Has Microsoft Gotten Security Religion?

by Preston Gralla

Maybe, just maybe, Microsoft has gotten religion when it comes to spyware and how vulnerable Internet Explorer is to attack. But I worry that the company has only half-way measures planned, and won't take a few major steps it needs to take to lock down the browser.

Bill Gates, at a keynote speech at the RSA security conference, said that Internet Explorer will finally get a new version, Version 7, well before Longhorn is expected to hit. Beta is due mid-year. And that new version, he claims, will include features to fight spyware, phishing attacks, and malware.

In essence, Gates was forced into this. Firefox is a far superior, far safer browser, and it's been eating away at Internet Explorer market share.

At the show, Gates was short on details, so we don't really know how IE will protect against these threats. But no matter how safe Microsoft makes IE, I worry that there are several things that it won't do, but should. It should do away with ActiveX controls altogether; it's simply too dangerous a technology and should be abandoned. That would increase safety significantly.

Even more, it should no longer tie IE directly into the operating system. Having the two so closely tied together means that an attack on IE is an attack on your whole computer, not just your browser. There's no technical reason IE can't be untethered from Windows; after all, Firefox and other browsers aren't directly tied in.

I don't expect this to happen, though. But I do hope that Microsoft will use the revamp of IE to finally give it tabbed browsing, which the company inexplicably has so far refused to do.

In other news from the conference, Gates said Microsoft won't charge for its consumer antispyware product, which is still in beta. A new version of it, he said, will be out by mid-year. This is very welcome news, because despite some flaws, it's a very good and useful piece of software.

The good news in all this is that Microsoft is finally committed to fighting spyware and other malware, and has changed its product plans accordingly. But I worry that it will only take half-way measures.

What do you think about the Microsoft security announcement? Let me know.


2005-02-16 15:30:40
[Microsoft] should no longer tie IE directly into the operating system

+1, and I might add from +3 years ago as well.

2005-02-22 05:16:31
IE, its evolution and the OS link

IE was created and evolved when the web was a much safer and more exclusive place. That world no longer exists. They need to scrap IE as it exists and start from scratch. IE when running should be isolated from the OS and controlled just like any other piece of managed code running in the .NET framework.