Microsoft has released another beta version of the
forthcoming Internet Explorer 7, and users have already found several bugs.
Meanwhile, Mozilla has released a security update for Firefox 1.5. But the big
news this week is actually the lack of news. After much hype, the Kama Sutra worm
was a big bust, so to speak.

Details

Microsoft’s latest version of Internet Explorer—IE 7—is
coming along, and the software giant released another beta version
of the browser last week. Any brave souls who want to give it
an early try can get a preview and download a Beta 2 copy
from Microsoft’s Internet Explorer 7 Web page.

Innovations in IE 7 include tabbed browsing and a new
interface that drops the massive old-style toolbars. Another “new”
feature is a search box that opens results in separate tabs.

A much-anticipated addition to IE 7 looks to be native
support for RSS feeds. In fact, IE 7 Beta 2 delivers selected RSS updates to
your Favorites Center.

Since this is only a beta version, there’s not much use in
going into any real detail at this time. The only real news about this impending
major release is how successfully the new security features work, and we won’t know
much about that until it makes it to final release.

Microsoft says it’s improving protection against phishing by
warning users of suspicious sites—a very important move since phishing really is
the biggest danger most unsophisticated users face on the Web. Of course, we
don’t know yet whether this will be effective or merely annoying.

Although details could change before the final release, it
looks as though IE 7 will include an integrated version of the Microsoft
AntiSpyware tool (which Redmond had renamed Windows Defender) to monitor all Web
site attempts to download spyware onto users’ systems.

Meanwhile, someone has already found an IE 7 vulnerability. According
to U.K.-based Tech Digest, an unspecified hole in IE 7 can trigger a
denial-of-service event or even permit an attacker to plant malware on
the vulnerable system. Microsoft is supposedly aware of the problem but
claims it’s unimportant, and the company has plans to patch the hole for
the next beta release.

News.com has also reported a number of bugs in IE 7, including a very
important one to many users. IE 7 doesn’t appear to get
along with McAfee security software, and you can’t run both on the same system.
Both companies say they’re working on a fix. In addition, some other security
software simply blocks IE 7 from installing. (Do they know something we don’t?)

As far as the competition goes, Mozilla isn’t resting on its
Firefox laurels. The company released a security update on February 1
that plugs security holes in Firefox 1.5. The latest version is
Firefox 1.5.0.1, which addresses multiple memory leaks and other threats.
Mozilla says 1.5.0.1 is more stable, provides better support for Mac OS X,
and now supports Iceland’s domain name extension!

The most serious security hole plugged by the latest release
is the Localstore.rdf XML injection threat, a vulnerability rated
critical. (Mozilla has embargoed details of this threat.)

The rest of the addressed threats are either moderate or low
risks. Mozilla asks that users review the known bugs in Firefox 1.5.0.1
before reporting new ones. The most important
problem for many users is the fact that many early Firefox extensions won’t
work in the latest release and will require updates.

Final word

Well, Kama Sutra was a bust. If you remember, I didn’t think it
was much of a danger anyway, but I had to cover it because this was
a real threat with a nasty payload.

The reason it didn’t amount to much was simply because so
many people have now adequately protected their systems with decent security
software. If you didn’t take such precautions, however, and opened the wrong e-mail,
you probably suffered a lot of damage.

But this brings up a good question: When malware writers
realize that spreading something with a payload that doesn’t trigger for a few
weeks means most users will take steps to protect themselves, will they
start monitoring just when antivirus updates
go out and then time their initial attacks based on that information? If so,
that could make some antivirus brand users vulnerable to one attack and not the
next.

And will malware writers stop planting malicious payloads that
don’t activate for a few weeks and stick with the ones that attack in a few
days—before antivirus signature files have a chance to include them? What do
you think? Will the law of unintended consequences actually make the security
world more dangerous due to our very success?



John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.