Finally, A Safer Explorer

The downside: Splitting the Web browser from Windows means less convenience


Since the days of Windows 95, security experts have been beating up on Microsoft (MSFT) for the way it integrated the Internet Explorer browser with its operating system. A decade and countless security vulnerabilities later, Microsoft is finally conceding that the critics were right. This means big changes are coming in the version of Internet Explorer that's due this fall.

I have been using an early, and still buggy, test version of Internet Explorer 7, which will be released both as part of Vista (the next release of Windows) and in a separate version for Windows XP. It goes a long way toward separating the browser from the operating system. That makes browsing safer but less convenient since a number of things that used to happen automatically will now require your intervention.

The great weakness of IE has been the way Microsoft empowered the browser to download and run programs automatically. It didn't take long for the bad guys to figure out that this was an open door for attacks. Microsoft imposed restrictions on these "drive-by downloads" a couple of years ago as part of a major update to Windows XP, but IE 7 makes the rules much stricter. You have to give explicit permission even to run programs already stored on your computer, with the exception of a handful of well-known tools such as Macromedia (ADBE) Flash player or Real Networks' (RNWK) RealPlayer. As long as people don't mindlessly give permission to everything, this should make it tougher for hackers to exploit flaws in existing programs.

In effect, Microsoft is taking away the browser's special, trusting relationship with Windows. And with Vista the divorce comes with a restraining order. Even when you let IE run a program, it won't be able to create or change files or system settings unless you give it additional permission. This makes it far harder for a malicious Web site to hijack your home page or install a program that monitors your keystrokes.

These changes will cause many of the "scripts" that automate Web sites, as well as custom programs written for corporations' internal Web sites, to fail. That's why Microsoft is urging Web masters to start experimenting with the software months before its release. Based on my experience, most sites will be fixed with time to spare, but many corporations will drag their feet in fixing internal software.

A more visible security change is designed to help prevent fraud. The new IE will warn people when a link they click on is likely to take them to a "phishing" site, the sort of place that steals passwords or other personal information. On known phishing sites the address bar at the top of the window turns red, and a warning appears, while on suspect sites the bar turns yellow. And in an effort to keep Web sites from whisking you off to places you may not want to go, any new windows opened automatically must show their true identity in an address bar.

There are also some nice, if badly overdue, usability improvements. You will be able to open multiple pages within a single window and save the group as a single bookmark; rival browsers such as Firefox and Opera have long offered this "tabbed browsing" feature. And Microsoft has finally provided a reliable way to enlarge or shrink text, though in the version I've been testing the bigger text isn't always reformatted, so it sometimes sprawls off the right edge of the window. I hope this feature will be fixed before release.

The convenience IE offered over other browsers, such as Netscape, helped fuel the explosive growth of the Web. But that ease of use came at far too high a price. Partly because of the resistance of corporate customers that had built applications taking advantage of dangerous features, Microsoft was far too slow to fix them. But the software giant is finally biting the bullet, and late is a lot better than never.

By Stephen H. Wildstrom