During an interview with Martin Gregory, Microsoft's Internet Explorer product manager last week, PC Week asked what it would take for the company to admit that there was a security issue with the product. What if you get three security breaches in a month, would that do it? But Microsoft personnel are well trained when it comes to evading leading questions and Gregory politely chuckled, saying: "We've already got a fix and it's in the lab."
So there we were a week later and with a grand total of three IE 3.0 security issues in quick succession and Gregory still would not admit IE had problems.
The third IE bug is similar to the first in two ways (see story left).
It was discovered by a group of students who obviously haven't got enough work to do, and it exploits IE's now undeniable weakness that allows hackers to roam around hard drives. Christien Rioux, one of the students who found the hole, took great pride in confirming that .isp files act as an open door to a remote computer's drive (sound familiar?).
That in mind, I tried a different tack. "Martin, if you were in charge of staff who surfed the Internet with a product that had been shown to have three potentially serious issues allowing access to your company's hard drive, would you continue to recommend that product for use in your company or would you pause and reconsider for a moment?" He replied: "I would go onto the Internet and download the fix." Of course, Gregory is faithfully sticking to the Microsoft marketing bible, which states: "Thou shalt not admit thy product is dodgy."
So here's an update: Germany: the Chaos Computer Club shows on TV how easy it is to break through IE 3.0 and potentially hack into financial accounts. Andrew Lees, director of desktop and Internet at Microsoft, said: "Anyone can build a destructive ActiveX control." Cybersnot: students find a bug that allows users to use .LNKs and .URLs to gain access to a remote computer's hard drive. Microsoft issues a fix days later, but won't call it a bug.
Maryland: more students discover a variation in the .LNK and .URL files that once again allow users to hack into a computer, potentially erasing files. Microsoft again maittains that it's "not a bug".
PC Week asked Matthew Landower of the Computer Film Company in London what he'd do if he found out his company's browser had sprung a leak.
He said: "This sort of thing is obviously worrying and is precisely one of the reasons why we don't use IE 3.0. Microsoft will not be open with problems, security or otherwise. But, if I found out there were all these security issues I'd certainly look to a safer alternative and I certainly wouldn't carry on using the problem one." Oz Aksugur, an IT manager at the CDP advertising agency, said: "Obviously the issues would need to be serious, but I would certainly think twice about using it if there was an alternative?"
Shortly after PC Week got a call from Microsoft's Lees - Gregory's boss.
Asked the same question that was put to Gregory, Lees (eventually) replied: "No, I would not pause to reconsider using IE3.0 to browse the Web. IE is no less secure than any other browser." And there you have it.
The ghost is still in the machine
Campaigners want US authorities to break-up Instagram, WhatsApp and Messenger into separate companies
The perception of the industry as "a white man in a hard hat" is limiting new applicants, says Hayaatun Sillem
Almost two years late - and just as AMD is readying 7nm Zen 2 for early 2019