How I'll Judge IE7 Security

IE7 will be more secure against attacks because it has a smaller attack surface than IE6 and because the remaining attack surface was extensively re-engineered to be more secure. When you look at HD Moore's Month of Browser Bugs, he was able to find a significant number of crashing bugs in IE6 by attacking extensions like ActiveX controls. IE7 reduced the attack surface by disabling most ActiveX controls on the system and therefore none of the crashes worked against IE7 by default.

Every day of that month counts as an example of how IE7 is more secure than IE6 was and we continue to see bugs that affect IE6 that don't affect IE7.

Reducing attack surface is always a good security strategy but the security research community will double-down their efforts on our remaining attack surface and on non-default configurations. That means that there will be security bugs and we will build fixes for those bugs. MSXML is an ActiveX control that's installed and used by many applications and as you saw earlier today, we just released a security update for versions 4 and 6 of that control. This update doesn't apply to Windows Vista or Windows XP by default because the vulnerable versions of MSXML were never installed with Windows or IE. So if you don't have them installed, you're not exposed to the attack. If you're not sure, don't worry as Windows Update will install the correct update for you if needed.

IEBlog: How I'll Judge IE7 Security

Linked by shanmuga Tuesday, 14th November 2006 11:06PM