IE in Windows XP SP2

Hi, I’m Tony Chor, the Group Program Manager for the Internet Explorer team. As you may know, we’ve been working hard on IE for Windows XP Service Pack 2, and we signed off on it last week. You can get a very detailed description of the changes on MSDN. (This is lovingly referred to internally as the Book of Springboard – Springboard was the codename for XP SP2.) However, I thought I’d give a high-level description of the kinds of changes we made and why.

 

First, as with any project, we set our goals and scoped the project; we couldn’t possibly do everything we wanted to in this timeframe. Therefore, across Windows, we focused on security, specifically in preventing users from having their machines taken over by malicious code. There were a bunch of other good things that happened, but security was clearly the focus.

 

Specifically for IE, we had two big buckets. The first was a set of architectural changes to help prevent attackers from getting through the barriers that protect users and their computers. The second was a set of changes to help users make better decisions about what sites and downloads to trust.

 

Architectural Changes

To understand the architectural changes, let me first describe the security model for IE (parts of it apply to all browsers). First, IE permits web pages to do different things depending on how much you trust them. IE bases that trust decision on where the page came from. Files from the Internet, for instance, cannot directly access files on your hard drive. Files that are already on your hard drive, by comparison, can. IE divides the world into five zones (shown from least privileged to most privileged) – Restricted, Internet, Intranet, Trusted, and Local Machine Zone (LMZ). Attacks that allow malicious sites to move from a zone of lower privilege to one of higher privilege are known as zone elevation attacks.

 

Second, IE puts up walls between domains (like microsoft.com) so that the script and controls from one site cannot access the information on another site. This is important so evil.com cannot get your username and password from mybank.com, for instance. Attacks that break through this barrier are known as cross domain attacks.

 

In XP SP2, we strengthened the barriers between zones and between domains. This makes it much harder for hackers to get access to your computer. Perhaps more significantly, even if an attacker gets through the new barriers and gets into the LMZ, s/he will encounter yet another barrier. We give the user an opportunity to stop the attack by blocking active behaviors in the LMZ and thereby stop the attackers from really utilizing the capabilities of the LMZ.
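
The zone barrier, the domain barrier and the extra Local Machine Zone check described above, as a simplified JavaScript model. This is an added example, not code from this post or from Internet Explorer; the site lists, the dotless-host intranet rule and all function names are assumptions made for illustration.

```javascript
// Simplified model of the barriers described in the post (added example).
// Zone names and their order come from the post; the site lists, the
// dotless-host rule and every function name are assumptions for illustration.
const ZONES = ["Restricted", "Internet", "Intranet", "Trusted", "Local Machine"];
const rank = (zone) => ZONES.indexOf(zone);

// Constructed site lists, standing in for per-user zone settings.
const siteLists = {
  Restricted: ["ads.example"],
  Trusted: ["payroll.example"],
};

function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// The trust decision is based on where the page came from.
function zoneOf(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase();
  // A file: URL with no host is a file already on the local disk.
  if (url.protocol === "file:" && host === "") return "Local Machine";
  for (const zone of ["Restricted", "Trusted"]) {
    if (siteLists[zone].some((site) => hostMatches(host, site))) return zone;
  }
  // Assumption: host names without a dot (including file shares) are intranet.
  return host.includes(".") ? "Internet" : "Intranet";
}

// Barrier 1 (zones) and barrier 2 (domains): may content loaded from
// sourceUrl read or script content at targetUrl?
function checkAccess(sourceUrl, targetUrl) {
  const from = zoneOf(sourceUrl);
  const to = zoneOf(targetUrl);
  if (rank(from) < rank(to)) {
    return { allowed: false, reason: "zone-elevation", from, to };
  }
  const a = new URL(sourceUrl);
  const b = new URL(targetUrl);
  if (a.protocol !== b.protocol || a.hostname !== b.hostname) {
    return { allowed: false, reason: "cross-domain", from, to };
  }
  return { allowed: true, reason: "same-site", from, to };
}

// Barrier 3, new in XP SP2 per the post: active content in the Local Machine
// Zone stays blocked unless the user chooses to allow it.
function lockdownBlocks(pageUrl, userAllowed) {
  return zoneOf(pageUrl) === "Local Machine" && !userAllowed;
}

// Constructed scenarios; the URLs are only parsed, never fetched.
const scenarios = [
  ["http://evil.com/page.htm", "https://mybank.com/login"],
  ["http://evil.com/page.htm", "file:///C:/Documents/taxes.txt"],
  ["http://intranet/wiki", "http://intranet/wiki/edit"],
  ["file:///C:/help/page.htm", "file:///C:/Documents/notes.txt"],
];

function report() {
  return scenarios.map(([src, dst]) => {
    const r = checkAccess(src, dst);
    return `${r.from} -> ${r.to}: ${r.allowed ? "allow" : "deny"} (${r.reason})`;
  });
}

console.log(report().join("\n"));
console.log("local page blocked until the user allows it:",
  lockdownBlocks("file:///C:/help/page.htm", false));
```

The last scenario shows why the third check matters: two local files pass both the zone and the domain test, so without the lockdown a page that reaches the local disk would run with full Local Machine Zone rights.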

 

Basically, consider this real world analogy: we have improved the fences and doors that separate your yard from the street and your yard from your house. If someone manages to get through the barriers, s/he will find your valuables locked in a safe inside the house. We have made it harder to break in and less interesting if you do.

 

User Experience Changes

Despite the architectural changes we’ve made, users will still need to make decisions whether to trust a site or a download. To do this, the user needs good, understandable information. For IE in XP SP2, we had two primary design principles around our UI. First, users need accurate information to make trust decisions. Second, users should have more control over their web browsing experience.

 

To help users make better trust decisions, we made it harder for malicious sites to spoof IE’s UI and provided clearer dialogs around key activities like installing software. For instance, some bad guys today cover the IE UI like the address bar or prompt dialogs with a chromeless window (an IE window with no window frame). They then make the UI look like it says something else, like a different URL or “This is totally safe. Install it now!” In XP SP2, IE windows cannot cover IE UI, nor is it as easy to create chromeless windows.

 

We give users more control over their browsing experience in a few ways. First, we block most things from coming up without some user action; for instance, pages can no longer automatically start a download unless the user clicks a link or accepts the download via our new Information Bar UI. We also came up with a very original idea – popup blocking. J Sites can no longer open windows except when the user clicks a link or button to initiate it. Similarly, sites cannot change your home page without a user click.

 

To reuse my house analogy, with our user experience changes, we have made it easier for you to identify who is at the door so you can decide whether to open it, and we took the doorknob off the outside of the door, so you can only open it from the inside.

 

There are a whole lot of other changes around reliability, Group Policy support, and a myriad of others, but those are the big themes for our work in Windows XP SP2. IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser. We’re really excited about it, and hope you will be too.

 

For those who don’t have XP SP2 yet, the easiest way to get it is to follow the instructions for turning on Automatic Updates on http://www.microsoft.com/athome/security/protect/default.aspx.

 

For those who are already running XP SP2, tell us what you think!

 

Thanks,

 Tony

 

Published Tuesday, August 10, 2004 9:28 AM by ieblog

Comments

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:37 AM by Ken Cox [MVP - ASP.NET]
Very interesting summary. Thanks for the info and good luck with IE!

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:39 AM by John
"We also came up with a very original idea – popup blocking" ... So now you invented popup blocking?

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:48 AM by Owen
Yes... and it's very original. :)

Microsoft... proving once again that they are innovative after the fact. Heh.

Ok folks, start placing your bets on when the next major exploit will be found. I'm giving it 30 days. :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:49 AM by Someone who gets sarcasm
Gotta love people who don't get it ;)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:49 AM by karsh
I'm running XP SP2 right now, and to use your house metaphor, it's like a nosey neighbor peeking in through all my windows seeing what I'm doing or asking if I want to run a program or visit a site. In short, it's a pain in the ass and should be toned down in some way (if I wanted this many intrusions, I'd install ZoneAlarm); surely there's a way to offer the same level of protection without so many dialog boxes popping up.

I mean it even asked me twice if I wanted to run Mozilla Firefox after I clicked yes. Sheesh.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:50 AM by Rory Parle
" We also came up with a very original idea – popup blocking." - I assume this is a joke.
"IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser." - I assume this isn't a joke, so back this up please.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:59 AM by Brady
We gave it a download test on one of our XP boxes here at work, and it seems stable -- though it is quite invasive. Even after all of this, I still don't trust microsoft... almost for the same reasons we left QuarkXpress for our designers. Now that you've taken hold of the industry, all these updates only come out when critical and absolutely needed -- no improvements otherwise! I see that any other update will take just as long to fix... and that's not good enough anymore when free options are out there much faster and much more reliable.

Because of this, I've removed all IE from our PC's (except this test one) and have installed Firefox and Opera for the user to pick and choose.

I know that you say the regular consumer doesn't care about things like standards and improved browsing -- but your business clients do... and those that pay a lot of money for websites for their company do.

If a non-profit can provide security as well as improved browser experience for free, then they have my business.

I will try the update on one of the XP's without IE, and see if it causes any problems to open Mozilla or Opera builds. If I find MS is trying to block their launch, I'll be an extremely unhappy client.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 10:15 AM by Simon Willison
I haven't played with SP 2 yet so I'm not qualified to comment, but since that never seems to stop anyone around here...

My biggest concern about all of this is that users simply don't read. If something pops up while they're trying to accomplish a task, they'll hit 'OK' without reading the dialog box. For this reason, I'm highly skeptical of any security measure that relies on prompting users to continue - because anecdotal experience shows that it won't make any difference.

I'd love to know what kind of user-psychology driven decisions were made during the design of SP 2. It would certainly make an interesting blog entry.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 10:26 AM by Alex Barnett
If you are just about to be one of those that adds another 'I can't believe Microsoft is to have invented the popup blocker' comment, then don't.

He was j-o-k-i-n-g !

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 10:50 AM by Turnip
OK, firstly, yeah it's great that you guys think you have got security worked out, but shouldn't it be secure on first release, rather than the second service pack?

And this:

"IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser."

I would call it bull-somethingorother but this comment would be deleted.

Firstly, Microsoft hardly have a good track record when it comes to security, and secondly, tell me about the critical exploits available to the hacker in other browsers? Hmmmmm? I thought so.

Other browser manufacturers are far more committed to security than Microsoft. They program their browsers so that the security exploits don't happen in the first place. And when they do, there is an excellent response time in getting the problem sorted.

Yes, I'm talking about Mozilla.

Example:

Bug 251382 (http://bugzilla.mozilla.org/show_bug.cgi?id=251381) is reported at 2004-07-14 08:10. It is a major security issue. Fixed? 2004-08-03. See http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2

Another major security issue:

Bug 250180 (http://bugzilla.mozilla.org/show_bug.cgi?id=250180) is reported at 2004-07-07 06:46. It's a major security issue about the shell protocol handler. FIXED THE SAME DAY. See http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.1

I rest my case.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 10:54 AM by Starman
I've installed SP2 on two machines at work (Dell GX270) and the whole process was very smooth. All my software is still working great (Opera 7.54, Firefox 0.09+, Mozilla 1.8a2, FeedDemon, Homesite+, Slimbrowser, Maxthon, etc). It is good to finally have a built in popup blocker in IE and the Add On Manager is a good (and needed) feature too. The only software that created a warning dialog that I had to respond to was WS FTP LE. One click and it was working as good as before.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 10:59 AM by Starman
Turnip, this serious spoofing vulnerability hasn't been fixed in Mozilla for FIVE years: http://secunia.com/advisories/12188/

Quote
description:
A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

The Mozilla user interface is built using XUL files.

A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

NOTE: This issue appears to be the same as Mozilla Bug 244965.
end quote

Proof of concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html (if using Mozilla or Firefox)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:17 AM by travis
Starman, maybe it's been fixed in 0.9.3 b/c the "exploit" is quite obvious to me. My menubar and location bar appeared as they should directly above the fake ones.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:21 AM by Owen
Starman,
Omigod! I can't believe you are talking about the limited number of Mozilla bugs when IE has had them for YEARS! I can't even count the number of SSL exploits in IE! And one of the recent exploits to Mozilla was due to the underlying architecture of Windows being inherently insecure; the bug did not affect other systems.

They followed Windows development guidelines and POOF... insecure! Why?!! Because Windows has an inherently insecure way of handling system calls. That bundled with a browser that's built into the system makes IE Windows' worst security nightmare!

Oh and by the way, they patched those exploits already. One of them was patched the same day it was found. In fact, they work to patch all security holes as soon as possible. Is this the same with Microsoft? HELL NO!

Many a time a security expert has notified Microsoft of errors in their browser only to have Microsoft ignore them time and again. When do they fix it? When millions of machines start going down!

Mozilla fixes it before it even happens and usually in a period of 24 hours.

You are dreaming if you think IE can even compare on security with Mozilla. But don't worry... we've sent Microsoft a wakeup call. :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:50 AM by fedUP
Glad to see these changes...but I'll only consider IE to be secure once it's separated from the OS (completely! as in, I can remove it from my computer and my computer will still do everything else other than browsing with IE)...I don't *want* a browser tucked into the OS - I just want an OS...

...and once I see the future fixes (and there *will* be future fixes) being turned around in a Mozilla-like timeframe...it just shouldn't take Microsoft being pushed to the "edge of the cliff" to make it get up and do what should have been done from the beginning.

If these 2 things happen, I might even *choose* to download and install a future IE :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:50 AM by Tony Chor
For the record, I was joking about our "innovation" around popup blocking. I know we're late to this party, although I do think our implementation is very good.

With respect to whether IE in XP SP2 is more secure than other browsers, it is truly my belief that at this point in time, we are. It's certainly likely that someone, some day will find a critical vulnerability in XP SP2; I would not be so arrogant to believe otherwise. But today, we don't have any known open critical vulnerabilities. In any case, it's definitely the most secure browser we've ever built and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.)

Should we have been more secure from the beginning? Sure, it's easy to say that now. When IE was first developed, compatibility and user experience were more important; whether this was the right choice is somewhat academic and unimportant now. We are absolute dead serious about security now. It's permeated everything we do, and we're willing to impinge on the user experience and app compat if needed. Our work in XP SP2 is the first real demonstration of this new mindset.

Anyway, it's good to see people are reading this blog... :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:50 AM by Robert Scoble
Just saw this article on Neowin: "Firefox has more security holes than Internet Explorer?"
http://www.neowin.net/comments.php?id=23124&category=main&zx=2542c9d0deeb1f09140206854

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:58 AM by fedUP
Tony, I don't think looking at past decisions is "academic and unimportant now."

Microsoft has taken what used to be credibility and good will with its customers and has run them both into deep sh*t...

...this SP2 spectacle is a great start, and I applaud you, but Microsoft has gone so far for so long, that every one of your business customers is looking at you with an intensity unparalleled in the past...your *future* decisionmaking processes better be better than those in the past...so it is anything but "academic and unimportant now" to see what was a long series of mistakes, and to do better with your customers, FOR your customers, in the future.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 12:12 PM by Owen
Yep, 10 but not all severe. Microsoft's were ALL severe. And naturally you are going to find more security holes in a product where everyone can look at the source. That's half the point; getting everyone to look at the code and find those holes so they can be shored up early on... instead of hiding your flaws in proprietary code that no one can look at only to find out that there were perhaps hundreds of exploits and flaws.

More eyes on it makes for a better product.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 12:20 PM by François Battail
Hi Tony, good to read this, so now users of Windows XP SP2 may be confident for some time on Internet Explorer, OK but I'm using Windows 2000 at work ... (and I don't use Internet Explorer) so what's the roadmap? And what's planned next: web standards? Truly? Really?

# The IE weblog makes me laugh <Anne's Weblog about Markup & Style>

Tuesday, August 10, 2004 4:01 PM by TrackBack
The IE weblog makes me laugh <Anne's Weblog about Markup & Style>

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 1:12 PM by Turnip
"and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.)"

I find this funny coming from a Microsoft employee. Microsoft has only ever been about taking other people's ideas. And if other people's ideas aren't up for the taking, Microsoft buys them out.

Example:

http://joelonsoftware.com/items/2004/07/19.html

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:02 PM by Lenin
This is all enormous conspiracy of capitalists to scare workers from internet.

According to the comments I read on this blog, Microsoft is filled with really stupid and lazy people who somehow pull off one of the most brilliant and well-executed conspiracies to dupe the world.

In the meantime, a small set of hobbyists, in their spare time, with no concern for app compat or even people who they deem too stupid to understand how good their work is, are going to save the world.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:02 PM by Roland Siegert
Tony,
Thank you for the hard work you've done with SP2!

It's a big relief that everyone can recommend IE again regarding security and privacy. Sure it will take a while until people and media will fully trust IE again, but even hardcore Mozilla users will have to admit that you have done a fantastic job with SP2.

As a company that builds research tools solely based on Internet Explorer (www.contentsaver.com), we're very happy that the platform we rely on now is finally secure and updated again. We're looking forward to future IE improvements like the superbly designed and implemented pop-up blocker in SP2. Our users and all IE users in general will love it!

Thank you and congratulations!
Roland

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:06 PM by lou josephs
However for those using Win 2k, you're out of luck. Keep downloading patches, and for critical stuff IE ain't going to be your browser.
Yeah I have another box on XP and yes I will be adding SP 2 for it.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:12 PM by Owen
Oooh... small set of hobbyists? Hmmm... from latest accounts from analysts from within and outside the open source movement, the number of people working on popular open source projects at any time usually is 3-5 times that of Microsoft developers.

So unless Microsoft has people who can do the work of 3-5 people, their product is always going to be crap.

Oh but they are geniuses you say? So... so are a lot of developers. It's why they go into this field because everything else is boring as hell!

Let's remind you that the number one web server on the market right now is STILL Apache (with 70% of the market). Is it unsecure and unstable because it's done by hobbyists? Hell no. In fact Microsoft's IIS is known to be one of the buggiest and unsecure web servers out there.

Hmmm... leading me to believe that yes, maybe you are right. Maybe their developers ARE all lazy and stupid. After all, a multi billion dollar company like Microsoft (with unlimited resources) cannot even beat a web server created by HOBBYISTS??

Hang your heads in shame Microsoft. Beaten by a bunch of silly hobbyists :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:16 PM by Greg K Nicholson
Thoughts from Joe Firefox-User:
"I don't use IE, so IE security updates, such as SP2, don't apply to me. I won't bother installing them."
This is why web browsers should not be integrated with the operating system.

Also, does this thing show PNGs properly yet?

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:17 PM by Howard Marsh
Owen,
Since my WIN2K machine doesn't get a patch to IE, I'm going to leave it up in hopes it becomes a zombie and starts DDOSing Microsoft. :)

It's also funny that whenever they get hit by DDOS attacks, that they have to rely on Linux; the second large DDOS attacks hit Microsoft, they tell Akamai to act as a gateway and all of Akamai's machines run Linux.

Yet another example of how 'hobbyists' make a better product. Hell, one could say that it's the hobbyists that are pulling Microsoft's butt out of the fire time and time again. Which reminds me, when did they switch all their hotmail servers off of Linux?

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:20 PM by Owen

# Hobbyists

Tuesday, August 10, 2004 2:25 PM by David Ellingsworth
Wasn't the world wide web a hobby project by Sir Tim Berners Lee? After all, he gave that away for free. Damn hobbyists... always out thinking Microsoft. :)

# Innovations for Windows

Tuesday, August 10, 2004 5:25 PM by andedammen
"We also came up with a very original idea – popup blocking." Tee-hee. The IE blog doesn't just give a peek into...

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:31 PM by Devon
Call me a cynic, but I don't think that "popup blocking" remark was intended as a joke until it had to be defended. The context conveys it was serious, and many folks who don't know anything about alternative browsers will take that seriously (which could actually be misconstrued as a form of false advertising).

Altho, I admit it cracked me up better than a 7.9 earthquake.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:34 PM by Turnip
It's also funny how Microsoft see these hobbyists as their biggest competitors.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:38 PM by gerben
I installed SP2 already, no real problems encountered yet. Apart from my firewall (kerio) and my antivirus (kaspersky) not being recognized by security center. But judging by the 'firewall' you haven't got a clue about security. You just don't get it. This is not a firewall. This is intrusion detection. Which seems to work ok, apart from an open ident port (113). But there is no control of outgoing connections. Furthermore, applications can control the firewall and change exception rules. So once a trojan is inside, it can do virtually anything. It can switch off the firewall. But more sneakily, it can change the exception rules. So it can easily turn my computer into a zombie spam server, for example. With windows blissfully unaware of ANYTHING.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:40 PM by neuro
This has to be one of the most insulting posts I've read in a long time, and I hope it's not indicative of the general attitude within Microsoft. Writing off open source developers as "hobbyists" (I wouldn't call the engineering staff of the Netscape lineage "hobbyists"), claiming invention over pop-up blocking (if that comment was made in jest or with tongue in cheek, then the author really needs to learn how to emote better using only text) ... I think it's time Microsoft learnt some humility. Or don't they remember how many staff they had to pull off Longhorn to get this service pack out of the door with some measure of security built into it ...

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 2:59 PM by Robin
Thanks Tony for the update. Like François I'm interested as to what the direction of the IE team is going to be now. Any enlightenment forthcoming?

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:01 PM by Jesus Christ
"If you are just about to be one of those that adds another 'I can't believe Microsoft is to have invented the popup blocker' comment, then don't.

He was j-o-k-i-n-g ! "

And it was a completely lame, retarded, distasteful, and inappropriate joke for anyone to make within Microsoft.

These posts continue to be pathetic and show no signs of any understanding.

That's the point. IE has gotten so bad it's not funny. Tony should be apologizing, humbly asking for our business, not making asinine jokes.

And I and many others don't give a sh!t about SP2... We won't run it for many months on XP and many of us still run 2000. We don't like you rolling necessary fixes into an OS "fix."

Get some humility, IE team, or all of your efforts will still be reviled.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:01 PM by Jim
> Call me a cynic, but I don't think that "popup blocking" remark was intended as a joke until it had to be defended.

If you look carefully, there is an errant 'J' after that statement. Check the source code. What Tony/this weblog's software has done is include a letter J, and pick the Wingdings font to try and convert it into a smiley. That's an utterly stupid hack that often doesn't work.

What Tony/this weblog's software _should_ have done is use the actual smiley character, U+263A, which lets browsers pick a smiley from any available font, and isn't the letter J at all.

So the entire tone of the sentence has changed because they couldn't write correct HTML. So people flame Tony for blatantly lying. Meanwhile, those people that actually saw the smiley see people flaming Tony for trying to make a lighthearted joke.

You see why writing correct HTML and having browsers interpret it correctly is important?

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:10 PM by Owen
Jim,
Heh. Preaching to the choir Jim. I think we'd all like the IE developers to support W3C standards for pretty much everything. But will it happen? Doubtful. I'll believe it when I see SVG in IE.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:28 PM by Robin
Good catch Jim.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:48 PM by Carol
Service packs and security releases will come and go, but it’s the thought process that needs to change. The font-face fiasco is a symptom of a much larger problem. Learn how intelligent developers make wise choices to ensure interoperability:
http://bugzilla.mozilla.org/show_bug.cgi?id=194560

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 3:50 PM by Nala Regeork
Glad the SP is done and released I love it and who really cares who invented popup blockers (that's infantile) I am still analyzing all the changes and improvements (yup improvements) but, I will say this is definitely the best SP Microsoft has released. Too bad for the crakware, hackware, rubbishware that won't work for a while (or perhaps forever in some case I hope so) they are no loss and some is software I have protested against people installing. Everything I have and use is working just fine and I can feel a little more comfortable using IE again that's a bonus!

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 4:38 PM by lynn eriksen
Off Topic - Tony I read today on ZDnet.

http://zdnet.com.com/2100-1104_2-5304259.html

Since you cannot respond - at least consider this:

Considering the long wait between XP (2001), and Longhorn (I don't want to admit it - 2007), is it truly reasonable to wait 6 years for a new browser, and then have to wait another 4 to start relying on the features from the Longhorn install base (assuming IE is Longhorn only). That's 10 YEARS.

1) Is this a truly reasonable proposition for ASP.net developers?
2) Would this be a reasonable proposition for any other Microsoft product?
3) Why are development products such as Whidbey and Longhorn made public, but IE development is closed. (Not withstanding this blog - which is great).
4) Why do any comments made by MS regarding IE like in the article above consider only the 'clients' point of view and not the developers?

I could go on and on and on. I'm guessing that IE on Longhorn will rely much on the major security enhancements and new infrastructure (Avalon) to achieve most upgrades in rendering. I know that porting backwards would be very difficult. That's understandable. However, if you don't port backwards to XP (I can understand backporting to ONLY XP - that's reasonable) - you're not helping us at all. Considering XAML apps and their web friendly nature - helping web developers is probably not in your best longterm interest anyway. How easy would it be for us to jump to XAML in practice - but not in deployment.

Why should I type another line. It's like voting. It doesn't matter.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 5:02 PM by domovoi
"And one of the recent exploits to Mozilla was due to the underlying architecture of Windows being inherently insecure; the bug did not affect other systems."
So you're saying the URI RFC is inherently insecure? That's probably true (more like, it's not concerned with security), but it's still not an excuse for Mozilla to just pass unknown URI's to a different context.

"Microsoft has only ever been about taking other people's ideas. And if other people's ideas aren't up for the taking, Microsoft buys them out. (Example of Lookout posted)"
Pretty much all software companies these days take ideas from their competitors. As for Lookout, obviously the idea _was_ up for the taking if the owners agreed to the buyout. One of the co-owners is now part of the company.

"but I'll only consider IE to be secure once it's separated from the OS (completely! as in, I can remove it from my computer and my computer will still do everything else other than browsing with IE)..."
First of all, I assume you're expert enough about IE to know what separating it from the OS would mean? But please explain to me how that will increase its security. Honestly curious, I don't consider myself an expert.

Second of all, it'd be impossible to remove it now without breaking thousands of apps which rely on IE for html rendering. Unless those fine people at Mozilla can write their own version of mshtml.dll (that would actually be neat).

# Today's controversy is brought to you by the letter J

Tuesday, August 10, 2004 8:05 PM by JonGalloway.ToString()

# Internet Explorer in Windows XP SP2

Tuesday, August 10, 2004 8:23 PM by OdeToCode News

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 5:27 PM by Owen
Domovoi,
You know... I would TOTALLY be up for a Mozilla version of mshtml. That's a fantastic idea. It'd keep me on Windows a bit longer, that's for sure.

# Understanding Windows XP Service Pack 2

Tuesday, August 10, 2004 8:37 PM by Q Daily News
If you're hankering to understand the changes introduced by Windows XP Service Pack 2, you might want to take a look at the TechNet document dissecting the update, and also spend some time reading Tony Chor's higher-level description. (Chor is...

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 6:16 PM by Owen
Domovoi,
Allow me to explain how separating IE from the OS increases security:

1. IE (or at least the render engine) is used by a variety of programs.
2. IE is built into the system.
3. IE has unrestricted system access
4. IE is just about everyone's main interface with the web/internet

Do you see the insecurity yet? But wait... I'm not done. When you add ActiveX into the mix, a Microsoft standard that allows IE greater access to your system, you are playing with fire.

But to be more precise, allow me to quote this online article (amongst 20 that are saying the exact same thing):

"....That exploit -- Adodb.stream -- has not been viewed as particularly dangerous, since it only works when the file containing the code is present on the user's hard disk. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions.

By using the unknown exploits, code is installed within the help file window, all security efforts are bypassed, and the Adodb.stream exploit is then used to download files on the Internet direct to the hard disk.

What this means in reality is that if you click on a malicious link in an email or on the Internet, a malicious user can very quickly have complete control of your PC. And there is no patch available... "

Microsoft DID issue a patch but it did little good as all it took was changing 5 characters in the code to get it working better than before.

The latest version of IE has certainly accumulated an impressive record of holes: 153 since 18 April 2001. Now even spyware creators are making use of these flaws! It's gotten to the point that Microsoft cannot patch them as fast as they come in and when they patch them, they create all new holes to walk through.

In fact, the zero day vulnerability was a MYTH until IE proved it feasible!

# IE blog joke/flamebait, and get XP SP2 via BitTorrent

Tuesday, August 10, 2004 9:28 PM by redemption in a blog
Tony Chor, the Group Program Manager for the IE team, writes: We also came up with a very original idea – popup blocking. The idea was so ridiculous I knew it had to be a joke. And it was, when...

# Microsoft Internet Explorer Blog

Tuesday, August 10, 2004 9:32 PM by Pito's Blog
The Internet Explorer team at Microsoft has a blog. It's not too active yet. Still it's an example of why I like blogs so much. I mean: how else and where else could I get up to the minute information about what's going on with a product that affects me a lot? It's great!...

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 7:22 PM by Randy Charles Morin
That popup blocking thing is just funny. I think I put popup blocking in Juice about 1 1/2 years ago and in the Opencola browser more than 2 years ago. And there were a few blocker blockers even before then.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:18 PM by Tom
Reading this weblog has rendered me into a state of hysteria.

It just gets better when they claim that popup blocking is an original idea. And don't tell me that that was a joke. Everything else in that paragraph was very serious. (or maybe it wasn't, I mean, who ever thought IE doesn't allow "sites [to] change your home page without a user click?")

The idea of a virus that installs real browsers on computers(, etc.) is a damn good idea.

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 9:42 PM by snowknight
"In any case, it's definitely the most secure browser we've ever built and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.) "

Oops... I had forgotten about that. I take back what I said about "useful innovation" in one of the older blog entries. You guys are indeed innovating once again.

Wait a minute. That’s only in the nightly builds. I guess you guys are keeping an eye on the firefox development too, right? :)

# re: IE in Windows XP SP2

Tuesday, August 10, 2004 11:35 PM by ie
Any changes to html/css parser?

# Ladies sing the blues

Wednesday, August 11, 2004 3:35 AM by R Mutt from Hulver's site
Nudes vs. Prudes: westerners demand Baltic resorts cover up. [:(]
"Trying to play God with your bowels": 60 second time limit in ladies' toilets. [:o]
Windows SP 2: IE changes in brief, All changes [BX :(]
Lost Virginia Woolf essay... for the Good Housekeeping magazine...

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 1:49 AM by Ecl
> Off Topic - Tony I read today on ZDnet.
>
> http://zdnet.com.com/2100-1104_2-5304259.html
>
> Why should I type another line. It's like voting. It doesn't matter.
> lynn eriksen

Exactly, all we seem to do here will end up in longhorn and maybe xp, the rest of us don't matter to MS anymore. We've paid way too much for windows 95, windows 98 and windows 2000 that a free secure IE costs too much for mister $billions.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 2:05 AM by Simon Roe
Quote:
"And it was a completely lame, retarded, distasteful, and inappropriate joke for anyone to make within Microsoft.

These posts continue to be pathetic and show no signs of any understanding.

That's the point. IE has gotten so bad it's not funny. Tony should be apologizing, humbly asking for our business, not making asinine jokes. "

I think Microsoft should be more tongue in cheek about things like their pop-up blocking!

Did anyone see the Skoda adverts (shown in England over the past 2 years or so)?

One example was someone working in a factory with the job of putting a Skoda badge on the front of a car...and refusing to do it because he thought it was an insult to the car.

Until Microsoft comes up with similar advertising, they will always be stuck with this image of producing bad software. (oh and until they stop producing bad software as well!)

Who else is up for “my wife uses Mozilla” or “my other browser is GPL” bumper stickers?!

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 3:34 AM by Peter Reaper (click my name!)
Microsoft is playing catchup with security, and they are still WAY behind. If you want a browser that IS secure and truly innovative, and that doesn't do sneaky things behind your back ("index.dat" anyone?), then try (or at least LOOK at) Mozilla Firefox: www.GetFirefox.com ;-)

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 3:47 AM by Turnip
>Who else is up for “my wife uses Mozilla” or “my other browser is GPL” bumper stickers?!

Hell yes :)

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 3:57 AM by StuartD
Quote:
"IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser"

Oh, please. A browser which is embedded deep into the operating system is infinitely more vulnerable than a browser which runs as a normal program in a normal user context. That's a no-brainer, surely.

How long do you think it will be before a new 'critical exploit' is discovered? Also, how many exploits are *still unpatched* but not categorised as 'critical'?

I see you used the phrase 'pretty much any other browser'. I take it you must mean 'more secure than IE4, IE5, IE5.5 and IE6 SP1' because Mozilla browsers (e.g. Firefox) have inherently better security than IE and offer users a much greater level of protection and control over their privacy.

Stuart

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 4:48 AM by András
Heh. What about Windows 2000 users? What about Windows 98 users? It's just a joke. IE doesn't support the HTML, XHTML, CSS standards quite enough.

Is this without security holes, all "critical" security holes are closed? It's a joke again, because there are a lot of really critical holes that Microsoft hides, and says they're not critical.

It's a nice step, but nothing really useful.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 4:53 AM by parena
"We also came up with a very original idea – popup blocking"

I got pointed to this bit of nonsense by someone else. First reaction: "What the heck?" Second reaction: "What the heck?"

Please, don't post this nonsense. Other browsers have had this for a while already. It's nothing new and any decent browser should have it. ... hmmm, decent browser: no wonder IE didn't have it yet :D :D :D

And I agree on the security stuff: IE will not be more secure than any other browser, ever. Unless you make it unable to go on the net, that'll help.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 5:46 AM by Sassan
I want tab browsing in IE and also default popup blocker.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 5:50 AM by Sunlight
> Oh, please. A browser which is embedded deep into the operating system is infinitely more vulnerable than a browser which runs as a normal program in a normal user context.

Did I miss something here? IE runs as the local user, not "embedded deep into the operating system". Select something other than explorer.exe for your shell, run no programs that use IE's services, and IE will never load. Exploits on IE's side are mostly serious because you insist on running as local Administrator, not as a limited user account. No IE exploit is ever going to result in a local privilege elevation.

There's nothing 'inherent' in Firefox or Opera that make them more secure than IE. Once Firefox reaches a critical mass, the hackers will go to work on them, just as they have for Linux.

SP2 is really nice, and I wouldn't go back. The security updates are more than welcome. If you elect to use Firefox/Opera, that's your choice; for the rest of us, I think some praise for closing these holes is in order.

Now, for an encore, how about CSS?

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 6:22 AM by StuartD
> > Oh, please. A browser which is embedded deep into the
> > operating system is infinitely more vulnerable than a browser
> > which runs as a normal program in a normal user context.

> Did I miss something here? IE runs as the local user, not
> "embedded deep into the operating system".

Yes you did. IE runs if you use Windows Help & Support, Windows Media Player, and Outlook, Outlook Express among others - and all of these have had critical vulnerabilities because of IE.

> run no programs that use IE's services, and IE will never load.

Easy for you, less so for Jane User. Or don't ordinary users count?

> Select something other than explorer.exe for your shell

Ah, I see. And this is easier than using a secure browser, is it?

> Exploits on IE's side are mostly serious because you insist
> on running as local Administrator, not as a limited user
> account.

Well, I don't. But then I don't use IE, for the same reason.

> No IE exploit is ever going to result in a local privilege
> elevation.

Brave words!

> There's nothing 'inherent' in Firefox or Opera
> that make them more secure than IE

There is - they do not support ActiveX.

> Once Firefox reaches a critical mass, the hackers
> will go to work on them, just as they have for Linux.

Bring it on.

> Now, for an encore, how about CSS?

Dream on. If you wanted MSCSS on the other hand..

# Mozilla Moves ActiveX

Wednesday, August 11, 2004 7:46 AM by Owen
Well Mozilla is moving towards replacing ActiveX altogether by being the first to implement the W3C's Xforms standard into their browser

http://www.mozilla.org/press/mozilla-2004-08-10.html

Of course, all Microsofties may say that ActiveX does far more than that... and it does. But XForms replaces only what it NEEDS to do as far as the browser is concerned. It's a little thing that we people outside of Microsoft call security... but I don't expect Microsofties to get it.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 7:48 AM by fedUP
responding to Domovoi:

No, I'm not an expert, but for me the issue is equally about *choice*. Right now I get IE shoved down my throat if I buy Windows (and if you're in the market for a "consumer" computer, you're going to find a hell of a lot of Windows machines offered). I cannot remove IE, if I choose to, I cannot go to the Windows Update site except with IE, as a consumer I cannot protect myself from IE: I'm stuck with ActiveX, whether or not I like it, etc.

On the other hand, I *CHOOSE* to use Firefox, to use Mozilla, to use Opera, etc. and having the *CHOICE* is what *real* competition is all about! At least 2 non-Microsoft entities have been able to write capable, feature-rich browsers that *DO NOT* toy with the entire computer.

Are they perfect? No. Do they also have security issues? Yes...but generally speaking, these 2 entities (with FAR less resources than Microsoft) manage to close holes within an astoundingly short period of time, and do a much better job of advertising their security issues and fixes to the *general* public than does Microsoft.

As far as breaking thousands of apps that rely on IE, well not to sound uncaring, but...that's not my problem. I am able to do my online banking entirely with Firefox, because my bank has coded its secure site correctly - it's not just tied in with the proprietary financial self-interest of large corporations such as Microsoft...it seems just plain shortsighted, from a purely business point-of-view, to code *ONLY* for IE, because nothing on this Earth lasts forever, not even IE - for every app that relies on IE, there *will* come a day when its reliance on any single browsing platform (be it IE or otherwise) will come back to bite it in the...(well, you get the idea) - that's the beauty of *STANDARDS* (a somewhat foreign concept to the folks at Microsoft)

For more info on IE *in*security from someone who obviously knows more than I do, see Owen's comments responding to you.

I should say, in the interest of fairness, that I *like* how IE displays pages, and I wish I could trust it more than I do...but it's just too difficult to deal with from so many different points of view...it's sad...

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 8:18 AM by Aleksandar
"IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser."

Amazingly arrogant :(, to the point of unbelievable.

You people (IE team) keep saying this, that it's becoming really annoying. The sentence above should have read "...heck of a lot more secure than any other version of IE". That is all you can claim.

Other than that, congrats on new version. It's good to see that IE is back in development, no matter what it is.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 8:32 AM by Sunlight
> Yes you did. IE runs if you use Windows Help & Support, Windows Media Player, and Outlook, Outlook Express among others - and all of these have had critical vulnerabilities because of IE.

IE provides a HTML rendering and browsing environment to these applications. If you replaced IE in these applications with, say, Gecko, you merely exchange one set of vulnerabilities for another. If you want to rage against the trend for using HTML in applications, this is not the place; if you wanted to argue that IE was inherently bad, you failed.

> Ah, I see. And this is easier than using a secure browser, is it?

Your point was that IE was not running under the logged-in user's context. I don't recommend replacing your shell; I merely pointed out that you were wrong in that respect.

> Brave words!

Think about it before you reply next time. How do you get a local privilege elevation without a) a vulnerability in a service or b) a bug in the OS security subsystem, not an application?

> There is - they do not support ActiveX.

ActiveX is not inherently insecure, any more than DHTML or Java is, and I don't see you recommending we switch to Lynx. Some ActiveX controls have vulnerabilities; there have existed vulnerabilities in IE's implementation of the ActiveX interfaces - but in and of itself, ActiveX is orthogonal to security. It's not necessarily the best solution to the problem, but IE supporting ActiveX doesn't make it insecure.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 8:35 AM by Turnip
>SP2 is really nice, and I wouldn't go back. The security updates
>are more than welcome. If you elect to use Firefox/Opera,
>that's your choice; for the rest of us, I think some praise for
>closing these holes is in order.

Why should we praise them for closing the security holes? They should've never been there in the first place. Ok, I know, it's practically impossible to have a totally secure program, so it comes down to judgement about whether they made a proper effort with security in the first place, but most people think not.

And it seems that Tony Chor agrees:

"Should we have been more secure from the beginning? Sure, it's easy to say that now. When IE was first developed, compatibility and user experience were more important"

I'll just let that quote speak for itself.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 10:08 AM by Owen
Sunlight,
Gecko is better because it doesn't use ActiveX, has more developer eyes on the code at all times so it is more likely exploits will be found and patched quicker and isn't called by EVERY single Microsoft App.

ActiveX is inherently more insecure because it adds a layer to the browser that gives greater access to the machine itself and applications on the machine. And Javascript and Java have this potential too but because they are open standards, they can be controlled more easily than a closed standard that isn't used or supported by the W3C.

The problem is this... Microsoft doesn't like to stick to industry standards; they like to create their own (or their own little versions) and then try to muscle everyone into using their versions. Since Microsoft is known for its security (or lack thereof) no one adopts their standards. If all Microsoft products were so great, how come C# is so low on the Tiobe Programming index (and sinking fast too I might add).

The fact is that Microsoft started off as a desktop company and will always be a desktop company. They want your desktop to run everything, have everything built into the system and have everything interact. That's just one giant recipe for disaster. They have the right idea, but VERY VERY poor implementation.

Just last month Microsoft Money crashed and people couldn't access their bank accounts from their systems for 4 days! That and the fact that IE was sharing financial information with unknown sources should make everyone scared about how Microsoft handles security.

And contrary to popular belief, they have still yet to patch the download.ject exploit... and won't be able to without causing half the programs that run on Windows to break; it works through a shell call.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 10:36 AM by Michael
I hope it is striking to Microsoft that so many smart people with smart arguments discount their efforts, strategies, and products. Even with the natural dogpile that looms when Company #1 makes an announcement, there is much that has been articulated here that demands a meaningful response. I gather the meaningful response is an OS and a couple of years away.

At my office I'm seen as some sort of sorcerer just for pointing people toward Firefox. When people find that IE alternatives exist, in my experience they simply leave IE and feel great relief that their life has been made easier.

I'm not putting IE in the trash folder - dumb acceptance of users can mean dumb acceptance by web designers - but it's a web-page or two away from total worthlessness to my life and productivity.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 11:33 AM by Chun
Great browser - excellent improvements in SP2. I'm typing this on Firefox, but IE is now (finally) a safe browser to browse with. Perhaps, can Microsoft use the Gecko engine, though? It's a bit frustrating when pages don't load properly on Internet Explorer.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 11:33 AM by ian ward
I use the Microsoft.XMLHTTP object extensively in client-side scripting. Is this control unsigned? Is there any particular reason that it is unsafe and disabled by default?

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 11:40 AM by Owen
Heh. I think you just answered your own question with 'disabled by default'. :)

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 11:41 AM by Daniel Howards
Chun,
Um... hate to tell you this but the download.ject exploit still isn't patched; in fact it can't be patched without causing 50% of Microsoft apps to fail.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 11:43 AM by Daniel Howards
Oops... I'm sorry. I mean the SCOB exploit. Get those two confused because they were used in conjunction with each other in the latest series of attacks to grab financial information and credit card info off of home users' systems.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 12:24 PM by Stuart
Hi Sunlight

> > I said:
> > IE runs if you use Windows Help & Support,
> > Windows Media Player, and Outlook, Outlook Express

> You said:
> IE provides a HTML rendering and browsing environment to
> these applications. If you replaced IE in these applications
> with, say, Gecko, you merely exchange one set of
> vulnerabilities for another.

But that's not the case - these applications use the IE webbrowser control to script (possibly instantiate?) ActiveX objects. That is not 'HTML rendering'. If all IE did was render HTML there would be far fewer problems, don't you think?

These two vulnerabilities, for example, are old IE vulnerabilities which were (and probably are still) used to propagate viruses through Outlook/OE without user interaction:

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx
http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

Best wishes,

Stuart

# IE now complains about my local start page.

Wednesday, August 11, 2004 12:28 PM by Brian Sexton
The SP2 version of Internet Explorer 6 blocks my local start page JavaScript and a secondary page I have embedded via an OBJECT element, so my menus are broken and I can't see all of my own content every time I load the page.

It might be nice if I could permanently authorize these pages without authorizing all potentially threatening local content. Until then, Internet Explorer now annoys me 100% of the time I start it before I even get past my start page.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 1:39 PM by Jeremy Brayton
Sure IE has issues but does it do you or the IE team any good to express your problems with rage or hostility? No.

I guess the word civil in civilization no longer has any merit or meaning in America?

I have problems with the IE browser and I will admit it. I don't like the incompatibility with standards and much of the things already harped about here. Will the IE team accept my response if I yell about it, or will they be more open if I simply talk about it in a calm manner? I think if I were on the other side of the fence I would choose door #2.


You also have to understand the way things work in a company like Microsoft. Mozilla's only function is to work on its browser. They don't deal with things like OS security, or deal with the OS on a deep level. This keeps their coders focused on one thing and one thing only: one product.

Microsoft on the other hand is working diligently on Longhorn. The majority of their programmers are hard at work making that the best Windows platform yet (and it will be comparably). This means that while you have say 50 or so people working on the SAME VERSION of Mozilla you have x number of people at Microsoft working on the NEXT VERSION of IE. You compare apples and oranges if you try to compare the 2 camps this way.

Now let's get personal a minute. Say you have a company that is hard at work on version 2 of their product. You find out that you need a ton of security fixes pronto for version 1 of the product. Your coders have been doing so much work on version 2 that it's a learning curve to try and rethink how to update version 1. You don't have the resources to have a version 1 team AND a version 2 team so what do you do? You pull your coders off of version 2 to work on version 1 but you realize that there's a lot of work to go into making version 1 the best it can be. You do as much as you can knowing there could be more done and you move on in hopes that possibly version 1.5 or 2 will blow the pants off version 1.

I'll give you another analogy. Should you be pissed at the private who is following orders or the General who gave the order to burn the village? The majority of people posting to this blog and using it from the IE team are privates in Microsoft's army. There are generals who have given them orders and they are the ones you should be frustrated with, if you really think being angry does any good to anyone.

IE Team: Keep up the good work guys. Get some sleep, you deserve it.

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 2:01 PM by R
A bit further up the page Mr Scoble wrote:
"Just saw this article on Neowin: "Firefox has more security holes than Internet Explorer?"
http://www.neowin.net/comments.php?id=23124&category=main&zx=2542c9d0deeb1f09140206854"

I just had to respond ;) I hope Robert that you took the time to read the responses, particularly down as far as the one that pointed out that in terms of criticality IE was much worse. It must have taken a lot of effort to find that 4 month period because taken over a 12 month period IE does not fare so well - in fact if IE were not a Microsoft product the company producing it might well have gone bust (isn't that what happens after years of neglecting a product - for small companies anyway).

Slightly OT:
I was tempted to hint that if Microsoft released the IE source code under a reasonable open license that a lot of the missing features would be added very very quickly - but having thought about it a little more I came to the conclusion that if Microsoft has trouble finding people brave enough to face the IE source then nobody is going to volunteer their own time to do it. I don't mean to cause offense to the new IE team, I think you've got a great opportunity lined up for you here but ignoring older Windows OS' and concentrating on a product 2 years in the future will not do you any favours.

While I believe a lot of the reactions here are a little severe you MUST be able to understand *why* people are reacting the way they do. If you are honest with yourselves as developers how long does it *REALLY* take to add proper support for PNG? Yes I know it's very optimized but does that really make it impossible? If Microsoft has sense, and there is some reason to believe there is a little in there somewhere :), it will release 6.5 before or just after Christmas this year which is when I reckon the loss of desktops using IE will become really noticeable (unless that's the plan - let it die without losing face).

;)

# re: IE in Windows XP SP2

Wednesday, August 11, 2004 2:33 PM by Ted
There are several Trojans named SCOB, including one that is more commonly called Download.Ject. See the CAN-2004-059 advisory (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549) for details.

See Secunia for more details on variations (http://secunia.com/virus_information/10628/) and on the original zero-day exploit (http://secunia.com/advisories/11793/).

Microsoft is reporting that Download.Ject / CAN-2004-059 is fixed by the MS04-025 security update (http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx).

If you think Download.Ject isn't fixed by MS04-25, can you give a link that backs you up?

# re: IE in Windows XP SP2

Thursday, August 12, 2004 1:06 AM by hurafe
I use Firefox and I'm happy.

# re: IE in Windows XP SP2

Thursday, August 12, 2004 3:47 AM by Hsn
Mozilla Rulez ...

# Popup Blocker?

Thursday, August 12, 2004 4:13 AM by Firefox User
Yes, very original. Like other Microsoft inventions.

# Tony Chor on IE for SP2

Thursday, August 12, 2004 7:22 AM by Gen Kanai weblog
Tony Chor is the Group Program Manager for Internet Explorer. I'd imagine he has a team of at least 20-30...

# re: IE in Windows XP SP2

Thursday, August 12, 2004 5:27 AM by Retrospect
We also came up with a very original idea – popup blocking. <-- haahah look at me I'm so funny!!!

Bet you could have fixed a couple of important (X)HTML/CSS issues in the same time you wrote this article...

# Microsoft's "Very Original Idea"

Thursday, August 12, 2004 10:18 AM by MySpareBrain
Was just looking at a web site that Sammiches recommended on the basis of a quite cool strikeout feature for links you've visited, when I came across this blog by Tony Chor, Group Program Manager for IE team, which contains...

# re: IE in Windows XP SP2

Thursday, August 12, 2004 7:42 AM by bob
unbelievable as this may sound, for many of the ie blog comment trolls, a lot of people who use computers don't read ./ everyday, haven't got the time or inclination to learn what css or xhtml is. They want to browse the internet. And these aren't just gran + grandpas, these are lawyers, doctors, professors, people who aren't technical, but are equally and m