On Tuesday, Microsoft chairman Bill Gates told security professionals that security is job number one, but he's leaving it up to developers, like those working on the next version of Internet Explorer, to make it happen.
Internet Explorer 7 (IE 7), said Gary Schare, director of product management for IE, will reduce the chance that spyware spreaders can use silent drive-by downloads to infect PCs with malicious software.
"Drive-by download" is the term for the hacker practice of using vulnerabilities, usually those in a browser, but sometimes within Windows, to install software when users simply surf to a malicious Web site.
"There are two primary ways that drive-by downloads are done, either through a vulnerability in IE itself or an add-on, or because the user has the security setting set too low," said Schare.
IE 7, which is currently in beta preview for Windows XP, will slash some of the first and offer a tool to help users avoid the second, Schare promised.
The new browser -- set to release for XP before the end of the year and to be included with the new Windows Vista when it ships around the same time -- further reduces the attack surface area, said Schare, by disabling most ActiveX controls tucked inside Windows.
Called "ActiveX Opt-in," the feature turns off all but a handful of ActiveX controls, and requires explicit user consent for others to run within IE 7. "We're going to disable nearly every control," said Schare, "especially the ones which don't need to be in Internet Explorer."
Although the list hasn't been finalized, Schare said that among the few controls which would be enabled off the bat would be Flash's and Acrobat's, as well as the one used by Windows/Microsoft Update.
"The ones that really matter are those in Windows," Schare said, acknowledging that Microsoft had to repeatedly patch older versions of IE against ActiveX-based flaws during 2005. Those bugs all involved ActiveX controls within Windows itself that were not intended to be used by IE, but could be used to hack into a PC.
Vulnerabilities have been an ongoing problem for IE. Out of the 10 months that Microsoft issued fixes in 2005, eight included at least one patch for Internet Explorer.
"All of the code in IE was reviewed [for IE 7]," said Schare as he explained why Microsoft believes non-ActiveX vulnerabilities will also be rarer in the new browser. Some sections of IE code were entirely rewritten, he said, including the code handling cross-domain scripting, another area where IE has been patched several times over the last two years.
"We've also added new protections from future vulnerabilities," Schare said, but would not get specific.
"Security is a journey. What's shipping today [as IE] is much more secure than two years ago."
Another new feature in IE 7 will help users keep their overall browser security settings at a high enough level to ward off attacks, said Schare. Called "Fix My Settings," the feature warns users with a color-coded alert when security settings are too low. If the settings aren't changed, IE 7 will refuse to navigate to any Web site the next time it's launched.
"We think this will put an end to the last bastion of drive-by downloads," said Schare.
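As an added example, not from the article or from Microsoft, the following PowerShell script performs a check in the spirit of "Fix My Settings": it reads the per-user Internet zone (zone 3) ActiveX settings from the registry and reports any that are more permissive than a conservative baseline. The value IDs and the 0/1/3 encoding (Enable/Prompt/Disable) are documented Internet Explorer zone settings; the baseline itself, the function name and the registry path default are this script's assumptions.

```powershell
# Added example (not Microsoft's code): audit the IE Internet zone ActiveX
# settings for a user and flag values weaker than a conservative baseline.
# Value IDs and the 0=Enable / 1=Prompt / 3=Disable encoding are documented
# IE zone settings; the baseline chosen here is an assumption, not Microsoft's.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Ordering is 0 < 1 < 3, so a value LOWER than Min is more permissive than allowed.
$Baseline = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';            Min = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';          Min = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked safe'; Min = 3 }
    '1806' = @{ Name = 'Launching applications and unsafe files';     Min = 1 }
}

function Test-IEInternetZoneActiveX {
    param([string]$Path = $ZonePath)

    # Caveat: only the per-user hive is read. Machine-wide or Group Policy
    # overrides (HKLM, Policies keys) are not evaluated by this script.
    if (-not (Test-Path $Path)) {
        Write-Warning "Zone 3 key not found at $Path"
        return @()
    }
    $props = Get-ItemProperty -Path $Path

    $findings = foreach ($id in $Baseline.Keys) {
        $current = $props.$id
        if ($null -eq $current) { continue }   # not set per-user; defaults apply
        if ([int]$current -lt $Baseline[$id].Min) {
            [pscustomobject]@{
                ValueId  = $id
                Setting  = $Baseline[$id].Name
                Current  = $Meaning[[int]$current]
                Expected = $Meaning[$Baseline[$id].Min]
            }
        }
    }
    return $findings
}

$result = Test-IEInternetZoneActiveX
if ($result.Count -eq 0) { 'Internet zone ActiveX settings meet the baseline.' }
else { $result | Format-Table -AutoSize }
```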
Last week, four researchers at the University of Washington published a paper that said an unpatched Internet Explorer was significantly more likely to suffer from a drive-by than an unpatched Firefox browser.
Schare, of course, took exception to the study, and argued that IE, even the current IE 6.0, was secure.
"What they were trying to do was admirable, trying to measure how much spyware was out there, but their research can’t tell you which browser is safer. They were using a five- to six-year-old IE compared to a one-year-old Firefox.
"It's like removing the seat belts and airbags from a car during a crash test," Schare said. "[Today's] IE users aren't going to see drive-bys like their research indicated."
Assuming that the browser is patched, of course. Although Schare said that installation numbers for IE fixes were "in the millions," Microsoft doesn't have statistics on the percentage of IE users running an up-to-date, patched edition.
IE 7 Beta Preview 2 for Windows XP SP2 can be downloaded from http://www.microsoft.com/windows/ie/ie7/default.mspx.