Microsoft Puts IE Enhancements on Fast Track

By Peter Galli  |  Posted 2005-05-02 Print this article Print

Microsoft isn't waiting for Longhorn to ship before boosting security in Internet Explorer.

"Longhorn" wont make its first appearance until the end of next year at the earliest, but with enterprises demanding better security tools, Microsoft Corp. is not waiting for the next version of Windows to ship before it makes changes to improve the security of some key components such as Internet Explorer, which will see a significant security upgrade in its next release.

"We made the decision that the things we were doing wouldnt just be in Longhorn and that we needed to get them into the hands of the current installed base as well. IE 7 is down-level to [Windows] XP, even though somewhat of a superset of it is the browser in Longhorn," said Microsoft Chairman and Chief Software Architect Bill Gates in an interview at WinHEC here last week.

In Longhorn, IE will run in its own protected space, thus isolating it from other parts of the operating system.
But even before Longhorn hits, Microsoft is adding several security enhancements to IE 7.0, which is due in beta this summer. The newest version of the browser will have technology to prevent cross-domain scripting, and the default mode will be one with a reduced privilege level to help prevent attackers from using IE as a stepping-off point for other attacks.

Version 7.0 may also include integration with Microsofts nascent anti-spyware technology, which is in beta.

Bill Gates at the RSA Conference previewed the next version of Internet Explorer. Click here to read more. Administrators said that the plan to isolate IE from the rest of Windows makes good security sense but that it is also ironic.

"Years ago, during the browser wars with Netscape [Communications Corp.], one argument being made to the [Department of Justice] was that IE was coupled to the operating system, integrated with the operating system, so it couldnt function as a stand-alone application," said David Robert, a systems manager for a global consulting and engineering company in Cambridge, Mass.

That meant IE was integrated with the operating system, and if something compromised IE, it had easy access and hooks into Windows. "But, if you consider that IE is probably one of the most-used products and has the most access to untrusted systems on the Internet, it kind of makes some sense to almost have IE behave like a bastion host," Robert said.

Matthew Patton, a network security engineer in Arlington, Va., said he does not believe Microsofts moves will be very effective. "Cross-domain scripting, for example, is a problem local to IE, and isolating IE from the operating system doesnt change anything in that regard," Patton said.

While the company works out the security kinks in IE, Microsoft has finally started to travel the long road that will end in the public release of Longhorn next year on the client side and in 2007 on the server side.

The Redmond, Wash., software maker is entering the third decade of Windows computing, which really became pervasive in its second decade with the release of Windows 95. Gates said he believes the advances that 64-bit computing and Longhorn will bring will be key early features and drivers of this decade, but he said the companys Trustworthy Computing effort "will be the biggest category for as long as I can see out in the future—lets say for the rest of this decade."

"We have moved from where people were asking if we really cared enough two years ago to now being viewed as a key security partner," he said. "That doesnt mean weve solved everything. Theres still more to be done, and its still our top issue, and a decade from now, making sure these things still dont stand in our way will probably still belong at the top of the list."

Network security engineer Patton does not agree with that characterization. "Windows has been Swiss cheese from Day One," he said. "Microsoft is finally starting to turn things around, and I dont mean to trivialize that, but its appalling that it took them a decade to get the message and only after the likes of the Department of Justice started putting their boot to Gates neck."

Virtualization is another key technology for Microsoft, and the company will be building that support into Windows, making sure the emulation is "very, very efficient," Gates said. "[Virtual machines are] coming up in a number of scenarios—whether its backward compatibility, load balancing, certain security things—and we are putting a huge investment into it."

Microsoft must be careful that the VM does not become a security weakness through which an attacker could insert a VM under the operating system, negating Windows security protections, Gates said. "So the operating system will have to become enabled to be able to look down and have whats called a chain of trust where it looks if it is a trustworthy [VM] running on trustworthy hardware. So Windows has to see whats underneath it," he said.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.
Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scot McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel