Tag Archives: Microsoft Browser

Internet Explorer only? IE doubt it

Fewer businesses standardizing browser use on Internet Explorer, but the practice isn’t gone yet.

Just as Internet users in general have defected in huge numbers from Microsoft Internet Explorer over the past several years, the business world, as well, is becoming less dependent on the venerable browser.

Companies that used to mandate the use of IE for access to web resources are beginning to embrace a far more heterodox attitude toward web browsers. While it hasn’t gone away, the experience of having to use IE 6 to access some legacy in-house web app is becoming less common.

“Things have changed a lot in the last three years, and I think a lot of it has to do with the emergence of the modern web and the popularity of mobile. They have made it very different for companies to truly standardize on a browser,” says Gartner Research analyst David Mitchell Smith.

One example of the changing face of business browser use is SquareTwo Financial, a Denver-based financial services company that works primarily in distressed asset management. The firm’s 280 employees handle both consumer and commercial business, buying and selling debt, and a franchise program means that there are upwards of 1,500 more people working at SquareTwo affiliates. According to CTO Chris Reigrut, the company takes in roughly $280 million in annual revenue.

“In addition to buying and selling debt, we also provide a software-as-a-service platform that our franchises (and we) use to actually negotiate and litigate the debt,” he tells Network World.

Square Two hasn’t needed to standardize, he says, because keeping their offerings diverse is part of the idea – the company’s various online resources all have differing requirements.

“We do distribute Firefox on Windows systems – however, Safari and IE are both frequently used. Our internal wiki is only officially supported on Firefox and Safari. Our SaaS ‘client’ is a pre-packaged Firefox install so that it looks more like a traditional thick-client application. Most of our employees use their browser for a couple of internal systems, as well as several external services (i.e. HR, training, etc),” says Reigrut (who, like the other IT pros quoted in this story is a member of the CIO Executive Council Pathways program for leadership development).

The Microsoft faithful, however, are still out there. Many businesses have chosen to remain standardized on IE, for several reasons. SickKids, a children’s research hospital in Toronto, sticks with Microsoft’s browser mostly for the ease of applying updates.

“We have more than 7,000 end-point devices. Most of those devices are Windows workstations and Internet Explorer is included as part of the Microsoft Windows operating system. As such, this makes it easier and integrates well with our solution to manage and deploy upgrades, patches and hotfixes to the OS including IE,” says implementations director Peter Parsan.

“Internet Explorer is more than a browser, it is the foundation for Internet functionality in Windows,” he adds.

The complexity of managing an ecosystem with more than 100 types of software – running the gamut from productivity applications to clinical programs – requires a heavily controlled approach, according to Parsan.

Smith agrees that IE still has its advantages for business users that want just such a strictly regimented technology infrastructure.

“If you want a managed, traditional IT environment … really, your only option is Internet Explorer,” he says, adding that both Firefox and Chrome lag behind IE in terms of effective centralized management tools.

Some companies, however, have gone a different way – standardizing not on IE, but on a competing browser.

Elliot Tally, senior director of enterprise apps for electronics manufacturer Sanmina, says his company’s employees are highly dependent on browsers for business-critical activities. Everything from ERP to document control (which he notes is “big for a manufacturing company”) to the supply chain is run from a web app.

Tally says Sanmina made the move to standardize on Chrome in 2009, in part because of a simultaneous switch to Gmail and Google Apps from IE and Microsoft products.

“It made sense to go with the browser created and supported by the company that created the apps we rely on. Also, Chrome installs in user space so it doesn’t require admin privileges to auto-update,” he says. “It also silently auto-updates, as opposed to Firefox, which requires a fresh install to update versions, or IE, which is similar. Chrome, over the last year or so, has supported web standards better than any other browser, and (until recently) has offered significantly better performance.”

Plainly, broad diversity exists both in the actual browsers used by workers and the approaches businesses have taken in managing their use.

That diversity, says Smith, is the reason Gartner has been advising clients against standardization from the outset.

“Standardize on standards, not browsers,” he urges. “That was a controversial position for 10 years. People really didn’t agree with it, they didn’t listen to it, and they paid the price.”

Microsoft, as well, has had to pay a price.

“[Standardization] hurts Microsoft’s reputation as an innovator; as a forward-thinker,” he says. “When people’s impression of using Microsoft technology – whether it’s a browser, whether it’s an operating system – is something that is two or three versions old, because they’re dealing with it through what enterprises want.”


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

 

Researchers hack IE9 during second day at Pwn2Own

Researchers from VUPEN Security exploited previously unknown vulnerabilities in Internet Explorer 9 at the CanSecWest conference

Internet Explorer 9 was the second browser to succumb to white-hat hackers during the Pwn2Own contest at the CanSecWest security conference in Vancouver.
MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com
Contest hacks the heck out of Chrome

A team of vulnerability researchers from French security firm VUPEN Security exploited a pair of previously unknown vulnerabilities in the latest version of Microsoft’s browser on Thursday.

The attack was demonstrated on a fully patched 64-bit Windows 7 with Service Pack 1 system and earned the VUPEN team 32 points in the annual Pwn2Own competition sponsored by TippingPoint’s Zero Day Initiative (ZDI) program.

The rules have changed for this year’s Pwn2Own contest, its focus shifting from who can hack a browser faster, as it was in previous editions, to who can write the highest number of reliable exploits. Researchers earn 32 points for exploiting previously unknown browser vulnerabilities, also known as zero-days, and 10 points for exploiting patched vulnerabilities selected by the organizers.

VUPEN is currently in the lead with 124 points, 64 of which were earned for a zero-day exploit against Google Chrome on Wednesday and a similar one against Internet Explorer 9 on Thursday. The team claims to have similar exploits for Apple’s Safari and Mozilla Firefox.

VUPEN’s Internet Explorer 9 exploit leveraged two vulnerabilities — a remote code execution (RCE) that bypassed the browser’s anti-exploitation mechanisms like DEP (Data Execution Prevention) or ASLR (address space layout randomization) and one that bypassed its post-exploitation defense, commonly known as the sandbox, or Protected Mode in Internet Explorer’s case.

The Internet Explorer 9 Protected Mode limits what attackers can do on the OS once they exploit a RCE vulnerability inside the browser. However, according to security researchers, IE’s Protected Mode is less restrictive than Google Chrome’s sandbox. This is expected to improve with Internet Explorer 10 on Windows 8.

It’s also worth noting that the order in which browsers get attacked at this year’s Pwn2Own contest has nothing to do with difficulty. Participating researchers come with their zero-day exploits prepared in advance and the order in which they demonstrate them is purely a matter of personal choice rather than an indication of one browser being harder to hack than another.

The zero-day RCE vulnerabilities are shared with TippingPoint, but not the sandbox-escape ones, which are considered highly valuable and rare. The organizers will share the details with the affected vendors after the contest is over.