Skip navigation

Is Internet Explorer Finally Safe?

It's gut-check time. Tonight, I'm going to give a talk about Internet Explorer (IE) 7 to a local user group, and I'm not sure how to handle this. I've almost made a career out of complaining about the many problems IE has caused over the past decade. But with IE 7, it seems, Microsoft finally got it right.

If you're having trouble with that assessment, you can now test IE 7 for yourself: Microsoft shipped the Beta 2 version of the product recently, and it's pretty solid. So solid, in fact, that the company is supporting Beta 2 with free phone support. It will also support upgrading systems from IE 7 Beta 2 to the final version, which is due late this year.

Support issues aside, IE 7 Beta 2 is interesting on a number of levels. In my mind, there have always been two major issues with IE: Functionality and security. With IE 7, Microsoft mostly addresses both of these quite nicely. It picks up the tabbed browsing, and integrated search functionality that other browsers have offered for years, and adds unique new features like a Quick Tabs view that visually lays out the open browser windows in a graphical grid, and new printing functionality that is surprisingly first-rate. (Anyone who has tried to print from IE can tell you what a miserable experience that is.)

IE 7 also picks up a new, Vista-inspired, user interface, which doesn't work tremendously well in non-Vista operating systems like XP and Windows 2003. Unlike the simple clarity of the Mozilla Firefox toolbar, where the Back, Forward, Refresh, Stop, and Home buttons are all laid out logically to the left of the Address Bar, Microsoft chose to scatter these often-used buttons to the wind. Back and Forward are in the customary spot, but Refresh and Stop are incongruously to the right of the Address Bar. The Home button, which has to be frequently used, is even more poorly positioned in the second row of UI controls, in an area called the Command Bar. So much for simplicity.

With regards to security, Microsoft finally seems to have solved most of IE's ills, though I should note that the approach here is similar to that of User Account Protection (UAP) in Windows Vista: Security as an afterthought. After years of letting IE compromise system after system, I'm happy to see it finally brought under control. But the features seem tacked on an otherwise insecure product. I hope it all holds up under the scrutiny of the many hackers who will continue targeting IE.

Here's what I mean. IE's use as an attack vector has generally centered around its support for ActiveX, the insecure helper application technology that Microsoft derived from COM back in the mid-1990s. Firefox is more secure than IE for exactly two reasons: One, it's less-frequently used (and thus less likely to be attacked). Two, Firefox doesn't support ActiveX. In the version of IE 6.0 that shipped with Windows XP Service Pack 2 (SP2), Microsoft added a few valuable features to IE: Pop-up ad blocking, a way to prevent so-called drive-by software downloads, and the Manage Add-ons interface, which helps users disable ActiveX controls and other browser plug-ins. Not surprisingly, two of those three features are aimed directly at ActiveX abuse.

In IE 7, there's a lot more. A feature called ActiveX Opt-In automatically disables any ActiveX controls that the user has not explicitly enabled for use on the Web. Thus, it helps protect your system even against controls that were already on the hard drive when IE 7 was installed. IE 7 also includes protections against cross-domain scripting attacks, phishing sites (though, sadly, that feature is optional), and the Manage Add-ons interface has been updated to allow for uninstalling certain ActiveX controls. This all seems like a worthy if dubious attempt at righting the wrongs of the past.

IE 7 will be more secure on Windows Vista. There, a unique feature called IE Protected Mode ensures that IE 7 always runs in lower security privileges than even a standard user account, regardless of the privileges of the user. Thus, while it's possible for the user to manually change IE settings via the application's user interface, it's not possible for these changes to be made programmatically or via a Web download.

From an administrative standpoint, IE 7 is more configurable than ever before. All of its new features--including the valuable phishing filter--are fully managed via Group Policy, and customization can occur, as before, via an IE Administration Kit (IEAK).

In the last few weeks of using IE 7, I've run into a number of compatibility issues, which is reason enough for you to begin evaluating the product with your own Web applications. I've also missed a few features I take for granted in Firefox, such as the inline search feature. But it's pretty clear that IE 7 has basically reached functional equality with Firefox. The only question is whether Microsoft's security add-ons stand the test of time.

I don't think friends should let friends use IE, but IE 7 changes the equation. What's your take? Is your business ready for a new browser?

This article originally appeared in the May 9, 2006 issue of Windows IT Pro UPDATE.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.