By Ina Fried and Paul Festa
Wednesday, February 16 2005 09:32 AM
URL: http://www.zdnetasia.com/news/software/0,39044164,39217900,00.htm

Reversing a longstanding Microsoft policy, Bill Gates said Tuesday that the company will ship an update to its browser separately from the next major version of Windows.

A beta, or test, version of Internet Explorer 7 will debut this summer, Microsoft's chairman and chief software architect said in a keynote address at the RSA Conference 2005 here. The company had said that it would not ship a new IE version before the next major update to Windows, code-named Longhorn, arrives next year.

In announcing the plan, Gates acknowledged something that many outside the company had been arguing for some time--that the browser itself has become a security risk.

"Browsing is definitely a point of vulnerability," Gates said.

The new browser version will work on machines running on Windows XP Service Pack 2, a security-focused update to the operating system that the company launched last summer, Gates said.

Mike Nash, an executive in Microsoft's security business and technology unit, said in an interview that Microsoft has not determined how or when the final version of IE 7 will ship, but that it is planned ahead of Longhorn.

Nash said it has not been decided whether IE 7 will come with a different Windows update, such as a security revamp.

"We'll be updating Windows on a regular basis," he said. "How the browser gets packaged--whether it's with a service pack--has not been nailed down. There is going to be a Service Pack 3 (of Windows XP). That's not a surprise. How that relates to (IE 7's release), we haven't figured out yet."

As recently as August, Microsoft said that no new stand-alone version was planned before Longhorn, and the company reiterated back then that its plan was to make new IE features available with major Windows releases. "At this time, there are no plans to release a new stand-alone version of IE," a Microsoft representative said.

In November, Microsoft opened the door slightly to improving IE before Longhorn, though it indicated that improvements might come through add-ons to the browser, rather than through an updated version of IE.

Analysts attributed Microsoft's change of heart to the progress of the Mozilla Foundation's Firefox browser, which has made incremental but steady market share gains against IE in recent months. In a survey conducted late last year, Firefox nudged IE below the 90 percent mark for the first time since the height of the browser wars in the 1990s.

"I think it's a response to both the delay of Longhorn and the challenge of Firefox," said NPD Group analyst Ross Rubin, who added that Firefox was probably the sharper spur. "Were there no Firefox, they'd have more leeway to sit on it until Longhorn."

Bart Decrem, a founding member of the Mozilla Foundation, former head of its marketing and business development and current volunteer, said that Microsoft clearly was responding to the group's work.

"I can't think of a better validation of the success of Firefox," said Decrem. "The success of Firefox is forcing Microsoft to improve IE. The only surprise is that it took them this long to make that announcement."

Nash would not say whether Microsoft hopes to stem defections or gain back share lost to Firefox.

Bitten by bugs
Microsoft's decision to announce plans for IE 7 at a security conference was no coincidence. IE 6's security reputation has suffered over the years, dogged by a long string of security bugs, phishing schemes and patches.

The company sought to allay security concerns last year by issuing the SP2 update for Windows XP, which included a number of changes to browser security. But critics complained that the update would benefit only those people who either already owned XP or who had paid for an operating system upgrade, leaving about half the Windows world out in the cold.

Microsoft on Tuesday acknowledged that those complaints about XP exclusivity lingered, particularly among enterprise users of Windows 2000.

"Right now, we're focused on XP SP2," Dean Hachamovitch, who heads Microsoft's IE team, wrote in the company's IE blog, in a posting dated Tuesday. "We're actively listening to our major Windows 2000 customers about what they want and comparing that to the engineering and logistical complexity of that work. That's all I can say on that topic."

But IE 6 has earned enmity among developers, and not only for its security lapses. Web authors have long complained about Microsoft's spotty implementation of various Web standards including Cascading Style Sheets (CSS), the Portable Network Graphics (PNG) image format, Extensible Hypertext Markup Language (XHTML) and Extensible Markup Language (XML).

As the company reversed itself on issuing a standalone IE, Web authors wondered aloud whether version 7 would fix those bugs along with the security holes.

"Any released information stating your commitment to modern coding practices--meaning XHTML, CSS, XML, not to mention full PNG support?" asked Web designer Brady Frey in response to Hachamovitch's blog posting. "Aside from security, this has been the reason why we've dropped IE's usage company wide--I have the choice of building one Internet application for all users, or one for IE users. We don't want to waste money doing both anymore."

Microsoft's Nash declined to shed any light on the question of features in the IE update, restricting his comments to planned security enhancements such as better defenses against phishing scams and improved spyware protection.

"Right now, the focus is security," Nash said. "There may be other things that are in there, but the goal is on security."

Nash said the shift in IE release plans was a response to customer pressure. Demand for the antiphishing features, Nash said, came not only from individual customers but also from companies that deal with a lot of personal information over the Internet--businesses like financial institutions and Web retailers.

"They had a lot of influence as well," Nash said.

The company plans to target phishing scams in two main ways. First, the new browser will look for techniques commonly used by such scams, such as having Web links that don't match the text of the hyperlink, as well as links that point to numeric Web addresses. Microsoft also plans the equivalent of a blacklist, which would identify and call out URLs associated with known scams.

Apart from promising a test version by summer, Microsoft remained coy about its plans for releasing the final standalone IE 7.

"Yes, we have a date in mind," Hachamovitch wrote in the IE blog. "I'll talk about the date after we get feedback from customers and partners. We're going to release a beta and listen, then refresh the beta and listen some more. We'll ship when the product is ready."