March 20, 1997 5:30 PM PST
MS to upgrade browser security
- Related Stories
FrontPage bug latest security holeMarch 18, 1997
Developers: Bugs aheadMarch 17, 1997
IE patch isn't stitched tightMarch 12, 1997
Microsoft delays IE 4.0 betaMarch 12, 1997
IE 4.0 being double-checkedMarch 10, 1997
Third bug strikes IE 3.0March 7, 1997
Microsoft scrambles to plug IE holeMarch 4, 1997
Earlier this week, the company released Internet Explorer 3.02 to a limited number of beta testers. The browser contains fixes for the three security holes discovered earlier this month by university students. Microsoft also posted early last week a separate patch that fixes the existing 3.0 and 3.01 versions.
It was an unusual move for Microsoft to release a minor "point release" of Explorer 3.0 when it's so close to the scheduled start of beta testing for Explorer 4.0, a major new version of the browser that features greater integration with Windows 95 and NT and "push" capabilities. A "platform preview" of Explorer 4.0 is supposed to begin testing by the end of this month.
But in the meantime, Microsoft wanted to make it easier for new Explorer users to download the browser without having to install a security patch separately. The company also wanted to make it easier for Net access providers, such as AT&T and MCI, to distribute the fixed version of Explorer to their subscribers, according to Dave Fester, lead product manager for Microsoft.
Fester would not say exactly when version 3.02 would be released to the general public nor would he predict whether this would be the last version of the 3.x series of browsers.
"We will do the best we can given the snapshot of current issues," said Fester. "Is it the last release [of Explorer 3.x]? That all depends on what the industry and the Internet have to say."
The Explorer security holes all could have allow skilled hackers to manipulate and delete files from a user's computer without permission. Microsoft says that no real-life users were affected by the glitches.
In addition to the security fixes, Explorer 3.02 contains a feature called auto-proxy. The feature makes it easier for companies to designate new proxy servers for Explorer users rather than having to manually set up a server name on each browser.
Since the first security bug was discovered by students from the Worcester Polytechnic Institute in early March, programmers have been busily trying to uncover more security holes in the browser. Recently, a number of Web sites have posted information on security issues, some of which affect Netscape Communications' Navigator as well as Explorer.
Today, Microsoft representatives said that there is a remote possibility that a password could be intercepted over the Net using an SMB (server message block protocol) server. But, said Mike Nash, director of marketing for Windows NT Server, users behind corporate firewalls or proxy servers would not be at risk. Most consumers are not at risk because their Internet service providers use proxy servers, Nash said.