VeeshanVault

Microsoft Internet Explorer 7.0 Details Begin to Leak
By Mary Jo Foley, Microsoft Watch
March 15, 2005


Since it first revealed a month ago that it was pulling a U-turn by releasing a new version of Internet Explorer independent of Longhorn, Microsoft has been unwilling to share many particulars about its forthcoming browser.

Will Internet Explorer 7.0 have tabs? Will it comply with the CSS (Cascading Style Sheet) 2.0 standard? Exactly how will it make browsing more secure? Will it ship in 2005?

Microsoft's answers? No comment.

Microsoft has shared publicly that IE 7.0 will be focused primarily on improving security.

Company officials said recently that Microsoft plans to make IE 7.0 available to Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows XP Professional x64 users. A first beta of IE 7.0 is due out this summer.

But Microsoft is sharing quite a few more specifics about IE 7.0 privately with key partners, claim sources who requested anonymity.

Sources say that IE 7.0–which is code-named "Rincon," they hear–will be a tabbed browser.

IE 7.0 will feature IDN (international domain name) support; transparent PNG (Portable Network Graphics) support, which will allow for the display of overlaid images in the browser; and new functionality that will simplify printing from inside IE 7.0, partner sources said. The new browser also likely will include a built-in news aggregator.

(Coincidentally, or perhaps not, MSN just began testing a new Microsoft-developed RSS aggregator.)

Among the myriad security enhancements Microsoft is expecting to include in IE 7.0, according to partner sources:


Reduced-privilege mode becomes the default;
No cross-domain scripting and/or scripting access;
Improved SSL (Secure Sockets Layer) user interface;
Possible integration between IE 7.0 and Microsoft's Windows anti-spyware service, which currently is in beta.

Firefox Unleashes Spyware
Author: Andrew

It looks like the Prophets have been found correct and the age of Firefox Spyware is upon us. While the current Java Scheme requires user intervention, this is how it started on IE. Users were given Pop-up window choices to install a "necessary" program, choosing "Yes" would install the Spyware. I can hear the cyber cries now, as Firefox followers commit mass suicide, their beloved browser infallible no more.

"In a flurry of remote downloads, numerous changes to the registry took place and a sizeable amount of IE specific installs began downloading. Amongst the assortment was DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind, Avenue Media and something called djtopr1150.exe lurking in the Temp folder."


Double Standard

Is there a Double Standard for Internet Explorer? Of course there is. The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE. This is also why recommending Firefox, as a Spyware solution is very dangerous. Installing and using Firefox does not clean or prevent your system from being infected with Spyware. The parasites can still exist in memory, robbing your system of resources, killing performance and causing application crashes.


Pop-ups

The infallible Firefox is currently being plagued with Pop-under advertisements that are displayed when you minimize or close Firefox. These are related to the Flash Plug-in. It turns out that Firefox does have the ability to block these but it was disabled by default.

"Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn't enable it because we were concerned about breaking legitimate uses"

This is an excuse for "We could not write it good enough to not break legitimate uses."

Many software manufacturers hide bugs that impair the security of programs, or even entire operating systems, without knowing whether some outsider has already found and exploited these bugs. The only proper course for a software manufacturer is to issue a software update as soon as possible after a problem is found, and to inform all customers that the update must be installed to correct an existing security problem.

One exception to the above are Open Source operating systems such as Linux and FreeBSD, and cryptography programs such as GNU Privacy Guard. Because the developers of these systems publish all of their source code for others to read, they can't rely on security through obscurity. The publication of source code actually improves security because the program or operating system can be peer-reviewed by anyone who cares to read it. Many security bugs that are overlooked in other operating systems have been caught and repaired in Linux, because of its extensive peer-review process.

noel wrote:Any piece of software, including the vaunted Linux operating system, is only as secure as the person using it.

Here's a hint. Any piece of software, including the vaunted Linux operating system, is only as secure as the person using it. What the hell do I know though. I just do this for a living.

archeiron wrote:I would be happier if they said that they were going to fix their handling of the CSS box model, add full CSS lvl 2 support, add mouse gestures and tabbed browsing, support native PNG alpha transparency, and implement the first native support for XForms of a mainstream browser, but I doubt that most of that will see the light of day in 7.0.

noel wrote:Any piece of software, including the vaunted Linux operating system, is only as secure as the person using it.

For the fourth time in three months, major security flaws in the upstart Firefox Web browser have pushed volunteers at the Mozilla Foundation into damage-control mode.

Mozilla's public acknowledgement of the vulnerabilities includes a chilling warning that an attacker could combine the flaws to execute malicious code without user interaction.

The vulnerabilities have been confirmed in Firefox 1.0.3. The Mozilla Suite is only "partially vulnerable" to the bugs, according to the Foundation.

Firefox users are urged to disable JavaScript immediately as a temporary workaround. Additionally, Mozilla recommends that the browser's software installation feature be disabled. This can be done by unchecking the "Allow web sites to install software" box, which can be found by selecting Options on the Tools menu and then Web Features.

Kelshara wrote:One is more likely to be attacked, that gives the other an edge.

noel wrote:Any piece of software, ... is only as secure as the person using it.

Fash wrote:the mozilla foundation can respond quicker than microsoft... and they do it for free.

Boogahz wrote:

Fash wrote:the mozilla foundation can respond quicker than microsoft... and they do it for free.

That's funny, I have never been charged anything for fixes to IE.

Hoarmurath wrote:And the updated Firefox is already available.

Winnow wrote:

Hoarmurath wrote:And the updated Firefox is already available.

And those paid Microsoft employees are already looking for ways to break it again.

OK, maybe not for another week as they'll be distracted by the Xbox 360 announcement today.

Zaelath wrote:

Winnow wrote:

Hoarmurath wrote:And the updated Firefox is already available.

And those paid Microsoft employees are already looking for ways to break it again.

OK, maybe not for another week as they'll be distracted by the Xbox 360 announcement today.

You make that sound sarcastic.. but there certainly was at least one MS employee that did nothing but find issues with Netscape on the bugtraq list.

Bill1ngA0L>> Hello, This is A0L billing. Please reply for with your credit card information to confirm the billing. Failure to do will suspend your account. Thanks, A0L Billing

Zaelath wrote:At least Mozilla didn't invent ActiveX

Boogahz wrote:Can you even get MS java anymore? I seem to remember having to go get Sun's Java downloads when I got XP.