September, 2006

Hi folks, my name is Geoff and I am a Program Manager with the IE team focusing on security updates. On Tuesday, Windows released a security update for a vulnerability in the Windows component VML (vector markup language) that can result in remote code execution running on an affected system. Although this is not an IE vulnerability, we feel it is important to mention here, as IE can be used as an attack vector for the exploit. The VML team and MSRC have investigated the issue, produced a fix, and...

As we’ve worked on the new Phishing Filter in IE7, we knew the key measure would be how effective it is in protecting customers. In addition to our internal tests, we wanted to find some external measure of our progress to date as well as pointing to ways we could improve. We didn’t know of a publicly available study covering the area, only some internal and media product reviews. (We’ve blogged a few times about the new Phishing Filter in IE7; in addition to these technical details we published...

Add-ons for the IE platform are more than just toolbars, custom browsers and find-on-page add-ons . The edges of what you can do with the platform are virtually unlimited. Earlier this year at Mix06 , Greg Reinacker and Walter VonKoch demo’d a tool for synchronizing the RSS platform state with your NewsGator online account. On Monday, Nick Harris (no relation) at NewsGator announced that the tool, renamed “NewsGator Desktop Sync” is available for general beta. From his post: “Desktop Sync...

Hey all, Here’s the link to the transcript for the September Expert chat: http://www.microsoft.com/windowsxp/expertzone/chats/transcripts/06_0914_ez_ie.mspx . We will be holding another chat in November for those of you who couldn’t make this one. Information about our upcoming chats can be found at: http://www.microsoft.com/windowsxp/expertzone/chats/default.mspx Cheers, Uche Enuha Program Manager

In April 2005, we blogged about the new Internet Explorer 7 User Agent string sent to websites by the browser to identify itself. Since our original blog posting, we have also posted two new articles on the topic to MSDN: Understanding User-Agent Strings , and Best Practices for detecting the Internet Explorer version . A quick recap: On Windows XP SP2, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) On Windows 2003 Server, IE7 will send the following...

This is just a follow up to my recent post about dialog sizing in IE7 . Based on your feedback regarding the minimum dialog height restrictions, my team re-evaluated our position and changed the minimum height from 150 to 100 pixels. We think this change: Reduces application compatibility issues where dialogs were coded to the IE6 minimum height Is more consistent with other browsers’ minimum height providing more consistency for content developers Again, we appreciate your constructive...

A researcher posted a vulnerability against IE6 yesterday that uses random input to create a heap overflow in a Direct Animation object. Our team is testing a security update right now to fix this overflow, but in the meantime you can keep your systems safe from this vulnerability by disabling ActiveX controls in the internet zone. If you’re a desktop administrator responsible for a set of desktops, you can publish a more tactical fix by disabling the control. If you have the ability to set registry...

Greetings! I’m Raghava Kashyapa, Program Manager for the Microsoft Phishing Filter technology in IE7. As you might already know - it is important to use the latest versions of IE7 to get the benefits of all the changes we have made over the past year since the release of the first public beta. We made improvements to the client based on feedback and want to ensure users use these new and improved builds of the browser. The impact of these improvements means that older IE7 beta versions prior to...

While working on IE7 application compatibility, we’ve seen many cases of interesting and strange invalid file URIs. I believe a substantial amount of responsibility for the confusion over file URIs lies with the deprecated urlmon.dll function CreateURLMoniker. This function is used by Windows application developers mainly to convert a string URI into an object that can be used to obtain the data represented by the URI. CreateURLMoniker does a couple of horrible things to file URIs that if misused...

This morning we re-released three versions of our August 2006 cumulative security update (MS06-042). As I had written about before , the original release of MS06-042 introduced a new security vulnerability for IE 6.0 SP1 users which we addressed in a subsequent re-release. However, with the increased scrutiny this release received, a security researcher responsibly disclosed to us that a similar vulnerability was also discovered in IE5.01 on Windows 2000, IE 6.0 SP1 (in a different location), and...

One of the reasons we went to Blackhat last month was to show how the Security Development Lifecycle (SDL) has changed the way that Microsoft builds products. I talked about how we’re reducing attack surface with features like ActiveX opt-in, improving code quality and building-in Defense in Depth with Protected Mode . I didn’t get a chance to cover the new RSS feed support but I think the RSS team’s work is a great example for anyone building a new client to handle RSS feeds and a case study in...

Just wanted to remind everyone that the IE team will be having our Expert Zone chat on Thursday September 14 th at 10.00AM PDT (5.00PM GMT). We’ll also post the transcript shortly after the chat for those of you who can’t make it. Cheers, Uche Enuha Program Manager

As a scripting junkie at heart, I set out to write an extension in script for IE7: inline search – searching the document for text while I type. Before you get too excited, this does not replace the Find functionality in IE7. It’s just me getting excited about scripting. After investigating the different places I could extend IE with script, I decided to implement inline search as a context menu . All I had to do was create an HTML or JavaScript file with my script in it and add keys to the registry...

We've just completed a redesign and refresh of the IE Developer Center on MSDN. The goal is to make it easier to find IE related developer content and even includes an updated photo of me with the neon blue 'e' behind me that you can find in the lobby of our building on the Redmond campus! We've worked to make some of the essential links such as reference material easier to find and we will be promoting different content on the front page regularly making it well worth visiting on a regular basis...