In the wake of last week's Internet Explorer security bug marathon, Microsoft is considering changing the Authenticode security scheme to allow administrators to decide which ActiveX controls are downloaded. This would replace the current "all or nothing" approach, which requires users to choose between three security settings with no option to filter the actual controls that are installed.
The Internet Explorer security bugs were so bad they delayed the release of the new version of the browser, 4.0, which was due today. Microsoft has announced a two-week delay so that bug fixes can be checked on the new release. Interestingly, many of the security problems in Internet Explorer are closely tied to the lack of security in Windows 95. Microsoft has examined the feasibility of tightening security in Windows 95 before but has called that impractical due to its legacy architecture. Windows NT, for example, is far more secure and less susceptible to problems caused by Internet Explorer and ActiveX controls
