Security Watch

Russ' IE 7.0 Wish List

Details about the next version of Internet Explorer are sketchy, but at least we can hope for the best.

The much-anticipated keynote address at this year's RSA conference by Bill Gates took place last week was a letdown for many. Although he did announce Internet Explorer 7.0, and that it would be available for Windows XP SP2 users, he failed to provide any real details as to what it will include. URL obfuscation and anti-phishing techniques seem like obviously new features and were stressed as technologies Microsoft is currently working on, but specifics just weren't there.

There are a number of features I'd like to see in IE 7.0. Some of the top ones include:

  • Something that makes a URL stand out when the underlying link isn't based on the same URL as the covering link. In other words, if the covering text says www.mcpmag.com, the underlying link must also start with that URL. If it doesn't, the underlying link should be displayed together with its covering text. I realize this could screw up text on a page, and is problematic if the covering text is simply the words "click here"; still, we need to get people to realize that what's under a link isn't necessarily what it says it is. It could come in the form of a pop-up warning indicating that the link may not be taking you where you think.
  • Don't render obfuscated links. If the URL is http://1234567890/fred.htm, don't render it as a link. I can't think of a legitimate use of such a link in the first place.
  • A much stricter job of parsing HTML. The HTML specification is pretty free and easy when it comes to what must be in what parameters, or what can be in what tags. Gate's title for his RSA keynote was "Raising the Security Bar"; but what we could use right now is some "Lowering of the tolerance bar" when it comes to HTML specifications. Much stricter interpretation of the HTML specification would dramatically reduce, if not eliminate, many of the spyware/adware scams out there today. Further, it makes content scanning more feasible, as there will be less variation in the expected content structure.

Gates made several other positive announcements during his keynote:

  • Microsoft's anti-spyware tool will be free to all licensed users of Windows. Finally, a core product that will deal with these miscreants and help prevent those evening phone calls from panicked friends and family members. It doesn't matter to me whether the tool is the most effective on the block; it provides a basic level of protection that will only get better over time. Microsoft's Spynet project should yield great results as more people opt in, giving more user experience feedback and early warning about new threats.
  • Microsoft is committed to providing a consumer anti-virus solution, probably this year. It's one thing for Microsoft to realize its platform is a feeding ground for viruses, Trojans, bots and worms; it's another to be responsible for having a product that effectively protects that platform. It should be very interesting to see how Microsoft deals with the media over the issue of heuristics (the ability in anti-virus software to detect a malicious piece of code without having seen it before). Microsoft should be better at that than anyone else. Let's see if it succeeds.
  • Microsoft's acquisition of Sybari is a great step forward for enterprises. Sybari's product is not an anti-virus solution, but rather an infrastructure for deploying and managing one or many anti-virus engines. This means you can create your own multiple scanning environment, so if one AV vendor doesn't catch something, maybe another's will. This is an excellent way of minimizing the risk new and changing viruses can have on an e-mail environment.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Sybari is true plumbing, in the best sense of the word, which is one of Microsoft's strengths. I've been told it's already integrated the RAV product (the European AV company it bought early last year) into Sybari, so I expect to see the initial offering from Microsoft of the repackaged Sybari product to include that engine by default. You can add engines from all of the top AV companies.

Although his keynote lacked a lot of detail, Gates did mention that this was another step in the "Trustworthy Computing" path he outlined several years ago in his famous memo. I wish it wouldn't take so long; but hey, it's a huge company and at that size, it's hard to be quick on your feet.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular