Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Rumour and innuendo: time for a few facts…

July 27th 2006 in Uncategorized

I see rumour and innuendo and downright falsehoods muddying the waters around Internet Explorer 7.  It’s as if some are trying to scare people away from the Web browser, which is sad.  IE7 is going to make a *big* difference to the safety and security of internet users.  How many recent exploits have affected IE7?

Am I an IE apologist?  I like to think I am not.  For years I have recommended Opera for its download manager, and I used to recommend Deepnet for its RSS integration and high security (before it screwed up my file type association settings one too many times).  I’ve even referred users to Kopassa for its fun thumbnail views and specialised research slant.

If we are going to put users first, we have to be balanced… that means no more “MS is the evil empire”.. no more “be secure run Linux”… no more “be safe run Firefox” … um, guys, if a user cannot stay safe on Windows there is no *way* he is going to be safe running Linux.  And as for Firefox… the bad guys are starting to focus on it now … and if Firefox is going to truly be as safe or safer than IE, then Firefox is going to have to ramp up its patching protocols… IE has the advantage of being covered by Windows, Microsoft and Automatic Updates – if something real bad comes out there is always the option of an out of band update.  Firefox users, on the other hand, have to wait for a new build to be released.

Ok, end of that rant.  I am seeing some silly FUD and allegations about what will or will not happen when IE7 is released so here are some reality checks about what will happen when IE7 is installed:

  1. IE7 will *NOT* take over as default browser when installed.

  2. IE7 will *NOT* change your default search engine.

  3. IE7 will *NOT* change your home page (although it will display a runonce page to make it easy for users to enable the Phishing Filter, and check regional settings).

  4. If you do not use Automatic Update, Microsoft Update or Windows Update, you will not be offered IE7.

  5. IE7 will be offered as a “high priority” update, not a critical update.

  6. I acknowledge that making IE7 “high priority” means that users who automatically accept all options in that section will download IE7, but I truly believe that the security improvements warrant the status of high priority and anyway, even as a “high priority” update, the user would have to be pretty inattentive to install IE7 and not realise it.

  7. Even if you select “express install” in AU, WU or MU, which normally installs *all* updates that have been downloaded with no further user interaction required, IE7 will *STILL* not install unless and until the user accepts the installation outside of AU, MU or WU.

  8. An opening screen for the IE7 install will appear which will say something along the lines of “An upgrade to Internet Explorer is ready to be installed”.  The user will have three choices: “Install”, “Don’t install” or “Ask me later” (note: the finalised text may change, but the intention – making sure that the user knows what is happening and has a choice – won’t change).  It will be very very hard for anybody to install IE7 by accident.

  9. Some are saying that even *more* stop-gaps and intermediary screens are needed.  I say, get real guys!  If the user is not going to feel it when they’re hit with a hammer, they’re not going to feel being stroked with a feather.  To quote Fduch’s comment in the IE blog… “You can “prevent this from being downloaded and installed” IF  1) You have eyes 2) You have brains 3) You can read 4) You can use computer.”

    If a big blue screen is not enough to help people realise that they are about to install IE7, then typing “I agree” won’t make any difference.  If they don’t understand the blue screen, they’re not going to understand what they are agreeing to.

  10. If the user chooses to install IE7, the installer will remove any previous builds of IE7 that have been installed.

  11. If your organisation uses WSUS or System Management Server 2003 you do not need to install the blocker.  The blocker is to stop IE7 being offered via Automatic Update, Windows Update and Microsoft Update.  The blocker will *NOT* expire.

