How I’ll Judge IE7 Security

As an engineer, I’m proud of the protections we delivered by finishing IE7, but I want to set your expectations: we didn’t reach perfection, and we never will. There have been a few posts on ways to steal data or spoof URLs in IE7, but they don’t detract from a very simple truth: IE7 will be more secure than IE6 was, and frankly, comparisons to other browsers are still too early to be objective.

I want to talk about the “big picture” of how I will judge the progress we made in IE7 and how I think it could play out over the next months and years.

IE7 will be more secure against attacks because it has a smaller attack surface than IE6 and because the remaining attack surface was extensively re-engineered to be more secure. When you look at HD Moore’s Month of Browser Bugs, he found a significant number of crashing bugs in IE6 by attacking extensions like ActiveX controls. IE7 reduces the attack surface by disabling, by default, most of the ActiveX controls already installed on the system, so none of those crashes worked against IE7 in its default configuration (a control the user has explicitly allowed to run is back on the attack surface). Every day of that month counts as an example of how IE7 is more secure than IE6 was, and we continue to see bugs that affect IE6 but don’t affect IE7.

Reducing attack surface is always a good security strategy, but the security research community will double down on our remaining attack surface and on non-default configurations. That means there will be security bugs, and we will build fixes for them. MSXML is an ActiveX control that is installed and used by many applications, and as you saw earlier today, we just released a security update for versions 4 and 6 of that control. This update doesn’t apply to Windows Vista or Windows XP by default, because the vulnerable versions of MSXML were never installed with Windows or IE; they arrive with other applications. So if you don’t have them installed, you’re not exposed to the attack. If you’re not sure, don’t worry: Windows Update will install the correct update for you if it’s needed.

There’s also a redirect bug in MHTML, the Outlook Express protocol handler for HTML files formatted for email. In this case, an attacker can redirect a URL through MHTML to try to steal your data from another site. The MHTML protocol handler is built by Microsoft, but since it’s not part of the IE product we wouldn’t just include the updated version in IE7, any more than IE7 would install a patch for Windows Media Player.

While we’re waiting for the fix to the MHTML bug, I should point out that it isn’t likely to affect many real customers. For an attacker to steal your data with this bug, they have to know almost exactly how you access your data. For example, you are probably safe from this bug if the attacker doesn’t know which sites you use for banking. If you aren’t actually logged into your banking site when the attack hits, you won’t be an interesting target at all (keep in mind that “logged in” includes any site that keeps you signed in with a persistent cookie, so signing out of sensitive sites when you’re done narrows the window). And if other users report these sites to the Phishing Filter, IE will navigate you away from the confirmed phishing site, further reducing the chances that you’ll lose something interesting.

You may also have heard about the address bar spoofing bug. The bug works because the address bar now gets focus when you open a new tab or window to about:blank and, by default, the selection is scrolled all the way to the end of the URL, so for a long URL only its tail is visible. Putting the focus in the address bar was intended to make it easy for you to start typing the address of a site you want to visit.

In the spoof scenario, as soon as you click inside the page, the address bar scrolls back to the left, jarringly, and shows the real address of the page. That means this spoof requires that the user have their guard down. I spoke with the team about this bug and they are upset that it got through the process, but it also highlights how much every browser still depends on users inspecting URLs that could be misleading or convoluted. We’re looking into the right fix, but I think the change to show the address bar for all windows in IE7 is still a step forward in security from IE6. We’re also investigating new ways to make it easy for users to identify sites, such as the EV certificates that Kelvin posted about last week. In the meantime, phishers will still be up against our Phishing Filter. The Phishing Filter team reports they had navigated customers away from over 1.2 million phishing sites as of 11/3.
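The spoof above works because the visible end of a long URL can be made to look like a site name, while the real host sits out of view on the left. The following is an added example, not code from this post or from IE, showing in JavaScript (run under Node) both what a bar scrolled to its end displays and the mitigation Stefan Wenig proposes in the comments: parse the URL and highlight its registrable domain. The public-suffix list here is a constructed fragment and the spoof URL is made up; a real implementation needs the full, maintained suffix list, which is exactly the ccTLD caveat raised in the comments (names under .uk register at the third level, so the highlight must be `bank.co.uk`, not `co.uk`). The userinfo case (`http://www.bank.example@attacker.example/`) is included as a generalization the post does not discuss.

```javascript
// Added example (not from the original post and not IE code): why an
// address bar scrolled to the end of a long URL misleads, and how
// highlighting the registrable domain exposes the real host.

// Constructed fragment of a public-suffix list, enough for the demo.
// Assumption: a real implementation ships the full, maintained list,
// because ccTLDs such as .uk register names at the third level (co.uk).
const PUBLIC_SUFFIXES = new Set([
  'com', 'net', 'org', 'example', 'uk', 'co.uk', 'org.uk', 'au', 'com.au',
]);

// What a user sees when the address bar shows only the last `width`
// characters of the URL (the scrolled-to-the-end behaviour described above).
function visibleTail(url, width) {
  return url.length <= width ? url : url.slice(url.length - width);
}

// Registrable domain (public suffix plus one label) of a host, matching the
// longest known suffix first. Falls back to the whole host if nothing matches.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join('.'))) {
      return labels.slice(i).join('.');
    }
  }
  return host.toLowerCase();
}

// Splits a URL into the parts an address bar would colour differently.
// userinfo and port are the "extensions" a spoof can hide a site name in,
// e.g. http://www.bank.example@attacker.example/ (hostname is attacker.example).
function annotate(urlString) {
  const u = new URL(urlString); // WHATWG parser, built into Node and browsers
  const host = u.hostname;
  const domain = registrableDomain(host);
  return {
    scheme: u.protocol,                                     // e.g. "http:"
    userinfo: u.username + (u.password ? ':' + u.password : ''),
    subdomains: host.slice(0, host.length - domain.length), // "www." or ""
    domain,
    port: u.port,
    rest: u.pathname + u.search + u.hash,
  };
}

// Text rendering of the highlight: the registrable domain is wrapped in
// ** so a console shows what bold or colour would show in a real UI.
function render(parts) {
  const auth = parts.userinfo ? parts.userinfo + '@' : '';
  const port = parts.port ? ':' + parts.port : '';
  return `${parts.scheme}//${auth}${parts.subdomains}**${parts.domain}**${port}${parts.rest}`;
}

// Constructed spoof URL: the real host is attacker.example, but a long path
// pushes a convincing-looking tail into the visible part of the bar.
const SPOOF = 'http://attacker.example/' + 'x'.repeat(60) + '/?to=http://www.bank.example/login';

console.log('bar scrolled to end  :', visibleTail(SPOOF, 29));
console.log('with domain highlight:', render(annotate(SPOOF)));
console.log('userinfo trick       :', render(annotate('http://www.bank.example@attacker.example:8080/')));
console.log('ccTLD case           :', render(annotate('https://www.bank.co.uk/')));
```

The first line printed is `http://www.bank.example/login`, which is all a bar scrolled to the end would show; the second puts `**attacker.example**` at the front, where no amount of path or query padding can move it. The WHATWG `URL` class also returns internationalized hostnames in their punycode (`xn--`) form, so the highlighted label cannot hide behind look-alike Unicode characters, one of the IDN mitigations the comments allude to.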

I know that expectations are high for this release, and I think we should keep them high, but it’s still software, so we have to be prepared for some bugs and the related fixes. George Ou wrote a post about how these flaws in the latest generation of browsers fit in the context of the previous versions. I feel good that customers running IE7 have protections against threats like the Direct Animation or VML attacks that came out in September and that the Phishing Filter is catching crooks in the act. I think that many serious security and IT professionals will embrace the benefits of IE7, recognize the comparative benefits, and understand that the software industry does have to practice constant, continuing improvement as the state of security research advances.

Rob Franco
Lead Program Manager

Comments (20)

  1. hselburn says:

    Just curious, if the bug is present in Outlook Express, how about in Outlook 2003? I use Outlook Express for a newsgroup reader, but I use Outlook 2003 for email. Also, any idea on when the MHTML fix will be ready? I’m hoping it will before the next patch tuesday in December.

  2. Stefan Wenig says:

    Don’t you think it would really help to highlight the domain name portion of the URL (bold, color, etc)? this could easily prevent spoofs such as or etc.

    In this case, it would be helpful if IE knew what portions of country-specific TLDs are individually registered. -> ->

    Highlighting, colour coding and other special formatting are also a way to mitigate IDN spoofing. Just look at the example on top of page 5 of this paper:

  3. whisky says:

    Well, it’s true, my English ain’t that good, however I noticed a contradiction in terms: "…we delivered by ***finishing*** IE7…" and the rest of the article talking about bugs (plus another article about updates:

    Funny, isn’t it ? Or prolly that’s the MS way: deliver the software and patch it ’till you release another version.

    Anyway, keep up the good work, I have to say I was quite impressed by the difference between IE6 and IE7.

  4. goose says:

    "IE7 will be more secure than IE6 was…"

    You guys are AMAZING.

    At first I thought: "how on earth can you improve a perfect browser?" but I realised that you can really do anything if you keep security at the forefront like Microsoft has for years and years; a genuine commitment to keep the bad guys out.

    My hat’s off to you software mavens!

  5. behe says:

    I’d just like to say that one philosophy of open-source and free software applies even to closed-source software (especially IE7):

    With enough eyeballs, all bugs are shallow.

    Keep that in mind.

  6. Jeff says:

    "Funny, isn’t it ? Or prolly that’s the MS way: deliver the software and patch it ’till you release another version"

    Show me a software company or open source project that -doesn’t- release software and then follow up with patches until the next version.

    Not a contradiction, nor funny.

  7. Jeff says:

    Behe: true, but "with enough eyeballs, plenty of people will figure out how to bypass security" also holds.

  8. TMaster says:

    Thank you for IE7, I think it’s great. Can’t wait for subsequent upgrades either (better on-page search functionality anyone?)

    About the issue with the address bar: isn’t it possible to select all of the address, but having the caret in FRONT of the URL instead of after it? I could’ve sworn I’ve seen *some* application do that a little while ago. Sounds like the perfect solution to me?

  9. Rob Franco says:

    @Stefan Wenig, I like your suggestion to bold the domain name. We’re looking at ideas like this for the next release.

    @TMaster, yes, if the user selects the URL they can double-check the domain. There’s definitely room for improvement here along the lines of Stefan’s suggestion.

    @everyone, thank you for your positive support!

  10. pinto says:

    @Jeff, enough eyeballs leads to bypassing security? So that’s why Linux, BSD, Apache and Firefox get hacked way more than Windows, Outlook, IE and IIS, right?

    The popularity argument doesn’t work: Apache is more popular and less vulnerable than IIS. Linux and Unix are more popular as internet-facing servers.

    Maybe careful inspection and quick response from legions of talented coders actually does help?  Maybe?

  11. Dave L. says:

    Downloaded the update today and first had to turn the phishing off because it was so slow, and even with it off my computer is acting strangely. VPN login is slowslowslow. Everything seems slower. Even my computer start up. So far I judge this to be just about even with most viruses.

  12. DeKaleAas says:

    I’ve hacked Ie7 some time ago. It was easy.. I made a document with javascript and C# and just wrote:

    [crack][b]do it[/b][/v][/dev]

    you need to do more to stop this worlds best hacker!

  13. whiskey says:

    If it’s finished, there’s no need for a patch. That was the contradiction: between ‘finished’ and bugs. If it’s patched every I_don’t_know_what_amount_of_time, it’s not a finished version.

  14. Name says:

    there are more security holes in IE7 than the ones you mentioned!

  15. Mark Stevens says:

    As a lay person and mere user of the new IE7, want to know how I’ll judge the security? How flipping annoying to have it continually blocking ActiveX controls – and from Microsoft’s own sites too (Hotmail and the chief culprits). I have uninstalled it for this and other aesthetic reasons (it looks crap). Technically perfect I am sure, but as usual not user-friendly. A helpful tip – let the users design it, not the software boffins.

  16. TMaster says:

    @ Rob Franco

    I was actually talking about doing this automatically: selecting all of the URL, but having the caret in front of it the moment the URL is automatically selected, thus showing the beginning of the URL, and not just the end of it. Then you should be able to see what the real server is – and therefore no longer be vulnerable to this spoofing (and/or phishing, potentially) attack.

    I think this would be the best solution, still.

  17. @Name, you’re definitely right that there are more issues that will freeze or crash IE than what I talked about in my post. We find that some crashes are dangerous and could lead to attacks, while others are annoying but not dangerous, and attackers don’t have much motivation to use them against a user. Thanks for sending in this site; as always, keep them coming to

  18. @TMaster, your suggestion is in sync with the type of fixes we might implement, stay tuned.

  19. Jeremy says:

    Upon installing the beta version of IE7 I found that it reset my start page to the Microsoft site – I consider this arrogant and a lack of respect for people being able to control their own computer. It kind of left a bad taste in my mouth, as one of the types of viruses and malware we are constantly warned against are start page hijackers – how is this different?

    The speed issue as stated above is a problem – I ended up having to disable the Phishing Filter entirely to have a normally operating computer. This is on Win XP Pro x64 edition. Truthfully I wasn’t very impressed with the current state of the release, and if the current final does the same thing I will convert to another browser rather than waste the time fixing the product again.

    Jerry Price

    I’m also curious to see if you publish negative posts concerning real issues or if the request for opinions was simply a marketing ploy.

  20. http says:

    @Jeremy / Jerry Price: start page: this is annoying, but it will disappear the second time you open IE, even if you don’t change it.

    @Rob Franco + Stefan Wenig: Highlighting (bold or color) the domain name (without any extensions like password, ports, 5th-level sub domain, etc.) would be an excellent idea that I would like to have too. The only disadvantage is that IE would have to know all current top-level domain names so that this works. For new names like .name, .pro, etc. this could be a problem – or when the policy of these names has changed. For example, many top-level domain names (like .es, .name, .cn, etc.) can now be reserved at the second level, whilst earlier only third-level domain names were possible. Would this require an IE update? Or a config file that users could update manually if they don’t want automatic updates?