[ISN] IE 7.0 Leaves Windows 2000 Users Out in the Cold

InfoSec News isn at c4i.org
Wed Feb 16 10:07:19 EST 2005


By Ryan Naraine 
February 15, 2005 

SAN FRANCISCO - After months of hemming and hawing on plans for a
standalone Internet Explorer upgrade before Longhorn, Microsoft Corp.  
now plans to push out a browser refresh by July or August this year.

But the news that IE 7.0 will be available only to Windows XP SP2
(Service Pack 2) customers isn't likely to sit well with security
experts who argue that the threat from the Firefox browser is at the
center of Microsoft's aggressive anti-spyware and anti-virus plans.

The percentage of Web surfers using Firefox has risen steadily since
June, but Microsoft officials are sidestepping the issue altogether.

"When you run a business and you worry only about what your
competitors are doing, that's not a long-term business proposition.  
You really need to be listening to your customers and that's what
we're doing," said Gytis Barzdukas, director of product management in
Microsoft's security business technology unit.

"Yes, Firefox has come out with technologies that customers are
evaluating. But, at our end, we can't worry too much about that.  
Customers have told us they want us to take a leadership position in
security and they want us to make sure we secure the browsing
experience," Barzdukas said in an interview with eWEEK.com.

Like Microsoft Chairman Bill Gates, who announced the new version of
IE at the RSA Conference here, Barzdukas stressed that IE 7.0 will
build on and expand the progress made with SP2 and put in place
defenses against malware, spyware and phishing attacks.

Asked to explain the rationale for limiting IE 7.0 to XP SP2 users
when the majority of businesses are still running Windows 2000,
Barzdukas left the door open slightly.

"Windows XP SP2 is the scope of the project at the moment. That's what
we feel comfortable committing to. We haven't closed the door on
potentially providing it to other platforms," he said.

However, Barzdukas argued that it was much easier for a company to
consider migration to a new operating system than testing and
deploying significant product upgrades.

"When you do a certain amount of engineering, it gets to a tipping
point. Customers have to decide whether to spend a lot of resources
making sure their existing applications work properly. Or, they can
decide that it's much more feasible to move to a new operating
system," he said.

"When we do all this engineering work, the architecture is changed
significantly. In some cases, it's more expedient for customers to
just move to a new operating system where the enhancements are easier
to deploy," Barzdukas said.

Last year, when Microsoft rolled out XP SP2 and declined to offer the
security enhancements to Windows 2000 users, analysts grumbled that
the Redmond, Wash.-based software giant was using security as a carrot
to get businesses to upgrade.

"Will customers be migrating [to XP] because they're trying to get the
security benefits? Or are they spending money because Microsoft isn't
shoring up Windows 2000 adequately? That's a legitimate question to
ask," security analyst Michael Silver said at the time.

Those criticisms are bound to resurface this time around as details of
the security goodies in IE 7.0 start to dribble out.

On the Internet Explorer blog, Dean Hachamovitch, head of the IE team,
said the company would compare Windows 2000 customers' needs with the
"engineering and logistical complexity" of back-porting the
enhancements. "That's all I can say on that topic," he said.

It's not yet clear if IE 7.0 will include nonsecurity enhancements
that Web developers have been demanding. Those include fixed
positioning in CSS (Cascading Style Sheets) and improved support for
PNG (Portable Network Graphics).

"We're not yet prepared to go into details about what will or won't be
included in IE 7.0," Barzdukas said.

The company has been using its Channel 9 Wiki to solicit feature ideas
and feedback from IE users.
