Why you should switch to Firefox now

By Robert Vamosi (commentary)

Recent flaws in the way Microsoft processes common Internet image files and a decision to offer IE updates only to Windows XP users lead to just one logical conclusion: bail on Microsoft Internet Explorer.

Can you imagine the Internet without pictures? A new flaw in the way Windows, and therefore Internet Explorer, renders JPEG images--one of the most common image formats on the Web--should make you think twice about whether you should display them. At the very least, it should nudge you into considering an alternative Internet browser, such as Firefox.

The code to exploit this flaw is now public. Usually, exploit code release is the first step toward a new virus or worm, and as we have seen before, the time from exploit to virus is generally about two to three weeks. In other words, the clock is ticking.

The GDIplus vulnerability, in a nutshell
If you use a Windows operating system older than Windows 2000 or have already updated to Windows XP SP2, you're immune to the flaw. There are many ways to render JPEGs, but the Graphic Device Interface plus DLL, or gdiplus.dll, is enabled only in Windows 2000 and Windows XP. Because gdiplus.dll is vulnerable to a buffer overflow attack, malicious code lurking inside an infected JPEG file could allow new, potentially malicious code to take over the use of your computer (or, at the very least, crash it). Unfortunately, the apps that run in Windows 2000 and XP are also vulnerable.

Microsoft Office is vulnerable
The list of these vulnerable apps is not short and includes:

Now, what happens if you patch your system with Windows XP SP2, then load one of the above apps? Believe it or not, the potential exists for that app to overwrite the patched gdiplus.dll with an older, more vulnerable version. You can see what a nightmare this has become already. Thus, Microsoft has posted a free online tool to assess the current vulnerability of your computer.

What if you don't use Microsoft apps on your Windows computer? Surprisingly, your solution might be even more complicated.

Macromedia products not vulnerable
Some non-Microsoft apps, such as those from Macromedia, also regularly use JPEG files. Turns out, some Macromedia apps do install the vulnerable gdiplus.dll, but they actually use the Microsoft graphics library instead to process JPEGs. That means products such as Macromedia Contribute, Dreamweaver, Fireworks, Flash, Flashpaper, FreeHand, RoboSource Control, and Studio MX are not affected by the GDI flaw. Nonetheless, if you do load any of these apps after you've patched your system, make sure they don't overwrite the patched version of gdiplus.dll. To find out more about which software is vulnerable to this flaw, see this US-CERT document.
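A check for the overwrite scenario described above, added here as an illustration and not taken from the article or from Microsoft's assessment tool: it walks a directory tree for copies of gdiplus.dll and reports any whose file version is lower than a reference copy you know to be patched. It assumes the first VS_FIXEDFILEINFO signature found in a file belongs to its version resource; the function names and the demo's version numbers are made up.

```python
import os, struct, tempfile
FFI_SIG = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature

def file_version(path):
    """Return (major, minor, build, rev) from fixed version info, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(FFI_SIG)  # heuristic: first signature hit, no resource-tree walk
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def audit(root, reference, name="gdiplus.dll"):
    """Return [(path, version, status)] for copies older than the reference."""
    wanted = file_version(reference)
    if wanted is None:
        raise ValueError("no version info in reference: " + reference)
    paths = [os.path.join(d, f) for d, _sub, files in os.walk(root)
             for f in files if f.lower() == name]   # case-insensitive name match
    findings = []
    for path in sorted(paths):
        found = file_version(path)
        if found is None:
            findings.append((path, None, "no version info"))
        elif found < wanted:
            findings.append((path, found, "older than reference"))
    return findings

def make_stub(path, version):
    """Write a constructed stand-in file holding only a fixed version record."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    a, b, c, d = version
    with open(path, "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62 + FFI_SIG
                 + struct.pack("<III", 0x10000, a << 16 | b, c << 16 | d))

def demo():
    """Constructed tree: a patched system copy and an older app-private copy."""
    root = tempfile.mkdtemp()
    ref = os.path.join(root, "system", "gdiplus.dll")
    make_stub(ref, (9, 9, 2, 0))  # version numbers here are made up
    make_stub(os.path.join(root, "app", "GdiPlus.dll"), (9, 9, 1, 7))
    return [(os.path.relpath(p, root), v, s) for p, v, s in audit(root, ref)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real machine, call `audit(root, reference)` with the drive to search and the gdiplus.dll copy the patch installed, then re-run it after each application install.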

Microsoft: Upgrade to Windows XP or else
In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits. The average cost to upgrade to Windows XP is about AU$150; you do the math.

Firefox is a start but not the whole solution
If you've taken my past advice, you've already bailed on Internet Explorer and installed Mozilla Firefox as your default Internet browser. For the most part, you can avoid the JPEG flaw, right? Wrong. Because Microsoft bundles IE deep within Windows, you can't avoid IE by not using it. For example, say you get an HTML e-mail message from someone that includes a JPEG image. If you're using Outlook 2002 or earlier, it calls on IE to render that image. The same is true for Microsoft Word and other Office apps that offer a Web view. Outlook 2003 at least gives you the option of viewing an image or not, but should you choose to view it, Outlook 2003 will still call IE. You can remove Internet Explorer from Windows, but it would take a column twice as long as this to cover all the Registry settings and such you'd need to tweak to do so.

Have you switched to Firefox yet? Why or why not? Talk back to me.


Talkback 9 comments

  1. Anonymous -- 27/09/04

    I proudly use Firefox 1.0pr cos what reason have I to use IE? It's Microsoft, it's venerable and it's featureless.

  2. Anonymous -- 28/09/04

    I switched to Firefox 6 weeks ago and haven't looked back. Absolutely love it. To be able to create multiple tabs in a Windows is a godsend.

  3. Anonymous -- 29/09/04

    I patched Windows XP on a friend's laptop I was fixing for them. The OS was fixed fine, but because I didn't have their Office XP CD with me (yes it is a legitimate copy), that didn't get patched.

    When will MS learn that it is too much effort to locate the CD-ROM in the real world? It is not always going to be next to the desktop (particularly in corporate environments).

  4. Anonymous -- 30/09/04

    I downloaded Firefox 1.0pr several days ago and have used it quite a bit and found it to be fast and easy to use, with many features and functions I like. It doesn't, however, support the addons I've come to be quite dependent on such as Google and Yahoo toolbars, Pluck, etc. I've found these addons really make browser life much easier, and unless Firefox comes out with dual support for IE addons, switching will really be a pain. I'm a Windows 2000 user for 3 of 5 systems, and only plan on upgrading when I upgrade hardware. This means Microsoft's lack of concern regarding my wellbeing is now an issue and things like Linux, Firefox, and Open Office are now firmly in consideration for the future. So pain, or no pain, Microsoft is forcing me to look at alternatives I never thought I'd have to.

  5. Anonymous -- 30/09/04

    I have been using Firefox since version 0.2 (when it was Phoenix). Always relatively stable even back then and a pleasure to use. Wouldn't use anything else now, given a choice.

    Also, check out Thunderbird, the matching email client. It's earlier days for it, but it handles the basics with aplomb.

    Pete

  6. Anonymous -- 01/10/04

    It's a complicated topic indeed! I would suggest if you don't have Windows XP, get it. If you don't have XP Service Pack 2, get it now. It offers far greater security than a machine without it or running any other operating system. Secondly, I haven't moved from Internet Explorer because even when a flaw is exposed, Microsoft always do their best and are always quick to release a fix or patch for it. If you do not use Microsoft software, then I suggest you do. If you refuse to then you may suffer the consequences in the long run. From my experiences, no company offers full and quick support in these kinds of situations like Microsoft does.

  7. Anonymous -- 14/11/04

    I know many people who are using their computers for simple purposes who have avoided many viruses and other problems by sticking with Win98. We all know that at the moment we cannot 'comfortably' avoid Microsoft products, so do they and they expect to make a lot of money from hyping-up this problem that they created themselves.

    I WOULD NOT BE SURPRISED IF THE VIRUS THAT EVENTUALLY EXPLOITS THIS VULNERABILITY WAS SECRETLY WRITTEN BY MICROSOFT.

    My opinion. There is no excuse for no longer providing support for Win2000. Microsoft has the resources. (would THAT be an understatement?) Many people and businesses have paid 'good' money expecting to be able to use this software and I pity them.
    I use WinXP. :( and thankfully, didn't have to pay for it myself.

  8. Anonymous -- 11/12/04

    I have tried to download Firefox and have successfully used it. But, every time my computer is turned off, even though Firefox is defaulted, it goes back to IE. I am running ME. Any ideas?

  9. I've tried Firefox web browser. But I'm staying with Internet Explorer Michael Streader -- 01/02/06

    Yes I have tried Firefox web browser cos of the hype and people telling me to try it out. But I just don't like Firefox and I don't see why I need to use it when I don't have problems with Internet Explorer 6. So why should I change to alternative web browsers? I reckon the latest Internet Explorer 6 is good cos it has pop up ad blocker, it does help me from downloading potentially harmful programs, it does protect my PC from potentially damaging files by alerting warnings, it allows me to block downloads from specific publishers and the latest Internet Explorer does have a stronger zone defense. I know that Internet Explorer 6 is not flawless. But I've had no security problems using Internet Explorer 6. So I don't see the point switching for Firefox just for tabbed browsing feature, integrated search and RSS. Also now Microsoft's new Internet Explorer 7 Beta 2 Preview for Windows XP SP2 has those features, security improvements and many more improvements. So I'm sticking with Internet Explorer.
