Microsoft Corp urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.
The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft’s website: http://bit.ly/Kv497S
Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.
When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or "zero-day" vulnerability, in Internet Explorer.
The full security advisory is here, and only IE 7, 8, and 9 on Windows XP, Windows Vista and Windows 7 are known to be at risk. Internet Explorer 10 is apparently not a problem.
Frankly, EMET isn’t a magic shield and it’s a tool that only geeks can love. The bottom line from the above article:
Dave Marcus, director of advanced research and threat intelligence with Intel Corp’s McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.
"For consumers it might be easier to simply click on Chrome," Marcus said.
Business users will have their own problems with it too.
Late last Friday, the European Competition Commission revealed that they are assessing a new Microsoft offer to resolve their browser competition complaint. Instead of Microsoft’s earlier plan to ship no Web browser at all with Windows 7 in the EU, Microsoft has offered to provide EU users of Windows XP and Vista as well as Windows 7 with a "ballot screen" with download links for the 5 most popular alternative browsers.
There are more details in the attachments to the Microsoft press release describing the proposal, but the basic idea is to provide current and easy download and installation links for the Web illiterate who can’t manage to find them on their own. Congratulations to Microsoft for trying to sidestep the black hole of actually shipping third party code. The EU seems to have a much more positive view of this proposal than the "no browser" plan, so Microsoft may actually get away with it.
In case you are wondering, Microsoft’s "no browser in EU versions of Windows 7" plan is still the plan of record until the European Commission accepts this new offer.
Getting far less press, but also significant was that Microsoft is also offering more interoperability information for its software including Windows, Windows Server, Office, Exchange, and SharePoint. That is spelled out in the attachments to the press release too and takes two forms:
The latter is apparently intended to address the second part of Opera’s original EU browser complaint that Internet Explorer was noncompliant with Web standards. It will be interesting to see whether this part of Microsoft’s offer will satisfy the Eurocrats, but I would bet that documentation of noncompliance will not be enough.
I also wonder whether "trustbusters" in the USA and elsewhere outside Europe might not also want to jump on the bandwagon and ask for the same terms as whatever settlement is reached in Europe.
Ina Fried at CNET today revealed that there will be no Web browser in any version of Windows 7 that Microsoft provides in European Union countries:
Reacting to antitrust concerns expressed by European regulators, Microsoft plans to offer a version in Europe that has the browser removed. Computer makers would then have the option to add the browser back in, ship another browser or ship multiple browsers, according to a confidential memo that was sent to PC makers and seen by CNET News.
The browser-less versions, dubbed Windows 7 "E", will be distributed in all members of the European Economic Area as well as Croatia and Switzerland. In addition, Microsoft will strip the browser from the Europe-only "N" versions of Windows 7, which also removes the Windows Media Player from the operating system and is the result of another move by Europe’s antitrust authorities.
Microsoft’s transfer of the Web browser responsibility to the OEMs presumably is the one sure way for them to dodge the continued wrath of the EU bureaucrats although probably not the fines so beloved of the Brussels functionaries. Since OEMs could already add additional browsers to their preloads, it is not too big a leap and hopefully not more onerous than compliance with all the other multitudinous EU bureaucratic requirements. But what about retail box copies?
It’s a little more complicated for consumers who buy a retail copy of Windows 7. Because the operating system lacks a browser, there’s not a direct way to go to Microsoft’s Web site to download one. Microsoft aims to make it as easy as possible for folks in Europe to get the browser, though, and plans to offer it via CD, FTP and retail channels, according to a person familiar with the situation.
How about side-by-side slots in the retail display and a sign that says, "Buy Windows 7 and Get Internet Explorer 8 Free!"? More seriously, the retail box problem could be a way for the bureaucratic camel to get its nose back into Microsoft’s tent in the guise of "protecting the consumer experience." Still it is probably better for Microsoft than trying to coordinate the shipment of multiple other browser vendors’ code inside Windows 7 distributions with the implicit threat of EU Competition Commissioner Neelie Kroes ringing up her cash register every time Microsoft does not release the latest update of Browser "X" immediately.
There is more detail on the Microsoft rationale from Microsoft’s Dave Heiner (Vice President and Deputy General Counsel) and the gist is that Microsoft wants to ship Windows 7 at the same time in the EU as in the rest of the world and since time was running short, made their own decision about how to ameliorate the browser complaints while the bureaucrats continue to mull it over:
Our decision to only offer IE separately from Windows 7 in Europe cannot, of course, preclude the possibility of alternative approaches emerging through Commission processes. Other alternatives have been raised in the Commission proceedings, including possible inclusion in Windows 7 of alternative browsers or a “ballot screen” that would prompt users to choose from a specific set of Web browsers. Important details of these approaches would need to be worked out in coordination with the Commission, since they would have a significant impact on computer manufacturers and Web browser vendors, whose interests may differ. Given the complexity and competing interests, we don’t believe it would be best for us to adopt such an approach unilaterally.
I wouldn’t bet against further EU fine tuning, but waiting for them is standing still so Microsoft seems to have made the best of a bad situation.
Update (June 12, 2009): The EU Competition Commission has now responded to Microsoft’s plan and forgive me while I pat myself on the back for predicting that they would be particularly grumpy over the retail box sales situation:
As for retail sales, which amount to less than 5% of total sales, the Commission had suggested to Microsoft that consumers be provided with a choice of web browsers. Instead Microsoft has apparently decided to supply retail consumers with a version of Windows without a web browser at all. Rather than more choice, Microsoft seems to have chosen to provide less.
They were apparently more positive (in a hedging bureaucratic way) over OEM installations on new PCs, but aside from being obviously chagrined over Microsoft’s preemptive action, they keep beating the drum of the "anticompetitive effects of Microsoft’s long-standing conduct", so we can be certain that some whopping fines are on the way regardless.
Microsoft today released Internet Explorer 8 (IE8):
Today Microsoft Corp. announced the availability of Windows Internet Explorer 8, the new Web browser that offers the best solution for how people use the Web today. It can be downloaded in 25 languages at http://www.microsoft.com/ie8 starting at noon EDT on March 19. Internet Explorer 8 is easier to use, faster and offers leading-edge security features in direct response to people’s increasing concerns about online safety.
I have largely abandoned Internet Explorer in favor of Firefox and Chrome except for checking my websites to see how they render in IE because it still holds 70% of the browser market. The primary problem with IE7 was that it was a lumbering behemoth and the early reviews indicate that while IE8 is better, it is still not competitive:
But, in my tests, IE8 wasn’t as fast as Firefox, or two other notable browsers — the Windows version of Apple’s (AAPL) new Safari 4 and Google’s (GOOG) Chrome. IE8 loaded a variety of pages I tested more slowly than any of the other browsers, and it grew sluggish when juggling a large number of Web pages opened simultaneously in tabs.
Firefox also has a vibrant community of 3rd party add-ons which Internet Explorer lacks.
As for the Web site rendering, I am sure that there will be complaints about IE8 standards compliance, but the biggest immediate problem will likely be the Web sites coded to take advantage of past Internet Explorer peculiarities. To ease the withdrawal pains Microsoft has implemented an "IE7 compatibility mode" in IE8 which is triggered in various ways:
Try explaining that to your aged relatives. In the end, IE8 standards mode is just another browser that Web developers have to code and test for and it will happen eventually with hope springing eternal that it isn’t too much different than supporting Firefox.
So what’s the net? Internet Explorer 8 is a better browser than IE7 which is good news, but it isn’t a world beater.