December 08, 2010, 10:54 AM — Playing against type (again) Microsoft has announced plans to give its browser the ability to stop certain sites from tracking end users, giving users some control over the sites with which they share and the data sites can collect.
Microsoft is so uncredible a guardian of customers' security and privacy that I'd normally 'uh-huh' and go on to something else. Its timing is great -- immediately after the FTC announced plans to create a "do not track" list designed to let normal people choose whether or not they'd like to be tracked, and by whom.
Unfortunately, the FTC tool will be a long time in coming, even if it overcomes opposition by Republicans in Congress.
And, even after the list or a tool that supports all major browsers is up and running, government budget and development schedules will keep it far enough behind the cutting edge to be useless for anyone but technology laggards and public PCs at the library that can only run last year's malware.
It will also probably not equal this privacy policy proposal.
Microsoft's tracking protection would be built into IE9 and be based on its existing InPrivate Filtering, a function in IE8 that will block some sites but has to be turned on every time the browser is.
The IE9 version would be on or off all the time, at the user's choice, and would remember preferences about particular sites between sessions.
My immediate thought was that Microsoft was doing its de-facto-standards thing (more appropriately in Microsoft's case expressed as Embrace, Extend, Extinguish).
Its usual MO is to develop a Windows-centric API or interoperability technique, then either donates it to a standards body (MS SOAP, W3C SOAP) so it looks like a community developed open standard, or just builds the standard into everything Microsoft sells so it's still not accepted, but is so commonly available that people use it anyway (MAPI, ActiveX, Internet Explorer, Windows, Steve "Monkey Boy"Ballmer).
There's no guarantee the do-not-track feature it won't be more dangerous that not using it, though. Earlier this week researchers revealed how to bypass IE's Protected Mode, which is based on security settings on Windows and which is the basis for security settings for other applications, including ChromeOS. Bypassing Protected Mode, by default, makes those other applications vulnerable, too.
Cluster-fail.
At the same time, Microsoft is pushing along the positive security track it established with Windows Defender, Malicious Software Removal and Microsoft Security Essentials software with a tool that has a silly name but serious goal: to identify and deactivate malware written in JavaScript -- as much of the hottest malware currently is.
The new tool, from Microsoft Research, is called Zozzle.
Zozzle is designed to run on a site and decide if JavaScript is good code or bad code, and has to be trained on unobfuscated JavaScript code -- not code buried in other levels of function and design coding on a Web site.
Zozzle comes with a blacklist of malicious or suspicious Java source, gathered from scans of millions of Web sites by Microsoft's related Nozzle tool. Though updates will almost certainly be available, IT people trying to do it for their own user populations will have to isolate the suspicious code to let Zozzle have a good look, or use another tool that can pull it out of the cover of other Java code.
Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
