July 2, 2004

Replace and disable Internet Explorer now

Author: Jem Matzan

You've probably heard about a particularly nasty Trojan horse attack recently which exploited several vulnerabilities in Microsoft Internet Explorer and Internet Information Services. While viruses and Trojans have been around for years, this particular attack was new because it used several vulnerabilities at once, and it didn't require the user download or install any programs or visit any malicious Web sites. It's time to say goodbye to Internet Explorer and its security flaws forever. Here's how to do it.

Before you go removing your only Web browser, you need to have something to replace it with. There are two primary alternatives to Internet Explorer: Mozilla and Opera.

Mozilla is actually a suite of programs; it's a Web browser, email client, address book, and calendar all rolled into the same basic framework, but we're talking about the browser only now. Mozilla has two derivatives: Netscape, which is a proprietary version of the Mozilla suite, and Firefox, which is a stripped-down version of Mozilla. Those with slow machines may have a better experience with Firefox, since it is only the bare browser component of Mozilla with some modifications. If you're looking for the most IE-like Web browser (in terms of interface), Firefox is your best bet.

All Mozilla derivatives offer pop-up ad blocking, tabbed browsing (which allows you to have several Web pages open in one single window, as opposed to opening them all in separate instances of the program), and superior security and stability. Firefox and Mozilla are both free software, meaning you are not restricted in how you use, modify, or distribute them.

Opera is a proprietary Web browser with lots of excellent features. Like Mozilla, Opera has pop-up ad blocking and tabbed browsing capabilities, and it also has a built-in email client and address book. Despite having many of the same key features, Opera has a different look and feel from Mozilla and Mozilla-based Web browsers, and it's drastically different from Internet Explorer. Some may enjoy that, others will find it irritating. Opera also has built-in ads that display near the top of its browser window; if you want them to go away you have to pay almost $40.

All of these programs can automatically import your IE Favorites from the folder called Favorites in your user's Documents and Settings directory.

There is no harm in installing more than one of these programs. Try them all, if you like, before making a decision, and be sure to give yourself at least a week's time to adjust to each program's different features and interface.

No matter which you choose to install, the new program will at some point ask you if you'd like to make it your default browser. You should say yes, although if you're installing multiple browsers each one will want to check if it's the default every time you start it unless you tell it to stop asking. As long as IE is no longer the default and you have a different program to browse the Web, your mission has basically been accomplished. At this point you can safely remove IE from your computer -- mostly.

Extend and exploit: why IE is a security disaster

There's only so much you can do with HTML and cascading style sheets (CSS). You can do more with high-level Web languages like PHP, ASP, Perl, and Python, but you still need HTML to display Web programs. A more powerful solution is to create an applet -- a separate program that is downloaded and run through your Web browser upon request. Sun Microsystems created the Java language for this purpose, and Microsoft responded by introducing the ActiveX control subsystem. The difference is, Sun designed Java with security in mind, and Microsoft didn't. Microsoft's idea of ActiveX security is to require that publishers digitally sign their programs and to require that end-users assent to the installation of ActiveX applets. There is no way to know what an ActiveX applet will do until you've run it, at which point it is too late to stop any damage it has done. Digital signatures do nothing to stop malicious code.

No matter how many security patches Microsoft releases, ActiveX can still destroy your system or steal your data. The only way to prevent it from potentially harming you is to disable ActiveX, thereby limiting IE's functionality.

The second disastrous extension that Microsoft added to IE is the Browser Helper Object, a file that loads with Internet Explorer and has unrestricted freedom to download, run, and install programs or applets without your permission or knowledge. The security risk here is obvious and self-explanatory; coincidentally this is one of the tools used in the above-mentioned recent Trojan horse attack.

BHO exploits cannot be detected or stopped by antivirus software. Some kinds of spyware detection programs can detect these kinds of attacks, and some can't. Rather than downloading and installing more software to fix problems in IE, it's best to just use a different browser.

As a program, IE simply was not designed to be secure. SecurityTracker.com keeps a list of IE's security alerts -- see for yourself how serious the threats are to Internet Explorer and how often they occur. Compare that list with the list for Mozilla. Which one would you rather use?

How to remove IE

Once you've decided to get rid of IE, you can use the following process, provided you have Internet Explorer version 6 or later installed. Ironically, the easiest way to remove Internet Explorer versions earlier than version 6.0 is to first upgrade to 6.0 -- a process best done through Windows Update. If you're using Windows 95 and want to remove IE, Microsoft has instructions here.

In Windows NT 4.0, 98, 98SE, ME, 2000, and Advanced Server Limited Edition, open up your Control Panel, which is found in the Start Menu under Settings. Then double-click on Add/Remove Programs; a new window will appear with this same title. Select Add/Remove Windows Components from the left-hand icon column and then uncheck the box next to Internet Explorer. Click Next and IE will disappear from your system; click Finish to complete the process. All IE icons will be removed from your quick launch, desktop, and Start menu.

Depending on which operating system you're using and how it has been updated and configured, the option for removing Internet Explorer may alternately be in the Add/Remove Installed Programs section instead of the Add/Remove Windows Components section, but the basic process remains the same.

In Windows XP the process is exactly the same, except you have some further options to limit Internet Explorer. In the same Add or Remove Programs window, Windows XP has an additional option for those with Administrator rights: Set Program Access and Defaults, which is the last icon down on the left-hand icon bar. Click on it and you'll see some different profiles to choose from. Click on Custom; this will list some program defaults and access controls that you can change manually. The first group in the list is for your Web browser. Uncheck the box labeled "Enable access to this program" next to Internet Explorer. You'll notice there is a button for the system default -- you'll want to click the dot next to your new browser to make it the default if it isn't already set.

Internet Explorer is, unfortunately, built into Windows in all versions after 98 and can't be fully removed. No matter what you do, IE will still be available in a limited capacity for the purpose of running Windows Update, which requires Internet Explorer to run. It will not be generally available to users, however, and since you set your default browser to whatever you installed earlier, IE will never open on its own when you click a link offline. This is the best you can do; Windows security is all about reducing risk, rather than eliminating it. If you start Windows Update, an IE window will open and you can use it for browsing sites other than Windows Update despite the fact that it's been "removed" and "disabled." This is one of the main problems with Windows -- there are always loopholes like this one that compromise your system's security. A more effective long-term answer to such security concerns might be to switch to GNU/Linux.

Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report.

Category:

  • Security
Click Here!