Interview: Microsoft Exec Talks IE7, RSS
Following a decision to release a standalone version of IE7, browser development at Microsoft has come fast and furious. BetaNews this week sat down with Gary Schare, Director of IE Product Management, to discuss the changes coming in IE7, Firefox's growth, and how Microsoft will bring RSS to the mainstream.
When BetaNews last spoke to Schare in late 2004, he explained why Microsoft had no plans to add features like tabbed browsing directly into Internet Explorer or update its CSS support. After much feedback, things changed in early 2005. With a standalone IE7 now feature-complete, Schare delves into the reasoning and gives us a look at what to expect when the browser is released later this year.
BetaNews: Let's start with the basics. Exactly one year ago at the RSA Conference, you announced the plan to restart IE development and release a beta version for testers before the end of summer. Can you recap the reasoning behind this switch and give us some insight as to the goals of IE7?
Gary Schare: We really didn't announce a restart of IE development; we announced an extension of the development to bring the work that we were doing in IE7 for Windows Vista down to Windows XP users. It's not like we were starting from a standing start a year ago. We simply broadened the reach to bring a lot of the innovations -- both the end user experience and the security innovations that we were doing for IE in Windows Vista -- to the Windows XP installed base.
BetaNews: Originally IE7 was supposed to come as part of the larger package of Windows Vista. Did the growth of alternative browsers such as Firefox and Opera affect the decision to move forward with Internet Explorer 7 on its own?
Gary Schare: The primary driver behind expanding the reach of IE7 to Windows XP was security. That was the core of the message that we delivered last year at RSA and remains true to this day. The nature of the attacks you're seeing on the Internet, along with the nature of just how things have evolved and the worries that our customers have, made it a very easy decision to bring that technology to Windows XP for security reasons.
In addition, when we talked to customers, they said they really would like to see a lot more than just security. There are a number of new feature areas that were showing up in alternative browsers -- ones built on the IE platform like Maxthon and Avant Browser, as well as the alternatives such as Netscape, Firefox and Opera -- that people said they would really love to see in addition to better security.
BN: How big is the IE development team at Microsoft now? We're seeing new faces post on the IE Blog almost daily.
GS: We've been growing the team. That's part of the natural growth cycle that development teams at Microsoft go through, typically as they ramp up for major releases. We can't release specific numbers, because frankly a lot of the contribution to the Internet Explorer effort comes from people who don't report into the IE ward. These are build managers and test managers on Windows Vista, and people that do other kinds of infrastructure around the company.
Some of the code that goes into IE itself comes from the Networking team in Windows. It's impossible to pin a number on it, but we certainly have been growing it because as we ramp up to two major releases -- both IE7 for Windows XP and IE7 in Windows Vista -- it takes a fair number of people to pull that all together.
BN: Once we're past the IE7 release time, would the team then shrink in size?
GS: In this case we plan to continue aggressive development of Internet Explorer. There are a number of things we wanted to do in IE7 that we didn't quite get to, and there are new innovative things that people have been dreaming up, which we plan to come out with in future releases. We don't have specific milestones in place just yet, but we definitely plan to keep investing quite heavily.
BN: When BetaNews last spoke to you in November 2004, you said another standalone release of IE was not necessary because of the community of add-ons available (like those for tabbed browsing). Now, IE7 is building in a lot of new native functionality within the browser. Why the change?
GS: The additional functionality is only one half of the equation; the other half is security. The kind of changes required to protect our customers were things we had to change at the core IE platform. Thus, a lot of changes we made -- rewriting entire sections of the code, changing the way ActiveX works with ActiveX Opt-In, and changing the way the security settings worked -- required changes to the core of IE itself.
In addition, the features are things our customers have asked for. There are certain customers that love using the IE add-ons and will keep doing that. And there are many other customers who say we want to use IE, but we want to see some additional features like tabs, better printing, page zooming, integrated RSS, and so forth.
BN: How much more secure is IE7 than IE6?
GS: It's impossible to quantitatively measure that, but when you look across the areas of investment we've made, they're very, very substantial. For example, let's look at the anti-phishing work. We hadn't really done anything significant to help users fend off phishing attacks in IE6. There was a little bit of anti-spoofing work done there, which has been helpful, but now we're really giving users the kind of trust information they need to know whether they're on their actual bank site, or a fraudulent site that's pretending to be their bank.
ActiveX Opt-in, another big area of focus. We've done a lot of work in IE over the years to improve the security of ActiveX, and did some great work for IE6 in Windows XP SP2 with the information bar and the redesigned Authenticode dialog. Yet there was still more work we could do, and we found a large surface area of potential attack with ActiveX controls that are preinstalled within Windows. With ActiveX Opt-in, we're disabling most of those by default and letting the user decide if they need to use them to access a particular site or application. Those are two examples and there are many more.
BN: What about customers not able to upgrade to IE7? Will there be enhancements to the security of IE6 to keep those customers as safe as possible since they may not fulfill the requirements to run IE7?
GS: One of the hallmarks of using Microsoft software is taking advantage of the security support lifecycle. We will continue to support versions of Internet Explorer for up to 10 years, and we have a whole Web site dedicated to defining which versions are supported for how long. In fact, just today we released a security update for Internet Explorer 5.01.
There's two pieces of news there: one is we're continuing to support that version, which is somewhere in the range of 6 or 7 years old. Number two, we're finally at the point where we can say "Here's something that doesn't even affect IE6." I think it's the first time in two years that we've issued an IE security patch where IE6 was untouched, because we've finally caught up with the new security enhancements and backlog of security bug reports. Now we're working on some very old bugs, which are a little less severe and don't affect much of the installed base.
BN: ActiveX seems to be IE's Achilles heel in a sense. You're making changes to the technology in IE7; how will this affect end-user interaction and corporate users?
GS: ActiveX is a very powerful platform. While ActiveX itself is unique to Internet Explorer, the technology of extending a browser with native code is not. You have the Netscape plug-in model that runs in Netscape browsers and Firefox browsers, and is the moral equivalent of ActiveX from a code perspective. The difference is that we did a lot of work in ActiveX to ensure that users only install the controls they really intend to, eliminating the drive-by download vectors of the past. A lot of that work came in IE6 XP SP2.
The second area of concern is the architecture of ActiveX and Internet Explorer, which allows any ActiveX control installed in Windows to be exposed to the browser if it's marked safe for scripting. We took a look there and said "Well that can enable some powerful applications to be written using these common components that ship in Windows." But malicious hackers were using that to go after users.
Quite often when you see an IE patch coming out, it's not actually a patch to IE code. It's a patch to kill the ActiveX control that's no longer needed, which we've determined has a vulnerability in it. ActiveX Opt-in is designed to reduce that surface area of attack by turning off most of those controls by default and letting users only turn them on if they need them. The feature makes it not interesting for the hackers to go after this legacy code that shouldn't be exposed to the Internet in the first place.
At the same time, the power of ActiveX still benefits users. The mainstream controls like Flash, Acrobat, RealPlayer, QuickTime and Windows Media Player -- ones that you as the user need to have a rich experience -- will continue to work.
BN: Is Microsoft considering replacing ActiveX with another technology due to such security problems?