In the comments to my previous post about a factually challenged bit of IE7 bashing over at Microsoft Watch, Michael Foote points out a new article on the same topic at eWeek, where West Coast News Editor John Pallatto is beating on the same broken drum. He alleges that users are being “involuntarily upgraded” to the new browser and are being cut off from access to the Internet.
He’s completely wrong, of course, for the same reasons I pointed out (with glorious full-color illustrations) in my critique of the Microsoft Watch post. (Based on his and Joe’s experience, it sounds like the Ziff Davis IT department decided to push out these updates through Windows Software Update Services. If that’s true, John, you should go yell at your IT guy, not at Microsoft.)
But I practically fell off my chair when I read this:
Microsoft Watch also reported on how changes to ActiveX controls actually increased security vulnerabilities in IE 7.
Uh, John? Go read that article you linked to again. It says exactly the opposite of what you wrote. In this case, at least, Joe Wilcox was exactly right:
With Internet Explorer 7, Microsoft made some hefty changes to ActiveX controls, turning off a bunch by default and flipping on the security warning switch for many others. If timing means anything, the ActiveX changes are possibly quite important. … [Based on a reported sharp increase in ActiveX vulnerabilities in 2006] Microsoft was right to turn off many ActiveX controls [in IE7].
I have no idea what’s going on at Ziff Davis these days, but it appears that all technically knowledgeable editors have left the building.
Oh, and please note that there is no connection between Ziff Davis and ZDNet. Thank goodness.
Ed Bott 
This and the recent apparent purging of the by line for posts on Microsft Watch which were originally authored by Mary Foley lead me to think that Ziff Davis has left their previous trusted source position. Robert McLaws blogged about the re-attribution of those posts on his blog here:
http://www.windows-now.com/blogs/robert/archive/2007/01/21/im-done-with-ziff-davis-eweek-and-microsoft-watch.aspx
The linked report is interesting: “This rise of vulnerabilities in ActiveX controls can be attributed to a variety of reasons. These include an increasing number of vendors shipping insecure ActiveX controls and the availability of a variety of security testing tools and ActiveX fuzzers that allow researchers and attackers to rapidly find vulnerabilities with relative ease. The rise of vulnerabilities might also be due to the prospects of finding critical vulnerabilities that facilitate remote unauthorized access in the context of the client application.” So if I read this correctly, they see the problem as being more that some ActiveX controls are badly authored and are themselves being attacked.
After reading Joe’s first article that Ed talks about previously, I commented on that post and Joe actually replied to that comment that the perception of being forced is why he quoted the all the administrators that were having a problem. He then today released another post “Will IE Perception Hurt Vista” citing the same sources and saying practically the same thing. I’ve replied in comment to him again with some it below. I just don’t get the perception thing…….
From my comments on MS-Watch:
Their is no perception that you have to download it, none whatsoever. The only reason to feel like you should download it is that you don’t read or aren’t completely informed on the download. Nowhere in update documentation does it say that if you don’t download IE 7 your computer will explode or never run again.
“Please, there are many more people who administer windows networks that actually understand the process and know how to manage a rollout or just the simple task of setting group policies for automatic updates. There are also many average users that know how to read the installation prompts without being a zombie. You can’t blame the messenger if the recipient can’t take the time to read or say no before kicking the tires by getting more information. “
Isn’t the issue that the writers are trying to point out (and not very successfully, apparently) that a major new version of an internet browser isn’t something that should EEVEN BE OFFERED to inexperienced users seeking security or “critical” updates to the VERSIONS THEY ALREADY USE?
DLF,
That’s not what they’re saying. But if it were, I would argue, as does Microsoft, that security improvements are in fact the number-one category in IE7. The beta-testing process was very, very long and public, and the rollout of the new version has been very slow and controlled. Something like 42% of my traffic now comes from IE7, and I have received zero complaints about it.
The other point is that it’s not listed as a Critical Update. It’s listed in Optional Software Updates.
Its my turn to complain about poor reporting, but my complaint is with InformationWeek and a Symantec spokesman. See http://securitygarden.blogspot.com/2007/01/sensationalism-irresponsible-journalism.html
and repeated at http://www.tomcoyote.org/security/sensationalism-irresponsible-journalism-or-microsoft-bashing/60/