Ha! I’ve been playing around with my copy of Windows Vista and IE 7 for a while and I can conclude: Microsoft has put some serious work into these products, but they failed to make them good. For each usability feature, I can see at least one security hole, and for each security fix, I can see at least another standards-incompliance or usability screwup.
I don’t want to go into details, just five points that I have not been able to research further yet:
- IE 7 phones home. This optional security feature is turned on by default and causes every link you visit to be cleared with a server “out there”. This “out there” is supposed to be WholeSecurity (who run Debian), but it’s a Microsoft server for now. You cannot disable the feature other than by means of a packet filter (and possibly some obscure registry hack). IE 7 is neither CSS1 nor CSS2 compliant, and also fails the ACID test. The tabbed browsing features are completely lame and cannot be configured. For instance, it’s impossible to easily open a link to the same server in another tab, and it’s impossible to prevent it opening another tab when following a link to another server.
- The “User Account Protection” (UAP) is a mode that controls access to resources for administrator accounts. A Vista install will have a single admin account with an empty password (that’s not news, XP did that), and UAP is supposed to make sure that the admin rights are not misused. Unless started, the account can do anything. When started, certain processes require an admin password. Is there anyone else out there who thinks that this is just painfully backwards? I found no way to specify which processes should be run with elevated privileges without adjusting the code to the new API.
- Microsoft introduced a copy-on-write layer (“Virtual Store”) to allow users to make changes to files in the system directory as well as the program files directory. Without admin rights, a user now cannot screw up the system for other users, and the system never actually gets modified. However, as malware usually runs as a background process of an interactive session, I don’t see how Microsoft can sell this feature as a way to combat spyware and trojans.
- The packet filter seems to be the same as with XP and can only be applied to all interfaces, or none. It also cannot be used to filter on anything other than target socket and source IP.
- It seems like an administrator can block certain applications from running (e.g. parents can block certain games). I see no way to block all applications and to enable specific ones instead.

So Longhorn seems to be XP with some visual goodies and some interesting usability improvements, but without any technological advantages. You do get some haphazard attempts to close existing security problems, but none of these seem to be well thought through.
I am not surprised. And still looking for a proper browser, since Firefox and Opera tend to annoy the hell out of me.

