Browsers take the stage, thanks to the IE 7 beta and a Firefox security update

The Kama Sutra worm turned out to have more bark than bite, and the threat has pretty much fizzled. Meanwhile, Microsoft has released another beta version of Internet Explorer 7, and Mozilla answered with a security update for Firefox. John McCormick has the details in this edition of the IT Locksmith.

Microsoft has released another beta version of the forthcoming Internet Explorer 7, and users have already found several bugs. Meanwhile, Mozilla has released a security update for Firefox 1.5. But the big news this week is actually the lack of news. After much hype, the Kama Sutra worm was a big bust, so to speak.

Details

Microsoft's latest version of Internet Explorer—IE 7—is coming along, and the software giant released another beta version of the browser last week. Any brave souls who want to give it an early try can get a preview and download a Beta 2 copy from Microsoft's Internet Explorer 7 Web page.

Innovations in IE 7 include tabbed browsing and a new interface that drops the massive old-style toolbars. Another "new" feature is a search box that opens results in separate tabs.

A much-anticipated addition to IE 7 looks to be native support for RSS feeds. In fact, IE 7 Beta 2 delivers selected RSS updates to your Favorites Center.

Since this is only a beta version, there's not much use in going into any real detail at this time. The only real news about this impending major release is how successfully the new security features work, and we won't know much about that until it makes it to final release.

Microsoft says it's improving protection against phishing by warning users of suspicious sites—a very important move since phishing really is the biggest danger most unsophisticated users face on the Web. Of course, we don't know yet whether this will be effective or merely annoying.

Although details could change before the final release, it looks as though IE 7 will include an integrated version of the Microsoft AntiSpyware tool (which Redmond had renamed Windows Defender) to monitor all Web site attempts to download spyware onto users' systems.

Meanwhile, someone has already found an IE 7 vulnerability. According to U.K.-based Tech Digest, an unspecified hole in IE 7 can trigger a denial-of-service event or even permit an attacker to plant malware on the vulnerable system. Microsoft is supposedly aware of the problem but claims it's unimportant, and the company has plans to patch the hole for the next beta release.

News.com has also reported a number of bugs in IE 7, including a very important one to many users. IE 7 doesn't appear to get along with McAfee security software, and you can't run both on the same system. Both companies say they're working on a fix. In addition, some other security software simply blocks IE 7 from installing. (Do they know something we don't?)

As far as the competition goes, Mozilla isn't resting on its Firefox laurels. The company released a security update on February 1 that plugs security holes in Firefox 1.5. The latest version is Firefox 1.5.0.1, which addresses multiple memory leaks and other threats. Mozilla says 1.5.0.1 is more stable, provides better support for Mac OS X, and now supports Iceland's domain name extension!

The most serious security hole plugged by the latest release is the Localstore.rdf XML injection threat, a vulnerability rated critical. (Mozilla has embargoed details of this threat.)

The rest of the addressed threats are either moderate or low risks. Mozilla asks that users review the known bugs in Firefox 1.5.0.1 before reporting new ones. The most important problem for many users is the fact that many early Firefox extensions won't work in the latest release and will require updates.

Final word

Well, Kama Sutra was a bust. If you remember, I didn't think it was much of a danger anyway, but I had to cover it because this was a real threat with a nasty payload.

The reason it didn't amount to much was simply because so many people have now adequately protected their systems with decent security software. If you didn't take such precautions, however, and opened the wrong e-mail, you probably suffered a lot of damage.

But this brings up a good question: When malware writers realize that spreading something with a payload that doesn't trigger for a few weeks means most users will take steps to protect themselves, will they start monitoring just when antivirus updates go out and then time their initial attacks based on that information? If so, that could make some antivirus brand users vulnerable to one attack and not the next.

And will malware writers stop planting malicious payloads that don't activate for a few weeks and stick with the ones that attack in a few days—before antivirus signature files have a chance to include them? What do you think? Will the law of unintended consequences actually make the security world more dangerous due to our very success?



John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
