Sunday, September 11, 2005

Patching Firefox... ignoring Internet Explorer

Firefox and Thunderbird GarageThe folks at Mozilla have responded to the report of a serious flaw in their browsers, including Firefox. The vulnerability relates to the handling of 'International Domain Names' (IDNs), which use local language characters. The browser's handling of these characters can be exploited to run malicious code on a user's PC.

One of the neat things about Firefox, however, is its ability to control all sorts of settings that lie just underneath the covers. CNet provides the following instructions on turning off IDN handling without having to patch your browser:

Type "about:config" in the address bar, hit Enter; type "network.enableIDN" in the filter toolbar, hit Enter; right-click the "network.enableIDN" item and select Toggle to change value to false.

Easy enough. Contrast this with Microsoft's Internet Explorer (or "IE") browser. It supports, for example, a powerful tool called Browser Helper Objects (or BHOs). BHOs allow third-party software developers to extend the functionality of IE.

In practice, though, many BHOs are used by spyware vendors who want to inspect and monitor your browsing activities. Are you visiting the site? A surreptitiously-installed spyware app -- using BHO technology -- can detect that operation and popup another window to, say, (or whichever advertiser pays them for competitive positioning). In other words, lots of IE configurations have all the privacy of a house without any window treatments.

Here's the kicker, though. BHOs are notoriously difficult to find and remove. Want to see which BHOs are installed on your PC? According to, Microsoft doesn't provide tools capable of either viewing or removing specific BHOs*. Only third-party tools, some of which may have dubious capabilities themselves, can be used to diagnose BHO problems. Or, if you're feeling particularly tech-savvy, you could risk open-heart surgery on the registry (that's where BHOs strap themselves into the IE browser).

Aside from the IE team's egregious omission of tools to monitor and control BHOs, the succession of serious security flaws in Microsoft's browser render it -- at present -- an inferior choice for Internet surfing. If you're not doing so already, download Firefox. And if you're already using it, make sure you take ten seconds out of your day to change the IDN setting. Mozilla offers temporary fix for Firefox flaw

* As of December, 2004, Microsoft apparently does offer a solution to disable all BHOs in an IE installation.

No comments: