The browser under attack

As luck would have it, there seems to be a strong link between my scheduled vacations and a general outbreak of security threats. Last year, the Sobig e-mail virus broke just as I was packing the car for vacation, crippling networks everywhere. I had to delay my departure and join in the firefighting back at the office. Today, as I prepare for some much-needed time off, I’m again faced with a new wave of security threats, this time through the browser. Although the Sobig virus was much more painful, browser-based security issues now threaten the de facto operating philosophy of many IT departments: Minimize deployment hassles by pushing key enterprise applications through the browser.

At InfoWorld, our SFA, Web analytics, and CM (content management) systems are currently delivered in the browser, and others are moving in that direction. Clearly, the browser as an application delivery mechanism is here to stay. But is the continuing drive toward the browser ultimately a path to trouble? I’m starting to see some disturbing warning signs.

Many of you are already thinking, “Isn’t this just about getting rid of Internet Explorer?” But IT managers who think dumping IE is the end of all their troubles ought to dig a little deeper into the subject. IE justifiably gets most of the negative attention when it comes to browser vulnerabilities -- I counted just short of 100 vulnerabilities when I searched the Vulnerability Notes Database for “Internet Explorer” -- but enough vulnerabilities in other browser environments have popped up to give me pause.

The runscript vulnerability in Apple’s Safari that was fixed in May suggests that Apple and OS X are not immune to browser-based attacks. And the recent shell: URI (Uniform Resource Identifier) problem in the Mozilla family of browsers shows that they aren’t absolutely pristine themselves -- although those particular vulnerabilities relied on an underlying flaw in Windows. Granted, these problems are quite small when compared to IE’s woes, and it makes sense to move users to the relative safety of Firefox, but with non-IE browsers gaining market share, I wouldn’t be surprised at all to see an uptick in exploits against them.

Part of what we are dealing with has very little to do with technology and more to do with exploits that attack the open philosophy behind the browser and the Web itself. And that’s what worries me most. The location window common to all browsers is infinitely malleable. Anyone who has passed a few moments waiting for a meeting to start by checking a sports score or an eBay auction knows the sense of self-determination the browser brings. IT can control where end-users browse, but should IT actively prevent a salesperson who’s just pulled a 14-hour day from taking a quick peek at a game score while working on a presentation, even if that freedom might lead to preventable spyware infection down the line?

Slightly more than a year ago, I urged IT to end its resistance to technologies that users want, saying: “The days of the paternalistic top-down IT department are nearly gone.” But lately, with the continuing scourge of spyware, phishing scams, and other browser-driven exploits, I’m seeing more end-users running to Papa for refuge from an IT environment that seems to be growing more chaotic rather than less. The browser will remain the center of the IT universe for the time being, but it’s going to be a long fight to keep it there in all its open glory.