“Just switch to Firefox” isn’t yet a viable solution
There is yet another zero-day exploit for IE (the second within four days).
We’re two weeks away from Microsoft’s next patch cycle and I’ll bet dollars to donuts we won’t see a patch before then.
What options does an enterprise have in these cases? Recommending that the enterprise as a whole switch completely to a different web browser (usually Firefox) isn’t yet a viable solution. Whysat? Glad you asked:
- There is no freebeer solution to patch Firefox wholesale. Granted, the auto update feature would work but what about hosts that are broken and aren’t getting updated? How do you tell which hosts are updated and which aren’t? How do you tell which hosts are on which version of Firefox?
- What about standard in-house web apps that don’t work in Firefox? Granted, IEview is a great plugin, but how do you deploy that to all hosts on the network and maintain change control across all hosts?
- Switching from IE to Firefox for the average user isn’t as easy as it sounds. There are many sites that simply won’t work in Firefox and users won’t necessarily know or remember this. So when the site doesn’t work they’ll call the help desk to say “the Internet is broken.”
Don’t get me wrong, I’m not poo-pooing Firefox by any stretch. However, this isn’t a fix, it’s a temporary broke-around.
The fix is for Microsoft to start a beta-patch program, whereby they release patches rapidly in cases like this, so that shops can decide on their own whether to patch or not (rather than having that decision made for them by Microsoft).
Another bitch of mine is that Microsoft provides what I call ‘out of cycle’ protection to subscribers of its Live OneCare service. As quoted from Microsoft’s Security Response Center Blog:
Windows Live OneCare users whose current status is green are already protected from known malware that uses this vulnerability to attempt to attack systems.
I strongly believe that charging customers for protection from vulnerabilities in their products is a conflict of interest. That would be like Ford charging car owners to replace a faulty fuel tank!
