Mike's general stuff ~ Random

Recent article subjects: [Firewalls] [Linux] [Hardware]

So, why can't the rest of us have an Internet Explorer upgrade?

I guess this question has been nagging at me lately, what with the semi-recent news, for example, Microsoft's decision reversal that IE6 SP1 would be the last standalone browser release, and its decision to make Internet Explorer 7.

Microsoft's official reasoning for the original "No new standalone releases after IE6 SP1" decision (which can be read here, but no longer here.), was that old versions of Windows (Windows 9x, NT4, and Windows 2000) were too old to have the kind of enhancements necessary to make Internet Explorer "secure" again.  Microsoft then went on to release Windows XP Service Pack 2, which upgraded Internet Explorer to version 6 SP2.  IE6 SP2 included a pop-up blocker, a slightly-rehashed download dialog for executables, a download system that keys on MIME types rather than file extensions, a plug-ins management UI, and a change to the Windows UI, so that a warning prompt would show if a downloaded, unsigned executable was about to be run.

So, let's tackle the pop-up blocker first.  Firefox and Opera both seem to manage to include a pop-up blocker, without a similar operating system requirement.  Hrm, I guess that can't be that difficult then.

Alright, the re-hashed download dialog for executables.  Considering that all modern web browsers analyse downloads based on MIME type, would a different UI for when an executable is downloaded really be that difficult?

The download system that keys on MIME types is really to protect IE from the problems it was having before, with respect to mangled/maliciously-named files opening security holes.  All modern web browsers handle downloads in a similar manner, so I guess that isn't something that older versions of Windows can't manage.

Regarding the change to the Windows UI, that throws a warning prompt if a user tries to execute a downloaded, unsigned executable - considering that Windows 2000 certainly shows in a file's properties whether the file is signed, is it not possible to throw in an extra check to look for a valid signature before running the executable?  Also considering that virus scanners can intervene in the execution of a program, can't Windows do that too?

So what's the real reason for leaving users of older versions of Windows out in the cold?  It seems to me that the most likely reason is that Microsoft want to drop as much support for anything that might run on an older version of Windows as soon as possible.  Simply dropping OS support isn't enough, because as soon as MS release something that can run on that older version, it has to be tested and maintained.  It is just curious that Office 12 is currently expected to run on Windows 2000, which Microsoft have claimed since Office 2000, that it "requires Internet Explorer", won't that complicate matters somewhat with regard to it's security model?

mikeymike.org.uk