IE 7 Security Update Picture Remains Muddy

Although Microsoft's newest browser, Internet Explorer 7 Beta 2 Preview, has been touted by the Redmond, Wash. developer as more secure, its security status remained muddy on Thursday as confused users wondered whether recent patch updates applied to them.

"Do I need this patch if using IE7b2?" asked a user identified as "Melelina" on the Microsoft-run newsgroup where IE 7 messages are posted. The user was referring to security bulletin MS06-013, the massive patch batch unveiled Tuesday that fixed 10 flaws in earlier editions of IE.

"If Windows/Microsoft Update or Automatic Updates offers it, yes," responded "Robert Dyer, a Microsoft MVP (Most Valuable Professional), a program that recognizes advanced users with special expertise in company products.

Dyer corrected himself moments later, however, and noted that MS06-013 doesn't specify IE 7 as one of the affected editions.

In tests on multiple machines running IE 7 Beta 2 Preview (March 20 edition), TechWeb updated via Microsoft Update, but didn't receive the fixes in MS06-013.Microsoft confirmed that patches for IE, when necessary, are lagging behind the fixes for in-production versions such as IE 5.5 and 6.0.

"Security Updates for IE7 Beta 1 users on XPSP2 and Vista February CTP are not available today, but will be available on Windows Update within the next two weeks," wrote Charles Watanabe, a member of the IE development team, on its official blog.

IE 7 Beta 1 was released to a small number of users in July 2005, while the Vista reference is to the edition of IE 7 bundled with the Community Technology Preview (CTP) released in late February.

A Microsoft spokesman weighed in late Wednesday with more details on IE 7 security updates.

"The last build of IE Beta 2 Preview shipped on March 20. MS06-013 just completed development and testing in the last few days so some of those fixes are not in last month's [IE 7] build," the spokesman said in an e-mail."The next public release of IE 7 Beta 2 will contain all the fixes in MS06-013," he said. He would not specify, however, which of the 10 vulnerabilities outlined in MS06-013 still affect IE 7.

The only confirmation Microsoft's given related to the "createTextRange" vulnerability which appeared three weeks ago, then wreaked some spyware havoc before being patched for other Internet Explorer editions Tuesday. The March 20 build of IE 7 Beta 2 Preview is immune from exploits against the createTextRange flaw.

"It’s important to remember that this build represents a very early stage of development for the product," the spokesperson added. "[It] should not be used in production environments."

According to recent data from Web metrics company NetApplications, the various forms of IE 7, including Beta 2 Preview, are used by less than one-quarter of one percent of Internet surfers.