Science

Security flaw found in new Internet Explorer web browser

In a blow to Microsoft Corp., a Danish security company on Thursday reported a vulnerability in the software giant's newly released web browser that could let an attacker gain access to documents over the internet.

In a blow to Microsoft Corp., a Danish security company on Thursday reported a vulnerability in the software giant's newly released web browser that could let an attacker gain access to documents over the internet.

"A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information," Secunia said in an advisory on its website.

No repair is yet available for the flaw, which Secunia rated as "less critical" —the second-least-seriouson the company's five-point threat-rating scale.

Microsoft late on Wednesday released Internet Explorer 7, touting its security features as a key element of its first major upgrade in years.

The new version brings Microsoft's browser more in line with competing products such as Opera Software ASA's Opera and Mozilla Corp.'s Firefox. Internet Explorer 7, or IE7, adds features such as tabbed browsing, which lets people open several Web pages without cluttering their desktop with multiple open browser windows.

Microsoft has been heavily testing the new browser, releasing five beta versions over 14 months, and has periodically offered security updates for IE6, first released in 2001.

Still, a lag of more than five years between official releases has cost the company.

Web analysis company WebSideStory estimates that Internet Explorer's U.S. market share is about 86 per cent, while Firefox commands about 11 per cent of the market and smaller offerings account for the rest. Two years ago, IE had about a 93 per cent share.

Dean Hachamovitch, Microsoft's general manager for Internet Explorer, acknowledged the company could have done more sooner, but he said the new version should address users' concerns.

"We did have active development," he said. "The question is whether it was enough."

Product may lure back some users

Matt Rosoff, analyst with independent researchers Directions on Microsoft, said Internet Explorer is important to Microsoft's business because most people believe an operating system should include a way to immediately access the Web.

Still, he said, Microsoft may not have seen much reason to spend a lot of money upgrading sooner since most people continued to use the older version.

Rosoff said the new product includes enough improvements to lure back some users.

But Colin Teubner, an analyst with Forrester Research, said people already using Firefox and rival products might not immediately come back. That's partly because those users have soured on Microsoft, he said, and partly because IE7 doesn't break much new ground.

"A year ago Firefox was head and shoulders above Microsoft's current offering, and I think even with IE7 it's mostly playing catch-up," Teubner said.

But he does recommend that IE6 users upgrade, and he believes Microsoft may surpass competitors with future improvements.

Improved security features

Besides tabbed browsing, Microsoft has improved security to help keep users from falling victim to things like malicious software attacks and phishing scams.

Microsoft products are a near-constant target of internet attackers, and some people have recommended switching browsers because a less high-profile product might be more secure.

The Redmond, Wash., software maker also has added a box in the browser that lets people search the internet without going to a separate web page, much like competitors.

In a last-minute change, people who are upgrading from the previous version of the browser will now have a clearer way to choose whether they want to use Microsoft's search engine or a competing one from companies like Google Inc. or Yahoo Inc.

The change announced Friday was one of several aimed at soothing antitrust worries in Europe, where Microsoft faces a long-running regulatory battle.

IE7 was available as a free download beginning Wednesday evening. Next month, the company also will begin delivering it to Windows XP users who have signed up to receive security fixes automatically.

Hachamovitch said that's because the product makes major security improvements.

Such distribution also will provide a powerful tool in countering competition from rival browsers.

Security updates typically download with little or no user intervention, but with IE7 people will get an extra opportunity to elect not to upgrade. Also, even people using automatic updates will have to agree to let Microsoft check whether their copy of Windows is pirated before they can get IE7.

Microsoft expects that it will take months to gradually release IE7 automatically. The browser also will be an integral part of Microsoft's new operating system, Windows Vista, due out for big businesses in November and for consumers in January.

With files from the Canadian Press