IE7 Coming Through Automatic Update
Jul. 31, 2006

Internet Explorer 7.0 (IE7) will be distributed through Automatic Update (AU), a service built into Windows XP that Microsoft uses to distribute security fixes as well as other updates to Windows. Unlike critical security updates, which can be configured to be installed silently and without notifying the user, IE7 will be a high-priority update and will require the user's explicit consent to be installed. Microsoft is also providing corporate IT administrators a set of tools that block computers in their organization from receiving the update.

Better Security but Changed Behavior

IE7 is the first update to Microsoft's Web browser since 2001 and includes a number of security improvements, such as anti-phishing filters and new restrictions on ActiveX controls.

When IE7 is released through AU, users will be notified through the taskbar that the update is available and asked if they want to install now, install later, or not install at all. Installing the update requires that users' systems pass Microsoft's Windows Genuine Advantage validation. Installing the update preserves the user's toolbars, home page and search settings. (Users can also get the update by going to the Windows Update Web site.)

But IE7 is more than just a security patch—it is a major upgrade that includes user interface changes that may take users some time to adjust to. And changes in how it handles Cascading Style Sheets may cause some pages to appear differently than they did in previous versions.

Automatic Update Controversies

Including IE in AU risks further muddling an already controversial program. Based on past experience that introducing new or updated code to Windows often creates unexpected problems, many users take an "if it ain't broke, don't fix it" point of view, and want only those updates that fix known vulnerabilities. But Microsoft doesn't offer a "patch-only" option for AU. Instead, users must either sign up to install anything Microsoft labels critical or manually review each update to determine whether it is a patch or something more significant. And tools such as Windows Live OneCare will report an urgent problem if AU is not enabled.

Microsoft has exacerbated the uncertainty about AU's role and usefulness by introducing a series of "critical" updates that caused additional problems, or weren't even aimed at fixing security problems. For instance:

Furthermore, although it wasn't distributed via AU, in July 2006 Microsoft had to recall the initial release of Small Business Server 2003 R2 because the wrong versions of some core OS components were accidentally included. Should a similar mistake happen to IE7 or any other update distributed via AU, the ramifications would be much more serious and more users would be likely to turn off AU and miss future security patches.

The features and security improvements in IE7 are explained in "IE7 Updates Security, Features" on page 3 of the Apr. 2006 Update. The Blocker Toolkit is available at go.microsoft.com/fwlink/?linkid=65788.