Is IE 7 Really More Secure Than IE 6?
October 24, 2006
By Brian Livingston

Microsoft released its long-awaited Internet Explorer 7.0 browser on Oct. 19. The free download allows Windows users to replace IE 6.0, which hasn't had a serious feature update since it first came out in 2002.

IE 6 has been a serious p.r. problem for the Redmond software company, producing a string of warnings -- seemingly every month -- that its code is vulnerable to drive-by downloads and other ills that can be exploited by hacker Web sites.

The good news is that IE 7 resolves many of these security weaknesses, some of which Microsoft never got around to patching in IE 6. The new version of the browser isn't perfect, however, so you still have problems to be aware of.

The Advances in IE 7

IE 7 includes more security enhancements than can be described here. But a short list of the most important changes would have to include the following:

Better zone control. IE 6's "trusted sites zone" gives vast power to Web sites to install programs on visitors' machines and take other actions. As a result, IE 7 by default gives this zone only the same privileges as sites in the "Internet zone." You can easily increase the capabilities of trusted sites, but this requires some knowledge that the average user doesn't have. Another improvement is that the "intranet zone," which also gives elevated privileges to sites, doesn't exist in home versions of Windows. This opens up fewer opportunities for Web sites to pose as "intranet" sites.

ActiveX opt-in. Many troubles with IE 6 over the past few years have involved "active content," usually in the form of ActiveX controls. This Microsoft-invented technology allowed Web sites to install code and do other nasty things on visitors' PCs. IE 7 by default doesn't run such code, protecting novices against attacks from untrustworthy sites.

Phishing filter. Microsoft maintains a large database of sites that appear to be posing as banking sites to capture passwords from gullible recipients of "phishing" e-mails. IE 7 warns the user when the browser is visiting a site in this database. Surprisingly, the phishing filter is not enabled by default. You need to turn it on, which is simple because IE 7 invites you to do this the first time it's opened.

Protected Mode. Available only when IE 7 is running on Windows Vista -- not XP or 2003 -- Protected Mode prevents Web sites from modifying system files or settings. This should provide users with even greater protection against rogue sites.

Several other security improvements reside under the hood of IE 7. For more information, see Microsoft's IE 7 Technology Overview.

The "First Security Hole" in IE 7

Much was made last week about the "first vulnerability" that was supposedly found in IE 7. There is in fact a vulnerability, but it's also one that's present in IE 5 and 6, which Microsoft has never corrected, although it's easy for you to work around it.

Denmark-based security firm Secunia reported on Oct. 19 that malicious Web sites could grab data from other sites that had IE 7 windows open. For example, if you happened to be logged in to your online banking application and concurrently visited a hacker site, the bad site could see information from your banking site.

Microsoft developers pooh-poohed the weakness, saying in an Oct. 19 blog post that the problem actually exists in an Outlook Express component, not a part of IE 7.

I've examined this claim and find that IE 7 does have a real problem, regardless of whether the code being exploited is considered a part of Outlook Express. In addition, the SANS Internet Storm Center confirmed on Oct. 20 that IE 7 is vulnerable.

Secunia has posted a harmless browser test page that you can use to test your own copy of IE, and I urge you to do so. The firm also provides a description of the problem in two separate advisories: one for IE 7 and the other for IE 5 and 6.

I tested a workaround recommended by Secunia and found that it works. Use the Tools, Internet Options menu item in IE, select the Security tab, then change the Custom Level. Switch options to run ActiveX content to "Disable," then run Secunia's browser test again. After making this change to my copy of IE, the test no longer found that my browser was vulnerable.
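To confirm that the workaround has actually taken effect across a fleet of PCs, the zone settings can be read from the registry instead of clicking through each dialog. The script below is an added example, not part of the original column or Secunia's advisory. It assumes the standard Internet Explorer zone registry layout, that URL actions 1200 and 1405 are the ActiveX options the workaround refers to, and a simplified policy-over-preference precedence. It only reads values and changes nothing.

```powershell
# Added example (not from the column): read-only audit of ActiveX URL actions
# in each Internet Explorer security zone. Nothing is modified.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Actions   = @{ '1200' = 'Run ActiveX controls and plug-ins'
                '1405' = 'Script ActiveX controls marked safe for scripting' }
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

# Simplified precedence (assumption): machine policy, user policy, user preference.
$Roots = [ordered]@{
    'Machine policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User preference' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ActiveXZoneSetting {
    param([int]$Zone, [string]$Action)
    foreach ($source in $Roots.Keys) {
        $key  = Join-Path $Roots[$source] "$Zone"
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.$Action
            $label = if ($Labels.ContainsKey($value)) { $Labels[$value] } else { "Unknown ($value)" }
            return [pscustomobject]@{
                Zone = $ZoneNames[$Zone]; Action = $Actions[$Action]
                Setting = $label; Source = $source; Disabled = ($value -eq 3)
            }
        }
    }
    # No explicit value found: the zone's security-level template decides.
    [pscustomobject]@{
        Zone = $ZoneNames[$Zone]; Action = $Actions[$Action]
        Setting = 'Not set'; Source = 'Zone default'; Disabled = $false
    }
}

# Report every zone so a relaxed Trusted sites or intranet zone is visible too.
$report = foreach ($zone in 0..4) {
    foreach ($action in $Actions.Keys) { Get-ActiveXZoneSetting -Zone $zone -Action $action }
}
$report | Sort-Object Zone, Action | Format-Table -AutoSize
```

A row whose Source is a policy hive means the value is enforced centrally and a user's change in the Custom Level dialog will not stick.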

Of course, no version of the Firefox browser has ever been vulnerable to the Secunia test. Until Microsoft closes this and other IE holes for good, Firefox gets my recommendation as the safest browser you can use to surf the Web.

Getting the Benefits of IE 7

Because some Web sites still require the use of Internet Explorer to function properly (or at all), every company should upgrade to IE 7 as soon as its tests indicate that the browser doesn't conflict with its line-of-business applications. By upgrading, you may be able to avoid some IE 6 problems when users unknowingly visit sites that attempt drive-by downloads or other shady tricks.

Microsoft will start offering IE 7 as a high-priority download as early as Nov. 1. Downloading the new browser is expected to be phased in over a period of several months to reduce the bandwidth demands on Microsoft's servers. If you discover that your company does have an incompatibility, however, you'll want to delay the downloads until you're fully ready.

If that's your situation, Microsoft provides an IE 7 Blocker Toolkit, which prevents the download from being offered to end users in the regular Windows Update process. It's also possible to use software such as Windows Server Update Services to prevent IE 7 from being offered. For more information, see Microsoft's IE 7 Automatic Updates announcement and Blocker Toolkit FAQ.

These tools won't prevent a determined end user from navigating directly to Microsoft's site and downloading IE 7 on his or her own initiative. But they will keep most end users from seeing an offer to upgrade to IE 7 in the first place -- until you give the all-clear.

Even if you rely on Firefox for most of your browsing, upgrading to IE 7 as soon as possible gives you a bit of extra assurance that at least you're not using the world's least secure browser (the one we know as IE 6).

An Executive Tech update

This column stated on Oct. 10, 2006, that Gratis Internet had reached a settlement in 2006 with New York State for selling 7.2 million Americans' e-mail addresses, phone numbers, and home addresses. In fact, a firm named Datran Media reached the settlement and paid a $1.1 million fine for knowingly purchasing the addresses from Gratis, in violation of Gratis's published privacy policy. A corrected version of the column is posted online.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
