IE 10 is more secure, so here's a Microsoft tool to prevent you updating by mistake

An alert writer over at The Register has spotted a funny thing.

Microsoft just released a free tool to stop you upgrading to Internet Explorer 10 on Windows 7 and Server 2008 R2.

"Big deal," you say. "There is no IE 10 for Windows 7, so it doesn't sound like much of a tool to me."

Except, as The Reg points out, the availability of the tool is a sort of omen: it surely means that IE 10 for Windows 7 must be nearly ready to drop for real.

Ironically, then, Microsoft is making sure that as soon as IE 10 is ready, you're already ready to avoid it.

Sounds rather odd, but sysadmins in any but the smallest organisations tend towards trepidation over Internet Explorer updates, in case some legacy business application should go pear-shaped.

And there's the real irony: that Microsoft should need to produce a one-off anti-update tool to help you sidestep a forthcoming automatic update, as a way of discouraging you from turning off automatic updates altogether.

A sort-of "lesser of two evils" solution for change control conservatives.

Microsoft has been there before, with IE 6 staying on the shelves so far past its use-by date that the company came up with an entire website devoted to weaning people off IE 6, with an unrepentant clarion call of, "Friends don’t let friends use Internet Explorer 6."

The technique for suppressing IE 10 is pretty straightforward. Here's an excerpt from the batch-language version:

set REGBlockKey=HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0
set REGBlockValue=DoNotAllowIE10

REG ADD "%REGBlockKey%" /v %REGBlockValue% /t REG_DWORD /d 1 /f

Even with this magic registry value set, you can manually install IE 10 (or manually force an update with WSUS) if you want to override the block.

When you're ready to let Windows Update push out IE 10 entirely automatically, you just remove the DoNotAllowIE10 registry value:

set REGBlockKey=HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0
set REGBlockValue=DoNotAllowIE10

REG DELETE "%REGBlockKey%" /v %REGBlockValue% /f
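
A local check for the state these two excerpts toggle, added here as an example (it is not part of Microsoft's tool or of the excerpts above). The function name Get-IE10BlockState and the state labels are assumptions, and only the REG_DWORD 1 written by the REG ADD command is treated as blocked.

```powershell
# Added example, not Microsoft's script. Reports whether the automatic-delivery
# block from the article is set on this machine.
$BlockKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0'
$BlockValue = 'DoNotAllowIE10'

# Hypothetical helper name; returns 'Blocked', 'NotBlocked' or 'Unexpected (...)'.
function Get-IE10BlockState {
    param(
        [string]$Key  = $BlockKey,
        [string]$Name = $BlockValue
    )

    # No key at all: nothing is blocking automatic delivery.
    if (-not (Test-Path -LiteralPath $Key)) { return 'NotBlocked' }

    $regKey = Get-Item -LiteralPath $Key
    # Key exists but the value is absent: same as after the REG DELETE command.
    if ($regKey.GetValueNames() -notcontains $Name) { return 'NotBlocked' }

    $kind = $regKey.GetValueKind($Name)
    $data = $regKey.GetValue($Name)

    # The article's REG ADD writes REG_DWORD 1; only that exact form counts.
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1) {
        return 'Blocked'
    }

    # Wrong type (e.g. a string "1") or other data: flag it for review.
    return "Unexpected ($kind = $data)"
}

$state = Get-IE10BlockState
Write-Output ("{0}`t{1}`t{2}" -f $env:COMPUTERNAME, $BlockValue, $state)

# Non-zero exit code lets a deployment or compliance job catch unblocked hosts.
if ($state -eq 'Blocked') { exit 0 } else { exit 1 }
```

A 'Blocked' result only covers automatic delivery: as noted above, a manual install or a forced WSUS update still goes through.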

If you want someone's word other than Redmond's that IE 10 is more secure than earlier browsers, consider the prizes on offer at this year's PWN2OWN competition for browser hacking.

IE 10 is worth $100,000 for a successful exploit; IE 9 will only fetch you $75,000.

So when will IE 10 drop onto unblocked Windows 7 PCs?

Sadly, we can't tell you that. For users not afraid of upgrading their browser, the sooner the better!

15 Responses to IE 10 is more secure, so here's a Microsoft tool to prevent you updating by mistake

  1. JimboC_Security · 941 days ago

    While it is a good thing that this tool is available for IE 10 I agree with Paul it is primarily intended to be used by sysadmins to block the installation of IE 10 since it may not be compatible with in-house business applications.

    As for security, Microsoft has discussed this at length in the following blog posts and also in the following PDF that mentions the mitigations of the 64 bit version of IE 10 as well as Enhanced Protected Mode (although it mostly focuses on IE 10 for Windows 8):

    • yuhong · 941 days ago

      Yep, these update blockers have been there for pretty much every previous IE upgrade since IE7. FYI, MS supports all versions of IE down to what was shipped with the OS for the OS support lifecycle.

  2. JimboC_Security · 941 days ago

    I have used IE 10 Release Preview on Windows 7 64 bit since November and it is an excellent browser.

    Enhanced Protected Mode works fine for everyday use. Adobe Flash Player works in this mode too. It also means that the 32 bit version of IE 10 is not available for use anymore. If you open IE 10 from the Program Files(x86) folder, it actually opens the 64 bit IE 10. If you want to use the 32 bit version, turn off Enhanced Protected Mode. Thus you can now have a 64 bit IE as your default browser.

    The benefits of a 64 bit browser are discussed in the following blog post (it is an older post, but it is still relevant):

    I look forward to upgrading to the final version of IE 10 even though I have not had a single issue over the 3 months. It has been so trouble free that I forget that this is still a preview version of IE 10.

    If you have been using IE 9, I see no reason not to upgrade to IE 10 when it becomes available; it is more standards compliant and is slightly faster. It never hurts to have the latest version of any browser.

    Thank you.

    • Glenn · 941 days ago

      I upgraded to IE 10 prerelease in Nov and have had no problems with it. In fact, lock ups and problems almost completely went away. Can't wait for the final version. PS - I am only a home user, but it is much better than the IE 9 enhanced I was using.

      • Bill · 941 days ago

        I have also been using IE10 pre-release with no major issues. There are however some small annoying issues. Fidelity's site displays font differently than most others. Also, on some occasions when I print an adobe pdf from a page the printing is garbled. Finally, I am still unhappy about the location of the page tabs and the inability to put them where I would like them. Other than that I am a happy camper.

  3. Thomas · 941 days ago

    I disable Microsoft auto updates immediately upon purchase of a new computer. I prefer to view updates before installing. This practice forces more time and thoughtfulness upon a user but I see thinking first as a positive.

  4. Jon · 941 days ago

    IE is not allowed here. period.

  5. MikeP_UK · 941 days ago

    Best way to avoid these and other unwanted Microsoft 'Updates' is to not use automatic updates. Use the setting to tell you when updates are available, run the MS update website in Custom mode, then check what it has on offer and deselect those you know you don't want. Simple. That's what I have done ever since MS introduced automatic updates as I knew they would have no idea what I wanted or needed on my PCs. So I can filter out all the MS junk without it ever reaching my systems.
    Just as secure, perhaps more so as every update has been carefully considered and only installed if it improves security or adds wanted functionality. Those items that don't add useful functionality are not installed, things like the Bing search bar.

  6. Curt S · 941 days ago

    I use all three major browsers, and I find them all to be excellent in their own right. IE and Chrome are fastest, Firefox is most easily customized, IE is the most secure. If anything, the differences between Chrome and IE have become negligible.
    Firefox is more resource-intensive, so it only runs great on very capable computers.
    As for the haters (of any stripe), don't you have better things to do? (Jon?)

  7. Bob · 941 days ago

    "a one-off anti-update tool to help you sidestep a forthcoming automatic update" - this is nothing new, we have seen this for previous releases of Internet Explorer. Some of us have "been there, done that" - nothing new here!

    • Paul Ducklin · 941 days ago

      What's new here is that the upgrade is to IE 10, which by all accounts introduces some of the biggest browser security improvements in any IE version number change. Yet it's only coming to Windows 7 now. Seems that it was quicker and easier for MS to port to the ARM platform (and its new-fangled ARM port of Windows 8) than to Windows 7.

      The real deal here is not so much the blocker tool itself, but what the blocker tool appears to be announcing: not just that IE 10 for Windows 7 is coming, but that it's nigh.

  8. Andy · 940 days ago

    I have found that IE 10 in Win 8 does not work at all on some of the websites I visit. Compatibility mode does not fix the problem although changing the browser mode to Internet Explorer 9 does fix the problem. However this is not a practical solution for day to day use.

    As far as I am aware downgrading to IE 9 on Win 8 is not an option so I have had to switch to Chrome until the IE10 issues I have are resolved.

    I will definitely be blocking IE 10 on Win 7 until the issues are sorted.

    • JimboC_Security · 939 days ago

      Hi Andy,

      That’s true but I would say that it is the fault of the website in question not being compliant with IE 10. If it works with Chrome it should work with IE 10 unless the site is specifically tailoring what it displays to suit the browser. I am not a web developer but isn’t that supposed to be bad practice? I had read that it is better to detect a browser by the features they support rather than their version numbers. I would say mention the incompatibility to the website's owners.

      I also don’t see the problem about pressing F12 to display the Developer Tools in IE 10 and changing the browser mode to IE 9 and then browsing that particular site as normal, it’s very quick. I remember when IE 9 came out, this workaround needed to be used a lot more back then.

      If you are unhappy with IE 10 in Windows 8 and want to remove it completely, please feel free to do so. The following tutorial explains the necessary steps:

      I hope this helps. Thank you.

  9. John · 928 days ago

    The blocker is mainly for IT dept who know it will break stuff. Most users should find IE10 as compatible as IE9 with only a couple glitches here and there. I will be interested to see if Microsoft turns on the Tracking Protection by default for IE10 in Win7 as it has with Win8. So far when I have tested out IE10 on my Win7 machine the protection was off. Google in my opinion has some good things for security going with its sandboxing and built in Flash player. Making updates much more fluid. I don't care for Chrome's UI so I don't use it. Firefox seems to be the biggest loser in web browsers these days. Losing way more users to Chrome than IE seems to be losing to Chrome. Firefox at one time was my kind of browser. Today, I don't even have it installed anymore. I expect to move right into IE10 as soon as it's released to Win7.

  10. thazall · 808 days ago

    O P E R A

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog