Internet Explorer 7 Is Still Not Safe Enough

Illustration: Mark Matcho
Microsoft's Internet Explorer 7 offers significant security improvements over its deservedly criticized predecessor. But the new IE still does not do enough to protect users.

Microsoft has, in IE 7, locked down some of the problem areas in IE 6. The browser will permit a Web site to nag you only once about installing an ActiveX control, for instance. (Some users will approve an installation simply to get rid of the pop-up windows.)

But malicious scripting attacks remain a big problem. Some miscreant Web sites use scripting code (such as JavaScript) to exploit security holes. This can allow them to perform drive-by installations of spyware or Trojan horse programs. IE 7 has a host of features designed to thwart exploits, including showing a pop-up warning that lets the user know when a site is trying to use scripting. But the new features don't go far enough.

Firefox's NoScript plug-in (a free download at NoScript.net) provides an elegant solution to the problem of malicious scripting. Once installed, NoScript prevents scripting from working at any Web site you visit until you approve it for that particular site. Being able to control scripting on a site-by-site basis with a single mouse click gives you a powerful security advantage.

But instead of the surgical script controls of NoScript, IE 7 still uses the same mud-covered sledgehammer that IE 6 did. Like NoScript, IE lets you block scripting for all sites in the Internet Zone and then enable scripting for a particular site. But getting to the necessary dialog box takes at least six mouse clicks, and you must then enter the site's URL into the Trusted Sites list. It's a hassle most users won't deal with.

Microsoft touts IE 7's Phishing Filter as a significant new security feature, but a recent test of IE 7's filters by researchers at Carnegie Mellon University found that the Phishing Filter caught, at best, 68 percent of the phishing URLs that the researchers threw at the browser. (You can read more about the study's findings in "Phinding Phish: An Evaluation of Anti-Phishing Toolbars.") Your best bet: Install an antiphishing toolbar as a safety net. In the CMU tests, SpoofGuard identified 91 percent of phishing sites. EarthLink's free toolbar placed second, with 83 percent accuracy.

None of this means that you shouldn't upgrade to IE 7. The new browser is more secure than IE 6--and given how tightly it's integrated into Windows, that extra protection is critical.
