Internet Explorer 7 shipped on 18 October. The release has been long-anticipated; the specific security improvements are substantive; the deployment trajectory will be visible across the next several years.
This is a longer post because the structural significance is larger than any single product release.
What is in IE 7
The release includes substantial changes from IE 6. Specific security-relevant elements:
Tabbed browsing. The most-requested user-interface improvement; not a security feature but a quality-of-life shift that brings IE feature-parity with Firefox.
Phishing filter. Built-in checking of visited URLs against a Microsoft-maintained phishing-pattern database. Specific suspicious URLs produce a warning page; specific known phishing URLs are blocked. The protection is partial but meaningful.
Improved certificate handling. More conservative response to certificate problems. Self-signed certificates produce a warning page; expired certificates produce a warning page; specific certificate-chain problems are surfaced rather than silently accepted.
ActiveX restrictions. Tighter defaults for when ActiveX content runs. Specific user-prompts for unsafe operations; specific cross-zone restrictions; specific ActiveX-installation limits.
International domain name handling. Specific protection against IDN-spoofing attacks (paypal.com versus pаypal.com, where the first a is a Cyrillic а). The display logic surfaces suspicious domain names so the substitution is visible to the user.
Improved cross-zone restrictions. Specific scenarios that previously allowed cross-zone leakage are addressed. The security-zone model is more rigorously enforced.
Better default privacy controls. More conservative cookie defaults; better tracking-prevention infrastructure; specific user controls for clearing browsing history.
Vista's protected mode. On Windows Vista, IE 7 runs in a low-privilege mode that limits what compromised IE processes can do to the host. Vista has not yet shipped; the protection is anticipatory; the structural improvement is real.
The cumulative effect is the largest single improvement in IE's security posture in several releases. How quickly it is deployed matters; the benefit will be visible across years.
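As an added illustration of the IDN-spoofing problem described above (example code written for this page, not IE 7's own display logic): a small Python check that flags DNS labels mixing scripts, such as Latin with a Cyrillic а, and renders them in their xn-- punycode form so the substitution is visible. The host names are constructed samples, and treating the first word of a character's Unicode name as its script is a simplification assumed here.

```python
import unicodedata

# Constructed sample hosts: the ASCII brand beside a look-alike whose first
# 'a' is Cyrillic U+0430 (the spoof described in the post), the same spoof
# in punycode, and a legitimate single-script IDN for contrast.
SAMPLE_HOSTS = [
    "paypal.com",
    "p\u0430ypal.com",
    "xn--pypal-4ve.com",
    "b\u00fccher.example",
]

# Characters that belong to no script and are legal in any label.
COMMON_PREFIXES = ("DIGIT", "HYPHEN-MINUS")

def script_of(ch: str) -> str:
    """Approximate the script of ch by the first word of its Unicode name
    ('LATIN', 'CYRILLIC', ...); an assumption of this example, not IE 7's rule."""
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith(COMMON_PREFIXES):
        return "Common"
    return name.split(" ")[0]

def label_scripts(label: str) -> set:
    """Scripts present in one DNS label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"Common"}

def is_mixed_script(host: str) -> bool:
    """True if any label mixes scripts (e.g. Latin and Cyrillic). Punycode
    labels are decoded first so the check sees the characters a user sees."""
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        if len(label_scripts(label)) > 1:
            return True
    return False

def display_form(host: str) -> str:
    """Display policy: show mixed-script hosts as punycode so the look-alike
    is visible in the address bar; show everything else as Unicode."""
    if is_mixed_script(host):
        return host.encode("idna").decode("ascii")
    return host

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:<22} mixed={is_mixed_script(h)!s:<5} shown as {display_form(h)}")
```

A whole-script confusable (every character Cyrillic) passes this check, which is why a display policy also needs the user's configured languages as an allow-list.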
What is not in IE 7
Some specific improvements not in this release:
Process isolation across tabs. All tabs still run in the same process; a problem in one tab can affect the others. Future versions may address this.
Sandboxing on Windows XP. The Vista-specific protected mode does not exist on Windows XP. The difference in protection between IE 7 on Windows XP and IE 7 on Vista is meaningful.
Comprehensive XSS protection. Specific XSS-detection features exist; comprehensive XSS protection requires application-side discipline. The browser-level protection is bounded.
Restrictions on specific legacy content. Some legacy IE features (BHOs, certain ActiveX controls, specific older cross-zone behaviours) are retained for compatibility. The cumulative attack surface from legacy content is bounded but real.
These are predictable limitations rather than failures. Future IE versions will continue the trajectory.
What this means for operators
For organisations running Windows infrastructure:
Deployment planning matters. IE 7 is a substantial change from IE 6, and application-compatibility issues will surface. Testing before deployment identifies them; a staged rollout bounds the impact of any that slip through.
Group-policy infrastructure for IE 7 configuration. Specific Group Policy settings for the new IE 7 features support enterprise deployment. The configuration discipline matters.
Specific application compatibility. Internal web applications written for IE 6's specific behaviours may need updating. Specific applications using ActiveX may need re-testing under IE 7's tighter defaults.
User communication. The user-experience changes (tabbed browsing, phishing filter, certificate warnings) need explaining. The cumulative communication discipline reduces support load.
For organisations running Windows XP specifically:
Manual deployment opportunity. IE 7 will be offered through Windows Update over the coming months. Specific organisations may want to control timing rather than allowing automatic deployment.
Compatibility testing for line-of-business applications. Specific IE-only internal applications need IE 7 verification.
Ongoing IE 6 security risk. Specific organisations choosing to defer IE 7 deployment continue to run IE 6 with its known and emerging security issues. The cumulative risk grows over time.
For organisations running Windows Vista (when it ships):
IE 7 is the default browser. Specific Vista deployments will include IE 7 by default; the protected-mode features will be available; the cumulative deployment will benefit from the structural improvements.
For end users:
Update through Windows Update. Most users will see IE 7 offered automatically. Accepting is the right choice for most users; specific reasons to defer are bounded.
Continued Firefox use is reasonable. The specific cumulative reasons to use Firefox have not gone away; the IE 7 improvements address some specific concerns but not all. Running both browsers continues to be operationally rational.
What this means structurally
Three observations.
The browser-security competition is producing better outcomes for users. Each browser is responding to the other; specific improvements appear faster than they would in a single-browser environment. The competition is healthy.
Microsoft has delivered on substantial commitments. IE 7 was promised in mid-2005; the release matches the promise; the specific security improvements match the published expectations. The cumulative trajectory of the Trustworthy Computing initiative continues to deliver.
The cumulative IE 6 long-tail problem grows. Specific organisations will continue running IE 6 for years; specific applications require IE 6; specific operators will defer migration. The cumulative IE 6 deployment will produce ongoing security exposure for years.
The net trajectory is positive but with bounded improvement. IE 7 addresses substantial issues; the IE 6 deployment will continue to be a structural problem; the cumulative shift is incremental rather than transformative.
What I am paying attention to
Three things over the next 12 months.
Specific IE 7 vulnerabilities. 95% probability of meaningful issues. Every browser has vulnerabilities; specific IE 7 issues will emerge; the cumulative response cadence will be informative.
Cumulative deployment rate. 80% probability of substantial deployment by mid-2007. Specific corporate adoption is slower than consumer adoption; the cumulative percentage of Internet users on IE 7 by mid-2007 will be a useful metric.
Specific competitive response from Mozilla. 75% probability of meaningful response. Firefox 2 has just shipped; subsequent releases will continue the competitive pressure on IE.
What I am doing
For my own use: IE 7 installed on test machines; Firefox remains my primary browser. The specific security improvements are real; the cumulative familiarity with Firefox is substantial.
For Gala Coral: IE 7 deployment is being planned for early 2007. Specific application-compatibility testing is in progress; specific user communication is being prepared.
For client work where I have advisory roles: standard advice — plan deployment, test compatibility, communicate with users. The general patterns are similar across organisations.
A small reflection on the trajectory
The browser-security trajectory has been one of the more positive structural shifts of recent years. The emergence of Firefox produced competitive pressure on Microsoft; the development of IE 7 produces meaningful improvement; the cumulative effect on user security is positive.
For my own continued writing: more on the browser landscape as the trajectory develops. Specific subsequent releases will continue informing the structural assessment.
More in time.