Microsoft Windows Exec Talks IE Security

By Nate Mook | Published November 16, 2004, 10:40 AM

Editor's Note: This is part two of a two-part interview. In part one, Schare discusses what changes to expect in Internet Explorer and how Microsoft views the release of Firefox 1.0.

With no major updates to Internet Explorer scheduled until Longhorn arrives in 2006, Microsoft has found itself having to evangelize the current merits of IE while competition heats up from newcomers such as Firefox.

Gary Schare, Director of Windows Product Management at Microsoft, sat down with BetaNews to discuss the future of IE, including the possibility of tabbed browsing, Mozilla's "free ride," and why Microsoft feels it is better equipped to handle security.

BetaNews: Tell us a bit about the changes made to IE in Windows XP Service Pack 2.

Gary Schare: My belief is if you ask 100 people who claim they understand SP2, what's in it, they'll say "A firewall, Security Center and a pop-up blocker." And if you ask them to go any deeper on what else changed in IE to help security, they'll not have much insight into that. So that's one area that is really critical for us, because browser security is so commonly in the news, and has been obviously one of the evils that the Mozilla folks have been teeing off on.

There's really two major areas that we've focused on to improve security in SP2 with IE, and we view it as a major upgrade - it's not just adding a pop-up blocker and getting it out the door. One area is infrastructure changes that the user really doesn't see: changes to how security zones work and the underlying security in between them; changes to the APIs that IE calls within Windows, that are much safer APIs.

In fact the IFRAME issue that made the news recently, that doesn't affect SP2 - that one is actually interesting in that it's not that we patched it in SP2 before we shipped, it's that it doesn't exist because we have entirely new APIs. So, the whole class of vulnerabilities are eliminated by underlying changes. There’s a whole host of infrastructure changes that just make IE a lot better from the security perspective.

The second is more in the user interface, which is on the area of downloading. We've done a number of things - pop-up blocker is one piece of it, download monitoring is another, where we now provide a lot richer, better user interface when a user goes to a Web site and either trying to download something themselves or the site's trying to trick them into downloading something. We've done a number of things there with the information bar and how we deal with signed ActiveX controls. Really just made it a lot harder for the criminals out there to stick spyware and other malware on your computer without the user really agreeing to install something.

At the end of a day, security is a job that is really never done, because threats evolve out there and because software's built by humans, there's always going to be issues to deal with. We will continue to do security updates ongoing for all supported versions of Windows.

BetaNews: Security is obviously an important feature and a major, if not the top, focus of Microsoft right now. Does Microsoft feel it can provide better security and updates than Firefox or alternatives? Is IE a better option when it comes to enterprises rolling out a Web browser across their desktops?

Gary Schare: We absolutely do. When we look at security, we look at it far beyond the individual software product. Security itself is an industry-wide problem, and that's been pretty widely discussed. No one vendor is singled out with security issues. Criminals are out there trying to further their own needs, which these days has developed a lot more into stealing money than it is just messing with people's computers. So they're going to target whoever they can target in order to further their cause. We've banded together with many different areas of the technology industry and beyond to fight this battle, and that's one of the strengths of going with a company like Microsoft that has the resources and the wherewithal to get behind this.

While we have the IE team, that does a lot of work: threat modeling and fixing the actual security vulnerabilities that crop up, figuring out better features to make the products more secure. We have the Microsoft Security Response Center that's on point to deal with any threat that comes up and do the initial analysis of it, band together with ISPs and antivirus vendors and others to shut down networks and get virus signatures out when needed. They work directly with law enforcement to take down servers that are delivering malicious code, go after the writers of the worms and viruses and the exploits, go after the people doing spam and doing phishing scams. It's a multi-dimensional attack against this and Microsoft is applying a lot of resources.

Frankly a lot of work we do will probably help the Mozilla guys too, but it's not clear they're going to be able to drive this kind of an effort on behalf of their products. Nor is it clear how they are going to respond to threats that come up once they do have an actual installed base of customers using their product. You can't just put a patch out overnight and say you’re done. You have to actually test hundreds of thousands of scenarios and put a process in place before you release these things.

BN: Is a lack of updates and innovations on a feature level hurting IE? Considering we won't see major changes until Longhorn, is that hindering IE's ability to compete or to perform?

GS: Not really, because we have this great advantage of this ecosystem of software developers that adds value to the platform. People who are the early adopter types who are going to be interested in a bunch of new features like tabbed browsing, advanced management of favorites, search toolbars that are integrated in and so forth, they can choose from those things today.

I've been on record this week, that I use the Maxthon browser as my everyday browser. It is built on the IE platform so it's IE compatible. It uses the IE favorites, the IE cache; it uses all the IE security infrastructure and gives me tabs and a couple of other features on their own menu. So there's quite a bit of innovation out there today.

BN: How does Microsoft feel about third party browsers such as Maxthon and Avant Browser, which integrate much-demanded features with an IE engine underneath? Does Microsoft feel this is pulling users away from IE, or adding more of an IE user base? Isn't there a risk by pushing third-party browsers and making users more comfortable with a non-IE interface?

GS: There you're only looking at one dimension, which is the dimension of features. You're saying, "If I can get tabs in Maxthon, well I can go get tabs in Firefox, therefore I am going to switch." But that does away with all of the security stuff that we've just talked about, all those processes, the maturity of IE itself and the IE rendering engine, the compatibility with Internet sites, the compatibility with corporate applications - many of which use custom ActiveX controls that wouldn't run in Firefox in the first place.

Within the enterprise you're probably not going to see enterprises shift over to a tabbed browser on behalf of their users. Individual end users might decide "Hey, I like this feature and I'm going to go for it." But on balance, I don't think you're going to see the mainstream end user jump to tabs or jump to any other more advanced feature in the browser. For those users the browser is the Web site that they visit.

BN: Do users even care about the underlying technology, the IE engine for example, or is the interface and features more important?

GS: I think they should be aware of those things, because they're making a larger decision than just this feature or that feature. They are making a complete platform change, which has long term implications, so we do think they should think about those things and we hope we can make them aware of them.

BN: I thank you very much for talking with us, Gary.

GS: This is a great discussion and I would be happy to circle back again if you have further questions, want to dig deeper in any areas, and of course as things change on our end and evolve we'll be in touch with you to keep you up to speed on what we're up to.

Read part one of this interview.

Comments

I have no problems switching software when something "better" comes along. In fact, I tend to leave options open whenever possible. (For example, I use Open Office no less than Microsoft Office.) Given that, I have been trying Firefox on and off for over a year now. I tried it exclusively for the two full months of mid-June to mid-August. For better or worse, I have always returned to I.E., but more recently as Maxthon.

Firefox is well-hyped by many who hate Microsoft. Believe me, I don't like the company one teeny bit myself, but I place that aside when I seek productivity. Firefox had me running around putting out [broken browser] fires more than I was actually working. I will admit the final release is quite good, but it still lacks a certain "maturity" seen in I.E. After giving it much thought, I think that is best described as a lack of "usability" or a polished user interface in Firefox. Clearly, there are no specific resources and formalized procedures to evaluate and improve Firefox in that manner. Microsoft's I.E., even with its flaws, clearly shows someone spent a great deal of effort thinking about the end user's direct interaction with the browser.

On the other hand, Firefox is [still] more a techie product requiring frequent "under the hood" fixes with a weird preference set called "about:config" which is hidden to users. (And then there are the plug-ins which even Firefox users have admitted to creating many problems I've seen in Firefox.) Seventy-five percent of the changes I needed to make to Firefox to fit my browsing habits (and not specific to I.E.) required accessing "about:config" and its arcane structure and wording. Why would a browser hide so many essential preferences from users? Duh.

And before someone says something, I will go on record saying I have *never* had a security problem with I.E. Why not? I do not stop thinking when I sit down at my computer. I keep the browser patched. I exercise common sense. I don't just click any box that comes up. But even that said, I guess one day Microsoft will indeed need to protect users more from themselves than anyone else.

And one final vote again for--Maxthon! It's I.E. as it should have been built/upgraded by Microsoft. If Bill Gates is truly smart, he will hire the single guy that develops Maxthon to continue working on I.E. or developing their next generation of browser. Seriously Microsoft, give the developer [a.k.a. Bloodchen] of Maxthon a very high-paying position. He deserves it already, for covering your behind over the last year or so.

Score: 0

As a Reseller, I'm very close to the end-user and I know what they are doing with their browser ... clicking everywhere, in any box without reading the content ... this way, they get quickly an infected computer (spyware/virus).
I'm dealing daily with infected computers. It's clear that computers with Firefox/Thunderbird and immunized with tools like Spybot (I sell my computers configured like that) remain secure for a longer period than 'normal' computers.

Score: 0

Quote:

...all those processes, the maturity of IE itself and the IE rendering engine, the compatibility with Internet sites...

What a load of old b***ocks (self-censored btw). I have been doing html coding and testing it with Mozilla and IE and I deliberately have to break the w3.org rules (or find a way around the problem) so that the page displays correctly in IE. Many programmers do this not even knowing the W3 standards, IE just breaks a lot of html requirements.

McDragon
Ljubljana, Slovenia

Score: 0

The HTML spec is just a recommendation, not a standard. You don't see ISO or ECMA ratifying HTML spec anywhere, do you?

Score: 0

Two New IE Vulnerabilities Surface
http://www.betanews.com/...urface/1100732470#51409

Score: 0

It would seem Microsoft has a lot of people doing other things than developing IE; tracking people posing as security risk. Perhaps if people didn't hack IE so much, Microsoft could spend more time and money developing it. Just a thought.

Score: 0

Microsoft is the biggest target, that is why they have the most holes discovered, at least they try to fix them. I would bet that as soon as firefox gets more users, more holes will be exploited. Also, I've tried using firefox about 10 different times because of all the hype, but I still fail to see what is better about it. Its page rendering is one of the slowest and least accurate, all of the features people keep saying Microsoft should include require plugins anyway, and it's a very obvious rip-off of everything that has been out for the IE crowd for several years. It brings no new features, other than letting the anti-Microsoft nuts feel better about themselves.

Score: 0

I'd like to see IE and Firefox trade their status for a day. Who would fix the bugs in Firefox being exploited? Thousands of developers? Or would Firefox @ 90% usage become exploited by all with no one to fix it? At least MS has someone to do the dirty work.

Score: 0

"We've ... just made it a lot harder for the criminals out there to stick spyware and other malware on your computer without the user really agreeing to install something."

And you think that's acceptable? It's quite *tricky* to install software without the user's knowledge or approval and that's all right because at least it isn't as easy as it used to be? What a joke!

Score: 0

The IE user is a blind fool. Years ago, it was M$ that did the blinding. Now it's the user him/herself that purposely ignores the signs that a switch is in order.
Firefox had a security patch put out already. A bug was found, and less than two days later, the patch was ready for download. But IE users ignore the incredible reaction time. I spoke with one woman who believed they knew about it before and released the patch a month after it was found. Fortunately, in an open development community, we have access to build notes and the builds themselves. But this woman shook her head, upset that I could explain the situation while all she had to voice was her imagination.

A rational person accepts a better product when it comes along. Nobody should be ashamed to switch to FireFox. If I had evangelized IE and saw that FireFox was indeed better, which I'll explain below, then only my pride keeps me from admitting it. Not the facts. The argument that "I know IE and I don't wanna switch" is false. That phrase is used by a person who doesn't wish to change.

If a major bug was found in FireFox (possible), and it wasn't possible to fix for months, I would switch. I'm not an extremist. Extremists commit cyber-suicide by sticking with dying platforms and old kernels.

Now. FireFox is better than IE and better than Mozilla and Netscape in many ways.

1. It is secure! You cannot argue that. Gary himself said that security is fleeting and changes constantly. So secure is in the moment. And currently FireFox is secure. To measure and platform security track record is smart and if done will show that for longer than any other, IE has been the secure choice. But as Gary stated, security changes, and to stay secure, we should look at current security risks. IE has lately suffered more security threats than any browser ever in history. And that's only lately. "Sure cuz its been around a long time!" If so, then these problems have been too, and we'll continue to find these old problems surface. FireFox if only for a year, will be the safest browser. Hackers/crackers are geared to hit IE and will continue for as long as the target is larger.

2. Tabbed browsing is fast and leaves a smaller footprint in the system resources, though most people don't know. Rendering is dependent on the system so don't believe what someone else says about their machine.

3. Extensions. IE has many toolbars, over 73% use reporting technologies to "spy" on you. It is a proven statistic that the majority of IE add-ons are spyware adware.

Firefox currently does not have any spyware developers, lol.

Weigh the pros and cons and do what you want...

Score: 0
