The History of Internet Explorer by Scott Schnoll
The History of Internet Explorer by Scott Schnoll
by Scott Schnoll
Copyright © 1998-2001 - All Rights Reserved
Internet Explorer is Microsoft’s World Wide Web browser, and the name for a set of Internet-
based technologies that provide browsing, email, collaboration and multimedia features to
millions of people around the world. It’s a four-year old product that has received glowing
reviews from end users and the media, harsh criticism from Microsoft’s competitors and the anti-
Microsoft crowd, and it is one of the cornerstones of an ongoing anti-trust trial that the
Department of Justice has brought against Microsoft. It remains a testament to Microsoft’s
ability to turn it’s product strategy on a dime, it is used by millions upon millions of users
navigate the World Wide Web, and it has emerged the victor in the long-standing browser wars
with Microsoft’s competitor, Netscape Corporation.
To properly understand the security aspects surrounding Internet Explorer, I believe one should
begin with a historical perspective. This is important for two reasons. First, given the many
different released versions of Internet Explorer, you need to determine where you are in the
Internet Explorer product timeline. Only then will you be able to determine what security issues
you’re facing and what you can do about them. Second, and more importantly, Internet Explorer
is here to stay. Microsoft has forever interwoven the Internet Explorer suite of products and set
of technologies into its Windows, Office and BackOffice family product lines. There are over
200 million Windows users, and I don’t think Windows is going to disappear any time soon.
In 1995, Microsoft was busily working on a very important project, code-named “Chicago.” An
extension of that project – code-named “O’Hare” after Chicago’s O’Hare Airport – was being
developed in tandem. Microsoft’s intent was to combine the technologies of both projects into a
single consumer product. Toward the end of these projects, Microsoft decided to take the
O’Hare technologies, and distribute them as part of a separate add-on pack to the Chicago
product. Chicago, now known as Windows 95, proved to be one of the most successful
operating systems to date. O’Hare, now known as Internet Explorer 1.0, first shipped as an
Internet Jumpstart Kit in Microsoft Plus! For Windows 95.
Although Internet Explorer 1.0 integrated nicely with Windows 95, few customers used it,
preferring instead to use the highly popular browser from Netscape Development Corporation, or
other web browsers such as Mosaic, Lynx and Opera. Microsoft remained undeterred.
Microsoft’s market research indicated that their customers wanted to use Windows 95 as a
universal network client; one that could connect to Windows NT, Novell NetWare, Banyan
Vines, and the Internet.
Microsoft made great strides over the next year with version 2.0. This was Microsoft’s first
cross-platform browser, available to both Macintosh and 32-bit Windows users. Version 2
introduced support for a wide variety of emerging Internet technologies, such as Secure Sockets
Layer (SSL), HTTP cookies, RealAudio, Virtual Reality Modeling Language (“VRML”), and
support for Internet newsgroups (NNTP). We’ll discuss these things more in depth in
forthcoming chapters.
In the summer of 1996, Microsoft released version 3.0, which seemingly overnight triggered a
mass exodus from Netscape’s browser to Internet Explorer. The Internet community became
polarized on the issue of which web browser had the most features and the most support for the
latest Internet technologies, as well as which one more closely adhered to RFCs and other
Internet standards. Internet Explorer 3 boasted a wide variety of features, including support for
video and audio multimedia, Java applets, cascading style sheets, and Microsoft’s ActiveX
controls. Ever since the release of version 3, the browser wars have raged on. But the debate
was nearly made moot by one distinguishing aspect – Netscape charged nearly $50 for its web
browser, while Microsoft gave Internet Explorer away for free.
One of the primary reasons behind the success of Microsoft Office, was the fact that it was a
bundled suite of products. Microsoft felt that, by applying this practice to Internet Explorer, they
would be able to duplicate this success. So they introduced additional integrated components
when they released version 3, such as Internet Mail and News 1.0, a Windows Address Book,
and later on, Microsoft NetMeeting and the Windows Media Player. As a result of these new
compelling features, version 3’s popularity skyrocketed. This new and quickly increased
popularity had the unintended side-effect of putting Microsoft and it’s web browser under
intense public scrutiny.
Technologists and pundits began to write about how Microsoft was trying to dominate the
Internet by flooding the market with their web browser and turning the Internet into a Microsoft
proprietary domain. Others were concentrating on other issues, such as browser security. There
was much to be concerned about. On August 22, 1996, a mere nine days after Internet Explorer
3 was released, the first Internet Explorer security problem was reported – The Princeton Word
Macro Virus Loophole.
The Princeton Word Macro Virus Loophole should have been a wake-up call for Microsoft.
Discovered by two well-known Princeton researchers – Edward Felten and Dirk Balfanz – this
security hole enabled a malicious webmaster to download files to an unsuspecting user’s PC
without their knowledge. This could be any file, including a Microsoft Word Macro that could
in turn execute DOS commands. Or worse, a malicious webmaster could transmit a virus, a
Trojan program that could open a “back door” into the target system, or a program designed to
discretely transmit files back to the malicious web site.
The very next day, Microsoft released a patch to close the Princeton Word Macro Virus
Loophole. While Microsoft downplayed the significance of the loophole, the Internet
community was becoming increasingly concerned. Months before reporting this loophole,
Felten reported his discovery of some serious Java vulnerabilities in Netscape Navigator. The
picture was becoming clear – this new territory called the Internet could be a dangerous place.
More and more security bugs started appearing. In December, 1996, Felton reported another
security flaw in Internet Explorer. This flaw allowed malicious websites to “spoof” other web
sites. A spoofed web site is a site that looks real; it can literally be an identical copy of a real
site, except that it isn’t hosted on a web server that belongs to the web site you think you’re
visiting. In other words, while you think you’ve just purchased the latest subscription to Foo
Magazine, you’ve actually just transmitted your credit card number and other personal
information to a fake site.
Month after month, one security problem after another was being steadily reported. There were
numerous vulnerabilities which exposed computer files to malicious web sites; there were other
bugs that inadvertently transmitted encrypted information in plain text to unauthorized sites; and
there was the revelation that Internet Explorer maintained a bit-by-bit record of where users went
online. Between Java bugs, scripting holes, Year 2000 problems, and a growing anti-Microsoft
sentiment, Microsoft was being attacked on all sides, all because of Internet Explorer.
Microsoft’s strategy for Internet Explorer took an interesting turn in late 1997 when Microsoft
claimed that, once installed, Internet Explorer 3.0 could not be completely uninstalled from
Windows 95. This claim was made early on in the still-running antitrust trial against Microsoft,
and hotly disputed by many, including the Department of Justice. Again, Microsoft was
undeterred. In fact, in September 1997 they stepped up their efforts to improve upon version 3
by releasing an all new version – version 4 – one that was completely integrated into Windows
95, Windows NT and, when later released, Windows 98.
Internet Explorer 4 represented a quantum leap over the prior versions of Internet Explorer. In
1990, Microsoft had unveiled its “Information at Your Fingertips” (IAYF) campaign. According
to Microsoft, IAYF means “the right information at the right time for the right purpose.”
Microsoft’s goal was to make finding, browsing and retrieving information easy, with access to
the information location-independent. Internet Explorer 4 was a major milestone in this
campaign. In fact, it was so critical to their vision, that Microsoft completely scrapped earlier
betas and alphas of Internet Explorer in favor of the version that is available today.
Microsoft was targeting three major markets with this latest version. For companies and
organizations, Internet Explorer 4 would make users more productive and evangelize intranets,
while allowing IS departments a granular level of control. For home users, Internet Explorer 4
provided a much richer Internet experience. For programmers and software developers, Internet
Explorer 4 provided a platform for delivering interactive and compelling content.
But it was much more than that. The launch of Internet Explorer 4 meant the end of the already
extremely blurred line between Windows and Internet Explorer. In Windows terminology, the
word “shell” refers to the user interface (“UI”). When Windows 95 debuted, the original
Windows Program Manager shell was replaced with the Windows Explorer shell. Explorer was
a slick, new interface that caught on, and allowed novice users to quickly learn how to use
Windows. When a Windows 95 user installed Internet Explorer 4, their Explorer shell was
replaced with Internet Explorer. On the surface, the user didn’t notice much change. The
changes were there, however, and they were significant. Internet Mail and News was replaced
with Outlook Express, Microsoft Chat was added and Microsoft NetMeeting was upgraded. In
addition, Microsoft introduced a new feature called the “Active Desktop.” This allowed Internet
Explorer 4 users to replace their normal desktop and wallpaper with any web content they
wanted. Instead of icons and a single wallpaper image, Internet Explorer 4 users could, in effect,
create their own custom UI for Windows. It also brought drag-and-drop functionality to the Start
Menu, and added integrated Favorites, a Quick Launch Bar and Address Bars.
Despite this power and flexibility, many users didn’t care for the Active Desktop. Some felt that
this feature was “code bloat,” that is, a feature that no one really wanted, but that Microsoft
added anyway because they thought it was cool. To a certain extent, they were right. A lavishly
customized Active Desktop can add quite a bit of resource overhead to a Windows PC. Many
Windows users were still running with 28.8Bps modem connections, 32MB of RAM or less in
their systems, and, when turned on, the Active Desktop would slow the system to a crawl.
Today’s systems, however, are significantly more powerful that those in 1997, making the
Active Desktop features useful and richly interactive.
Internet Explorer 4 also introduced a slew of new features, such as Channels, Subscriptions,
Dynamic HTML, enhanced multimedia, and webcasting. Security was also beefed up with the
addition of Authenticode 2.0, and Security Zones. Channels, subscriptions and webcasting (aka
“Push” technology) were Microsoft’s efforts to move from a technology company to a content
company. This only fueled the now prevalent fears that Microsoft’s intent was to dominate the
Internet. Some went so far as to claim that, by dumping its web browser into the market for free,
Microsoft would control who got on the Internet, where they went, and what they would see.
The very nature of the Internet made this a technical impossibility, but nonetheless, people
complained.
Despite Microsoft’s best attempts to add features, provide integration, and secure Internet
Explorer, everything they did seemed to backfire. Customers didn’t like Internet Explorer 4’s
heavy footprint or the way Active Desktop performed. Microsoft’s partners didn’t like having to
license and distribute Internet Explorer 4 – unmodified – in order to retain their status as a
Windows licensee. And security experts worldwide, such as Carnegie-Mellon’s Computer
Emergency Response Team (“CERT”), were reporting one serious security hole after another.
The concept of “Internet Time” refers to the frenzied and never-ending pace at which things on
the Internet, or things related to the Internet, occur. It’s a sort of “dog years” analogy for
technology. For example, say your company’s product happens to be a web browser. Software
development cycles can run anywhere from twelve months to several years. But on Internet
Time, the development cycle might now be six months to a year. By Internet Time standards,
Internet Explorer 4 has enjoyed an extremely long life cycle.
It is common for development on the next version of a product to occur simultaneously with the
release or near-release of the current version. This is what happened with Internet Explorer 4.
Version 3 was an ambitious project to begin with. The project – code-named “Athena” – was
scheduled to be released in the Summer of 1996, and it was supposed to include a web browser,
an email client and news reader, a new TCP/IP auto-dialer, and Microsoft NetMeeting.
Athena would also be the primary client in another project – code-named “Normandy.”
Normandy was a product line comprised of various Internet-related technologies, such as
Microsoft Chat Server, Microsoft Personalization Server, Internet News Server, Microsoft
Merchant Server, and others. The “summer Internet package,” as it came to be known, would
later become blended into another project – code-named “Nashville” – which was to be the
successor to Windows 95 UI shell.
Late in the development cycle for Internet Explorer 3, it became apparent that Microsoft would
not be able to deliver Athena as planned in the Summer of 1996. So, Microsoft cut back on their
plans and released Internet Explorer 3, Internet Mail and News 1.0 and Microsoft NetMeeting
1.0. Microsoft then began working on a new project under the code-name of “Nashville.”
Nashville was being billed as an “Internet Update Release.” Microsoft had ambitious plans for
Nashville. It would be a web browser (at the time based on Internet Explorer 3), an email client,
a news reader, a personal web server, data and audio conferencing, and a personal information
manager. More importantly, it would replace the existing Windows shell, making it a
completely integrated product. Their intent was to release a new version of Windows with
Nashville blended in.
Nashville’s goal was to evolve the Windows 95 shell to provide integration between the user’s
PC and the Internet, blurring (and removing), the boundary between Windows 95 and Internet
Explorer. The Nashville team merged elements from the Windows 95 Explorer with features
from Internet Explorer, and created a new shell (which is still called Explorer). Nashville’s goal
was realized in on September 30, 1997, when Microsoft released Internet Explorer 4.
The demand for version 4 was impressive. In the first 24 hours it was available, it was being
downloaded once every six seconds. This amounted to the transmission of a whopping ten
terabytes of data! The demand exceeded everyone’s expectations, including Microsoft’s. But in
a matter of days, security issues began cropping up, and Microsoft began releasing what was to
be a long stream of patches, updates and service packs, resulting in a number of different builds
for version 4.
Resistance is Futile
Microsoft continues to integrate Internet Explorer into its other product lines, including its Office
and BackOffice family of products. Microsoft Outlook 98 – like it’s cousin Outlook Express –
uses Internet Explorer’s HTML parsing and rendering engine. Therefore, if you install Outlook
98 onto a computer without version 4 or higher, Internet Explorer gets installed, as well. Office
2000 extends this practice by including and using Internet Explorer 5 technologies. This
foundational approach makes sense. Why reinvent the wheel (or in this case why re-write the
code) if it already exists? On the other hand, this also means that security issues that affect
Internet Explorer more often than not also affect products which use its codebase. This only
adds to the already mounting challenges of maintaining a safe and secure operating environment.
Internet Explorer 4 continues to be a popular browser. Nearly two years after its release it is still
the most popular version in use today. It is feature-rich, user-friendly and highly configurable.
On March 18, 1999, Microsoft capitalized on version 4’s success with the release of Internet
Explorer 5. Before it was even released, over 2 million copies of the beta version were
downloaded. Version 5 isn’t too much of a departure from version 4. It does add a some very
nice features, but like its predecessors, it, too has security vulnerabilities. In fact, it’s a pretty
safe assumption that all future versions of Internet Explorer – as with any web browser – will be
affected by one or more security issues.
So there you have it. The history thus far of Internet Explorer.