Security Bites Podcast: Firefox 2 beats IE 7

Unless you’ve been living under a rock, you know that Mozilla unleashed Firefox 2 this week. Although the new browser is not a giant leap on from version 1.5, it does beat Microsoft’s Internet Explorer 7 in several aspects, including security, CNET News.com’s Joris Evers and CNET.com’s Robert Vamosi say on this week’s Security Bites podcast.

The release of the new Firefox was the starting gun for bug hunters to find security flaws in the applications. Microsoft said claims that the first IE 7 vulnerability had been found were incorrect–the flaw lies in Outlook Express instead. However, the software giant did confirm a spoofing flaw. Mozilla, meanwhile, is rebutting bug claims in Firefox 2.

The new browsers have raised some privacy questions among bloggers. Some suggest that the antiphishing filter in Firefox is a front for a data-gathering operation by Google. But no data is sent to Google, unless you opt in to do so. The phishing shield in IE 7, however, does send every Web address you enter into the browser to Microsoft.

Here’s the perfect stocking stuffer: tin foil wallets. Radio tags in passports and credit cards are causing privacy concerns. The solution: Wrap your passport and your credit cards in aluminum foil.

Microsoft Confirms IE7 Address Bar Flaw

Microsoft confirmed a vulnerability Thursday in the address bar of Internet Explorer 7. First reported by security firm Secunia on Wednesday, the issue occurs in popup windows. It is possible to display a somewhat spoofed address bar, the company said.

Due to this issue, a specially crafted URL with special characters may hide portions of the address. This could open the user up to attacks, including performing actions that it may not be aware of. Secunia has rated the issue as “less critical,” its second lowest rating.

No attacks using this flaw are currently known, Microsoft said. It also recommended users make use of the Microsoft Phishing Filter that is included within IE7.

“The Microsoft Phishing Filter online service is designed to allow us to update it fairly quickly with information as sites are reported and confirmed by us,” Christopher Budd of the Microsoft Security Response Center Blog said.

“We do have this issue under investigation and as always, once we complete our investigation we’ll take appropriate steps to protect our customers,” he continued.

However, Budd downplayed the flaw, saying Microsoft’s research showed the full URL can still be displayed by clicking in the browser windows or address bar, or scrolling within the address bar.

[originating url]

America’s Next Top Web Browser

browsers

The last few weeks have been packed with browser action and the two market leaders, Internet Explorer and Firefox, have launched major new versions. So to round out our recent browser coverage, we present the Web Browser Faceoff – looking at how all the main browsers compare with each other in terms of features and innovation. We are basically looking for what is unique, interesting – and missing – in each browser.

Right now Microsoft still holds onto its huge market lead, but Firefox is gaining more ground every month. Probably more importantly, there are other major innovators in the browser space – such as the social browser Flock (a Read/WriteWeb sponsor) and the perennial innovator Opera. The Mac browser Safari of course has many passionate supporters, while new kid Maxthon is one to watch.

Regardless of who will prevail in the ‘browser 2.0 wars’, the users will win. While fighting each other, the browser makers innovate and simplify. They increase our productivity by integrating into the browser web concepts such as search, RSS, OPML, microformats and more. The core browsers are getting slimmer and faster, while extensions that cover a wide range of services are being developed by external parties.

Internet Explorer 7.0

Internet Explorer 7.0 is a major release from Microsoft, after nearly 5 years of silence. We just recently profiled this browser and concluded that it is solid – and even an exciting release, at least compared to its predecessor. Clearly Microsoft felt great pressure from Firefox to come up with the upgrade.

This release is mostly good. There are major improvements like Tabbed Browsing, beefed up security, support for RSS, built in search engines and better interfaces for bookmarks and history. Oddly, there are still some leftovers from IE6 – the major one being the in-page search box, which is nearly impossible to use.

Pros: Big improvement over IE6, nice user interface, very good RSS support.
Cons: Leftovers from previous release, performance is not great, not fully compliant with standards.
Faceoff bottom line: Solid release, which is going to help Microsoft maintain the market leadership in the near future

Firefox

Firefox just launched its 2.0 release. We covered the launch extensively with a Firefox 2.0 product review, an interview with Mozilla exec Chris Beard and a Firefox marketing discussion post. Firefox 2.0 impresses with its speed, stability and coolness. Mozilla has managed to create both a thriving community and strong extension ecosystem, that drives both improvements and market share. Firefox also has many great productivity features – like search engine integration, in-page search, simple RSS integration and tabs. It excels in overall usability, security and accessibility.

Pros: Great performance and feature set.
Cons: No built-in RSS reader, no hugely innovative features (like Flock) – so arguably not distinct enough from IE7.
Faceoff bottom line: We think that Firefox is going to continue narrowing IE’s lead, but await with interest the next major version!

Safari

No browser faceoff would be complete without Safari, the browser for MacOS. Like all things Apple, Safari has cool features – but it still feels like a ‘web 1.0’ browser. The most impressive feature is RSS integration. For each page that contains an RSS feed, Safari presents a handy search bar which allows the user to find entries by date, category and many other criteria. It also has built-in spelling – a feature that was just recently added to Firefox. The bookmarks and history are nice, but unexciting. Tabs are not enabled by default and there are no integrations with web services.

Pros: Simple, relatively fast, good RSS support.
Cons: Lacks web service integrations and productivity features.
Faceoff bottom line: It’s a clean and simple web 1.0 browser, but needs a major feature boost in order to be a contender even on the Mac.

Opera

Opera 9.0 is an interesting browser. It has a lot of good features, nice add-on infrastructure and a strong community. In terms of basic features it is not far off from Firefox. It is also fast and responsive, which makes us wonder why it is not used by more people. The answer, we think, is due to a couple of things. First the default skin and some UI elements are bit contrived. They look like a blend of future and past – and overall there is a lack of harmony.

The marketing of the browser has not been as strong, at least for desktop – since this browser has been focusing primarily on the mobile space lately. On a positive note, there is fairly complete RSS integration – including a built-in RSS reader. The URL toolbar and home buttons are done in a very clever and convenient way. Tabs are done well (and as a R/WW commenter noted recently, Opera had tabs even before Firefox). One other interesting thing about Opera are the desktop widgets. We found them to be cool, but somewhat unrelated to the browser since they run on the desktop.

Pros: Rich feature set, RSS integration, fast
Cons: Lacks coolness factor of Firefox, not as well known – but maybe an unfair comparison since Firefox is open source
Faceoff bottom line: We can see why fans like this browser, but a bigger future depends on spicing it up and poring in the marketing dollars.

Flock

Flock is the newest and perhaps the most exciting browser on the market today. This Firefox-based browser has taken the concept of browsing to the next level by radically integrating support for web services. For example, stock browser feature bookmarks have been replaced in Flock by integration with del.icio.us. Flock also features support for online photo sharing sites like Flickr and Photobucket.

Flock comes with a built-in Blog editor, which supports many blogging services including WordPress, Blogger and MovableType. There is also a built-in RSS reader, which is one of the best RSS readers on the market in our opinion. The innovation goes beyond the service integration, since Flock also includes interesting new UI elements like TopBar – which is an improved search box and scratch area for storing web snippets.

Pros: del.icio.us and Flickr integrations, built in blog editor, RSS reader, cool UI
Cons: Cloned Firefox code base, making it more work to make compatible add-ons.
Faceoff bottom line: Great productivity browser for web 2.0

Maxthon

We thought it would be worthwhile to profile the China-based Maxthon browser, which had over 55 million downloads by May 2006 – at which point it received an investment from Charles River Ventures. This browser is based on the IE engine and it claims to be 100% compatible with it. The first thing we noted is that the install was super fast, just a few seconds.

The Maxthon browser comes with many pre-installed plugins, mostly for integrating with web 2.0 services like del.icio.us, Digg and Technorati. The look and feel resembles Internet Explorer 6, with the addition of tabs and a sidebar for plugins. The UI is not great and we noticed a few hickups, but the integration with web 2.0 services is very impressive – at least from a purely features point of view. Consistency is achieved by placing all integrations into the sidebar and adding a vertical control for toggling between them. Besides these plugins there are many other features – perhaps too many, which could also be the cause of slow page loads.

Pros: Impressive integration with the latest web 2.0 services.
Cons: Too many features, lacks coolness factor, slow.
Faceoff bottom line: Need to apply Occam’s Razor (i.e. make it simpler), but definitely could be a contender because of solid service integration.

Summary

In one of his recent posts on ZDNet, Richard published statistics on the current browser market share. According to his post, IE still maintains a strong lead but Firefox is gaining ground – particularly in US. Looking at the browsers reviewed in this post, we can be certain that a lot more innovation will come over the next few years. Each of these browsers brings a unique, interesting approach – which will fuel the competition between them.

Whatever happens, we as users are certain to see better browsers that are focused on productivity and web services. Even though IE and Firefox are far ahead today, we see that other browser like Flock and Maxthon are ramping up support for the latest web 2.0 services – making themselves stand out and attracting early adopters.

Faceoff bottom line: This round of browser competition is going to be at least as interesting as the Netscape vs. IE ten years ago. And hopefully less one-sided!

Internet Explorer 7 vulnerability discovered

Internet Explorer 7 vulnerabilityAccording to security firm Secunia, the just-released Internet Explorer 7 contains a “Redirection Information Disclosure” vulnerability, which allows one site to fetch data from another site through the browser, which opens it up to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It’s one thing not to patch an old browser, but seems quite another to release a brand new browser with the same vulnerability that you’ve been aware of for six months. If you’re running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.

[originating url]

Microsoft hopes 7 is lucky number for IE

Some 18 months after Bill Gates pledged to revamp Internet Explorer, Microsoft is ready with the final version of Internet Explorer 7. The new Web browser, which has been in testing for months, is now available for download from Microsoft’s Web site.

On the feature side, Microsoft is playing catch-up in many areas. It has added support for Web standards, RSS Web feeds and tabbed browsing. The new browser also offers protection against phishing sites–malicious Web sites designed to trick users into handing over their personal information.

After months of ceding market share to Firefox, Microsoft has gained back a bit, according to the most recent statistics from OneStat. IE now has 85.9 percent of the market, an increase of 2.8 percentage points since July. Firefox has 11.5 percent of the market, down 1.4 percentage points compared with July. The Mozilla Foundation is getting closer to the launch of its own revamp, Firefox 2, which has hit the “release candidate” stage.

Chris Beard, vice president of products for Mozilla, said that Mozilla expects to release the final version 2 of Firefox late this month or early next month. As for IE 7, he said that his organization sees a lot in IE 7 that other modern browsers have had for a while. “We’re continuing on our path of how can we continue to improve upon the experience,” Beard said.


Microsoft is encouraging even Firefox users to install the IE update, promising them that it won’t make IE the default browser–or even ask them if they want to switch. “There are advantages to having it there, even if you are not a daily user,” said Gary Schare, Microsoft’s director of IE product management.

Earlier, on Wednesday, Yahoo made available its own custom version of IE 7, which sports Yahoo as the default search engine, Yahoo home pages and a Yahoo toolbar.

Arrival schedule
Those who have been beta testing IE7 will begin receiving the final version via automatic updates this week. Microsoft plans to push down IE7 via automatic update to IE6 users starting next month, though they will get to decide whether they want to install it.

Microsoft has also offered a tool for businesses that lets them indefinitely block users from getting automatically updated to IE7. Schare declined to say how many businesses have downloaded the tool.

Although Microsoft will begin making the browser available through Automatic Update next month, it could take many more weeks to get the application to all PCs in the United States. The software maker is staggering the release, in part to make sure it can handle the support calls. It will make free phone support available, as it has done since the Beta 2 version of IE 7 was introduced in April.

The software maker has primarily been touting the security enhancements that come as part of the new browser. However, Schare said anecdotally, the most popular feature among beta testers has been improved printing of Web pages.

Schare said Microsoft started focusing on trying to make the browser more secure when it updated IE as part of Windows XP Service Pack 2.

“That certainly helped a lot–clearly not enough,” Schare said. “We’re not done. We’ve already started thinking about the next one.”

Schare said the company is in the planning stages for another update, which is likely some 18 months out. Among the features Microsoft will consider adding are things that it wanted to include this time around, but opted against. Among the features in that camp are a download manager and improved searching within the current Web page.

It will also likely need more security improvements, though it is hard to say at this point what those changes will need to be. With SP2, the focus was on malicious software, while IE 7 is largely focused on social threats.

“We don’t yet know what the next one is,” Schare said.

It remains to be seen whether that update will come as part of an update to Windows Vista or on its own. “It may line up,” Schare said. “It may not. We’re willing to have it not line up.”

Rivals are not standing still either. The new version of Mozilla adds, among other things, its own anti-phishing abilities, which were co-developed with Google. Beard said Firefox is looking to improve further its lead on patching holes. Already, he said, Mozilla’s patches are released in “days, not weeks or months,” Beard said. “With (version) two, we’re looking to make that hours or minutes.”

Yahoo beats Microsoft to punch with IE update

Microsoft’s new Internet Explorer browser is now available–from Yahoo.

Although Microsoft has yet to release the final version of IE 7, its rival has posted a Yahoo-optimized version of the Web browser. The browser is essentially the IE 7 browser with a number of tweaks, such as Yahoo home pages, Yahoo as the default search engine and a Yahoo toolbar.

A Microsoft representative declined to comment on the fact that IE 7 is available from Yahoo before it is available from the software giant. Microsoft has touted Yahoo’s work as an example of the way other companies can customize the new browser.

The software maker has said it will make IE 7 available in the coming days for download, with automatic updates slated to go to IE 6 users next month. It has launched several publicly available test versions of the new browser.

Microsoft’s first major overhaul of the browser in years, IE 7 adds features such as tabbed browsing, built-in RSS reader and improved printing. The company has included a number of security enhancements as well, including an antiphishing filter.

How to Block IE 7 from Automatically Installing on Your Computer Via WinUpdate

The final version of IE 7.0 will be available anytime this month on Microsoft IE Website. Like other Microsoft Security Updates and Patches, IE 7.0 will also be distributed via Automatic Updates for Windows XP SP2 and Windows Server 2003 SP1 users.

If you have disabled Automatic Updates on your Windows system, you will be prompted to download and install IE 7 when you perform a manual scan for updates using the Express install option on the Windows Update or Microsoft Update sites.

Microsoft has provided a simple registry key to block automatic delivery of Internet Explorer 7 on your computer. Just download and install the following registry file.

Download DoNotAllow IE7 Registry Setting

For large corporates that may want to prevent their employees from installing IE7, Microsoft has provided a free IE7 Blocker Toolkit that contains a Group Policy Administrative Template (.ADM file) to allow administrators to centrally execute the action across systems in their environment.

Download IE7 Blocker