Is IE Finally Safe?

It's gut-check time. Tonight, I'm going to give a talk about Microsoft Internet Explorer (IE) 7.0 to a local user group, and I'm not sure how to handle this. I've almost made a career out of complaining about the many problems IE has caused over the past decade. But with IE 7.0, it seems, Microsoft finally got it right.

If you're having trouble with that assessment, you can now test IE 7.0 for yourself: Microsoft shipped the Beta 2 version of the product recently, and it's pretty solid. So solid, in fact, that the company is providing free phone support to Beta 2 users. It will also support upgrading systems from IE 7.0 Beta 2 to the final version, which is due late this year.

Support issues aside, IE 7.0 Beta 2 is interesting on several levels. In my mind, there have always been two major concerns with IE: functionality and security. With IE 7.0, Microsoft mostly addresses both of these quite nicely. It picks up the tabbed browsing and integrated search functionality that other browsers have offered for years and adds unique new features such as a Quick Tabs view that visually lays out the open browser windows in a graphical grid, and new printing functionality that's surprisingly first rate. (Anyone who has tried to print from IE can tell you what a miserable experience that is.)

IE 7.0 also picks up a new, Windows Vista-inspired UI, which doesn't work tremendously well in non-Vista OSs such as Windows XP and Windows Server 2003. Unlike the simple clarity of the Mozilla Firefox toolbar, in which the Back, Forward, Refresh, Stop, and Home buttons are all laid out logically to the left of the Address Bar, Microsoft chose to scatter these often-used buttons to the wind. Back and Forward are in the customary spot, but Refresh and Stop are incongruously to the right of the Address Bar. The frequently used Home button is even more poorly positioned in the second row of UI controls in an area called the Command Bar. So much for simplicity.

With regard to security, Microsoft finally seems to have solved most of IE's ills, though I should note that the approach is similar to that of User Account Protection (UAP) in Vista: security as an afterthought. After years of letting IE compromise system after system, I'm happy to see Microsoft finally bring it under control. But the features seem tacked onto an otherwise insecure product. I hope it holds up under the scrutiny of the many hackers who will continue targeting IE.

Here's what I mean. IE's use as an attack vector has generally centered around its support for ActiveX, the insecure helper application technology that Microsoft derived from COM back in the mid-1990s. Firefox is more secure than IE for two reasons: One, it's less frequently used (and thus less likely to be attacked). Two, Firefox doesn't support ActiveX. In the version of IE 6.0 that shipped with XP Service Pack 2 (SP2), Microsoft added a few valuable features: pop-up ad blocking, a way to prevent so-called drive-by software downloads, and the Manage Add-ons interface, which helps users disable ActiveX controls and other browser plug-ins. Not surprisingly, two of those three features are aimed directly at ActiveX abuse.

IE 7.0 has many more new security features. A feature called ActiveX Opt-In automatically disables any ActiveX controls that the user hasn't explicitly enabled for use on the Web. Thus, it helps protect your system even against controls that were already on the hard disk when IE 7.0 was installed. IE 7.0 also includes protection against cross-domain scripting attacks and phishing sites (though, sadly, that feature is optional), and the Manage Add-ons interface has been updated to allow for uninstalling certain ActiveX controls. This all seems like a worthy if dubious attempt at righting the wrongs of the past.

IE 7.0 will be more secure on Vista. There, a unique feature called IE Protected Mode ensures that IE 7.0 always runs with lower security privileges than even a standard user account, regardless of the privileges of the user. Thus, while it's possible for the user to manually change IE settings via the application's UI, it's not possible for these changes to be made programmatically or via a Web download.

From an administrative standpoint, IE 7.0 is more configurable than ever before. All its new features--including the valuable phishing filter--are fully managed via Group Policy, and customization can occur, as before, via an IE Administration Kit (IEAK).

In the past few weeks of using IE 7.0, I've run into several compatibility issues, which is reason enough for you to begin evaluating the product with your own Web applications. I've also missed a few features I take for granted in Firefox, such as the inline search feature and download manager. But it's clear that IE 7.0 has basically reached functional equality with Firefox. The only question is whether Microsoft's security add-ons stand the test of time.

I don't think friends should let friends use IE, but IE 7.0 changes the equation. What's your take? Is your business ready for a new browser?
