled out of court for $8 million. For more information, see the Wikipedia Article on Spyglass.

Full disclosure


I personally use Mozilla Firefox for casual web browsing and regularly promote the use of modern browsers such as Firefox, Opera, and, currently to a lesser extent, Safari. I do not promote the use of Internet Explorer mostly due to its relatively poor standards support and security record, as well as its history of abandoning development efforts. My intention for this page is not to promote my personal views, but to address some recurring false claims either in favor of, against, or neutral toward Internet Explorer and to present the truth in a balanced manner. The information on this page is based on my own research and may contain errors. If you believe something on this page is inaccurate or unbalanced, please e-mail me or visit the discussion forum. I believe this page currently has more depreciatory debunkings than appreciatory ones, and I would like suggestions for more negative false claims to balance it out.