Following a decision to release a standalone version of IE7, browser development at Microsoft has come fast and furious. BetaNews this week sat down with Gary Schare, Director of IE Product Management, to discuss the changes coming in IE7, Firefox's growth, and how Microsoft will bring RSS to the mainstream.

When BetaNews last spoke to Schare in late 2004, he explained why Microsoft had no plans to add features like tabbed browsing directly into Internet Explorer or update its CSS support. After much feedback, things changed in early 2005. With a standalone IE7 now feature-complete, Schare delves into the reasoning and gives us a look at what to expect when the browser is released later this year.

BetaNews: Let's start with the basics. Exactly one year ago at the RSA Conference, you announced the plan to restart IE development and release a beta version for testers before the end of summer. Can you recap the reasoning behind this switch and give us some insight as to the goals of IE7?

Gary Schare: We really didn't announce a restart of IE development, we announced an extension of the development to bring the work that we were doing in IE7 for Windows Vista down to Windows XP users. It's not like we were starting from a standing start a year ago. We simply broadened the reach to bring a lot of the innovations -- both the end user experience and the security innovations that we were doing for IE in Windows Vista -- to the Windows XP installed base.

BetaNews: Originally IE 7 was supposed to come as part of the larger package of Windows Vista. Did the growth of alternative browsers such as Firefox and Opera affect the decision to move forward with Internet Explorer 7 on its own?

Gary Schare: The primary driver behind expanding the reach of IE7 to Windows XP was security. That was the core of the message that we delivered last year at RSA and remains true to this day. The nature of the attacks you're seeing on the Internet, along with the nature of just how things have evolved and the worries that our customers have, made it a very easy decision to bring that technology to Windows XP for security reasons.

In addition, when we talked to customers, they said they really would like to see a lot more than just security. There are a number of new feature areas that were showing up in alternative browsers -- ones built on the IE platform like Maxthon and Avant Browser, as well as the alternatives such as Netscape, Firefox and Opera -- that people said they would really love to see in addition to better security.

BN: How big is the IE development team at Microsoft now? We're seeing new faces post on the IE Blog almost daily.

GS: We've been growing the team. That's part of the natural growth cycle that development teams at Microsoft go through, typically as they ramp up for major releases. We can't release specific numbers, because frankly a lot of the contribution to the Internet Explorer effort comes from people who don't report into the IE ward. These are build managers and test managers on Windows Vista, and people that do other kinds of infrastructure around the company.

Some of the code that goes into IE itself comes from the Networking team in Windows. It's impossible to pin a number on it, but we certainly have been growing it because as we ramp up to two major releases -- both IE7 for Windows XP and IE7 in Windows Vista -- it takes a fair number of people to pull that all together.

BN: Once we're past the IE7 release time, would the team then shrink in size?

GS: In this case we plan to continue aggressive development of Internet Explorer. There are a number of things we wanted to do in IE7 that we didn't quite get to, and there are new innovative things that people have been dreaming up, which we plan to come out with in future releases. We don't have specific milestones in place just yet, but we definitely plan to keep investing quite heavily.

BN: When BetaNews last spoke to you in November 2004, you said another standalone release of IE was not necessary because of the community of add-ons available (like those for tabbed browsing). Now, IE7 is building in a lot of new native functionality within the browser. Why the change?

GS: The additional functionality is only one half of the equation; the other half is security. The kind of changes required to protect our customers were things we had to change at the core IE platform. Thus, a lot of changes we made -- rewriting entire sections of the code, changing the way ActiveX works with ActiveX Opt-In, and changing the way the security settings worked -- required changes to the core of IE itself.

In addition, the features are things our customers have asked for. There are certain customers that love using the IE add-ons and will keep doing that. And there are many other customers who say we want to use IE, but we want to see some additional features like tabs, better printing, page zooming, integrated RSS, and so forth.

BN: How much more secure is IE7 than IE6?

GS: It's impossible to quantitatively measure that, but when you look across the areas of investment we've made, they're very, very substantial. For example, let's look at the anti-phishing work. We hadn't really done anything significant to help users fend off phishing attacks in IE6. There was a little bit of anti-spoofing work done there, which has been helpful, but now we're really giving users the kind of trust information they need to know whether they're on their actual bank site, or a fraudulent site that's pretending to be their bank.

ActiveX Opt-in, another big area of focus. We've done a lot of work in IE over the years to improve the security of ActiveX, and did some great work for IE6 in Windows XP SP2 with the information bar and the redesigned Authenticode dialog. Yet there was still more work we could do, and we found a large surface area of potential attack with ActiveX controls that are preinstalled within Windows. With ActiveX Opt-in, we're disabling most of those by default and letting the user decide if they need to use them to access a particular site or application. Those are two examples and there are many more.

BN: What about customers not able to upgrade to IE7? Will there be enhancements to the security of IE6 to keep those customers as safe as possible since they may not fulfill the requirements to run IE7?

GS: One of the hallmarks of using Microsoft software is taking advantage of the security support lifecycle. We will continue to support versions of Internet Explorer for up to 10 years, and we have a whole Web site dedicated to defining which versions are supported for how long. In fact, just today we released a security update for Internet Explorer 5.01.

There's two pieces of news there: one is we're continuing to support that version, which is somewhere in the range of 6 or 7 years old. Number two, we're finally at the point where we can say "Here's something that doesn't even affect IE6." I think it's the first time in two years that we've issued an IE security patch where IE6 was untouched, because we've finally caught up with the new security enhancements and backlog of security bug reports. Now we're working on some very old bugs, which are a little less severe and don't affect much of the installed base.

BN: ActiveX seems to be IE's Achilles heel in a sense. You're making changes to the technology in IE7; how will this affect end-user interaction and corporate users?

GS: ActiveX is a very powerful platform. While ActiveX itself is unique to Internet Explorer, the technology of extending a browser with native code is not. You have the Netscape plug-in model that runs in Netscape browsers and Firefox browsers, and is the moral equivalent of ActiveX from a code perspective. The difference is that we did a lot of work in ActiveX to ensure that users only install the controls they really intend to, eliminating the drive-by download vectors of the past. A lot of that work came in IE6 XP SP2.

The second area of concern is the architecture of ActiveX and Internet Explorer, which allows any Active X control installed in Windows to be exposed to the browser if it's marked safe for scripting. We took a look there and said "Well that can enable some powerful applications to be written using these common components that ship in Windows." But malicious hackers were using that to go after users.

Quite often when you see an IE patch coming out, it's not actually a patch to IE code. It's a patch to kill the ActiveX control that's no longer needed, which we've determined has a vulnerability in it. ActiveX Opt-in is designed to reduce that surface area of attack by turning off most of those controls by default and letting users only turn them on if they need them. The feature makes it not interesting for the hackers to go after this legacy code that shouldn't be exposed to the Internet in the first place.

At the same time, the power of ActiveX still benefits users. The mainstream controls like Flash, Acrobat, RealPlayer, QuickTime and Windows Media Player -- ones that you as the user need to have a rich experience -- will continue to work.

BN: Is Microsoft considering replacing ActiveX with another technology due to such security problems?
BetaNews: Is Microsoft considering replacing ActiveX with another technology due to such security problems?

Gary Schare: In the early days, we admit, we focused more on the power and stability than on the security. We have since upped the investment on the security side of it and feel we've really caught up quite a bit where now users can benefit from ActiveX and not have to worry about the security issues.

At the same time, there are alternative technologies that we're investing in and bringing out to developers, such as the Windows Presentation Framework and the Windows Communication Framework. We'll be pushing those quite aggressively in March at the Mix 06 conference. We expect a lot of developers to utilize those rich client platforms for building Web-based applications, but we certainly don't expect ActiveX to go away in any way, shape or form.

BN: When we last spoke, you cautioned that Firefox was riding on the early adopter wave and would have trouble reaching critical mass. You also cited SP2's 100 million download number dwarfing Firefox's 10 million. Now, Firefox has amassed 150 million downloads and continues to evolve. Has Firefox turned into a formidable competitor to IE and has its success surprised Microsoft?

GS: Certainly Firefox has made its mark out there; there are a number of users who run it. I think the latest stat I've seen across the mainstream is roughly 10 percent, which means 85 or 90% of people are still using Internet Explorer. So our primary focus is how do we deliver better software for our customers so that they don't feel the need to switch.

In general, competition is a good thing, and we respect the work that the Firefox guys have done. It was interesting to read their assessment on their public blogs when we released IE7, and the respect that they showed for us. I think there's been a lot of mutual respect for innovation, and good design ideas. They pointed out a number of things we did in IE7 that they thought would be great to have in Firefox in the future. We think competition is good and it makes us feel good that they're watching what we're doing and offering some positive comments.

BN: The browser landscape has changed a lot in the past two years. Security threats, RSS and AJAX, for example. Where does Microsoft see the market headed and is IE7 a pioneer in this area or a follower? On the outside, it seems like many of the new IE7 features have long been offered in alternate browsers. Is Microsoft playing catch up or are you breaking new ground?

GS: I think you can make a fair case that we're doing a little of both. There were clearly some areas that the early adopters had been using in alternative products for a while. Tabs is probably the primary one. And we fielded a number of questions and even complaints from customers saying "When are you going to give us tabbed browsing in IE." Now we've done that; IE7 has a very, very good tab implementation. There are many users out there who are still using IE6 and have never tried tabbed browsing, and we think when they get exposed to it in IE7 they'll think it's very cool.

There are a number of areas where we have done some innovation. RSS is a key one, both in terms of the user experience we're providing for discovering RSS feeds, reading and subscribing to them in the browser, but even more so in the platform. We've built the first RSS platform that any developer can take advantage of, so when you subscribe to a feed in IE7, that feed data will be available to any application that wants to look at it. This opens up a whole new host of RSS reading applications, as well as applications that in the past would have nothing to do with RSS, but now can take advantage of it because of the platform.

BN: The Windows RSS Platform is seemingly one of the biggest focuses of IE7, and will enable XP to take advantage of the technology. Where do you see RSS heading and why has it become such an important feature in the operating system and Web browser?

GS: If you use an RSS reader, generally you wind up finding a site that has an RSS feed in your Web browser and then you switch over to your RSS reader. And of course, once you're reading the feed there, you're going to link back into your Web browser to actually read a full article. The browser is a natural place for integration between feed discovery and feed reading.

But we don't believe the browser is the only place to consume these feeds, which is why building this RSS platform is so critical. Any developer can come up with all kinds of new ways for users to interact with the feed data. For example, ways to filter, sort and search through the feeds, and bring the data into other applications for things like calendaring and digital images.

BN: IE7 changed a lot from Beta 1 to the Beta 2 Preview. Can we expect to see changes this big before the final release, or are things pretty feature complete at this point?

GS: You've seen the majority of the changes between Beta 1 and the Beta 2 Preview. From here on out the number of changes will be small, and most of them will not be visible to the end user. From our perspective the features are done -- we just may have to change the way some of the features work either for compatibility reasons or due to feedback we get from early testing with customers.

The general feature set you should consider complete, so now is the time for developers to run IE7 against their applications and Web sites and make sure they work well. And if they don't, developers can either report the issue to us, or make some changes in their products. There are certainly some changes in the CSS platform and security that will force some level of change.

BN: Can you give us any idea as to a final release date for IE7?

GS: We think it will be in the same timeframe as Vista. Whether it will be before, on the same day, or just after is unclear at this point. But we expect to have a full public Beta 2 release in the first half of '06 and the final release in the second half of '06. We'll have similar dates for a more public beta of Windows Vista and the final launch.

The version of IE7 in Windows Vista is slightly different; it's a superset of the XP version, but only by a couple of features. One is a feature called Protected Mode, which takes advantage of the new user account controls in Windows Vista to run the Internet Explorer process in a much lower privilege than even a limited user. That offers a great level of protection from future vulnerabilities and malicious attacks. The second feature is parental control -- putting parents in control of the Web sites their kids visit and providing a much safer online experience.

BN: And last but not least: When we last talked, you were using Maxthon as your daily browser. Have you switched to IE7?

GS: Yes, I have. I've been using IE7 since before the first beta last summer and install new builds almost every day so I get to check the progress. We've definitely come a long way. I'll tell you, early on going from Maxthon to IE7 Beta 1 was a difficult switch, because a lot of the features I really liked were not there yet. But now I'm running the IE7 Beta 2 Preview and having a great experience.