Posted by: kurtsh | July 27, 2006

INFO: Internet Explorer 7.0 to be a High Priority Update

Internet Explorer 7.0 will be published at its release at the end of this calendar year as a High Priority update. This means that any machine with Automatic Update on it will receive Internet Explorer 7.0, just as it would a published Critical Update.
Before everyone goes nuts, let me go through what the rationale is for this and explain the "big picture".
Our official messaging is as such: 
"The new security features in Internet Explorer 7 (including “defense in depth” measures such as ActiveX Opt-In and Phishing Filter) provide really important security benefits, and Microsoft will recommend that all customers install the update as soon as possible.  Automatic Updates is being used to distribute Internet Explorer 7 because it is Microsoft’s primary means for helping unmanaged users become more secure and up-to-date.  (Note that Microsoft will continue to release security updates to fix identified security vulnerabilities for Internet Explorer 6.)"
The underlining is my doing in the above paragraph. There are a few things you can read into the above paragraph that aren’t made explicitly clear in it, namely that:
1) IE 7.0 is hardened. In other words, version 7.0 is designed from the ground up with Microsoft’s new rigorous security principles in mind – the same ones that were applied to Windows Server 2003 & Windows XP SP2. Microsoft knows that this build is by its own inherent nature going to be REVOLUTIONARILY more secure than IE 6.02.
2)  IE 6.02 has issues that have no current resolution.  While it’s probably not a surprise, the last couple lines are very telling, essentially stating that if any new security flaws arise, the user’s primary method of remediating them is to UPGRADE to IE7.0 – not that there will be a patch available in the immediate future.  They are careful to state that there’s going to be continued work to remedy security flaws in IE 6.02, but remember – patches are the implied "secondary means" by which someone can protect themselves.
There have only been two times in the history of our company when I can recall Microsoft pushing such a massive and complicated software component to end-users, and that was Windows XP SP2 – which protected a LOT of users from security threats through:
– Data Execution Protection (A new feature of SP2 that prevented many worms, viruses, and intrusive elements from running outside of the boundaries of Windows’ control)
– Windows Firewall (A protective filter that prevented other systems from infecting workstations with viruses through the network)
– Intel/AMD No-Execute Support (A hardware/CPU feature that got enabled using SP2 that prevented renegade software from executing dangerous actions without the permissions of the user)
…and now, we’re doing it again.  This time with Internet Explorer 7.0.
We’ve been trying very hard to make sure our customers are happy.
– We’ve made Virtual PC free for workstations along with Virtual Server for servers
– We’ve given Enterprises 4 free licenses of WinXP to run on Virtual PC-enabled systems
– We’ve provided unlimited OS virtualization for Windows Server 2003 Datacenter owners
– We’ve been churning out all kinds of free tools for "Genuine Windows Users"
… but still we’re really pushing out IE 7.0 to everyone.
Trust me when I say, just like Windows XP SP2, this upgrade to IE 7.0 must be a pretty important thing for everyone.  That being said:
1) IE7 will not install without user consent: As part of the delivery, AU will notify users once the update is ready to install and will present a welcome screen summarizing key features and offering users options of “Install,” “Don’t Install,” and “Ask Me Later.” Installation will not occur unless a user who is a local administrator chooses “Install.” A draft of the welcome screen is included below.
2) There will be a Free Blocker Toolkit available for mid-large customers. Organizations relying on AU for patch management in some or all of their environments may wish to delay IE7 deployment (for example, to allow additional time for intranet site compatibility testing or user training).  In those situations, customers may choose to deploy a non-expiring Blocker Toolkit (similar to the one used for Windows XP SP2) prior to IE 7 RTM.  The Blocker Toolkit will be available on July 26th in the Microsoft Download Center at The Blocker Toolkit includes both a Group Policy template and a script that set a registry key to prevent Automatic Updates and the Windows Update and Microsoft Update sites from offering Internet Explorer 7 as a high-priority update. 
For more details visit,
Important IT Links:

