UPDATED: See end of article. UPDATE #2: See Windows 8 discussion below.
The other day, I was installing Windows 7. This is no surprise, since I've probably installed Windows 7 about a thousand times over the past few years. But this time, I wasn't in my normal work environment, and I didn't have my magic thumb drive filled with my normal tools, like antivirus installers, pre-downloaded service packs, and the like.
I was at a friend's house and all I had was a store-bought copy of Windows 7 Home Premium, which I'd convinced him to finally install after his years in the Vista wilderness.
I like to do a clean install, so rather than worrying about his old files, he spent $69 on a replacement 320GB laptop hard drive (he's not a big file hoarder, so the small drive was fine). We had a fresh drive and a fresh copy of Windows.
So I set about doing the install.
As is usually the case with Windows 7, the install went smoothly. I did a bunch of Windows Updates, and those went smoothly as well. But before I was going to let him go out onto the Internet, I wanted to install antivirus and get him a better browser than IE. He was torn on whether to use Chrome or Firefox, so I planned to install both.
Microsoft offers a pretty reasonable kit of antivirus software in its free Microsoft Security Essentials product. Plus, since I didn't have AV already installed, I didn't want to take my friend's browser off the safety of Microsoft sites until I had antivirus installed and updated.
So, I launched IE to go get MSE. And what did I see on first launch? This:
Yep, IE defaults to MSN. Now, I've known that for years, but I've generally ignored it. I usually install antivirus and Firefox off my magic thumbdrive, so I almost never just launch IE straight out of the box.
But here's IE, as shipped by Microsoft, going to MSN -- which is chock full of ads.
So do you see the security flaw yet?
The flaw is right there, right on the first page that launches, the default page as it's shipped from Microsoft.
Yep, it's the ads on MSN. Now, while ads served by third party ad companies today rarely have malware, they have been known to contain malware, as this InformationWeek article by my Internet Press Guild colleague George Hulme describes. It was years ago, but even with a fully-updated AV, I once got hit with nasty malware on an XP machine, straight from an ad on the DrudgeReport.
There is no guarantee that future ads posted on MSN (or Bing, for that matter) will be malware free. Exploits are discovered every day.
The point is, because Microsoft is defaulting to MSN and MSN is serving up unvetted ads on its home page, users with new Windows installs are being subjected to an unpredictable Web browsing experience before they have a chance to download any antivirus product.
This is a surprisingly big security flaw in Windows.
There's still time to fix this with Windows 8 -- and even still time to change thing with Windows 7.
Update #2: Adrian Kingsley-Hughes reports that Windows 8 will ship with AV, but in a follow-up email discussion about this issue, Adrian told me, "I haven't tested it yet, but I'm told the Win 8 AV has a grace period before switching on to give you a chance to buy AV." If that's the case, and there's still a chance someone can go to the Web before having running AV, the risk might still exist.
All Microsoft has to do is detect whether there's AV installed on a machine. If there isn't AV, redirect IE to the Microsoft Security Essentials page. If that's too scary from a big, bad Justice Department perspective, just simply display a page that recommends installing antivirus before going on the Internet.
But sending unprotected Windows users straight into the wild, wild world of the MSN home page? That's a weirdly obvious Windows security flaw no one ever seems to talk about. And it needs to be fixed.
UPDATE #1: After I published this, my editor asked a question that I think needs to be considered. He asked, "What if Microsoft is monitoring the ads?" I honestly don't know if they are, or not. But the risk still exists. Hackers are constantly looking for exploits, and so it's entirely possible (not probable, but possible) that an ad on a site as large as MSN might be a target. It's also possible that a programming error might not catch an exploit or hack attempt.
Microsoft is filled with very smart people who are quite obviously working extremely hard to fight the malware threat against their own OS. The point of this article is that here's a place that just doesn't have to be a risk -- even if the risk is small. There's just no major upside to pointing unprotected systems to MSN, so even if the hack potential is small, why take that chance?
Let's do our absolute best to keep people safe out there, and avoid unnecessary risks when possible.