Attacks, Flaw Reports Mar IE 7 Release
Microsoft released a major update of its Internet Explorer Web browser this week, but the red-letter occasion was stained by reports of anti-virus miscues, phishing attacks and what turned out to be untrue reports that the new product contains previously documented security flaws.
First came a run of junk e-mail claiming to be from Microsoft that tried to get recipients to click on a link and download the latest version of IE (the link, as you may have already guessed, installs a Trojan horse program that opens a back door for hackers on infected PCs).
Then came reports of a vulnerability in IE 7 that was somehow carried over from the older IE 5.5 version. Vulnerability watcher Secunia said it developed a proof-of-concept attack using the bug that could allow a maliciously crafted Web site to steal any data a user may enter at a separate Web site.
Not exactly, Microsoft responded. In a post to its Security Response Blog Thursday evening, Microsoft said the problem is related to a component of Outlook Express, the default e-mail client installed on Windows PCs.
"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express," the company said.
Microsoft urged users to temporarily disable anti-virus and anti-spyware software before installing the program, noting that IE 7 makes a large number of changes to the Windows registry, which is the table of contents on Windows that determines which programs should be loaded when Windows or certain user accounts are started up. Some security software will block those changes.
Finally, some of the top tech blogs have been less than impressed with IE 7, according to a round-up at USA Today. Computerworld also has a decent compilation of IE 7 coverage. I have traditionally been hard on Microsoft with respect to security in IE, and I don't think undeservedly so, either. I'm afraid it's going to take some time for Microsoft to win back some credibility on browser security (and plain old functionality) in the tech community.
For my part, I was asked several times in today's Security Fix Live Web chat what I thought about IE 7. In retrospect, my response the final time I answered was probably below-the-belt, but it gets to the point I was just trying to make about trust.
A reader asked: "Why should I bother upgrading to IE 7 since Firefox is a superior browser? IE6 works fine for the limited amount of usage I need."
My response: "Would you leave a loaded gun sitting on the table in a house with toddlers? Hopefully not. Okay, that's a little harsh, but think of it this way: lots of things on Windows use IE's built-in rendering engine, and if you have a more secure version of the browser available, why not switch to it? This advice is especially aimed at households where more than one person uses the PC."
Final note: If you want to install IE 7, keep in mind that it requires you to validate your copy of Windows.