Security experts voice IE7 push concerns

Microsoft's decision to push IE7 to customers via Automatic Updates has been criticised by some security experts and rivals

Microsoft's plan to push Internet Explorer 7 out via Automatic Updates has alarmed some security experts.

IE 7 will be delivered in the fourth quarter of this year as a "high priority" update via Automatic Updates in Windows XP, Gary Schare, Microsoft's director of IE product management, said on Tuesday.

Automatic Updates is a Windows feature typically used for security updates, but Microsoft has also used it to push its WGA Notifications tool.

Experts warned on Thursday that Microsoft's continued use of the Automatic Updates channel to push out both security updates and product packages could backfire.

"It's going to undermine people's confidence in the channel to deliver security updates," said Peter Wood, chief of operations for penetration testing company First Base Technologies. "Forcing this update down people's throats will undermine confidence and security standards," Wood told ZDNet UK.

"Microsoft is shipping the whole of what will undoubtedly be an extremely bloated product. People will just get annoyed and eventually turn off Auto Updates," said Wood.

Forcing people to return to manual rather than automatic updates would be disastrous from a security perspective and could set security levels back three years, according to Wood. It could lead to a growth in the number of compromised machines and in the number of botnets.

"If people turn off Auto Updates, they'll be too busy to update manually, especially those within SMEs," said Wood.

Wood also said that the Automatic Update facility changed people's system configurations in a "dramatic way", which was also a security concern.

"For SMEs who do backups and virus updates overnight, Automatic Updates aborts that completely, as it logs out during backup sessions," said Wood. "SMEs running client-based antivirus and backup require people to be logged in to run the updates, but that won't work if the machine has been rebooted by Auto Updates."

Wood recommended businesses turn to alternative browsers such as Firefox and Opera.

"Firefox is not intimately engaged with the operating system, which makes me feel safer. It's not perfect, but then no browser is. IE7 itself is bound to introduce new flaws," said Wood.

Richard Starnes, president of the Information Systems Security Association (ISSA), said that the update procedure could be subject to hacking, just as other update procedures are.

"Hackers take the downloads and reverse engineer them, find flaws in the update programming, and check the patching involved to find out any issues in the operating system. That's the scenario in any kind of update," said Starnes.

However, Starnes said that businesses were not being forced to move to IE7, and that he did not believe this was an anti-competitive move by Microsoft.

"It doesn't matter whether I think it's anti-competitive, it's whether the Justice Department thinks it is," said Starnes. "I don't believe it is anti-competitive, because companies can choose whether to put in update features or not," Starnes added.

Browser rival Opera said the Microsoft's tactics in pushing out IE7 was "classic behaviour" from the company.

"We've seen this before from Microsoft. Whether it is anti-competitive, I'll leave that to legal minds to decide," said Thomas Ford, public relations manager for desktop Opera software.

Ford said that IE7 would probably be more secure than IE6, but that people who wanted to feel secure now rather than wait for the IE7 release later this year should switch to an alternative browser.

"If you choose to wait for IE7 that could be a good thing, but if you want to be safe now you can download Opera 9 or Firefox," said Ford.

Microsoft is planning to make a special tool available that will block automatic delivery of the new browser version, according to Schare. The tool is meant for business users who might not be ready for an IE update. Microsoft encountered criticism when it pushed out Service Pack 2 for Windows XP.

Andy Buss, senior security analyst at Canalys said the IE7 update was "a long time overdue" from a security perspective as it would address security issues in IE6, specifically by introducing anti-phishing technology. Buss added that the update would be a "good thing provided organisations can choose when and how to move to it".