For the past few weeks, Microsoft officials have been doing something the company hasn't done in a long time: talk up Microsoft Internet Explorer (IE). The timing for these discussions couldn't be more transparent. The Mozilla Foundation just released version 1.0 of its eagerly awaited Firefox Web browser, which is responsible for wresting 3 percent to 6 percent of IE's market share away over the past several months. But I'll give Microsoft credit for this much: The company is being honest about the fact that it hasn't done a good job of explaining exactly why it believes IE is still the best Web browser available. So now the company is trying to stem the flow of positive Mozilla stories--some of which, frankly, were generated by yours truly--and introduce a contrary argument.
Last week, I spoke with Gary Schare, the director of Windows Product Management at Microsoft. Schare told me that some misconceptions exist about IE and Firefox and that some tech reporters were jumping on the Firefox bandwagon without fully exploring the concerns. For its part, Microsoft hasn't done a good job of explaining its IE strategy, he said.
"It pains us a bit," Schare said. "A bad reputation is hard to turn around, and it won't happen over night. We have to tell the story. Things have changed. And our commitment to security is bearing fruit." No other company, Schare said, let alone any browser maker, is making the kind of commitment to security that Microsoft is. And although he didn't say it this way, he seemed to agree with my opinion that some aspects of Firefox's development are troubling. First, who are the people writing Firefox, and why do we trust them more than Microsoft to write good software? IE, after all, is mature. Second, is Firefox benefiting more from "security through obscurity" than it is from being well-designed? That is, will Firefox vulnerabilities dramatically rise if more people begin using that browser?
Although Microsoft is able to make a strong case for IE, it has some more explaining to do about the situation with Windows XP Service Pack 2 (SP2). With SP2, Microsoft has released a significantly updated version of IE that includes many low-level improvements as well as the widely reported pop-up blocker and plug-in manager. But this version of IE isn't available to non-XP users and won't ever be made available outside of SP2. "You need to separate security updates and patches from features and enhancements," Schare said. "We will continue to release security updates and patches for all supported Windows and IE platforms. However, we do not plan to retrofit the old \[IE\] versions with the new features from SP2." Those features, apparently, are a benefit to those users who adopt XP. That's fine for XP users but unlikely to please Windows 2000 and Windows 9x users.
The improvements in the IE version that ships with XP SP2 are dramatic. Microsoft has made low-level changes to the security zone architecture that make it more difficult for malicious software (malware) to cross zones and wreak havoc under the security settings of the local user. The company also locked down the Local Machine Zone (LMZ), which was previously the most open zone; now, if malware is able to somehow access the LMZ, it will be unable to cause any damage because the LMZ is now the more secure of the zones. "Most of the IE exploits we saw in the past won't work now," Schare said, noting that Microsoft also changed the very APIs on which IE is based. The new APIs are much safer than the old APIs, which will be phased out over time. "The new APIs came through for us just last week," Schare explained, discussing the recent IE IFRAME vulnerability. "\[The exploit\] didn't affect SP2 at all. Many people think that happened because we had added a certain fix to SP2, but that's not the case. It doesn't work on SP2 because of the new APIs. That entire class of vulnerabilities is automatically mitigated by the new architecture."
Next week, I'll continue my discussion of IE and why Microsoft believes it to be the best browser available, especially for businesses. In the meantime, I'm curious: I've heard from a lot of Firefox fans, but if you're sticking with IE for specific reasons, I'd like to hear about it. Why do you use IE?
