Microsoft Windows Exec Talks IE Security
Editor's Note: This is part two of a two-part interview. In part one, Schare discusses what changes to expect in Internet Explorer and how Microsoft views the release of Firefox 1.0.
With no major updates to Internet Explorer scheduled until Longhorn arrives in 2006, Microsoft has found itself having to evangelize the current merits of IE while competition heats up from newcomers such as Firefox.
Gary Schare, Director of Windows Product Management at Microsoft, sat down with BetaNews to discuss the future of IE, including the possibility of tabbed browsing, Mozilla's "free ride," and why Microsoft feels it is better equipped to handle security.
BetaNews: Tell us a bit about the changes made to IE in Windows XP Service Pack 2.
Gary Schare: My belief is if you ask 100 people who claim they understand SP2, what's in it, they'll say "A firewall, Security Center and a pop-up blocker." And if you ask them to go any deeper on what else changed in IE to help security, they'll not have much insight into that. So that's one area that is really critical for us, because browser security is so commonly in the news, and has been obviously one of the evils that the Mozilla folks have been teeing off on.
There's really two major areas that we've focused on to improve security in SP2 with IE, and we view it as a major upgrade - it's not just adding a pop-up blocker and getting it out the door. One area is infrastructure changes that the user really doesn't see: changes to how security zones work and the underlying security in between them; changes to the APIs that IE calls within Windows, that are much safer APIs.
In fact the IFRAME issue that made the news recently, that doesn't affect SP2 - that one is actually interesting in that it's not that we patched it in SP2 before we shipped, it's that it doesn't exist because we have entirely new APIs. So, the whole class of vulnerabilities are eliminated by underlying changes. There’s a whole host of infrastructure changes that just make IE a lot better from the security perspective.
The second is more in the user interface, which is on the area of downloading. We've done a number of things - pop-up blocker is one piece of it, download monitoring is another, where we now provide a lot richer, better user interface when a user goes to a Web site and either trying to download something themselves or the site's trying to trick them into downloading something. We've done a number of things there with the information bar and how we deal with signed ActiveX controls. Really just made it a lot harder for the criminals out there to stick spyware and other malware on your computer without the user really agreeing to install something.
At the end of a day, security is a job that is really never done, because threats evolve out there and because software's built by humans, there's always going to be issues to deal with. We will continue to do security updates ongoing for all supported versions of Windows.
BetaNews: Security is obviously an important feature and a major, if not the top, focus of Microsoft right now. Does Microsoft feel it can provide better security and updates than Firefox or alternatives? Is IE a better option when it comes to enterprises rolling out a Web browser across their desktops.
Gary Schare: We absolutely do. When we look at security, we look at it far beyond the individual software product. Security itself is an industry-wide problem, and that's been pretty widely discussed. No one vendor is singled out with security issues. Criminals are out there trying to further their own needs, which these days has developed a lot more into stealing money than it is just messing with peoples' computers. So they're going to target whoever they can target in order to further their cause. We've banded together with many different areas of the technology industry and beyond to fight this battle, and that's one of the strengths of going with a company like Microsoft that has the resources and the warewithall to get behind this.
While we have the IE team, that does a lot of work: threat modeling and fixing the actual security vulnerabilities that crop up, figuring out better features to make the products more secure. We have the Microsoft Security Response Center that's on point to deal with any threat that comes up and do the initial analysis of it, band together with ISPs and antivirus vendors and others to shut down networks and get virus signatures out when needed. They work directly with law enforcement to take down servers that are delivering malicious code, go after the writers of the worms and viruses and the exploits, go after the people doing spam and doing phising scams. It's a multi-dimensional attack against this and Microsoft is applying a lot of resources.
Frankly a lot of work we do will probably help the Mozilla guys too, but it's not clear they're going to be able to drive this kind of an effort on behalf of their products. Nor is it clear how they are going to respond to threats that come up once they do have an actual installed base of customers using their product. You can't just put a patch out overnight and say you’re done. You have to actually test hundreds of thousands of scenarios and put a process in place before you release these things.
BN: Are a lack of updates and innovations on a feature level are hurting IE? Considering we won't see major changes until Longhorn, is that hindering IE's ability to compete or to perform.
GS: Not really, because we have this great advantage of this ecosystem of software developers that adds value to the platform. People who are the early adopter types who are going to be interested in a bunch of new features like tabbed browsing, advanced management of favorites, search toolbars that are integrated in and so forth, they can choose from those things today.
I've been on record this week, that I use the Maxthon browser as my everyday browser. It is built on the IE platform so it's IE compatible. It uses the IE favorites, the IE cache; it uses all the IE security infrastructure and gives me tabs and a couple of other features on their own menu. So there's quite a bit of innovation out there today.
BN: How does Microsoft feel about third party browsers such as Maxthon and Avant Browser, which integrate much-demaned features with an IE engine underneath. Does Microsoft feel this is pulling users away from IE, or adding more of an IE user base? Isn't there a risk by pushing third-party browsers and making users more comfortable with a non-IE interface?
GS: There you're only look at one dimension, which is the dimension of features. You're saying, "If I can get tabs in Maxthon, well I can go get tabs in Firefox, therefore I am going to switch." But that does away with all of the security stuff that we've just talked about, all those processes, the maturity of IE itself and the IE rendering engine, the compatibility with Internet sites, the compatibility with corporate applications - many of which use custom ActiveX controls that wouldn't run in Firefox in the first place.
Within the enterprise you're probably not going to see enterprises shift over to a tabbed browser on behalf of their users. Individual end users might decide "Hey, I like this feature and I'm going to go for it." But on balance, I don't think you're going to see the mainstream end user jump to tabs or jump to any other more advanced feature in the browser. For those users the browser is the Web site that they visit.
BN: Do users even care about the underlying technology, the IE engine for example, or is the interface and features more important?
GS: I think they should be aware of those things, because they're making a larger decision than just this feature or that feature. They are making a complete platform change, which has long term implications, so we do think they should think about those things and we hope we can make them aware of them.
BN: I thank you very much for talking with us, Gary.
GS: This is a great discussion and I would be happy to circle back again if you have further questions, want to dig deeper in any areas, and of course as things change on our end and evolve we'll be in touch with you to keep you up to speed on what we're up to.