Microsoft releases final IE 7 beta

The software maker released the third and last beta version of IE 7 on Thursday, getting closer to final delivery by the end of 2006. That will be the first major update to the popular Web browser in five years, and much of the focus for the new version is on security.

"Security was the No. 1 investment we made in IE 7, in terms of our development resources," Tony Chor, Microsoft's group program manager for the browser, said in an interview.

Critics have likened IE 6 to "Swiss cheese" because of the many security vulnerabilities in it. These flaws have been exploited in cyberattacks to drop malicious code onto people's PCs and commandeer their Windows systems, often turning them into remote-controlled "zombies" used to send spam and launch attacks on Web sites.

Microsoft left the browser relatively unchanged after the 2001 launch of IE 6 and even reassigned IE developers to work on other projects. But with IE users under attack and increased competition in the browser space, largely from Mozilla's Firefox, the company restarted its efforts and introduced IE 7 at a major security show last year.

"We did not spend a lot of time working on the IE browser for a few years," Chor said. "The increase in security attacks and the threat that our users were under really necessitated a reinvestment in IE...primarily around security."

The IE 7 beta 3 makes some feature changes from the beta 2. The new version also provides reliability, compatibility and security fixes--more than 1,000 bugs have been dealt with in total, according to Microsoft.

Fixing bugs found in the beta process is one of the ways Microsoft looks to improve browser security. Its two main methods of securing the browser are reinforcing the core of the IE application and adding features meant to help the user stay safe online, Chor said.

On the core side, IE 7 is built in large part on the same underpinnings as IE 6. There are parts of the browser it has rewritten from scratch, primarily for security reasons, Chor said. For example, earlier versions of IE had 14 different routines, or code sections, used to handle Web addresses. This resulted in security flaws, he said.

"In IE 7, we have exactly one routine. We get consistent results and a consistent security evaluation," he said. "There are other places where we have rewritten code or just removed code. With all those things, we reduce the surface area of IE to attack."

Despite the effort, some recent flaws that hit IE 6 also affected early releases of IE 7, leading some to question the security level of the new browser.

"It appears that Microsoft has put a few security features in IE 7, but the core of the Web browser, I am sure, will have just as many flaws as IE 6 has," said Tom Ferris, a security researcher who earlier this year found a bug in an IE 7 preview release.

Chor said Microsoft tries to think of all possible attack possibilities and thwart those when building the product. Also, he said, in many cases, Microsoft was hot on the tail of the problem, and had actually discovered the bug and fixed it in later builds of the browser.

"Of course we'd like to ship a product that is not affected by any vulnerabilities, but that's probably a lofty goal. I think it would be unrealistic to believe that any product would be 100 percent secure," Chor said.

Microsoft has built new security features into the latest beta to try to get closer to that goal. For example, IE 7 allows users to switch on ActiveX controls--Web applications often used in attacks--as needed and encourages safe browser settings.

It also has a filter to protect users against prevalent data-stealing online scams known as phishing. These attacks typically use spam e-mail messages to lure victims to fraudulent Web sites, where they are duped into disclosing sensitive information such as credit card numbers and Social Security numbers.

Video: Microsoft's IE7 Beta 3
A look at the latest entry in the browser sweepstakes.

"(Phishing) is a growing problem, and it has not been solved yet," said Alan Packer, product unit manager for family safety and reputation services at Microsoft. "We're putting together a solution that is going to help a lot. But our adversaries are not sitting still, and we expect to be in for a battle."

Microsoft's phishing filter uses three methods to prevent people from surfing to spoofed sites, Packer said. It analyzes Web pages and checks for characteristics of phishing sites; it compares addresses to a blacklist of known bad sites; and it includes a list of known trusted Web sites. Firefox is also getting a phishing shield, with help from Microsoft rival Google.

IE 7 is also part of Windows Vista, the successor to Windows XP, where it promises more security. On Vista systems, IE 7 runs with fewer user privileges in a virtual sandbox. This means that any malicious software that attempts to run shouldn't be able to touch the underlying operating system, Microsoft has said.

Security is the primary feature of the browser, but it does have other bells and whistles, such as tabbed browsing, RSS support, a search box on a more streamlined toolbar and improved printing capabilities, concepts that should be familiar to Firefox users.

Feature changes between the beta 2 and beta 3 releases include giving users the capability to add an e-mail button on the toolbar, reorder tabs and scroll horizontally while zooming in on a Web site, Microsoft said. Users can also update all RSS feeds at once, the software maker said.

IE 7 beta 3 works only with Windows XP Service Pack 2. It is available from Microsoft's Web site on Thursday. Prior to final release, slated for the second half of this year, Microsoft may provide so-called "release candidate" versions, the company said.

An updated version of IE 7 will also ship with the next Vista preview, Microsoft said.

The effort to build security into the next browser is part of the broader focus on security at Microsoft, which began with Bill Gates' Trustworthy Computing Initiative, launched in early 2002. That effort has had its setbacks, though, and Richard Stiennon, chief analyst at research firm IT-Harvest, has his doubts about how effective the IE push will be.

"It is all well for Microsoft to continue to improve the security of IE, but any update does not address the hundreds of millions of people who do not update their applications," Stiennon said. "Microsoft forgets that it has created this nightmare. Fixing the problems for the most savvy, who use the latest and greatest tools, does not make the problem go away."