Microsoft released its long-awaited Internet Explorer 7.0 browser on Oct. 19. The free download allows Windows users to replace IE 6.0, which hasn't had a serious feature update since it first came out in 2002.
IE 6 has been a serious p.r. problem for the Redmond software company, producing a string of warnings -- seemingly every month -- that its code is vulnerable to drive-by downloads and other ills that can be exploited by hacker Web sites.
The good news is that IE 7 resolves many of these security weaknesses, some of which Microsoft never got around to patching in IE 6. The new version of the browser isn't perfect, however, so you still have problems to be aware of.
The Advances in IE 7
IE 7 includes more security enhancements than can be described here. But a short list of the most important changes would have to include the following:
Better zone control. IE 6's "trusted sites zone" gives vast power to Web sites to install programs on visitors' machines and take other actions. As a result, IE 7 by default gives this zone only the same privileges as sites in the "Internet zone." You can easily increase the capabilities of trusted sites, but this requires some knowledge that the average user doesn't have. Another improvement is that the "intranet zone," which also gives elevated privileges to sites, doesn't exist in home versions of Windows. This opens up fewer opportunities for Web sites to pose as "intranet" sites.
ActiveX opt-in. Many troubles with IE 6 over the past few years have involved "active content," usually in the form of ActiveX controls. This Microsoft-invented technology allowed Web sites to install code and do other nasty things on visitors' PCs. IE 7 by default doesn't run such code, protecting novices against attacks from untrustworthy sites.
Phishing filter. Microsoft maintains a large database of sites that appear to be posing as banking sites to capture passwords from gullible recipients of "phishing" e-mails. IE 7 warns the user when the browser is visiting a site in this database. Surprisingly, the phishing filter is not enabled by default. You need to turn it on, which is simple because IE 7 invites you to do this the first time it's opened.
Protected Mode. Available only when IE 7 is running on Windows Vista -- not XP or 2003 -- Protected Mode prevents Web sites from modifying system files or settings. This should provide users with even greater protection against rogue sites.
Several other security improvements reside under the hood of IE 7. For more information, see Microsoft's IE 7 Technology Overview.
The "First Security Hole" in IE 7
Much was made last week about the "first vulnerability" that was supposedly found in IE 7. There is in fact a vulnerability, but it's also one that's present in IE 5 and 6, which Microsoft has never corrected, although it's easy for you to work around it.
Denmark-based security firm Secunia reported on Oct. 19 that malicious Web sites could grab data from other sites that had IE 7 windows open. For example, if you happened to be logged in to your online banking application and concurrently visited a hacker site, the bad site could see information from your banking site.
Microsoft developers poo-pooed the weakness, saying in an Oct. 19 blog post that the problem actually exists in an Outlook Express component, not a part of IE 7.
I've examined this claim and find that IE 7 does have a real problem, regardless of whether the code being exploited is considered a part of Outlook Express. In addition, the SANS Internet Storm Center confirmed on Oct. 20 that IE 7 is vulnerable.
Secunia has posted a harmless browser test page that you can use to test your own copy of IE, and I urge you to do so. The firm also provides a description of the problem in two separate advisories: one for IE 7 and the other for IE 5 and 6.
I tested a workaround recommended by Secunia and found that it works. Use the Tools, Internet Options menu item in IE, select the Security tab, then change the Custom Level. Switch options to run ActiveX content to "Disable," then run Secunia's browser test again. After making this change to my copy of IE, the test no longer found that my browser was vulnerable.
Of course, no version of the Firefox browser has ever been vulnerable to the Secunia test. Until Microsoft closes this and other IE holes for good, Firefox gets my recommendation as the safest browser you can use to surf the Web.
Getting the Benefits of IE 7
Because some Web sites still require the use of Internet Explorer to function properly (or at all), every company should upgrade to IE 7 as soon as your tests indicate that it doesn't conflict with your line-of-business applications. By upgrading, you may be able to avoid some IE 6 problems when users unknowingly visit sites that attempt drive-by downloads or other shady tricks.
Microsoft will start offering IE 7 as a high-priority download as early as Nov. 1. Downloading the new browser is expected to be phased in over a period of several months to reduce the bandwidth demands on Microsoft's servers. If you discover that your company does have an incompatibility, however, you'll want to delay the downloads until you're fully ready.
If that's your situation, Microsoft provides an IE 7 Blocker Toolkit, which prevents the download from being offered to end users in the regular Windows Update process. It's also possible to use software such as Windows Server Update Services to prevent IE 7 from being offered. For more information, see Microsoft's IE 7 Automatic Updates announcement and Blocker Toolkit FAQ.
These tools won't prevent a determined end user from navigating directly to Microsoft's site and downloading IE 7 on his or her own initiative. But they will keep most end users from seeing an offer to upgrade to IE 7 in the first place -- until you give the all-clear.
Even if you rely on Firefox for most of your browsing, upgrading to IE 7 as soon as possible gives you a bit of extra assurance that at least you're not using the world's least secure browser (the one we know as IE 6).
An Executive Tech update
This column stated on Oct. 10, 2006, that Gratis Internet had reached a settlement in 2006 with New York State for selling 7.2 million Americans' e-mail addresses, phone numbers, and home addresses. In fact, a firm named Datran Media reached the settlement and paid a $1.1 million fine for knowingly purchasing the addresses from Gratis, in violation of Gratis's published privacy policy. A corrected version of the column is posted online.