[Retired Tech]

Microsoft Corp. has released Internet Explorer 7, the first major upgrade to its Web browser since 2001 with new features aimed at preventing online fraud and improving ease of use.

Microsoft's IE remains the most widely-used software to surf the Web, but the long gap between major releases allowed for the emergence of the company's most formidable browser competitor since it vanquished the once-dominant Netscape.

Mozilla Firefox, a free open-source browser, has steadily gained users since its introduction in 2004 with features such as an integrated search window to allow users to do a Web query without opening another page, tab browsing to toggle between different sites and a pop-up window blocker.

These features are included in the new Internet Explorer and Microsoft also touted the security improvements to the browser including color-coded warnings in the address bar to indicate whether a Web site can be trusted.

IE 7 is available immediately to Windows XP users and it will eventually serve as the default browser for Microsoft's much-anticipated Windows Vista operating system, due out to consumers in early 2007.

According to analysts, consumers increasingly identify the quality of an operating system with the quality of its browser and that makes a well-received browser important for Microsoft -- even if it is not sold as a separate product.

"How would it look if Microsoft didn't have a good browser as part of Windows? It wouldn't look good," said Forrester Research analyst Colin Teubner.

Microsoft said it is already at work on the next version of Internet Explorer to ensure that long gaps between updates do not occur again.

"Should we have done more, sooner, earlier? It's rare to not say that in hindsight," said Dean Hachamovitch, general manager of the Internet Explorer team at Microsoft.

Internet Explorer registered an 86 percent global share in October, Mozilla Firefox 11.5 percent and both Apple Computer Inc.'s Safari and Norway's Opera Software, less than 2 percent, according to OneStat.com.

"It's exciting to see Microsoft reenter the browser space after leaving for five years," said Christopher Beard, vice president of products for Mozilla. "It's great to see that IE is adopting the features that we popularized."

Mozilla said it also plans to release an upgraded browser, Firefox 2, within the next few weeks.

The upgrade will include a feature to allow users to restore work done online if the browser or PC crashes, a spell check function for e-mails or blog postings and suggestions for search queries.

Microsoft's Windows Live is the default search engine on Internet Explorer 7, but users will have the option to change to competing search engines. In Mozilla Firefox, the default search engine in the U.S. is Google Inc.

Competitors raised objections to Microsoft making its own search engine the default setting over concern that it would unfairly drive traffic to Windows Live, but analysts said consumers will eventually gravitate towards the search engine that produces the best results.

The new browser will be sent as an automatic security update and then users will have an option to install the new Internet Explorer onto their PC. Companies also have the option to block its workers from installing the new browser.

IE 7 is available for download at http://www.microsoft...ie/default.mspx

[Advertisements]

Microsoft has dismissed reports of a security vulnerability in its Internet Explorer 7 browser as "inaccurate".

Danish security firm Secunia on Thursdayclaimed that it haddiscovereda vulnerability in the new version of the Microsoft browser. The firm rated the flaw as "less critical".

An attacker could exploit the vulnerability by luring a user to a specially crafted website. Once that site is accessed, the attacker gains access to anyinformation from other websites that the user is visiting at the same time,including online banking and email services, according to Secunia.

Microsoft didn't challenge the fact that the flaw could lead to information disclosure, but denied that it affected the Internet Explorer 7 browser that wasreleased on Wednesday.

"These reports are technically inaccurate, the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all," Christopher Budd, a security program manager with Microsoft, argued in a posting to the Microsoft Security Response Center Blog.

"Rather, it is in a different Windows component, specifically a component inOutlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

He added that Microsoft isn't aware of any attacks exploiting the Outlook flaw and that the company plans to keep monitoring the situation.

[Retired Tech]

Microsoft has dismissed reports of a security vulnerability in its Internet Explorer 7 browser as "inaccurate".

Danish security firm Secunia on Thursdayclaimed that it haddiscovereda vulnerability in the new version of the Microsoft browser. The firm rated the flaw as "less critical".

An attacker could exploit the vulnerability by luring a user to a specially crafted website. Once that site is accessed, the attacker gains access to anyinformation from other websites that the user is visiting at the same time,including online banking and email services, according to Secunia.

Microsoft didn't challenge the fact that the flaw could lead to information disclosure, but denied that it affected the Internet Explorer 7 browser that wasreleased on Wednesday.

"These reports are technically inaccurate, the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all," Christopher Budd, a security program manager with Microsoft, argued in a posting to the Microsoft Security Response Center Blog.

"Rather, it is in a different Windows component, specifically a component inOutlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

He added that Microsoft isn't aware of any attacks exploiting the Outlook flaw and that the company plans to keep monitoring the situation.

[Retired Tech]

Address Redirection Cause of IE7 Issue

In a test conducted on the newly released version of Internet Explorer 7, on a "clean" environment set up within Virtual PC 2004, the browser failed the MHTML content retrieval test. The issue involves redirecting the Web browser to a local resource.

In examining the source code of Secunia's page, a JavaScript function first generates a resource location using pieces of strings, plus a randomly generated number as a throw-away parameter. The location points to a page that apparently triggers an HTTP 302 signal, purportedly that the site location has been rerouted.

The problem occurs when the browser -- or some other component of the Web browsing process -- takes the address of the rerouting for granted. With recent versions of IE, including IE7 in our test, the browser pulls up the alternate address regardless of what it contains.


In Secunia's innocuous test, the browser appears to open up the source code for Google News. However, the call to Google News was placed locally, meaning the redirection successfully forced the browser to parse a local resource request. It could conceivably just as easily have placed a request to execute a program locally.

Firefox 1.5 successfully squelched the redirection call to a local resource.

Yesterday, Microsoft stated that the vulnerable component was actually attributable to Outlook Express, not Internet Explorer. Back in 2003, when the vulnerability was first discovered, Microsoft did direct users to download Outlook Express patches, although those patches may have successfully shut off the accessibility for that vulnerability through OE, rather than change the redirection function itself.

This evidence indicates that the source of the vulnerability is probably deeper than both OE and IE. As SecurityFocus noted in its first 2003 reports of a vulnerability affecting Outlook Express, Microsoft initially -- and perhaps ironically -- offered explanations that tried to shift at least some of the blame to Internet Explorer.

Microsoft said Thursday it is investigating the issue, and plans to provide further guidance to customers.