New Windows 7 installs and IE: Security risk?

When you launch IE in Windows after an initial install, the first page you see is Microsoft's MSN portal. One day, Windows users could open that MSN home page and get slammed with malware hiding in the ads.
Written by David Gewirtz, Senior Contributing Editor

Here's a sample home page. Notice the ad on the right.

It's been a long, long time since Judge Jackson came down on Microsoft over its supposedly monopolistic practices, particularly regarding the Internet Explorer browser.

Today, of course, Microsoft has serious competition. Back in Jackson's day, Google was probably still operating out of Susan Wojcicki's garage. But today, of course, Google is a massive competitor to Microsoft and the Chrome browser is picking up market share on a daily basis.

Firefox isn't anything to sneeze at either, and with Safari running on all of the Apple products, there are probably more non-Microsoft browsers installed out there than those from Microsoft.

Even so, Microsoft has something of an advantage, in that IE ships with each new install of Windows 7. To download another browser, you generally have to launch IE (at least once) and go to either the Chrome download page or the download page for Firefox.

Here's my beef

It's here that I have my beef with Microsoft, and it's here where I predict Microsoft will get stung one day, if it doesn't change its practice.

The issue is what happens when you launch IE in Windows after an initial install. When you launch IE, the very first page you see is Microsoft's MSN portal home page. Users are also invited to configure the IE experience and are shown an IE info page, but the default home page remains that of MSN.

Let me be clear. This isn't about competitiveness. This isn't about Microsoft's advantage. This is about cybersecurity. One day, Windows users will open that MSN home page and get slammed with malware hiding in the ads.

See also on CNET: Malware delivered by Yahoo, Fox, Google ads

As CNET's Elinor Mills reported last year, malware has been "lurking" in ads delivered by ad serving platforms, providing ads to such high-profile sites as The Drudge Report and even Yahoo! Even if it hasn't happened yet, it's likely that malware will also be delivered via Microsoft's ad network, feeding ads to MSN.

And that's where our problem lies. Unlike all the other platforms, users of Windows are directed to the MSN site before there are any antivirus programs installed.

In fact, to install Microsoft's own, excellent Microsoft Security Essentials, users have to run a completely unprotected gauntlet through the wilds of MSN, before they can safely reach the confines of the Microsoft.com Web site.

This is where I think Microsoft has gone wrong.

I have no problem with Microsoft selecting their own MSN page as IE's default page. But it should only happen after an antivirus program has been installed.

See also: Personal Computer Security: Using Uncommon Sense

We know Microsoft can detect the existence of an antivirus program, because the Windows Action Center reports to every Windows user when antivirus doesn't exist.

I call on Microsoft to close this security loophole soon, and close it hard. Set IE to load a blank page, or even load the Microsoft Security Essentials page as the default. But -- whatever you do -- please stop the practice of forcing users to accept unvetted and possibly dangerous ads before their computers are properly protected.
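Until that changes, the same check can be applied on machines you set up yourself. The PowerShell below is an added example, not code from this article or from Microsoft: it asks Windows Security Center (assumed here to be the source Action Center reads) whether any antivirus product is registered and, if none is, sets the current user's IE home page to a blank page.

```powershell
# Added example for a fresh Windows 7 install; run as the logged-on user.
# Assumption: the antivirus product registers itself with Windows Security
# Center, so an unregistered product would be reported as missing.

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegisteredAntivirus {
    # root\SecurityCenter2 is present on client editions (Vista and later).
    try {
        Get-WmiObject -Namespace 'root\SecurityCenter2' `
                      -Class AntiVirusProduct -ErrorAction Stop
    } catch {
        # Namespace missing or query failed: report nothing found.
        return
    }
}

# Wrap in @() so .Count is reliable on PowerShell 2.0, even for zero results.
$av = @(Get-RegisteredAntivirus)

if ($av.Count -eq 0) {
    # Create the key if this profile has never launched IE.
    if (-not (Test-Path $ieMain)) {
        New-Item -Path $ieMain -Force | Out-Null
    }
    # 'Start Page' is the per-user IE home page value.
    Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank'
    Write-Output 'No antivirus registered; IE home page set to about:blank.'
} else {
    foreach ($product in $av) {
        Write-Output ("Antivirus registered: " + $product.displayName)
    }
}
```

This changes only the home page for the account that runs it; a Group Policy or image-level setting is the better fit when building many machines.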

MSN is different from all the other major portals in that it does come from Microsoft, a company with a solid anti-malware strategy in place. I'm certainly more comfortable about the safety of ads fed by Microsoft's ad serving network than I am with ads provided by any other -- simply because of the internal technology available to it. That said, malware has a way of getting through, and making a page with the potential to feed dangerous payloads is risky no matter how you slice it.

None of us wants to see Microsoft back in Washington facing another Judge Jackson. But if something bad does get through, and is distributed by MSN to unsuspecting and unprotected new Windows installations, the blowback could be far worse than anything Judge Jackson could have imposed.
