Vista and IE7 Security Found Wanting

The adequacy of the security and privacy features of IE7 in Vista remains open to question, according to a report at The Register on Tuesday.

Windows has been responsible for "turning the Internet into the toxic sh*thole of malware that it is today," Thomas Green wrote. But he noted, "IE7, at least on Vista, is no longer such a dangerous web browser. It may still be the buggiest, the most easily exploited, and the most often exploited browser in internet history, and probably will be forever, but it has become safer to use, despite its many shortcomings. This is because MS has finally addressed IE's single worst and most persistent security blunder: its deep integration with the guts of the system."

In Vista, IE7 has been better sandboxed. It runs as a low-integrity process that can write only to low-integrity disk locations, such as its own cache. IE7, in Vista, cannot write elsewhere even if the user has administrative privileges. Or so Microsoft claims. The author did some testing and found that IE did write URLs to the registry and didn't ask for permission. This was cited as a possible security risk.

In terms of history and cookie management, Mr. Green reported that this data is not securely deleted: "They remain on your HDD until they happen to be overwritten. Firefox will let you delete all that stuff automatically each time you exit; IE won't: you have to do it manually."

Overall, IE7 is an improvement and a decent compromise between security and usability. The bottom line, however, was that security-conscious users are encouraged to continue using Mozilla for browsing and to use IE7 only for Windows updates.