
IE7: Are we right back where we started from?

Tags: Web browsers, Microsoft Outlook, Groupware, Michael Mullins CCNA, MCP, Microsoft Internet Explorer 7, vulnerability, security, Web browser, Microsoft Corp., flaw, Security Solutions Newsletter


Takeaway: The long-awaited Internet Explorer 7 debuted last week—and a brand-new flaw promptly debuted a day later. While Redmond argued that the vulnerability actually comes from Outlook Express, it still affects IE7. But Mike Mullins says it doesn't bode well for the browser update, whose security enhancements Microsoft has been touting. Get his take in this edition of Security Solutions.

Last week, Microsoft released the long-awaited Internet Explorer 7, the much-anticipated update to the software giant's perennially security-challenged browser. As part of its strategy for wresting back market share from the popular Firefox browser, Microsoft has emphasized the browser's various security enhancements.

But a mere 24 hours later, the first security flaw had already surfaced—sort of. Secunia Advisory 22477 classified it as an IE7 vulnerability, but Microsoft holds that the problem—a flaw in Outlook Express that can purportedly affect many browsers, not just IE7—has been exaggerated.

And yet, it's not the only snag. Some compatibility problems have also emerged, although some companies have rushed out fixes.

But we've been hearing about IE7 for a long time now, and these almost instantaneous problems are more than frustrating—and they're more than likely not the last to emerge. While we're waiting, let's explore this flaw further and examine how to protect your organization.

When Microsoft initiated the Security Development Lifecycle (SDL) in March 2005, its beta project for IE7 was months away from an anticipated summer release. At the 2005 annual RSA Conference, Bill Gates himself said, "Our primary goal is to improve security and safety for all our customers—consumers and businesses, regardless of size—through a balance of technology innovation, guidance, and industry leadership. . .We're committed to continued innovation that addresses the threats of today and anticipates those that will undoubtedly emerge in the future." I guess nobody at Microsoft had ever heard of Internet Explorer vulnerabilities.

This is a major slap in the face, not to Microsoft, but to its customers and consumers. Since Internet Explorer 4.0 was released with active scripting support (or ActiveX Scripting), there's been a constant and consistent discovery of vulnerabilities—the first one, published by Bugtraq, came in May 1999. Flaws have continued to steadily emerge in the seven years since.

And here we are again: If you're running IE7, you're vulnerable. I'm not going to debate whether this flaw comes from IE7 or Outlook Express, because you're still at risk if you're using IE7. (You can test your browser for this vulnerability on the Secunia Web site.)

Why does this vulnerability put you at risk? If you're browsing through your financial information or reading your e-mail and you open up another tab—a major highlight of IE7—to browse to a potentially malicious site, attackers could view the information you're displaying in the other tabs—how's that for security?

The workaround for this vulnerability is to disable Active Scripting support—a common "fix" for this type of vulnerability. To disable Active Scripting in IE7, follow these steps:

  1. Go to Start | Control Panel, and double-click Internet Options.
  2. On the Security tab, click Custom Level (this will cover all of your Internet browsing).
  3. Scroll to Scripting, select Disable under Active Scripting, and click OK twice.

This process disables the security threat, but it also disables much of the scripted functionality that was supposed to be the main enhancement of your new browser.
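The three Custom Level steps above change a single per-user zone setting, which is fine for one desktop but hard to verify across an organization. As an added example that is not part of Mullins' column, the PowerShell script below audits that setting in each of the five IE security zones and applies the workaround to the Internet zone when it is not already disabled. It relies on Internet Explorer's registry layout rather than on anything in the article: zone settings are assumed to live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, zone 3 is assumed to be the Internet zone, and the DWORD named 1400 is assumed to be the "Active scripting" entry with 0 = Enable, 1 = Prompt, 3 = Disable. A Group Policy copy of the same zone keys under HKLM:\Software\Policies\... is assumed to override the per-user value when present, so the script reports it and refuses to fight it. Note that this entry is Active Scripting (script execution), which is a separate Custom Level item from the ActiveX control settings.

```powershell
# Added example, not code from the original column. Audits the "Active scripting"
# setting (the one the Custom Level steps change) in each IE security zone and
# disables it in the Internet zone if needed.
#
# Assumptions (from IE's registry layout, not from the article):
#   - Per-user zone settings live under HKCU:\...\Internet Settings\Zones\<n>
#   - Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites,
#     3 Internet, 4 Restricted sites
#   - The DWORD named 1400 is Active scripting: 0 = Enable, 1 = Prompt, 3 = Disable
#   - A Group Policy copy under HKLM:\Software\Policies\...\Zones\<n> overrides
#     the per-user value when present; it is reported here but never modified.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$ActiveScripting = '1400'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Returns the human-readable Active scripting state for one zone under one root,
# or $null when the key or value is absent (the zone template default then applies).
function Read-ActiveScripting {
    param([string]$ZoneRoot, [int]$Zone)
    $path = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $path)) { return $null }
    $value = (Get-ItemProperty -Path $path).$ActiveScripting
    if ($null -eq $value) { return $null }
    if ($Meaning.ContainsKey([int]$value)) { return $Meaning[[int]$value] }
    return "Unknown ($value)"
}

# One row per zone: the per-user value and any Group Policy value that overrides it.
function Get-ActiveScriptingReport {
    foreach ($zone in 0..4) {
        [pscustomobject]@{
            Zone   = $zone
            Name   = $ZoneNames[$zone]
            User   = Read-ActiveScripting -ZoneRoot $UserZones   -Zone $zone
            Policy = Read-ActiveScripting -ZoneRoot $PolicyZones -Zone $zone
        }
    }
}

# Equivalent of the GUI steps: Internet zone, Active scripting = Disable (3).
function Disable-InternetZoneActiveScripting {
    $path = Join-Path $UserZones 3
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActiveScripting -Value 3 -Type DWord
}

# Show the current state, then apply the column's workaround to the Internet zone.
Get-ActiveScriptingReport | Format-Table -AutoSize

$internet = Get-ActiveScriptingReport | Where-Object { $_.Zone -eq 3 }
if ($internet.Policy) {
    Write-Host "Internet zone is governed by Group Policy ($($internet.Policy)); leaving the per-user value alone."
} elseif ($internet.User -ne 'Disable') {
    Disable-InternetZoneActiveScripting
    Write-Host "Internet zone Active Scripting set to Disable (was: $($internet.User))."
} else {
    Write-Host 'Internet zone Active Scripting is already disabled.'
}
```

Run it in the user's own session, since the per-user hive is what IE reads; a blank User column means the zone is still on its template default, which for the Internet zone is Enable, so the script treats it as needing the change. Where the Policy column is populated, the fix belongs in Group Policy rather than in the local registry.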

Final thoughts

After years of tough security talk and publicity, Microsoft managed to fall victim to not listening to its own rhetoric or to the customers who use its software. Most of us understand that living in a connected world means that security and functionality will always be inversely proportional. However, when you design and distribute something intended for use on the wild and woolly Internet, you need to deliver a product that focuses first on security and then on functionality.

I have two thoughts for Microsoft: Stop using the world as your beta testers. Discovering a vulnerability less than 24 hours after a new release is no security focus at all.

And to all you security-minded users out there, which browser do you trust to use on the Internet?


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

