Microsoft has become quick and good at seizing any opportunity to push attention away from itself and blame others, even if those others aren’t truly to blame.

Their latest attempt? Perhaps you’ve seen the latest Microsoft security bulletin, which describes a patch that is supposedly necessary to fix a “security risk” where viruses could get downloaded (typically from Web pages) and automatically launched. One section from the bulletin answers the question of what the patch does:

This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and prevents the Mac OS from automatically launching MacBinary and BinHex files.

Note the emphasis about preventing Mac OS from decoding downloaded files. The truth is, Internet Explorer for OS X (not OS X itself) was given a “feature” where encoded files (such as MacBinary and BinHex) are automatically launched after they are decoded. If a virus were inside one of these encoded packages and downloaded, the user wouldn’t have an opportunity to choose not to launch the application after it is downloaded. Apple’s bulletin is more accurate:

The default setting for Internet Explorer in Mac OS X 10.1 is to automatically decode and open (“execute” or “launch”) the downloaded file. While this automation is a convenience, this behavior could be exploited by a malicious Web site.

Forget for a moment that most of the time, when a user clicks a file to download, they know that they’re downloading something and should know what they’re downloading. I’ll pretend for a second that there are some Macintosh users who aren’t enlightened enough to not click a file to download unless they know what it is.

Having said that, what we have here is a case where Microsoft released their new browser for OS X, came up with this “auto-launch” feature (possibly to create something similar to the “Run from location” setting when a file is downloaded in IE for Windows), later realized (or, more likely, pretended to “realize”) that was a security problem, blamed OS X, and released a patch to fix it. If Microsoft wanted to add this feature properly, they would have provided separate options to enable/disable auto-decoding and auto-launching and default the auto-launch to off. Better yet, why not give the user the choice when they download the file to either save it or go ahead and run it, just like IE for Windows.

Copyright © 2001 Lee Bennett, lbennett@atpm.com.