Sunday, January 2, 2011

The History of Internet Explorer

Internet Explorer is Microsoft’s world wide web browser, and the name for a set of Internet-based technologies that provide browsing, email, collaboration and multimedia features to millions of people around the world.  It’s a four-year-old product that has received glowing reviews from end users and the media, harsh criticism from Microsoft’s competitors and the anti-Microsoft crowd, and it is one of the cornerstones of an ongoing anti-trust trial that the Department of Justice has brought against Microsoft.  It remains a testament to Microsoft’s ability to turn its product strategy on a dime, it is used by millions upon millions of users to navigate the World Wide Web, and it has emerged the victor in the long-standing browser wars with Microsoft’s competitor, Netscape Corporation.
To properly understand the security aspects surrounding Internet Explorer, I believe one should begin with a historical perspective.  This is important for two reasons.  First, given the many different released versions of Internet Explorer, you need to determine where you are in the Internet Explorer product timeline.  Only then will you be able to determine what security issues you’re facing and what you can do about them.  Second, and more importantly, Internet Explorer is here to stay.  Microsoft has forever interwoven the Internet Explorer suite of products and set of technologies into its Windows, Office and BackOffice family product lines.  There are over 200 million Windows users, and I don’t think Windows is going to disappear any time soon.

The Beginning of an Era

In 1995, Microsoft was busily working on a very important project, code-named “Chicago.”  An extension of that project – code-named “O’Hare” after Chicago’s O’Hare Airport – was being developed in tandem.  Microsoft’s intent was to combine the technologies of both projects into a single consumer product.  Toward the end of these projects, Microsoft decided to take the O’Hare technologies and distribute them as part of a separate add-on pack to the Chicago product.  Chicago, now known as Windows 95, proved to be one of the most successful operating systems to date.  O’Hare, now known as Internet Explorer 1.0, first shipped as an Internet Jumpstart Kit in Microsoft Plus! for Windows 95.
Although Internet Explorer 1.0 integrated nicely with Windows 95, few customers used it, preferring instead to use the highly popular browser from Netscape Development Corporation, or other web browsers such as Mosaic, Lynx and Opera.  Microsoft remained undeterred.  Microsoft’s market research indicated that their customers wanted to use Windows 95 as a universal network client; one that could connect to Windows NT, Novell NetWare, Banyan Vines, and the Internet.
Microsoft made great strides over the next year with version 2.0.  This was Microsoft’s first cross-platform browser, available to both Macintosh and 32-bit Windows users.  Version 2 introduced support for a wide variety of emerging Internet technologies, such as Secure Sockets Layer (SSL), HTTP cookies, RealAudio, Virtual Reality Modeling Language (“VRML”), and support for Internet newsgroups (NNTP).  We’ll discuss these things more in depth in forthcoming chapters.

Full Steam Ahead

In the summer of 1996, Microsoft released version 3.0, which seemingly overnight triggered a mass exodus from Netscape’s browser to Internet Explorer. The Internet community became polarized on the issue of which web browser had the most features and the most support for the latest Internet technologies, as well as which one more closely adhered to RFCs and other Internet standards.  Internet Explorer 3 boasted a wide variety of features, including support for video and audio multimedia, Java applets, cascading style sheets, and Microsoft’s ActiveX controls.  Ever since the release of version 3, the browser wars have raged on.  But the debate was nearly made moot by one distinguishing aspect – Netscape charged nearly $50 for its web browser, while Microsoft gave Internet Explorer away for free.
One of the primary reasons behind the success of Microsoft Office was the fact that it was a bundled suite of products.  Microsoft felt that, by applying this practice to Internet Explorer, they would be able to duplicate this success.  So they introduced additional integrated components when they released version 3, such as Internet Mail and News 1.0, a Windows Address Book, and later on, Microsoft NetMeeting and the Windows Media Player.  As a result of these compelling new features, version 3’s popularity skyrocketed.  This rapid rise in popularity had the unintended side effect of putting Microsoft and its web browser under intense public scrutiny.

Trouble Begins to Brew

Technologists and pundits began to write about how Microsoft was trying to dominate the Internet by flooding the market with their web browser and turning the Internet into a Microsoft proprietary domain.  Others were concentrating on other issues, such as browser security.  There was much to be concerned about.  On August 22, 1996, a mere nine days after Internet Explorer 3 was released, the first Internet Explorer security problem was reported – The Princeton Word Macro Virus Loophole.
The Princeton Word Macro Virus Loophole should have been a wake-up call for Microsoft.  Discovered by two well-known Princeton researchers – Edward Felten and Dirk Balfanz – this security hole enabled a malicious webmaster to download files to an unsuspecting user’s PC without their knowledge.  This could be any file, including a Microsoft Word Macro that could in turn execute DOS commands.  Or worse, a malicious webmaster could transmit a virus, a Trojan program that could open a “back door” into the target system, or a program designed to discreetly transmit files back to the malicious web site.
The very next day, Microsoft released a patch to close the Princeton Word Macro Virus Loophole.  While Microsoft downplayed the significance of the loophole, the Internet community was becoming increasingly concerned.  Months before reporting this loophole, Felten reported his discovery of some serious Java vulnerabilities in Netscape Navigator.  The picture was becoming clear – this new territory called the Internet could be a dangerous place.
More and more security bugs started appearing.  In December 1996, Felten reported another security flaw in Internet Explorer.  This flaw allowed malicious websites to “spoof” other web sites.  A spoofed web site is a site that looks real; it can literally be an identical copy of a real site, except that it isn’t hosted on a web server that belongs to the web site you think you’re visiting.  In other words, while you think you’ve just purchased the latest subscription to Foo Magazine, you’ve actually just transmitted your credit card number and other personal information to a fake site.
Month after month, one security problem after another was being steadily reported.  There were numerous vulnerabilities which exposed computer files to malicious web sites; there were other bugs that inadvertently transmitted encrypted information in plain text to unauthorized sites; and there was the revelation that Internet Explorer maintained a bit-by-bit record of where users went online.  Between Java bugs, scripting holes, Year 2000 problems, and a growing anti-Microsoft sentiment, Microsoft was being attacked on all sides, all because of Internet Explorer.

Goodbye Web Browser, Hello Integrated Functionality

Microsoft’s strategy for Internet Explorer took an interesting turn in late 1997 when Microsoft claimed that, once installed, Internet Explorer 3.0 could not be completely uninstalled from Windows 95.  This claim was made early on in the still-running antitrust trial against Microsoft, and hotly disputed by many, including the Department of Justice.  Again, Microsoft was undeterred.  In fact, in September 1997 they stepped up their efforts to improve upon version 3 by releasing an all new version – version 4 – one that was completely integrated into Windows 95, Windows NT and, when later released, Windows 98.
Internet Explorer 4 represented a quantum leap over the prior versions of Internet Explorer.  In 1990, Microsoft had unveiled its “Information at Your Fingertips” (IAYF) campaign.  According to Microsoft, IAYF means “the right information at the right time for the right purpose.”  Microsoft’s goal was to make finding, browsing and retrieving information easy, with access to the information location-independent.  Internet Explorer 4 was a major milestone in this campaign.  In fact, it was so critical to their vision that Microsoft completely scrapped earlier betas and alphas of Internet Explorer in favor of the version that is available today.
Microsoft was targeting three major markets with this latest version.  For companies and organizations, Internet Explorer 4 would make users more productive and evangelize intranets, while allowing IS departments a granular level of control.  For home users, Internet Explorer 4 provided a much richer Internet experience.  For programmers and software developers, Internet Explorer 4 provided a platform for delivering interactive and compelling content.
But it was much more than that.  The launch of Internet Explorer 4 meant the end of the already extremely blurred line between Windows and Internet Explorer.  In Windows terminology, the word “shell” refers to the user interface (“UI”).  When Windows 95 debuted, the original Windows Program Manager shell was replaced with the Windows Explorer shell.  Explorer was a slick, new interface that caught on, and allowed novice users to quickly learn how to use Windows.  When a Windows 95 user installed Internet Explorer 4, their Explorer shell was replaced with Internet Explorer.  On the surface, the user didn’t notice much change.  The changes were there, however, and they were significant.  Internet Mail and News was replaced with Outlook Express, Microsoft Chat was added and Microsoft NetMeeting was upgraded.  In addition, Microsoft introduced a new feature called the “Active Desktop.”  This allowed Internet Explorer 4 users to replace their normal desktop and wallpaper with any web content they wanted.  Instead of icons and a single wallpaper image, Internet Explorer 4 users could, in effect, create their own custom UI for Windows.  It also brought drag-and-drop functionality to the Start Menu, and added integrated Favorites, a Quick Launch Bar and Address Bars.

Thanks, but No Thanks

Despite this power and flexibility, many users didn’t care for the Active Desktop.  Some felt that this feature was “code bloat,” that is, a feature that no one really wanted, but that Microsoft added anyway because they thought it was cool.  To a certain extent, they were right.  A lavishly customized Active Desktop can add quite a bit of resource overhead to a Windows PC.  Many Windows users were still running with 28.8Bps modem connections, 32MB of RAM or less in their systems, and, when turned on, the Active Desktop would slow the system to a crawl.  Today’s systems, however, are significantly more powerful than those in 1997, making the Active Desktop features useful and richly interactive.
Internet Explorer 4 also introduced a slew of new features, such as Channels, Subscriptions, Dynamic HTML, enhanced multimedia, and webcasting. Security was also beefed up with the addition of Authenticode 2.0, and Security Zones.  Channels, subscriptions and webcasting (aka “Push” technology) were Microsoft’s efforts to move from a technology company to a content company.  This only fueled the now prevalent fears that Microsoft’s intent was to dominate the Internet.  Some went so far as to claim that, by dumping its web browser into the market for free, Microsoft would control who got on the Internet, where they went, and what they would see.  The very nature of the Internet made this a technical impossibility, but nonetheless, people complained.
Despite Microsoft’s best attempts to add features, provide integration, and secure Internet Explorer, everything they did seemed to backfire.  Customers didn’t like Internet Explorer 4’s heavy footprint or the way Active Desktop performed.  Microsoft’s partners didn’t like having to license and distribute Internet Explorer 4 – unmodified – in order to retain their status as a Windows licensee.  And security experts worldwide, such as Carnegie-Mellon’s Computer Emergency Response Team (“CERT”), were reporting one serious security hole after another.

A Very Long Life – In Internet Time

The concept of “Internet Time” refers to the frenzied and never-ending pace at which things on the Internet, or things related to the Internet, occur.  It’s a sort of “dog years” analogy for technology.  For example, say your company’s product happens to be a web browser.  Software development cycles can run anywhere from twelve months to several years.  But on Internet Time, the development cycle might now be six months to a year.  By Internet Time standards, Internet Explorer 4 has enjoyed an extremely long life cycle. 
It is common for development on the next version of a product to occur simultaneously with the release or near-release of the current version.  This is what happened with Internet Explorer 4.  Version 3 was an ambitious project to begin with.  The project – code-named “Athena” – was scheduled to be released in the Summer of 1996, and it was supposed to include a web browser, an email client and news reader, a new TCP/IP auto-dialer, and Microsoft NetMeeting.
Athena would also be the primary client in another project – code-named “Normandy.”  Normandy was a product line comprised of various Internet-related technologies, such as Microsoft Chat Server, Microsoft Personalization Server, Internet News Server, Microsoft Merchant Server, and others.  The “summer Internet package,” as it came to be known, would later become blended into another project – code-named “Nashville” – which was to be the successor to the Windows 95 UI shell.
Late in the development cycle for Internet Explorer 3, it became apparent that Microsoft would not be able to deliver Athena as planned in the Summer of 1996.  So, Microsoft cut back on their plans and released Internet Explorer 3, Internet Mail and News 1.0 and Microsoft NetMeeting 1.0.  Microsoft then began working on a new project under the code-name of “Nashville.”  Nashville was being billed as an “Internet Update Release.”  Microsoft had ambitious plans for Nashville.  It would be a web browser (at the time based on Internet Explorer 3), an email client, a news reader, a personal web server, data and audio conferencing, and a personal information manager.  More importantly, it would replace the existing Windows shell, making it a completely integrated product.  Their intent was to release a new version of Windows with Nashville blended in.
Nashville’s goal was to evolve the Windows 95 shell to provide integration between the user’s PC and the Internet, blurring (and removing) the boundary between Windows 95 and Internet Explorer.  The Nashville team merged elements from the Windows 95 Explorer with features from Internet Explorer, and created a new shell (which is still called Explorer).  Nashville’s goal was realized on September 30, 1997, when Microsoft released Internet Explorer 4.
The demand for version 4 was impressive.  In the first 24 hours it was available, it was being downloaded once every six seconds.  This amounted to the transmission of a whopping ten terabytes of data!  The demand exceeded everyone’s expectations, including Microsoft’s.  But in a matter of days, security issues began cropping up, and Microsoft began releasing what was to be a long stream of patches, updates and service packs, resulting in a number of different builds for version 4.