New Windows 7 installs and IE: Security risk?


Summary: When you launch IE in Windows after an initial install, the first page you see is Microsoft's MSN portal. One day, Windows users could open that MSN home page and get slammed with malware hiding in the ads.


Here's a sample home page. Notice the ad on the right.

It's been a long, long time since Judge Jackson came down on Microsoft over its supposedly monopolistic practices, particularly regarding the Internet Explorer browser.

Today, of course, Microsoft has serious competition. Back in Jackson's day, Google was probably still operating out of Susan Wojcicki's garage. But today, of course, Google is a massive competitor to Microsoft and the Chrome browser is picking up market share on a daily basis.

Firefox isn't anything to sneeze at either, and with Safari running on all of the Apple products, there are probably more non-Microsoft browsers installed out there than those from Microsoft.

Even so, Microsoft has something of an advantage, in that IE ships with each new install of Windows 7. To download another browser, you generally have to launch IE (at least once) and go to either the Chrome download page or the download page for Firefox.

Here's my beef

It's here that I have my beef with Microsoft, and it's here that I predict Microsoft will get stung one day if it doesn't change its practice.

The issue is what happens when you launch IE in Windows after an initial install. When you launch IE, the very first page you see is Microsoft's MSN portal home page. Users are also invited to configure the IE experience and are shown an IE info page, but the default home page remains that of MSN.

Let me be clear. This isn't about competitiveness. This isn't about Microsoft's advantage. This is about cybersecurity. One day, Windows users will open that MSN home page and get slammed with malware hiding in the ads.

See also on CNET: Malware delivered by Yahoo, Fox, Google ads

As CNET's Elinor Mills reported last year, malware has been "lurking" in ads delivered by ad serving platforms, providing ads to such high profile sites as The Drudge Report and even Yahoo! Even if it hasn't happened yet, it's likely that malware will also be delivered via Microsoft's ad network, feeding ads to MSN.

And that's where our problem lies. Unlike all the other platforms, users of Windows are directed to the MSN site before there are any antivirus programs installed.

In fact, to install Microsoft's own, excellent Microsoft Security Essentials, users have to run a completely unprotected gauntlet through the wilds of MSN, before they can safely reach the confines of the Microsoft.com Web site.

This is where I think Microsoft has gone wrong.

I have no problem with Microsoft selecting their own MSN page as IE's default page. But it should only happen after an antivirus program has been installed.

See also: Personal Computer Security: Using Uncommon Sense

We know Microsoft can detect the existence of an antivirus program, because the Windows Action Center reports to every Windows user when antivirus doesn't exist.

I call on Microsoft to close this security loophole soon, and close it hard. Set IE to load a blank page, or even load the Microsoft Security Essentials page as the default. But -- whatever you do -- please stop the practice of forcing users to accept unvetted and possibly dangerous ads before their computers are properly protected.
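The check-then-default behavior proposed here can be approximated by an administrator at provisioning time. The script below is an added example, not code from the article or from Microsoft: it reads the same Security Center data that Action Center displays and, if no enabled antivirus is registered, points IE's start page at a blank page. The `productState` bit tests follow a widely used but undocumented convention and are an assumption; the function names are hypothetical.

```powershell
# Added example (not from the article). Run as the logged-on user on a fresh
# Windows 7 install, before the first IE launch. Works with PowerShell 2.0.

function Test-AvEnabled {
    param([int]$ProductState)
    # Assumption: productState is undocumented. By common convention,
    # bit 0x1000 is set when real-time protection is switched on.
    return ($ProductState -band 0x1000) -ne 0
}

function Get-ActiveAntivirus {
    # root\SecurityCenter2 backs Action Center on client editions of Vista
    # and later. It is absent on Server editions, so errors are suppressed
    # and treated as "nothing registered".
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' `
                                -Class AntiVirusProduct `
                                -ErrorAction SilentlyContinue)
    $products | Where-Object { Test-AvEnabled $_.productState }
}

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$active = @(Get-ActiveAntivirus)

if ($active.Count -eq 0) {
    # No enabled antivirus registered: keep the browser's default page
    # off ad-carrying sites until protection is installed.
    if (-not (Test-Path $ieMain)) {
        New-Item -Path $ieMain -Force | Out-Null
    }
    Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank'
    Write-Output 'No active antivirus registered; IE start page set to about:blank.'
} else {
    foreach ($av in $active) {
        # Assumption: bit 0x10 set means the signature definitions are stale.
        $stale = ($av.productState -band 0x10) -ne 0
        Write-Output ("{0}: enabled, definitions stale = {1}" -f $av.displayName, $stale)
    }
}
```

Because this writes a per-user registry value, it has to run in each user's context (for example from a logon script), and a user can still change the start page afterwards.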

MSN is different from all the other major portals in that it does come from Microsoft, a company with a solid anti-malware strategy in place. I'm certainly more comfortable about the safety of ads fed by Microsoft's ad serving network than I am with ads provided by any other -- simply because of the internal technology available to it. That said, malware has a way of getting through, and making a page with the potential to feed dangerous payloads is risky no matter how you slice it.

None of us wants to see Microsoft back in Washington facing another Judge Jackson. But if something bad does get through, and is distributed by MSN to unsuspecting and unprotected new Windows installations, the blowback could be far worse than anything Judge Jackson could have imposed.


About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.


Talkback

98 comments
  • RE: New Windows 7 installs and IE: Security risk?

    oy gevalt......
    straycat5678
    • UNTRUE

      u do NOT have to open IE to MSN first to download something. You just open EXPLORER and type firefox.com into the directory area and BAM u will be there since EXPLORER is IE. they never changed that.
      domma
      • RE: New Windows 7 installs and IE: Security risk?

        @domma
        I believe I'm an above average Windows user, yet I don't know that trick. I bet more than 80% of Windows users don't know they can browse with explorer alone and not using IE.
        Martmarty
    • RE: New Windows 7 installs and IE: Security risk?

      malware again? is there no fix at all?

      miranda.cole88
  • RE: New Windows 7 installs and IE: Security risk?

    (Yawn...) it's nearly tea-time........
    GreenWiz
    • RE: New Windows 7 installs and IE: Security risk?

      @GreenWiz

      No apparently it's click bait time. David obviously needs to make the rent.
      tonymcs@...
  • Yep, that's my life

    Install a MS OS, fire up IE and get hit in the face with a lot of garbage, DL FF or Chrome and NEVER see IE again, except for the Windows Update part.

    I think showing the MSE DL as the IE default on first launch is a very good idea. That is one MS product that I have actually grown to like, except for the odd false positive, but at least they are not Windows system files.
    Economister
    • RE: New Windows 7 installs and IE: Security risk?

      @Economister

      Sorry but despite being a Firefox user (like as I'm writing this), Firefox isn't foolproof. I just cleaned a virus off a friend's XP system and Firefox is all he uses. He had still been operating under an older 3.6.x version. Arbitrary code execution flaws have been a dime a dozen on Firefox and if you're on XP and you run with administrative rights, as 99.999% of lay people do since they don't know any better, you will catch a virus sooner or later. Aside: McAfee was useless in removing the malware, Microsoft Security Essentials however did the trick.

      The best security track record of any browser so far is Chrome, but even that isn't bulletproof. As its popularity increases, so will the attempts to target Chrome users. Years ago both the Mozilla organization and users would say that Firefox was intrinsically more secure. Not really. The one thing Chrome did (for XP users) is give them something that neither the Mozilla organization (with Firefox) nor Microsoft even provided, leveraging the Win32 security APIs to declaw/remove the administrative rights of the browser executable (.EXE) that by default is potentially bringing in malware. Read here for an elaboration:

      http://mastercobbler.blogspot.com/2008/09/its-shiny.html

      The best three things you can do to protect yourself nowadays are:

      1) Don't run with administrative rights. XP users are too ignorant to know any better so Chrome with its use of the Win32 security APIs is the best browser on XP. There are tools to achieve what Chrome is doing under the hood with its use of security APIs, among them:

      http://download.cnet.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol;1

      It's a turn key solution, i.e. monkey friendly. If you're more initiated (I've learned most people aren't), there's DropMyRights:

      http://cybercoyote.org/security/drop.shtml

      Windows 7 & Vista users who have not turned off User Access Control (UAC) needn't bother with these tools.

      2) Use Microsoft Security Essentials. Forget McAfee et al. Outside of very good virus protection, the fact that Microsoft Security Essentials shimmies itself into various network services to prevent "NOP sleds" from working is a big deal. Let me translate for the lay people (most) in the room - it means if you're on the same subnet as some machine with a worm, there's a diminished chance your system will be breached. Just because you aren't actively browsing the Net doesn't mean your system in that time can't be breached. That's the critical difference between a worm (push), e.g., Stuxnet, and a virus (pull).

      3) Use Microsoft's Enhanced Mitigation Experience Toolkit (EMET):

      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04

      It severely diminishes the chances of zero day exploits and all manner of arbitrary code execution attacks. Here's a primer/user guide:

      http://mastercobbler.blogspot.com/2010/09/microsofts-enhanced-mitigation.html

      -M
      betelgeuse68
      • RE: New Windows 7 installs and IE: Security risk?

        @betelgeuse68 IE9 is pretty solid and has good security!
        jatbains
      • Problem with your Logic.

        @betelgeuse68

        "Sorry but despite being a Firefox user (like as I'm writing this), Firefox isn't foolproof. I just cleaned a virus off a friend's XP system and Firefox is all he uses. He had still been operating under an older 3.6.x version. Arbitrary code execution flaws have been a dime a dozen on Firefox and if you're on XP and you run with administrative rights, as 99.999% of lay people do since they don't know any better, you will catch a virus sooner or later. Aside: McAfee was useless in removing the malware, Microsoft Security Essentials however did the trick."

        Windows is the problem. Not a problem with Linux, because the OS doesn't allow the penetration. This has been a typical problem at ZDNet for years and they are just starting to correct it by identifying the OS as "Only on Windows".

        You are not differentiating between the application and the OS, which allows the problem. Firefox will get fixed for Windows, because of the Windows problem.

        The same with Chrome. If all these reported problems with the apps were true, I would be having infections like crazy or possibly even need to get AV after 8 years.

        Windows isn't everything, and a systemic problem over the years has been the tremendous propaganda campaign to immunize Microsoft and Windows from culpability by blaming the applications, Virus Companies, Users, etc. for problems. It's very seldom that MS actually admits culpability for infections, botnets or security breaches.
        Joe.Smetona
      • Why do you think they pay shills to come on here?

        "Windows isn't everything, and a systemic problem over the years has been the tremendous propaganda campaign to immunize Microsoft and Windows from culpability by blaming the applications, Virus Companies, Users, etc. for problems. It's very seldom that MS actually admits culpability for infections, botnets or security breaches."

        To do precisely that. They have an image to protect and the best way to do it is spend lots of money spreading FUD all around on high-profile tech boards.
        HarryBrown
      • Reply to Harry Brown.

        @HarryBrown

        I don't have any proof of monetary payments, but I would agree with you that it does exist. I wonder how those alleged payments would be deducted under current IRS tax laws. (I used to work for the IRS in N.E. Phila.)

        Maybe under "petty trash"? :)
        Joe.Smetona
      • Conclusion after many, many Windows years.

        @betelgeuse68 /// You see the virus, but have blinders on for the real problem - Windows Itself.

        I have come to the conclusion that Windows, being closed source, where no one can see the code is the problem. When they compile it, they are only providing the binary file, which MS believes is a jumbled mess of characters that no one can figure out. That used to be true to some extent 15 or 20 years ago, but modern technology has fixed that problem. With advanced logging and sniffers, virus and botnet writers can figure out what Windows is doing and write malware for it.

        That's why Windows has had such a dismal security history. They have the software developers write code that can work, but don't spend extra time making the source code secure. This saves millions of dollars and they have virus companies and zero-day watchdog groups providing feedback to MS. Eventually a critical update is produced which correlates to the "Free" feedback. This is done on an as-needed basis, so any data loss or damage is shouldered by the business or individual user.

        Open Source projects like Linux, Firefox, Open Office and Chrome, can't do that, because the source code or "blueprint" of the program is openly published to everyone, including the good and the bad. It has to stand alone on its own merits and be secure. That's why you can use Linux without AV and not get infected. The Linux Mint website even says you don't have to use AV in its literature.
        Joe.Smetona
    • windows update?

      windows update isn't part of IE anymore. You can still go through its menus to it but why would u since it isn't part of it anymore.
      domma
  • RE: New Windows 7 installs and IE: Security risk?

    I agree. MS should not allow IE to go to a home page until protections are put in place. If MS can make all browsers on Windows do so, it should. Basically, it should default to a local default page with antivirus information and options available to the user to click on.

    Also require a warning message to appear before going to any web site until antivirus is installed. Basically, nag them to death until they resolve the issue (note, this should not be every web page, but every web site). This will let them know that even a web site they may trust (google.com, bing.com, etc.) could be dangerous to them until they get anti-virus installed.

    I also would not allow a registry setting to override this functionality.
    rmark@...
    • RE: New Windows 7 installs and IE: Security risk?

      @rmark@...
      Funny I just dl and installed ff and it went straight to their website. so why is that ok but not for ms to do it ?
      rparker009
    • Most OEMs pre-install a trial copy of some AV program ...

      @rmark@ ... when you buy a new computer. So, what's the problem?
      M Wagner
      • Reply to MWagner.

        @mwagner@... My wife's sister just bought an Acer from Walmart and I helped her set it up. It was loaded with a ton of trialware. Now, it comes at you in the form of randomly timed pop-ups from all directions - with the option to "remind me later" instead of "uninstall". Eventually, it will become a dual boot, but for now, I removed McAfee and replaced it with Avira free. There was even a pop-up for Norton backup. It's going to take some time to clean it up. I'd love to know how many kickbacks were paid in the auction to have that junk included in the "new" computer. Working with Windows is like an "unpleasant" trip to a crowded circus. In the end, you don't know what clown software is going to pop up in your face.

        It made me realize how much better Linux is in that department. I don't have to remove anything after the install, but a lot of important software is included and fully installed. Firefox, Flash, VLC, Brasero CD/DVD burning, Open Office, etc.
        Joe.Smetona
      • RE: New Windows 7 installs and IE: Security risk?

        Joe.Smetona

        I removed McAfee and replaced it with Avira free. There was even a pop-up for Norton backup. It's going to take some time to clean it up.
        ----------------------------------------------------

        Uh... no... snarf a copy of CrapCleaner and it will get rid of all the crappy trialware on the machine. And it only takes a few minutes to do so.
        Hallowed are the Ori
      • Reply to Hallowed are the Ori.

        I've used CCleaner for many, many years, even before it became popular. It's extremely good (I ran it at least once a day on my work computer), but if you really want to get this garbage out, it involves some extra work beyond ccleaner. I couldn't believe how much worthless software was present. I guess it gets worse every year.

        I also used a hex editor to remove the WFP/SFC operation, which speeds up the computer tremendously. Otherwise, it's like driving a car, stopping every 20 feet and running around the car to check the tires.
        By editing the binary sfc_os.dll, this CPU wasting action can be stopped. (XP, sp2 and sp3).

        **However, doing this will void MS support if that's important to you.

        Windows has to have this feature because it cannot secure system files and .dll's. So, if you are having issues on an insecure network or install a lot of unknown applications, you may want to keep it working.
        Joe.Smetona