Security the snag in Microsoft's brave new world

As Microsoft showed off Internet Explorer 4.0 and formally launched Exchange Server 5.0 at Spring Internet World '97 in Los Angeles this week, it could hardly ignore major concerns about the security of Web products from itself and others. Security flaws revealed last week in Explorer 3.x underscore a key problem Microsoft and its competitors face: If the Internet lets users venture out into the world, what's to keep the world from coming into users' PCs?

Some observers say Explorer 4.0, the linchpin of the Active Desktop, is not likely to solve the problem because it is too closely tied to Windows - and, indeed, Microsoft's drive to integrate insecure Web-browser technology directly into the OS may actually be part of the problem.

"The more flexible a system is, the less secure it is," says Joe Wells, an anti-virus consultant at Wells Research.

Functionally, the next Explorer release - which will be available on Monday - will include hierarchical folders, customizable toolbars, enhanced search capabilities, support for multiple mailboxes, and a new version of the Outlook mail client, called Outlook Express. Microsoft has also officially debuted Exchange 5.0's Active Server framework. It allows secure access to email, group calendars, discussions, and other Exchange applications via a Web browser. Version 5.0 will also include key Internet protocols.

This week also saw demonstrations of Microsoft's Commercial Internet System, formerly known as Normandy, a family of eight server applications designed to provide online commerce, communication and collaboration, Web publishing, and site-services management capabilities.

But Microsoft's quick delivery of features and upgrades contributes to some security problems.

"The pace of innovation and the demands to churn out products at a very high speed in this Internet market mean that things are not always tested as fully as they should be, and the ramifications are not being explored as fully as they should be," says Dwight Davis, editorial director of Windows Watcher newsletter.

The Explorer 3.x hole, for example, let Web-page writers covertly run programs on a remote computer by using .LNK and .URL files. Microsoft officials said the flaw was news to them and quickly released a patch. However, they admitted they were aware of a similar problem, which let hackers run DOS commands on a remote computer, last August - before Explorer 3.01 was released. The problem was fixed after the fact.

These latest flaws come as Microsoft tries to quell growing security concerns about ActiveX.

John Robb, a senior analyst at Forrester Research, in Cambridge, Massachusetts, says he sees some hope in the form of "push" technologies, which will help Microsoft and Netscape promptly distribute upgrades to plug security holes.
