IEBlog

My Favorite IE Add-on: Mouse Gestures by Ralph Hare

ieblog — Fri, 13 Nov 2009 22:45:00 GMT

I spend a lot of time dealing with problems users encounter when using Internet Explorer. As a result, when I write about add-ons, I’m usually talking about misbehaving code that is wrecking the browser. However, it’s not all doom-and-gloom out there, and I’m delighted to share my favorite browser add-on with you.

I first came across Ralph Hare’s work when perusing the IE add-on sample code at CodeProject. Ralph and I both liked mouse gestures and wished that Internet Explorer offered them. For those of you who have never used mouse gestures, basically, they allow you to trigger commands like back, forward, refresh, etc, without using the keyboard or clicking on toolbar buttons or menus. While not everyone wants to use mouse gestures, some of us find them incredibly compelling. This sweet spot makes gestures the sort of feature ripe for implementation as an add-on.

Fortunately for all of us, Ralph is a great developer and he put together a fantastic gestures add-on for IE which has evolved and improved a lot over the last six years. I’ve installed his add-on on every computer I’ve used since discovering it, and I now find it annoying to use browsers that don’t support gestures. It’s an ironic turn of events for me, since I’ve been a keyboard snob for over a decade. :-)

What makes this add-on so great?

Respect for the User. The gestures add-on respects your existing browser settings, and does not attempt to change your default homepage, search provider, favorites, user-agent string, etc. There’s no junk (e.g. adware, unexpected toolbars, etc) bundled with it either.

Stability. I’ve tried out a lot of different add-ons over the years, but almost always end up uninstalling each after a few days because they’re unstable and result in occasional or frequent browser crashes. In contrast, Ralph has delivered a rock-solid implementation of gestures; the few bugs I’ve found have been fixed quickly and the updated versions are automatically offered using an automatic notification service.

Best Practices. Ralph’s code is compiled following best-practices for secure and stable add-ons, including linking with the /NXCOMPAT and /DYNAMICBASE flags to opt-in to DEP/NX and ASLR memory protections.

Performance. Many browser extensions are useful from time-to-time, but I’m not willing to suffer a performance penalty when not actively using an extension. For some types of extensions (menu extensions, toolbar buttons) this isn’t a problem, because the add-on code only loads when I actively use the add-on. However, an add-on like Mouse Gestures inherently needs to be available at all times, so high performance is an absolutely critical consideration.

Ralph’s Browser Helper Object (BHO) is written in native C++, and designed and coded for speed. After installing, check out the Load Time column inside the IE Tools > Manage Add-ons dialog:

As mentioned previously, the extension offers an auto-update mechanism, but Ralph ensures that this won't hurt startup performance. He does so by running the check in a background thread, and waiting for about a minute after tab startup to kick off the webservice call. Ralph also sets the NoExplorer registry key to prevent his BHO from loading inside Windows Explorer.

Even the default configuration is optimized for performance: by default, mouse trails aren’t shown, and if a user wants them, they can choose between basic trails:

which work fine with all video cards, and the slightly fancier advanced trails:

which work best with higher-end hardware.

Cross-Version Support. Mouse Gestures is compiled in both 32-bit and 64-bit flavors (installed individually) making the gestures add-on one of the very few available for 64-bit IE. The add-on works in all versions of IE and I’ve personally used it on Windows XP, Server 2003, Vista, Server 2008, and Windows 7 without problems.

Ease-of-Installation. The 32bit and 64bit installers together weigh in just under 1 megabyte. The add-on is packaged using the same NSIS installer that I use to install Fiddler.

If you decide you don’t like the add-on, you can easily uninstall it using the Add/Remove Programs control panel.

Customizability and Power. You can customize its options using the Mouse Gestures… item added to the browser Tools menu. The configuration dialog allows you to assign gestures to built-in actions, define new gestures or actions, and change the appearance of mouse trails.

The most common gesture I use is Down,Right which by default is bound to the Close Tab action. I’ve also bound the Down,Up and Up,Down gestures to the Toggle FullScreen Mode action; this is slightly simpler than hunting for the F11 key on my small but beloved Lenovo X200.

If you’d like, you can bind any gesture to open any of your browser Favorites in the current tab, or a new foreground or background tab.

One of the most powerful features of the add-on allows you to bind a JavaScript file to an action. I use this feature to bind a simple page cleanup script to the Left,Right gesture. When I’m reading an online newspaper or similar page with flashing images or other unwanted distractions, I simply hold the right mouse button and waggle the mouse—all of the images and flash objects are instantly removed, allowing me to read in peace.

Price. Mouse Gestures add-on is clearly a labor of love, and Ralph makes it available for free. If you’d like, you can help defray his web hosting costs using the unobtrusive “Donate via Paypal” link buried at the bottom of his site.

Conclusion

If you’re willing to get hooked on a new way of interacting with your browser, give Ralph’s Mouse Gestures add-on a try, and join me in thanking Ralph Hare for his great work!

Eric Lawrence

Participating at W3C’s TPAC 2009

ieblog — Tue, 03 Nov 2009 00:54:00 GMT

This week the W3C holds its annual Technical Plenary and Advisory Committee meeting (TPAC 2009). There will be about a dozen people from the IE team participating and this is a valuable opportunity to continue working together with other W3C members on the next generation of web standards. High quality specifications that improve interoperability between browsers are important. Our goal is to help ensure these new standards work well for web developers and will work well in future versions of IE.

We will participate in a number of browser related working group meetings including accessibility, CSS and HTML sessions. For many groups, this is the only face to face time participants will get and so this is a perfect time to put faces to email addresses. Held in Santa Clara, California this year, the close proximity to many of the companies involved in the W3C means a large number of attendees is expected.

Over the last few months, some of us in the IE team have been working through the HTML5 working draft reviewing the specification text. It is interesting to exchange ideas and help the specification become clearer and I am looking forward to seeing many of the people involved again. There has been a long discussion about the submission we made to the HTML working group about distributed extensibility. Tony Ross, the author of our discussion document, will be participating in a panel on extensibility with Jonas Sicking from Mozilla on Wednesday.

Eliot Graff, a lead technical editor for IE, who is helping edit an updated draft of the Canvas API document that Doug Schepers started will also be at the HTML working group meeting this week.

Kris Krueger, one of our lead test managers, has volunteered to help the newly formed Testing Task Force within the HTML working group. Having a comprehensive test suite that thoroughly tests a specification is a key step to ensuring implementations interoperate successfully. Kris will be taking part in the HTML working group meeting on Thursday and Friday.

Paul Cotton, who was recently appointed as a co-chair of the HTML working group as Chris Wilson changed his focus to programmability in the web platform, will also be with us at the TPAC to help the overall work.

On Thursday, the W3C has organised a Developer Gathering for web and application developers who don’t normally participate in the W3C to join discussions about web standards. In my experience the participation of web developers is extremely important to check the overall ease of use of the specifications and APIs being proposed as standards. One of our program managers, Sylvain Galineau, will be amongst the CSS Strike Force presenting CSS demos.

I don’t have room in this short blog post to mention everyone who will be involved this week but I’ve tried to give a flavour for the work that we will be participating in. Above all, it’s fun to hang out with people you mostly see only by email so there will be lots of hallway conversations and debates over lunch or dinner. I can’t wait.

Adrian Bateman
Program Manager

Now Available: IEAK8 can create custom Internet Explorer 8 packages in 19 additional languages

ieblog — Thu, 29 Oct 2009 23:49:00 GMT

We are pleased to announce that the Internet Explorer Administration Kit (IEAK) 8 now supports creating custom Internet Explorer 8 packages in a total of 43 languages. IEAK8 can be downloaded from http://ieak.microsoft.com.

Custom Internet Explorer 8 packages can be created in the following platform and language combinations:

Windows XP SP2 or SP3 x86:

Total languages:
- Arabic, Bengali, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hindi, Hong Kong Chinese, Hungarian, Indonesian, Italian, Japanese, Kannada, Korean, Lithuanian, Latvian, Malayalam, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Punjabi, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Telugu, Thai, Turkish, Ukrainian
New languages:
- Bengali, Bulgarian, Croatian, Estonian, Hindi, Hong Kong Chinese, Indonesian, Kannada, Lithuanian, Latvian, Malayalam, Punjabi, Romanian, Serbian, Slovak, Slovenian, Telugu, Thai, Ukrainian

Windows XP SP2 x64 and Windows Server 2003 SP2 x64:

Total languages:
- Chinese (Simplified), Chinese (Traditional), German, English, Spanish, French, Italian, Japanese, Korean, Portuguese (Brazil), Russian

Windows Server 2003 SP2 x86:

Total languages:
- Chinese (Simplified), Chinese (Traditional), Czech, German, English, Spanish, French, Hungarian, Italian, Japanese, Korean, Dutch, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Swedish, Turkish

Windows Vista x86, Windows Vista SP1 x86 , Windows Server 2008 x86, and Windows 7 x86:

Total languages:
- Arabic, Bengali, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hindi, Hong Kong Chinese, Hungarian, Indonesian, Italian, Japanese, Kannada, Korean, Latvian, Lithuanian, Malayalam, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Punjabi, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Telugu, Turkish, Thai, Ukrainian
New languages:
- Bengali, Bulgarian, Croatian, Estonian, Hindi, Hong Kong Chinese, Indonesian, Kannada, Latvian, Lithuanian, Malayalam, Punjabi, Romanian, Serbian, Slovak, Slovenian, Telugu, Thai, Ukrainian

Windows Vista x64, Windows Vista SP1 x64, Windows Server 2008 x64, and Windows 7 x86:

Total languages:
- Arabic, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian, Hong Kong Chinese
New languages:
- Bulgarian, Croatian, Estonian, Latvian, Lithuanian, Romanian, Serbian, Slovak, Slovenian, Thai, Ukrainian, Hong Kong Chinese

To create custom packages in these new languages, you’ll need to install the latest version of IEAK8.

Thanks,
Jatinder Mann
Internet Explorer Program Manager

IE October 2009 Security Update Now Available

ieblog — Tue, 13 Oct 2009 19:50:00 GMT

The IE Cumulative Security Update for October 2009 is now available via Windows Update or Microsoft Update.

This update addresses three privately reported vulnerabilities and one publicly disclosed vulnerability. The security update addresses these vulnerabilities by modifying the way that Internet Explorer processes data stream headers, validates arguments, and handles objects in memory. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Add-on Guidelines in action – AVG Security Toolbar

ieblog — Wed, 07 Oct 2009 02:47:00 GMT

The AVG Security Toolbar team has recently released a new version of their toolbar. It has a more predictable user experience and does a better job of allowing users to stay in control of their browser. It’s a great example of the Guidelines for add-on developers in action.

It’s encouraging to see the example set by the AVG Security Toolbar team. They’re building valuable add-ons for people and at the same time they’re respecting user choice. Here are some high level examples of the changes they’ve made in the new version of their toolbar:

It no longer takes over the search provider. Instead it uses the proper IE8 set default provider API so that users can choose their default.
The close button is visible so that users can manage it like other toolbars. Additionally, the toolbar is positioned in a supported location which improves stability and performance.
It no longer modifies the new tab page to maintain a predictable new tab experience for users.

Kudos goes out to the AVG Security Toolbar team. On behalf of our shared customers, thanks. Following the Guidelines and using supported extensibility points in this way means that people have a consistent and reliable experience that allows them to stay in control of their browser. This is exactly what we’d like to see from all add-on developers.

Before: Previous version of AVG Security Toolbar

After: Newest version (2.507.24.1) of the AVG Security Toolbar provides a predictable experience and lets users stay in control of their browser

-Paul Cutsinger and Herman Ng

Supporting Web Standards Development with SuperPreview

ieblog — Wed, 16 Sep 2009 02:03:00 GMT

This post is a guest post from Steve Guttman, of the Expression Web team. Expression Web has created an interesting tool, SuperPreview, which we thought the IE blog audience would be interested in.

Internet Explorer 8 is an important release because it reconfirms Microsoft’s commitment to interoperability and renewed emphasis on Web Standards. My team—which develops the authoring tool, Expression Web—is also pretty emphatic about Web Standards. We’re in the process of doing significant tooling (and retooling) so we can support existing and emerging specifications, reliably.

The Expression Web team recently shipped SuperPreview for Internet Explorer, a FREE tool for performing cross-browser debugging across Internet Explorer, including versions 6, 7, and 8. This tool also helps developers and site owners in migrating their sites from earlier versions of Internet Explorer to the standards-compliant Internet Explorer 8. This is a subset of the full version of SuperPreview (which also supports Firefox) and which ships with Expression Web 3. You can download it here. You can learn more about SuperPreview for Internet Explorer on the Expression Web team blog.

Thanks,
Steve Guttman
Product Unit Manager
Expression Web

Guidelines for add-on developers

ieblog — Wed, 09 Sep 2009 21:34:00 GMT

It’s well understood that the typical computer users today spend much of their time in their web browser, making it the most important software on their computer. Users expect their browsers to be easy to use, fast, stable and secure.

Over the past few months, users have downloaded thousands of great browser add-ons from www.ieaddons.com and other web sites. Users want to use browser add-ons to enhance their browsing experience, not hinder it or make it more confusing.

We have published a full list of guidelines to help add-on developers create quality add-ons. We created these guidelines to respond to demand from the developer community and to help share the thinking of the IE team, gathered from years of providing support to users and developers. We strongly recommend that developers follow these guidelines when developing add-ons for IE users. We occasionally come across add-ons that violate these guidelines so egregiously that we treat them as malware; on the other hand, we frequently see really helpful and creative add-ons that put the “user in control” and enhance the browsing experience. Here are the core aspects of our guidelines:

Do not limit the user’s ability to access Internet Explorer features

Users require access to the entire set of Internet Explorer features, including but not limited to: the address bar, search box and new tab page to navigate and search the Internet easily and safely. Users expect these features to be available to them at all times and our support data shows that users are confused and unhappy when these features are obscured or changed. Please don’t write add-ons that hide, obscure or limit access to Internet Explorer features.

Do not limit the user’s ability to control Internet Explorer settings

It’s important that users be able to control their browsing experience. We’ve provided many configuration options for IE users to help them set up their browser exactly how they want it and protect themselves from potentially harmful malware. (See previous my previous post on toolbars and search defaults)

To support this guideline, add-on software should not remove or limit the user’s ability to view and modify IE settings.

Only use supported APIs

Add-ons should only use supported Internet Explorer and Windows application programming interfaces (APIs), detailed on MSDN. Using an unsupported method of extending Internet Explorer or relying on implementation details in a specific version of IE may cause browser stability problems when Internet Explorer is updated. Also, when two add-ons try to use the same unsupported method of extending Internet Explorer they might crash the browser – our APIs are specifically designed to prevent this kind of problem.

Microsoft is committed to working with all add-on software developers to ensure that our mutual customers – you, the user – have a great experience when using Internet Explorer with add-ons. If you are developing or maintaining an Internet Explorer add-on, please review our guidelines and ensure that your add-ons deliver a good long-term experience for users.

Thank you,
Frank Olivier and Herman Ng
Internet Explorer Program Management

Preventing Operation Aborted Scenarios

ieblog — Fri, 04 Sep 2009 08:48:00 GMT

This post follows up on my original Operation Aborted post to provide some additional information and assistance for web site owners or 3^rd party script libraries.

Recap

Nearly a year-and-a-half ago, I blogged about an error that can occur on some websites that generate content via script. This content can cause Internet Explorer’s HTML parser to get into an unrecoverable state, which makes it doubly-hard to find and diagnose why this error is happening. When this state occurs, the HTML parser cannot continue, and simply throws up its hands and admits: “Operation aborted!”

Early in IE8’s development, we put in a mitigation that alleviated the worst side-effects of this problem. Rather than show a modal dialog and then navigate away from the page after you press OK, instead we removed the dialog and transferred the error notification into the status bar (to the script error notification area). As a result, you are not interrupted by a dialog and you can continue to view the current web page. You may not have even noticed that this error occurred; yet the HTML parser does come to a grinding halt (for that tab only) and any additional content will never be processed.

Not too long after IE8 was released, we began hearing reports of IE8 customers continuing to see the old operation aborted dialog! While we knew that we hadn’t fixed every possible scenario that could cause the dialog to appear (it’s triggered as a catch-all for many subsystems such as the navigation stack and networking), we believed that we had mitigated the worst-cases. With recent reports of users seeing the Operation Aborted dialog in IE8 we investigated further to find any additional scenarios that could be triggering the dialog to appear (rather than the script error mitigation).

In the following two scenarios, the root cause of the Operation Aborted issue is the same (for details, please read my previous post), but the way in which it happens in these scenarios causes IE to bypass the mitigation that we put in place for IE8.

Scenario 1: Nested Parsing after Operation Aborted

<html>
 <body>
  <div>
   <script type="text/javascript">
    document.body.appendChild(document.createElement('div'));
    document.write("Testing");
   </script>
  </div>
 </body>
</html>

In the HTML above, the effect of the first line of the script is to trigger the Operation Aborted problem. In IE8 this is mitigated as previously mentioned. However, if sometime later a document.write API call is issued as shown in the second line of script, all versions of Internet Explorer, including 8, will present you with the old operation aborted dialog.

Scenario 2: Operation Aborted in error handlers

<html>
 <body>
  <script type="text/javascript">
   window.onerror = function() {
    var el = document.getElementById("div2");
    el.appendChild(document.createElement("div"));
   }
  </script>
  <div id="div1"></div>
  <div id="div2" onclick="alert('hi';"></div>
 </body>
</html>

In this HTML file, a script error (in the onclick event handler) has a run-time error, which causes the window object's onerror handler to be invoked. In this scenario, if Operation Aborted is triggered in the error handler, the dialog will also show in IE8.

Programmatically Detecting Operation Aborted

When this error dialog occurs, it is very hard for web developers to find the problem and fix it. Often (and in most cases we’ve seen) the problem is introduced in third-party scripts that are referenced by the affected page. To help web developers quickly find and fix the problem, we’ve written a little script that should help.

This script must be run as the first script in the page that is experiencing the Operation Aborted error. It overrides the usage of innerHTML and appendChild by first checking the parsing frontier before allowing the action. AppendChild is by far the most common DOM entry point that can trigger Operation Aborted, followed by innerHTML. The script may flag false positives, but we wanted to err on the side of being overly cautious.

This script relies on a feature enabled in IE8 standards mode only—Mutable DOM Prototypes. Thus, it will only work for pages that use IE's most standards-compliant mode. See this post on compatibility view for more details on the mode that IE is interpreting your page in. However, the operation aborted problems that this script identifies (in IE8 standards mode) also apply to IE7 and IE6 thereby helping you diagnose and fix this issue in any version of IE.

To use the following script follow these steps:

Add a script element to the head of the page in question. This script element should be before any other script element on the page.
Place the following script text within that script element (or reference a file containing it from the src attribute)
Set the "f1" and "f2" feature values
1. Setting "f1" to true will skip DOM calls that could potentially cause the Operation Aborted error. However, this will also result in a change in program flow, and other script errors could result.
2. Setting "f2" to true stops program flow at the point of a potential Operation Aborted error and breaks into the debugger (external or built-in JavaScript debugger). This is where you can analyze each occurrence to see what assumptions were being made and how the program flow can be altered to prevent the problem.
In IE, navigate to the page in question.
Start the JavaScript debugger by pressing "F12" and then selecting the "Script" tab in the Developer Tools, and press the button "Start Debugging".

(function() {
    // Feature switches
    // WARNING: 'true' may cause alternate program flow.
    var f1 = PREVENT_POTENTIAL_OCCURANCES = false;          
    var f2 = BREAK_INTO_DEBUGGER_AT_POTENTIAL_OCCURANCES = true;
    if (!window.console) {
        window.console = {};
        window.console.warn = function() { };
    }
    var frontierCheck = function(host) {
        // Is host on the frontier?
        while (host && (host != document.documentElement)) {
            if (host.parentNode && (host.parentNode.lastChild != host))
            // This is not on the frontier
                return true;
            host = host.parentNode;
        }
        if (!host || (host != document.documentElement))
            return true; // This node is not on the primary tree
        // This check is overly cautious, as appends to 
        // the parent of the running script element are 
        // OK, but the asynchronous case means that the 
        // append could be happening anywhere and intrinsice
        // knowledge of the hosting application is required
        console.warn("Potential case of operation aborted");
        if (f2)
            debugger;
        // Step up two levels in the call stack 
        // to see the problem source!!
        if (f1)
            return false;
        else
            return true;
    }
    var nativeAC = Element.prototype.appendChild;
    Element.prototype.appendChild = function() {
        // call looks like this:
        //    object.appendChild(object)
        // Go back one more level in the call stack!!
        if (frontierCheck(this))
            return nativeAC.apply(this, arguments);
    }
    var nativeIH = Object.getOwnPropertyDescriptor(Element.prototype, "innerHTML").set;
    Object.defineProperty(Element.prototype, "innerHTML", { set: function() {
        if (frontierCheck(this))
            nativeIH.apply(this, arguments);
    }
    });
})();

We recognize that the operation aborted dialog and its mitigated cousin in IE8 are still the source of significant web developer pain. We hope this information and prevention script help you to diagnose and fix issues related to Operation Aborted in IE8 (and older versions of IE).

-Travis Leithead
Program Manager

Internet Explorer 8 is now available via Windows Server Update Services (WSUS)

ieblog — Wed, 26 Aug 2009 03:14:00 GMT

If you manage your organization’s PCs using Windows Server Update Services (WSUS) I’m pleased to announce that we have made Internet Explorer 8 available via this technology for the following languages and platforms:

Internet Explorer 8 releases on WSUS for August 25, 2009
Windows Vista	All supported languages
Windows Server 2008	All supported languages
Windows Server 2003	All supported languages
Windows XP	English; Arabic; Chinese (Traditional); Chinese (Simplified); Czech; Danish; Dutch; Finnish; French; German; Greek; Hebrew; Hungarian; Italian; Japanese; Korean; Norwegian; Polish; Portuguese (Portugal); Portuguese (Brazil); Russian; Spanish; Swedish; Turkish
Windows Vista and Windows Server 2008	Internet Explorer 8 Language Packs

On September 22, 2009 all supported languages will be available via WSUS, with the release of the following versions of Internet Explorer 8 for Windows XP:

Internet Explorer 8 releases on WSUS for September 22, 2009
Windows XP	Bosnian (Cyrillic); Bosnian (Latin); Bulgarian; Catalan; Croatian; Estonian; Hindi; Latvian; Lithuanian; Macedonian; Romanian; Serbian (Cyrillic); Serbian (Latin); Slovenian; Slovakian; Thai; Ukranian; Vietnamese; Albanian; Assamese; Basque; Bengali (Bangladesh); Bengali (India); Gujarati; Indonesian; Kannada; Kazakh; Konkani; Malay (Malaysia); Malayalam; Marathi; Punjabi; Tamil; Telugu

How do I control my Internet Explorer 8 deployment?

Internet Explorer 8 is available in the “Update rollup” category, and will appear in your WSUS administration console as follows:

Note that even if Auto-Approve for the “Update Rollup” category is on, Internet Explorer 8 will not automatically be deployed- you must approve the Internet Explorer 8 License Terms before Internet Explorer 8 is deployed to your downstream clients. As the Internet Explorer 8 License Terms are shared between all Internet Explorer 8 WSUS items, once you accept the license terms for any of the items, the remaining items may be approved without accepting them.

What other Internet Explorer 8 updates will be available via WSUS?

Today we have also released the standalone Language Packs for Windows Vista and Windows Server 2008 to WSUS under the “Update” category. Also, cumulative security updates for Internet Explorer 8 and Internet Explorer 8 Compatibility View List updates will be made available via WSUS as they are released.

Where can I find more Internet Explorer 8 deployment information?

Visit the Internet Explorer TechNet Center – among other useful resources you’ll find an Internet Explorer Deployment Guide and information about the Internet Explorer Administration Kit which explains how to generate a MSI installer and distribute it using Systems Management Server or Group Policy.

Eric Hebenstreit
Lead Program Manager

Update 8/26: changing references to EULA to License Terms.

Real-World Protection With IE8’s SmartScreen Filter™

ieblog — Thu, 13 Aug 2009 23:48:00 GMT

Back in March, I posted a note to the IEBlog when the pre-release version of IE8’s SmartScreen Filter had delivered its 10 millionth malware block. Today, I’m happy to report that IE8’s SmartScreen Filter has delivered more than 70 million blocks in the first four months since IE8’s official release, for a cumulative total of 80 million blocks. This data is a strong indication of the value of the protection SmartScreen provides, and of just how widespread socially-engineered malware attacks are on the web today.

While we were proud of the work that went into SmartScreen leading up to IE8’s release, we knew that it was only the beginning of our efforts. Microsoft’s commitment to Trustworthy Browsing didn’t end when we signed off on the final IE8 code-- the reputation services behind SmartScreen represent an ongoing investment that we strive to improve every day.

Eighty million blocks is an incredible number of attacks thwarted-- each malicious download blocked helps prevent compromise of that user’s computer. The other key numbers that I announced in March are holding strong, even with a rapidly expanding user base:

IE8 is delivering a malware block for approximately 1 out of 40 users every week
Approximately 1 of every 200 downloads is blocked as malicious

If you’re not running IE8’s SmartScreen Filter, I believe you are missing a key piece of protection to help ensure your safety on the Internet. IE8 users can ensure that SmartScreen is enabled by clicking on the toolbar's Safety button (or if you're in Show Only Icons mode) and examining the SmartScreen Filter submenu. If a “Turn on SmartScreen Filter” item is present, click it to enable protection.

Malware Block Effectiveness

Heading into the launch of IE8, the engineering team commissioned an independent study of SmartScreen Filter by NSS Labs. Our objective was to gather an accurate and independent baseline measurement of SmartScreen’s protection against socially engineered malware attacks. That baseline, run against the IE8 Release Candidate, allows us to validate our investments in improved intelligence and technology. Since then, we’ve made major investments in malware intelligence and rapid response systems to provide an ever-increasing level of protection for users.

NSS Labs has just completed a second round of studies on socially engineered malware attacks, and I’m happy to share the results. In this latest test pass, NSS found a 12% improvement in SmartScreen’s protection levels. Here’s the data from NSS Labs on the malware block rate for major browsers:

Microsoft’s reputation services team has other significant investments staged to launch in the next quarter, so I expect even better results in the near future.

Phishing Block Effectiveness

We’ve spent quite a bit of time talking about the socially engineered malware threat because it is currently the biggest problem users face. However, phishing remains a prevalent and important threat to users as well. We’re continuously making improvements to our data sources and intelligence systems that deliver phishing protection. This continuous investment keeps IE in the market-leading position it established with the release of the Phishing Filter in IE7. Since then, Internet Explorer 7 and 8 have blocked over 125 million phishing attacks.

The newest NSS study included a test pass for phishing blocks. NSS Labs reported the following block rate for major browsers:

You can view the full NSS study at http://nsslabs.com/browser-security.

I hope that the internal data I’ve shared today and the results of the NSS testing are a clear indicator of our commitment to Trustworthy Browsing, and our ongoing execution against that promise.

Thanks,
-Eric Lawrence

Engineering POV: IE6

ieblog — Tue, 11 Aug 2009 03:42:00 GMT

The topic of site support for IE6 has had a lot of discussion on the web recently as a result of a post on the Digg blog. Why would anyone run an eight-year old browser? Should sites continue to support it? What more can anyone do to get IE6 users to upgrade?

For technology enthusiasts, this topic seems simple. Enthusiasts install new (often unfinished or “beta”) software all the time. Scores of posts on this site and others describe specific benefits of upgrading. As a browser supplier, we want people to switch to the latest version of IE for security, performance, interoperability, and more. So, if all of the “individual enthusiasts” want Windows XP machines upgraded from IE6, and the supplier of IE6 wants them upgraded, what’s the issue?

The choice to upgrade software on a PC belongs to the person responsible for the PC.

Many PCs don’t belong to individual enthusiasts, but to organizations. The people in these organizations responsible for these machines decide what to do with them. These people are professionally responsible for keeping tens or hundreds or thousands of PCs working on budget. The backdrop might be a factory floor or hospital ward or school lab or government organization, each with its own business applications. For these folks, the cost of the software isn’t just the purchase price, but the cost of deploying, maintaining, and making sure it works with their IT infrastructure. (Look for “nothing is free” here.) They balance their personal enthusiasm for upgrading PCs with their accountability to many other priorities their organizations have. As much as they (or site developers, or Microsoft or anyone else) want them to move to IE8 now, they see the PC software image as one part of a larger IT picture with its own cadence.

Looking back at the post on Digg, it’s not just IT professionals. Some of the ‘regular people’ surveyed there were not interested in upgrading. Seventeen percent of respondents to the Digg IE6 survey indicated that they “don’t feel a need to upgrade.” Separately, a letter to a popular personal technology columnist last week asked if people will somehow be forced to upgrade from their current client software if it already meets their needs.

The engineering point of view on IE6 starts as an operating systems supplier. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments. Many people expect what they originally got with their operating system to keep working whatever release cadence particular subsystems have.

As engineers, we want people to upgrade to the latest version. We make it as easy as possible for them to upgrade. Ultimately, the choice to upgrade belongs to the person responsible for the PC.

We’ve blogged before about keeping users in control of their PCs, usually in the context of respecting user choice of search settings or browser defaults. We’ll continue to strongly encourage Windows users to upgrade to the latest IE. We will also continue to respect their choice, because their browser is their choice.

Dean Hachamovitch

Engineering POV

ieblog — Mon, 10 Aug 2009 23:05:00 GMT

To date, this blog has focused on the engineering specifics of what we've done with the IE product. From our point of view, it's been a useful forum both for talking and listening. Looking at the comments, we can understand what makes sense to readers and where we need to be clearer.

At the same time, we've seen many questions about broader topics, like IE6, HTML5 and other standards, or benchmarking. With IE8's release and Windows 7's "sign-off," now is a good time to add another kind of blog post. We want to use these posts to share our Engineering Point of View about broader topics and see feedback on them ahead of the next release.

Why? For many web technology questions, finding many passionate and often contradictory opinions is easy. For example, just on the topic of video codecs within HTML5 (much less the rest of the spec), finding strong language from smart people disagreeing with each other is easy. This blog is from the IE engineering team, and everything we write here continues to be from the “Engineering Point of View.” We simply want to be clearer about what we’re thinking and what we balance as we build and service IE.

Your comments are always welcome. We read all the comments on this blog (and many of the posts and comments on many other blogs). We'll also keep posting and reading comments on specifics, like How to make IE open tabs faster and How to log into two webmail accounts at the same time. Comments about other posts you’d like to see are also always welcome.

Thanks –
Dean Hachamovitch
General Manager

Internet Explorer July Out-of-Band Cumulative Security Update

ieblog — Tue, 28 Jul 2009 22:30:00 GMT

Internet Explorer is releasing an out-of-band update available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses three privately reported vulnerabilities which could allow remote code execution. The security update addresses the vulnerability by modifying the way Internet Explorer handles objects in memory and table operations.

In addition, the update includes two defense-in-depth protections against known techniques that are able to bypass ActiveX Security Policy when ActiveX controls have been created using certain Active Template Library (ATL) methods in specific configurations. The first defense-in-depth is enabled by default and modifies how ATL-based controls read persisted data. The second defense-in-depth is disabled by default and offers the ability to regulate usage of the IPersistStream* and IPersistStorage interface implementations within individual controls.

For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer except Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003 and Windows Server 2008.

Terry McCoy
Program Manager
Internet Explorer Security

Update 5:41pm: removing * from IPersistStorage

Check Out the New Developer Tools Tutorials

ieblog — Thu, 23 Jul 2009 20:00:00 GMT

I’d like to invite you to check out the new tutorials added to the Developer Tools content. These tutorials are written to help you quickly learn how to use the Developer Tools to solve Web page issues. Each tutorial is set up to focus on a programming problem to solve, such as changing text on the page, update a CSS class, or inspect a Jscript variable. You can follow the step-by-step instructions provided to learn how to use the Developer Tools to solve these and similar problems.

Hi, my name is Duc “Cash” Vo, a Programmer Writer on the Internet Explorer team and I’m excited about developing content for the Developer Tools. As a Web developer, I’ve long wished for an integrated developer tools, and I got my wish in IE8! This is my first time posting to the IEBlog, and I look forward to discussing features and improvements for the Developer Tools with this community.

With the release of each beta for Internet Explorer 8, you might have read about the Developer Tools’ features and benefits on MSDN, and you may even have tried them out. (But just in case, if you haven’t done so, it may be to your benefit to check out the Developer Tools on MSDN now before you proceed.) With the final release of IE8, we’ve written a series of tutorials and created a “sandbox” for you to play in.

We categorize tutorial topics based on your Web site’s problem sets that you can resolve using the Developer Tools. We also title our topics based on tasks you as a web developer might want to perform. For example, under the HTML section, you’ll see topics such as:

I want to change the Item header to Item Description.
I want to center align all of the prices.
I want my Price Total field be a read-only element.

Similarly, under the CSS section, you’ll see topics such as:

I want to update the .listingsTable class.
I want to add a new class .price and have it apply to the Price column.

Head over to the Developer Tools tutorials at http://msdn.microsoft.com/en-us/library/dd565631(VS.85).aspx and have some fun. Once you’re done, we’d love to hear about your experiences using these tutorials. Let us know how can we make them more useful for you, and what scenarios and skills would you like us to add.

Until next time,

Duc (Cash) Vo
Programmer Writer
Internet Explorer

Update on the Compatibility View List in Internet Explorer 8

ieblog — Tue, 21 Jul 2009 23:24:00 GMT

I’ve written a few posts about the Microsoft-supplied Compatibility View List on the IEBlog, calling out the what, how, and why of the feature. I wanted to take this opportunity to bring the community up to speed on what’s transpired since Internet Explorer 8 released back in March of this year and talk a little bit about the future actions planned for the list.

The Story So Far…

Let’s start with a quick recap of the feature... by default Internet Explorer 8 displays web content using its newest, most standards compliant mode. The problem is that some of today’s web pages expect the older, less interoperable behavior from Internet Explorer , handing this latest version of Internet Explorer code meant for older releases of the browser. The result is web pages that might not function correctly in ways ranging from just looking a bit misaligned to not working at all. During the Beta cycle, we introduced the Compatibility View button, which allowed savvy end-users to resolve compatibility problems they might encounter as described above. Despite all of our activities around site outreach, we saw telemetry data that indicated users still had to use Compatibility View in the course of normal browsing. Of particular concern was button use on popular / critical (banking, government, etc…) sites that users rightfully expected to “just work” in Internet Explorer 8. To give users the best possible experience, we combined telemetry data about Compatibility View button presses with other feedback sources – customer-filed bugs, Report a Webpage Problem data, our own compatibility testing, etc… - to create a list of sites that were likely best displayed in Compatibility View. The list’s not enabled by default - users must opt-in to the feature (known simply as the Compatibility View List or Compatibility List, in other documents) as part of the first run experience or later by selecting ‘Include updated website lists from Microsoft’ at Tools -> Compatibility View Settings. For those that chose to do so, Internet Explorer 8 displays sites on the list in Compatibility View rather than the default “best standards mode”. In other words, it’s as if the user pressed the Compatibility View button for sites on the list with the benefit that the end user avoids having to first experience a website compatibility failure to make the determination that these particular sites are best viewed in a non-default manner. You can view the list currently available on your Internet Explorer installation by typing ‘res://iecompat.dll/iecompatdata.xml’ into the browser’s address bar.

Compatibility View List Updates Since Internet Explorer 8’s Release

Though the originally stated list update frequency was about every two months, we’ve actually kept a brisker pace, delivering an updated list about every month. There are a few reasons a faster cadence immediately following Internet Explorer 8’s release has made sense –

To be extra-responsive to end-user and site administrator feedback. The Compatibility View List is still relatively new and we wanted to be as agile as possible in responding to list edit requests.
To align with Windows 7’s Release Candidate build. The Internet Explorer team shipped a Compatibility View List update in May specifically to coincide with Windows 7’s Release Candidate; prior versions of the Compatibility View List were only available for Windows XP and Windows Vista (and corresponding server versions).

Going forward, we expect to return to the originally stated cadence. A spreadsheet, available from the Microsoft Download Center, provides transparency into the changes that have been made to the list since its creation. The spreadsheet also contains targeted guidance for sites on the list including step-by-step instructions for performing compatibility testing with and without the Compatibility View List active and the list removal process.

Changes to the Site Removal Process in Upcoming Compatibility View List Updates

Since the list’s inception, the criteria for site removal has been site owner request (process documented here). Going forward, we’re adding a second way that sites can get removed from the Compatibility View List: basic user experience testing.

For several months now, the Internet Explorer team has been doing basic user experience testing for all sites listed on the Compatibility View List. The test methodology is straightforward: in each test pass a tester starts at the home page of a site and examines a set of pages that follows the core user experience for that website. For example, on a video sharing site the core scenarios include watching a video, rating a video, commenting on a video, sharing the video link with a friend, etc… and the tester will browse around the site completing each operation. On each page visited, testers check for visual and functional issues by performing comparisons between Internet Explorer 8 modes (Internet Explorer 8 Standards and Compatibility View) and between browsers. Doing these comparisons aids in determining what working / not working looks like, which isn’t always obvious on sites / pages the tester isn’t super-familiar with. A grading system tracks the type and severity of problems, ranging from ‘no problems found’ to ‘scenario doesn’t work’. Subsequent test passes combine revisiting pages that were previously identified as having compatibility issues as well as augmenting with new pages.

The question of how much of a site one needs to test to determine compatibility is a difficult one. While it's somewhat straightforward to prove the presence of a compatibility problem, it’s decidedly

less so to prove the absence of one. In other words, if a tester finds a compatibility problem, there’s a problem. But, if a tester doesn't find a compatibility problem, does that mean there isn't a problem or that the tester just didn’t visit a page that happens to demonstrate one? By charting the compatibility “scores” of the tested sites over time and by traversing a different set of pages in subsequent test passes, we’ve grown more confident in our ability to gauge the type of compatibility experiences Internet Explorer 8 users are likely to have independent of the Compatibility View List.

Conclusion

With the next Compatibility View List update you’ll see a new designation for site removal in the tracking spreadsheet – “Removed per Microsoft testing” - indicating that our test passes have not found a compatibility issue for some time and so we’re removing that site from the Compatibility View List. We’ve stated previously that we view the Compatibility View List as a short-term solution and believe that adding this additional site removal criteria helps us achieve this end while at the same time ensuring that users continue to have a great compatibility experience.

Scott Dickens
Program Manager