How I'll Judge IE7 Security

As an engineer, I’m proud of the protections we delivered by finishing IE7, but I want to set your expectations that we didn’t, and never will, reach perfection. There have been a few posts on ways to steal data or spoof URLs in IE7 but they really don’t detract from a very simple truth: IE7 will be more secure than IE6 was and frankly, comparisons to other browsers are still too early to be objective.

I want to talk about the “big picture” of how I will judge the progress we made in IE7 and how I think it could play out over the next months and years.

IE7 will be more secure against attacks because it has a smaller attack surface than IE6 and because the remaining attack surface was extensively re-engineered to be more secure. When you look at HD Moore’s month of browser bugs, he was able to find a significant number of crashing bugs in IE6 by attacking extensions like ActiveX controls. IE7 reduced the attack surface by disabling most ActiveX controls on the system and therefore none of the crashes worked against IE7 by default. Every day of that month counts as an example of how IE7 is more secure than IE6 was and we continue to see bugs that affect IE6 that don’t affect IE7.

Reducing attack surface is always a good security strategy but the security research community will double-down their efforts on our remaining attack surface and on non-default configurations. That means that there will be security bugs and we will build fixes for those bugs. MSXML is an ActiveX control that’s installed and used by many applications and as you saw earlier today, we just released a security update for versions 4 and 6 of that control. This update doesn’t apply to Windows Vista or Windows XP by default because the vulnerable versions of MSXML were never installed with Windows or IE. So if you don’t have them installed, you’re not exposed to the attack. If you’re not sure, don’t worry as Windows Update will install the correct update for you if needed.

There’s also a redirect bug in MHTML, an Outlook Express protocol for handling HTML files formatted for email. In this case, an attacker can redirect a URL through MHTML to try to steal your data from another site. The MHTML protocol is built by Microsoft but since it’s not a part of the IE product we wouldn’t just include the updated version in IE7, any more than IE7 would install a patch for the Windows Media Player.

While we’re waiting for the fix to the MHTML bug, I should point out that this isn’t likely to impact many real customers. For an attacker to steal your data with this bug, they have to know almost exactly how you access your data. For example, you are probably safe from this bug if the attacker doesn’t know what sites you use for banking. If you aren’t actually logged into your banking site when the attack hits, you won’t be an interesting target at all. And if other users report these sites to the phishing filter, IE would navigate you away from the confirmed phishing site, further reducing the chances that you’ll lose something interesting.

You also may have heard about the address bar spoofing bug. The bug works because the address bar now gets focus when you open a new tab or window to about:blank, and by default, the selection is scrolled all the way to the end of the URL.  The idea of putting the focus in the address bar was intended to make it easy for you to start typing the address of a site that you want to visit.

In the spoof scenario, as soon as you click inside the page, the address bar scrolls back to the left jarringly and shows the real address of the page. That means that this spoof requires that the user have their guard down.  I spoke with the team about this bug and they are upset that it got through the process but it also highlights how much every browser still depends on users to inspect URLs that could be misleading or convoluted. We’re looking into the right fix but I think the change to show the address bar for all windows in IE7 is still a step forward in security from IE6. We’re also investigating new ways to make it easy for users to identify sites such as the EV certificates that Kelvin posted about last week. In the meantime, phishers will still be up against our Phishing Filter. The Phishing Filter team reports they had navigated customers away from over 1.2 M phishing sites as of 11/3.

I know that expectations are high for this release and I think we should keep them high but it’s still software so we have to be prepared for some bugs and the related fixes. George Ou wrote a post about how these flaws in the latest generation browsers fit in context of the previous versions. I feel good that customers running IE7 have protections against threats like the Direct Animation or VML attacks that came out in September and that the Phishing Filter is catching crooks in the act. I think that many serious Security and IT professionals will embrace the benefits of IE7, recognize the comparative benefits and understand that the software industry does have to practice constant continuing improvement as the state of security research advances.

Rob Franco
Lead Program Manager