IE Developer Responds to Mozilla Accusations

sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'

MS needs to change windows fundamentally

[filmmaker]

No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.

And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's is the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things exlpodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.

Re:MS needs to change windows fundamentally

[crayz]

It's so much better this way though. Apple can take things like BSD and Mach and KHTML and H.264 and build on them and make great things cheaply, and Microsoft can spend 10 times the R&D and build it all from scratch, and still wind up with something that sucks compared to what Apple made

Re:MS needs to change windows fundamentally

I've been saying this for 5 years and I'm always roundly ridiculed for it, but I'll say it again.

By 2015, Microsoft will be open source, and most likely, Linux will be its kernel.

Re:MS needs to change windows fundamentally

[Dr.+Evil]

How much RAM does it take to get a system tray icon to appear in Gnome or KDE?

Linux on the Desktop can nearly match Windows feature for feature now, but it can no longer claim low resource requirements while doing so.

IMHO, Mozilla or even firefox is a heavier app than IE. Once running, they're faster (to a trained eye) but sometimes, when pulling out of swap, they will still slug along.

No, the reason to go with Mozilla or Firefox is not performance. It, for me, is everything from reasonable error messages, to being able to control the junk which finds its way on to my machine, to standards compliance.

Re:MS needs to change windows fundamentally

[21chrisp]

OSX takse up it's fair share of RAM. More than XP or any other OS by my experience.

Re:MS needs to change windows fundamentally

[filmmaker]

Honestly, I use a patched Windows 2000 Pro. I do video editing and all kinds of stuff with a 64MB RAM nvidia video card from 2001 and half a gig of system RAM. Win2K Pro is hands down the finest product MS ever released for my dollar. Well, I like MS Money too. It's not all doom and gloom.

Re:MS needs to change windows fundamentally

[A+beautiful+mind]

Uh, isn't that a bit, just a tiny bit favoring apple? I"d be all for it, but to be honest it's not how things look like atm.

First of all, the price could be argued, second of all. it seems that you're advocating the FOSS power as a base or foundation for an operating system, rather than apple's talents.

Re:MS needs to change windows fundamentally

[ettlz]

By 2015, Microsoft will be open source, and most likely, Linux will be its kernel.

I think this is unlikely. The underlying NT is quite well-designed (originally by David Cutler of VMS, amongst others, as I believe), and a reasonably flexible system upon which to develop applications. Microsoft's not going to give it up any time soon. It's what's run on top that's wrong with Windows.

Re:MS needs to change windows fundamentally

[at_slashdot]

I don't think we accept airplane crashes. We don't even accept space shuttle crashes. We want 0 crashes, it's not like "it's ok to have a crash each x number of flights"

Re: MS needs to change windows fundamentally

I used to run it in half that, and it worked just fine thanks.

This is where every damn discussion about bloat ends up.

"[Product] is bloated. I tried to run it on a [X] Mhz system with [Y] MB of RAM, and it was painfully slow. I was so frustrated that I wanted to take a sledgehammer to my computer."

"I don't know what you're talking about. I ran [Product] on a [X/5] Mhz system with [Y/3] MB of RAM, and I thought it was great. I was singing praises to the makers of [Product] for the incredible amount of attention they paid to efficiency."

In the end, you never know who's right, so none of the comments are worth reading.

Re:MS needs to change windows fundamentally

[rhizome]

>Uh, isn't that a bit, just a tiny bit favoring apple? ...
>First of all, the price could be argued

What's not to favor? I don't believe the price *can* be argued. It could at one time, but not anymore. Once Apple incorporated IDE into their machines the prices have been on par with Intel machines. It's true, it's just the perception of Apples as more expensive that persists. I have a maxed out 12" PowerBook that cost $2k brand new. This is about what I'd expect to pay for a nice Intel laptop with similar specs and is probably quite a bit cheaper than Sony's offering at this level. Apple doesn't offer a $500 WalMart PC, it's true...oh wait, scratch that (and don't gripe: you already *have* a mouse, monitor and keyboard).

>second of all. it seems that you're advocating the FOSS power as a
>base or foundation for an operating system, rather than apple's
>talents.

Where are you drawing the line? If I take this statement at face value, you're advocating homegrown-only development without considering that Apple's talent here might consist of being able to *choose* FOSS power. Microsoft seems to have painted itself into such a corner so that this option is not available to them at all. That's not a good position to be in when your whole stated development methodology revolves around interpreting what customers want. OS X is eating Microsoft's lunch in this regard.

The developer in the article is trying to backtrack out of Microsoft's age-old discourse about IE being part of the OS. Well, now they call it an API, big whoop. Semantics aside, the thing (whatever it's called now) that Microsoft has built to express this API is a security-lacking bug-riddled piece of shit. I don't think anybody would argue that, even if they can't think of a way to change it. Bill or Ballmer should be writing these things, and the fact that they aren't should tell you something.

Re:MS needs to change windows fundamentally

[Aumaden]

I don't think we accept airplane crashes. We don't even accept space shuttle crashes. We want 0 crashes, it's not like "it's ok to have a crash each x number of flights"

"Want" and "Tolerate" are quite different things. We "Want" no crashes, but what is "Tolerated" is quite another thing. The space shuttle program has been grounded for 2 years now. Tolerance there, clearly zero. What would happen if that tolerance was applied to air travel?

I expect much of that is influenced by the media. The space shuttle crashes and you'll see the footage played again and again for days. A major airliner crash will make the evening news for 2, maybe 3 days. Automobile fatalities will rarely make the news at all.

Re:MS needs to change windows fundamentally

[gbjbaanb]

NT 3.51 had that separation of userspace and kernel, and it was completely solid. Of course, it ran the old Windows 3.1 GUI.

NT4 came along and adopted the Win95 GUI, and I guess people at MS thought, lets make this a desktop OS as well as a server one. So, much userspace stuff was merged with the kernel and speed and responsiveness did improve. Of course, this means that the original design is 'broken', but on the other hand, if you consider that NT4s design was that you trade speed for stability, then its not flawed at all.

You can talk about kernel/userspace/rings and design all you like, but all of us live in the real world where real work is done, not in some academic perfect environment where real-life tradeoffs don't need to be considered in an elegant design.

BTW. What about the Linux kernel... not exactly a micrkernel now is it, but no-one's mentioned that. (not that I care - its not what you have, its how you use it that matters to me).

Re:MS needs to change windows fundamentally

[douglips]

Of course we accept airplane crashes. When an airplane crashes, air travel is not affected by any measurable amount - people still travel. The only event in memory that noticeably affected air travel was when a bunch of troglodytes hijacked 4 airplanes in one day and used them in spectacularly heinous attacks.

The only reason we want zero space shuttle crashes is because there are only three shuttles. United Airlines, American Airlines, Continental Airlines, Delta Airlines, and Southwest Airlines have about 3000 aircraft, and let's say they fly an average of 3 legs per day.

If we had a fleet of 3000 space shuttles flying 10,000 missions a day, we certainly would accept 1 crash every twenty years.

Re:MS needs to change windows fundamentally

Pardon me, but your ignorance is showing. VMS was touted as one of the better OS's in its day. It was stable, running for months at a time. Security was addressed routinely. Many of the features you see in today's OS's were ripped from VMS. I'm not saying that VMS didn't borrow from other OS's, that just to be expected, but you obviously never studied VMS internals or progressed very far in developing software for it. DCL was like any scripting language. It was certainly a hell of a lot further along than any of the *nix scripting languages. It may not have had pipes, but so what... they could be implemented with file i/o (just as pipes were done under *nix).

The NASA worm (WANK) spread at a time when networking was pretty infantile and the assumption was everyone on the network was "friendly". This was a time when computers were used to accomplish tasks, not to serve as playgrounds for groups with an agenda (anti-nuclear, political, etc).

Re:MS needs to change windows fundamentally

What a bunch of twat. From the apple store:

Dual 2.5GHz PowerPC G5
1.25GHz frontside bus/processor
512K L2 cache/processor
512MB DDR400 SDRAM
Expandable to 8GB SDRAM
160GB Serial ATA
8x SuperDrive
Three PCI-X Slots
ATI Radeon 9600 XT
128MB DDR video memory
56K internal modem

3000 bucks.

That's with 512mB.

First off, you're comparing the very tippy-top high end where the x86 processors jump up by $300 bucks for just an extra 0.1 ghz. At that price point, yes, the ridiculous premiums Apple takes seem relatively less ridiculous because you're already paying huge premiums on just the processor.

(BTW, I don't know exactly how comprable Opterons and G5's are clock-for-clock, but I'm guessing it's a give and take situation. I'm basing this assumption on the trend that this is the usual situation between Apple and PC processors.)

If you're willing to settle for--horrors--a 2.4ghz dual opteron box with 2gB (NOT 512mB), these baselines parts (w/motherboard) can be had for under $1800. That's rounding up.

Now consider what you can buy with the remaining $1200. If you're insane and like spending huge premiums for processors that go just a bit faster rather than spending the money on a decent (or great) video card, then Apple is not a bad choice. (Actually, same applies for the PC vendors like Dell.)

As for a dual 2ghz Opteron base system, that goes for under $1000. Compare the system built off of that to Apple's no-frills $2500 dual 2ghz baseline.

As for the Windows tax, first, OEM WinXP Pro goes for $140 on Newegg, so no reason to spend $300; second, isn't this Slashdot?

Re:MS needs to change windows fundamentally

[batkiwi]

toddestan below my replied about theme service, but do THIS to put windows into "turbo" mode:

Right Click on "My Computer"->properties
"Advanced" tab->"Performance" box->"Settings" button
"Visual Effects" tab->"Adjust for best performance"

Click apply/ok, and enjoy XP which has no eye candy and is even faster than 2k/98.

Hmmm

[That's+Unpossible!]

I can't figure it out. Is Dave playing dumb, or is he really dumb?

The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone that works on IE from trying to claim it is not part of the OS? Oh, we're going to get down to nit picking. Yes, yes, yes IE is not part of the kernel.

However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.

And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.

Re:Hmmm

[gowen]

IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.

But the same is true of a core Unix library, like libc. It's exposed to data from wild sources, like DNS records in gethostbyname(), and yet it doesn't seem to have the same history. Similarly, the KDE GUI libs and libkhtml (for example -- or the equivalent Gnome ones) perform the many of same functions as IE's DLLs, without anything like as many security holes.

Fact is, IE is a security disaster because it's badly written, not because exposing common rendering components to HTML code in the wild is necessarily a bad idea.

Re:Hmmm

[That's+Unpossible!]

But the same is true of a core Unix library, like libc. It's exposed to data from wild sources, like DNS records in gethostbyname(), and yet it doesn't seem to have the same history.

Uhh ok, well I wasn't defending IE, but anyway I will on this count. Are you honestly trying to compare a full-featured web browser to libc?

Fact is, IE is a security disaster because it's badly written, not because exposing common rendering components to HTML code in the wild is necessarily a bad idea.

My point was if you have many OS components that rely on this poorly written software and interact with it in a trusted way, you are going to have many more severe security issues than with something like Firefox.

Re:Hmmm

[MightyMartian]

Microsoft simply changes the story to fit the audience. To a more technical audience, it denies that IE is part of the OS. To a court that could make its life miserable, it claims deep embedding. If this fellow doesn't like the accusation then perhaps he should go to his betters in Redmond and ask them what they mean by IE being part of the OS. I mean, we're only repeating what MS told a court, and MS wouldn't lie to a judge, would they?

Re:Hmmm

[MightyMartian]

Since Windows has always been as much a GUI as a kernel, it's not the simple divide that X is in the *nix world. Yes, the basic Win32 kernel does not at all rely upon IE, but the GUI is such an integral part of the OS that it seems little more than an argument over semantics. I can't specifically to Redhat, but none of the Linux servers that I have built and run at my place of work have X or run any software that relies upon it. They are pure CLI machines.

The IE apparatus is very much a core part of the GUI of Win32/64. You can delete it from the desktop but it's still going to pop-up when you go into Windows Explorer, as can clearly be demonstrated by typing "http://slashdot.org" in the address bar. It's so clearly integrated into the GUI that I'd speak of it as a subsystem rather than as a separate piece of software. The tight integration is easily demonstrated by cranking down the security settings in IE and watching all these delightful spyware programs use ActiveX registration.

So yes, in the strictest sense, IE is not part of the base operating system (storage handling, resource allocation, driver management) but the very nature of Windows itself makes that distinction rather meaningless.

Re:Hmmm

A person gets so tired of hearing the same uninformed rhetoric. When MS was facing the, "remove IE" from Windows case, they were asked, "Is it possible to remove IE from Windows without significantly affecting its operation?" How would you respond to that? So many of Windows' operations rely on IE's HTML interpretation engine, graphic rendering, etc. Do you say, "yes of course IE can be removed, but it will severely restrict the OS features", or do you say, "no, IE is integral to Windows functions?" Seems like MS (rightly) said the latter. The EU is just now finding out what happens when you FORCE MS to remove otherwise desirable components (such as media player).

The same analogy would be, "Can you remove gecko from Linux without affecting its function?" How would you answer that? Well, yes it's possible, but then there's no more graphics, no browsing, etc. Or, do you assume that browsing and graphics rendering are important OS functions and say "gecko can't be removed".

Re:Automatic Cup Holder

[Timesprout]

Eh no, this is an issue will allowing scripts run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.

But does it really make a difference?

[sexyrexy]

IE may only use documented APIs, but isn't it how many APIs you use before it becomes "a part of the operating system"? If Firefox uses a handfull and IE uses so many it has its fingers curled around every nook and cranny of Windows, what difference does it make whether those nooks are documented or not? When you call enough OS APIs your app is as bulky as the OS itself, and we all know how well that works.

They're working on that.

They're working on that. It's called Longhorn. Maybe you've heard of it?

Whether or not they'll achieve any or all of their goals for Longhorn is, of course, open for debate based on past events. But the goal from the beginning has been to de-cruft Windows (and "improve" the user interface by making even more of it task-based. Joy!).

But frankly, my money at this point is on Longhorn being another Windows ME. Big on promises, half-assed changes, and lots of bugs. Maybe I'll be pleasantly surprised.

Re:They're working on that.

[wootest]

My basis on thinking that it'll be more stable and secure is that - if I've gotten this right - major parts of the actual architecture will run as managed code and it will therefore be easier to 'throttle' any bugs or exploits.

I love Linux as much as anyone here, but seriously, saying that "3D stuff on the desktop isn't anything new and we have it already running on linux." is just meaningless. Lots of technologies already exist. However, the vast majority don't use them. Are you willing to bet that even 5% of Linux *desktop* users use "3D stuff on the desktop"?

WinFS may not be coming, but there's certainly plenty of stuff available. Paul Thurrott has a nice article about some of the new stuff, and I like the look of things like Stacks. (Advocates, take note; Paul Thurrott is a semi-Microsoft advocate. ;)) Syncing and searching are always nice, as is competent permissions - Windows will actually put up a dialog asking for temporary administrator permissions when doing stuff like installing programs; the way it's done in OS X, BSD and *nix, and about damn time, too. (The link above had a screenshot of this earlier and I think it's been removed.)

Microsoft might have had to tighten a lot of security screws all over the place, and might have had to restructure a lot of the internals as well, but I don't think the "Applications" team have been noodling since the release of XP.

Otherwise we'll have to wait until it's released to say anything good or bad about Longhorn. In the meantime there are anough things to say about XP. Both good points. But all I'm saying is that for something that will have been in development for over five years (at the time of release) by one of the largest companies in the world should not reasonably be assumed to be as crappy (or even half as crappy) as a rushed Windows version that too at most two years to finish and mainly served as a good reason to upgrade to XP**. I don't want to glorify Microsoft - they've done enough to warrant my outright hatred and very little to make up for it - but I'm just saying that it's not very logical to underestimate them either.

(In the interest of full disclosure, I'm writing this on a Mac, and my other two computers run XP and Fedora Core respectively. I try not to be biased but judge everything on its merits rather than on its supporters or its history. I've also never tried out Longhorn myself.)

(** The Douglas Adams in me wants to add "where of course new exploits await your pleasure" here, but I opted against it because this comment is long enough already... what's that? Oh. Crap. ;))

I'm Confused.

[itsNothing]

I mean if

... there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..

Then how is it that ...

IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.

These two statements seem to contradict each other. Either:

It's part of the OS and uses "internal" or protected calls that provide it a significant advantage OR It uses the exact same interface as any other program in which case it can be pulled out and replaced without affecting anything else in the OS.

Re:Automatic Cup Holder

[grasshoppa]

Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter

Er...isn't that sorta the point?

erm...

[carpe_noctem]

"IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present."

So why not just have an html rendering library and make IE an optional add-on? Plenty of other OS's seem to get by with this approach; I guess that none of them are so hellbent on pushing out a particular product...

Re:Not tied?

[Arathrael]

They are operating system APIs used by IE, he says so - just none that are 'not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows', i.e. no secret undocumented APIs. So you can rest easy in the knowledge that if someone finds a bug letting them use a malformed website and IE to read files off your local hard drive, IE is only using a documented API to do it.

And he also says that IE is indeed part of the operating system 'so that parts of the OS and other applications can rely on the functionality and APIs being present'. Which presumably would mean a bug in IE could affect those parts of the OS and other applications. Which seems to be to go right along with what I thought the Mozilla guy was saying.

As responses go, it's not the best is it? :-)

Re:what i want from Firefox...

[Ironsides]

I'm not sure if the is I.E. or File Explorer that allows you to do that. I do know that when I launch file explorer I can do that and go to the other computer and the same with I.E.. I also know that you can do the same thing using Total Commander. Then again, I'm pretty sure that I.E. and File Explorer are the same program.

Re:what i want from Firefox...

That should never be supported by a browser because that is not an internet standard and a big security risk. A browser should only work with valid URL's.

From a web developers eyes.

[dacoto]

As part of the testing phase when I design a new web site I have to point out that the majority of my time is spent "tweaking" the site to display correctly in IE. While on the other hand I can take the same site and test it in Mozilla, Firefox, Konqueror, Safari, Netscape, etc. on various platforms (Linux, Mac, and Windows). I don't see why all browser developers can not or will not just design browsers to be equally compliant. With all the market share MS already has in my opinion they should, as atleast an act of good faith, build IE to conform with standards. I can not see any reason not to, I mean come on how difficult is it.

Re:From a web developers eyes.

[mankey+wanker]

I agree with the above poster, that's the main problem right there: non compliance with standards.

Security is also an issue, certainly. It's less of an issue if you aren't a complete bonehead.

Re:From a web developers eyes.

[MemoryDragon]

You dont know Microsoft my friend. That has been their tactics since the mid eighties. They call that embrace and extend a standard. Which is the standard way for them to take over existing standards.

First they follow the standards, then they start to extend them with Microsoft only stuff, then they add bugs to their implementations which they never fix, and in the end you have to do twice the work, once for Microsoft which by then usually has the significant market share and once for the rest of the world which still follows the standards. If you just follow the standards then you get the heavy beating of the users. Most people simply due to cost reasons then do Microsoft only versions and basically cement the monopoly of Microsoft. This is not done due to lazyness but often due to cost reasons.

The last step of this approach is to take over entirely, close the standard, break it in every possible way and put NDAs patents etc.. on it so that nobody outside of the Windows world really can use it.

This tactic has worked with SMB so far, Corba was another thing, OpenGL as well which basically was the base for the first really usable Direct3d version. With HTML Microsoft already has started to do it by not implementing a properly working CSS1 and totally ignoring CSS2 and 3.

They already work on a closed replacement called Xaml which should by pushed by not doing anything they speced themselves in the W3C. They already broke SVG with an incompatible implementation which they called differently and plasted with patents although only a few commands are broken, and the next step on this road probably will be the breaking of the newly specified open document format.

Kerberos was such an issue as well, they added a few bytes to the standard implementation and put everything under an NDA.

So what does this say to you. Dont expect anything from Microsoft, and the last you can expect is some decency and goodwill regarding the usage of standards, they only follow standards as long as they have less than 30% market share.

Also dont expect anything from your users, the average user is not aware of this whole mess caused by them, they just want things to work, the problem is they most of the times want to work with half working soft which has nice UIs and the tag of microsoft on top of it.

Which basically means you run constantly into problems and cannot move towards working alternatives.

If I count all the time together in the last 10 years, I probably have spent around 30% of my working time to navigate around problems Microsoft deliberately has caused and never fixed. The percentage probably would have been much higer if I had not used java and other cross platform stuff in the last few years, which normally just works.

And I am probably not the exception, count towards all developers in the world which have to deal with Microsoft platforms and the problems caused by them and you probably end up with the sum Microsoft has in the bank calculated from the loss of worktime over their deliberate breaking of standards.

So in the end my conclusion is that lots of the earnings by Microsoft are basically indirectly drained from the worktime of others to bypass their monopoly game on the technical side to make things work again. This is not a false conclusion since their non standard conformity tactis have been used by them since the mid eighties on a regular base.

From the blog..

[tmasky]

"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."

I would have loved to be at the party they must have had when ActiveX went through it's security reviews.

Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.

Complete nonense

[gilesjuk]

What he means is parts of the Windows desktop environment rely on the HTML engine which is also part of IE.

It's like saying KDE can't work without Konqueror and KHTML. Of course it can, you use Gecko.

Also they obviously mean IE is part of the Windows distribution package. Are they going to say MSN/Windows Messenger is part of the OS next?

Honestly, it is this kind of technical retardedness that stops me using Windows.

Re:what?!!

[TommyBear]

Yes but that is just explorer. explorer is an app in windows just like anything else. You don't need explorer to run windows, in fact you can replace it. So no IE isn't REALLY part of the OS but it is reused heavily in primary apps on the windows desktop.

yes, but...

[LegendOfLink]

To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'

The question is why would I want my browser to make OS calls? Could that be why the minute you surf the "wrong site" on IE, you get infected with loads of spyware, or worse, a virus?!

I'd rather stick to being limited on some performance issues and functionality (ActiveX sucks anyways) than being able to have a website install loads of crap onto my PC.

Re:It IS part of the OS

[RailGunner]

ls is an application. It's a utility, not part of the kernel.

The reason IE is part of the Windows operating system is because of mshtml32.dll, shdocvw.dll, etc. - System DLL's that explorer.exe uses. Really, all IE does is to wrap the browser control and provide bookmarks, etc.

In all seriousness, this is not a bad thing - it promotes code re-use in the Windows code base and prevents Windows developers from having to continually re-invent the wheel (or browser). The problem is that IE (ahem, the Internet Explorer_Server Window Class) is a complete piece of vulnerable, buggy, garbage.

It's really easy to use though - Anyone can write a simple MFC based browser - just use CHTMLView for your view class, add an address bar, implement navigation buttons, and hook it up to either the correct CHTMLView member function or the correct COM call if you're doing it that way, and you're done. Should take 2 hours tops.

Re:what i want from Firefox...

[jd142]

\\servername does NOT work for me, FF 1.0.2

\\servername\dir DOES work

\\servername\c$ DOES work

So the only thing that FF can't do that IE/Explorer can is browse to the server root, \\servername.

Re:Not tied?

[TheRaven64]

The term operating system is not a clear one. In academia, the terms operating system and kernel are used more or less interchangeably, the operating system (OS) is the part that has more privilege than user programs - either a monolithic kernel and device drivers, or a microkernel and privileged servers. In Microsoft's world, an OS is `a kernel, and all of the stuff we pile on top of it and call an OS' (note that this is similar to RMS's definition of an OS, e.g. Linux + GNU tools + X11 + desktop environment). The second is more accurately known as an operating environment (OE) - a kernel and a set of basic libraries and applications that developers can rely on being present. OS is typically used in place of OE, because an OS on its own is not really much use to anyone, and so they are rarely available separately.

Internet Explorer is not part of the Windows OS (kernel). It does not have a privileged status, and makes use of no extra functionality that is not available to other applications. Internet Explorer is part of the Windows OE. Other applications depend on the libraries provided by it (most commonly the HTML layout engine). The most obvious example of this is the Windows help program, which most applications use. As such, it is not possible to remove Internet Explorer without replacing it with something functionally equivalent (i.e. exposing the same API), unless you expect things to break.

Being part of the Windows OE does not inherently make Internet Explorer insecure, this is just FUD spread by idiots. It does, however, mean that flaws in Internet Explorer are more likely to be important (it is tied into other applications, providing multiple attack vectors for an exploit). Internet Explorer has a large number of flaws (a fair number in design, as well as implementation), and I would not wish to be in the position of having to defend it, but claiming that `it is tied to the OS and therefore bad' is just stupid and undermines any rational arguments that may be proposed at the same time.

Re:Automatic Cup Holder

[grasshoppa]

What, Mozilla does security through lack of features?

If the "features" are insecure, would you want them?

Re:Microsoft Unfairly Competes

[bpbond]

The fact that this tool hasn't been released to other developers is proof that they unfairly compete.

What? How is that unfair? They must document and release all APIs, sure, but all their in-house development tools too? That's quite a standard, and I bet not one you'd put on any other company in any other industry. Assuming those tools use some clever coding and those same public APIs, what's to stop anyone else from making their own super-DLL-optimizer?

I agree with the basic subject of this post ("Microsoft Unfairly Competes"), but this seems ridiculous.

Really. .. ?

[abhinavmodi]

To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.. How do we know ? You did not show us the code ;)

Antisocial Engineering

[Doc+Ruby]

I worked with a guy last year who came from the IE6 team at MS. He wasn't a programmer, but he agreed that it was common knowledge on the team that IE used secret APIs for better performance/quality, which competitors like Mozilla couldn't. He also said that this was also true about MS SQLServer, though he didn't have direct knowledge. And that these secrett APIs weren't controversial, or just gossip - they were assumed by everyone talking about development strategies for those products.

This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through. They would routinely lie to me about internal code paths that were triggering bugs, especially in printing. When I would analyze them into a deductive corner, they would tell me a little truth. Their big mistake was their managers' greed to get into the industry, which put me in direct, unmediated contact with the programmers, combined with their technical inadeqacy to keep up with the discussions enough to mediate them.

I suspect that the MS claims of "national security" interest in keeping their code secret is based partly on the political havoc that would ensue (pun intended) if we could see just how much MS code is written to protect their anticompetitive abuses. The Department of Justice would have a lot to answer for, and it certainly wouldn't stop there. Especially if the ripples could prove how many Congressmembers were bribed to keep their monopoly "remedy" decisions untouched by human hands.

Re:Antisocial Engineering

[the+eric+conspiracy]

This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through.

Given the history of Microsoft on this issue I cannot imagine that anyone would take ANY pronouncements of this sort at face value until you can go into Add/Remove and uninstall IE and seemlessly replace it with another browser. If IE is only providing services to other applications in the manner they describe, MS should publish the API so alternatives can seamlessly replace IE.

If somebody from Microsoft is making pronouncements of this sort without first getting them approved by MS and their legal team there are either nuts or looking to be fired/sued. This developer should be viewed as the Mouth of Sauron until proven otherwise.

Re:Automatic Cup Holder

[Zaiff+Urgulbunger]

But you *can't* fix them! Those bits use proprietry MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubish.

But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.

I'd venture that MS can't _un-integrate_ them from IE because and bunch of other code (from MS office to Encarta) depends on this functionality.

And I'd further venture that the "..get them fixed.." idea has occured to MS but that this isn't easy to do due to poor design.

And hasn't that been the argument all along?!

Re:Gone to the dogs

[Myen]

Especially considering that it's not VBScript's fault, is the WMP ActiveX control. That particular piece of code can be translated into JScript rather trivially and work just as well.

It will not work without Windows media player.

It does not involve any privlege escalation either - it was designed to do that (even if rather stupid).

Kinda wish the modded-Informative post-bashing would at least get their facts right... Yeah, I know, never going to happen.

Re:Automatic Cup Holder

[dasunt]

If the "features" are insecure, would you want them?

User: I want to be able to log in without a user name or a password! Remotely!
Tech: That's horribly insecure
User: I don't care! Its easier that way!
Tech: * finds rusty knife and commits seppuku *

And that, boys and girls, is one of the reasons why Microsoft is the 800 lb gorilla. It understands that users are more than willing to sacrifice security on the altar of 'its easier that way'.

I confused

[asoap]

I'm not all that technical, so I might have gotten this wrong. But did this person just admit that IE is not apart of the operating system, but it just relies on APIs built into the opeating sytem? Therefore it can be removed from the opeating system?

Hello? Wasn't this an issue of the monopoly law suit? That it CAN'T be removed from the operating system?

I must be wrong, so somebody please clear this up for me. Can somebody explain this to me in lamen's terms?

Also, he says that the IE development process prevents them from introducing bugs into the software? Then how does stuff like viewing .jpgs become a security flaw? Is it that there development process is just not up to snuff? Or is it the APIs that the use from the operating system that are flawed? So it's not the browser, that's flawed, it's the operating system? That makes me feel better. Also regarding a user experience the difference between the operating system is null?

I confused.

interesting comments

[rizzo420]

the blog was obviously microsoft-centric, considering it was written by an employee. however, the comments were pretty interesting and thought-provoking until you got to the ones posted today after this was posted to slashdot. why must all the people on slashdot be out to get microsoft? as a company they are not evil. a lot of the comments to the blog just make open source advocates out to be a bunch of complete idiots. one comment in particular... "move away from closed source, that's always been microsoft's downfall". microsoft doesn't seem to be collapsing or losing money to me... apparently closed source works for them. come on now people, get real...

Re:interesting comments

[HerbieStone]

Changing Windows 3.1 so it would show an error-dialog when started from DR-DOS is evil in my book. From then on they lost my trust and I guess I wasn't the only one.

Re:Automatic Cup Holder

[iamacat]

I would, if only MS didn't claim EMBED tags are their OS.

Windows Updates

[flood6]

Dave Massey: "IE in turn relies on Operating System functionality to do it's job. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows."

Really Dave? Great, so i can use Firefox for Windows updates?

Re:Automatic Cup Holder

[steve_l]

The specificness here is that the ActiveX control that comes with windows media isnt smart enough about handling running in an untrusted container.

there are win32 api calls that manage this (you have to implement some other interface in your COM object to get told about security zones), but nobody ever does.

ActiveX is the underlying problem here. They took something that worked in a constrained role -OCX controls for adding functionality to VB apps, and made them -as you note- scriptable by web pages.

the worst part: they dont give up. Even IE6SP2 leaves activeX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches. I despair.

Re:Automatic Cup Holder

Or perhaps your scenario indicates the failing of the technology industry to find a solution that does not place undue burden on the user?

HE IS A LIAR

He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we cant go and check the source to ensure he isnt lying, BUT HE IS LYING.

http://www.desktoplinux.com/articles/AT7614463206. html

Jeremy White (CEO of CodeWeavers) who actually got IE to work under wine says so:

Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?

White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!

Re:HE IS A LIAR

Yeah, because White stands to gain..um, err..nothing at all from lying?

Come on now

[FyberOptic]

Everyone keeps whining about not being able to remove IE from Windows. But did you ever stop to think about just how many applications actually use IE's API, and integrate html and web pages into their programs? So even if it were possible to rip IE out of Windows, which so many people seem inclined to do for whatever reasons, those programs just wouldn't work anymore.

And you know why? Because nobody else has developed such an API for Windows. It's not impossible for one to replace IE's API if they really tried. I know that many of the open source software developers are a clever breed, and can work around any obstacle presented to them. It's just that nobody's done it, or even tried to do it that I know of.

So don't whine about not being able to remove IE if you don't have an adequate replacement to prevent many other pieces of software from breaking. It would become a tech nightmare if IE WAS removable, because then every dummy would be trying to uninstall it to hate on Microsoft like all the "cool" people, then be crying for someone to come fix their machine when all their instant messengers stopped working.

I mean seriously, if you hate IE that much, why are you even still using Windows?

Re:Automatic Cup Holder

[Hachey]

Eh no, this is an issue will allowing scripts run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.

Oh, I'd say less of a security disaster and more of a security mushroom cloud. It is pretty much the source for most security problems on the internet.


-----
Check out the Uncyclopedia.org , the only wiki source for not-semi-kinda-untruth about things like Kitten Huffing and Pong! the Movie!

Re:Automatic Cup Holder

[DavidTC]

Or, in the case of automatially installing malware, any burden on the user!

Re:They are not serious

[timjdot]

Yep, once the megalith recognizes the upstart then the upstart has succeeded. That is how we can surmise FF and Linux are ending M$FT's strangle-hold on technology advancement. Viva la software developer, maybe a time of advancement awaits!

Re:Gone to the dogs

[dknj]

Hold on hold on, let me get this straight. You originally said that IE is allowing secret hidden APIs (at least that is what is interpreted from your quote) because there was a security hole that allowed VBscript to load arbitrary ActiveX controls. Yet you failed to give any example of how Microsoft has kept developers from integrating VBscript into their own applications (for sake of argument, we will say Mozilla). Then you went to change your argument to how MS is so bad because they allowed such a glaring security hole. Do you see the topic jump there? We've gone away from talking about these secret hidden APIs that supposedly exist to bashing MS because of an old security hole.

3 years ago your post would have been -1 troll or flamebait and no one would have cared to argue with you. Times have changed and moderators are not moderating properly and have given you +5 interesting for a comment that is IRRELEVANT to the article. I am a windows supporter in the fact that I use it on a daily basis. I am also an OSS zealot in the fact that I use and contribute to many OSS projects.

I have yet to see a valid comment about how Microsoft his hiding secret apis from developers. Instead I see this post-apocolyptic wasteland created from your comments and the moderators that are falsely promoting your FUD.

-dk

Way to go Slashdot.

[KarmaMB84]

I could tell that Slashdotters were posting half way down the page when the comments turned into "OMGF OSS" and "But in the anti-trust case..." bullshit repeated over and over again.

My Problem Isn't With "Secret API's"...

[Carcass666]

Frankly, I could give a rat's ass if IE uses super-secret API calls. Other browsers seem to do just fine without them.

To me, the larger problem is the level at which other applications leverage IE's COM interfaces (IWebBrowser, etc.). These interfaces are published in the Platform SDK as part of the Windows development environment, without much mention of IE (that I could find). But using them requires IE to be on the system, since Microsoft makes it difficult (imposible?) for other browser applications to expose these interfaces and to be used instead of IE. Quickbooks is a great example, it uses these COM interfaces to include web pages in its application, requiring keeping IE on the computer in organizations that would like to purge IE. Sloppyness on Intuit's part? Perhaps. But is it really in their best interest to wedge support in for say, Gecko, when IE is pretty much guaranteed to be on the computer?

While it might be a misnomer to say "IE is part of the Operating System", it might as well be since developers are guided with a club toward it.

Insecure features

[CDarklock]

Features are not insecure, users are insecure.

There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.

We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.

Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.

So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.

Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.

Re:Insecure features

[moderators_are_w*nke]

Thats simply not true. Linux does let you do incredibly stupid things, but only as root. Its also designed in such a way that you mostly don't need to be root. It is therefore a reasonable assumption to make that a person running as root will be (i) Cluefull and (ii) careful.

Windows, however is setup in such a way that if you want to do pretty much anything that you need to run as 'root' to do anything, as gaining additional privilages for a single command on windows is a pain in the ass (actually, this is getting better see RunAs). Therefore Windows is forced into a dumb compromise which pleases nobody where superusers get training wheels and morons get the ability to screw things up royally.

FireFox will Burn

[PaulQuinn]

I use FF now, but I have a preminition:

IE will get fixed, people will accept it and the world will move on. FireFox will go down as a footnote in history as the browser that fixed IE.

Insane MS Bashing

[Rac3r5]

Its interesting to see the the insance amount of MS bashing that goes on her everytime a MS related article is posted.

Just to clear the air b4 someone calls me a MS agent, I'm a HW/SW developer that works for a bioTech comany and I do all my development work on *nix.
And no I'm not trolling, I'm just trying to state some facts.

I hear a lot of crying about IE being sucky etc etc. Fine, there are a lot of holes in it that are discovered routinely. But have you guys stopped to think that most of these holes are discovered because the browser is very popular. FireFox is becoming popular and it is starting to get attacked too (I've started to get pop ups in FireFox). But this concept applies to anything, if you live in a house facing a busy street, i.e. main road, your house will be more susceptible to crime, but when you move the same house to a quiet street, the house becomes less susceptible to crime.

About the whining that it comes packaged with windows, I say why not, when you buy a car, wouldn't you like it to come with free goodies instead of you having to pay extra for everything from floor mats to a CD player?
MS Windows also comes packaged with MS Media player, but why are there still so many users of WinAmp? I've been using Winamp for the past 7 yrs. The same thing applies to other pieces of software that come prePackaged with windows and yet has ppl using other solutions. The fact of the matter is if someone doesn't like a product and finds a better one they will go and get it. This even applies to cars, if ppl don't like what they have they buy stuff like CD decks, speakers etc.. The same applies to IE.

Re:Gone to the dogs

[Xiaran]

I have yet to see a valid comment about how Microsoft his hiding secret apis from developers. Instead I see this post-apocolyptic wasteland created from your comments and the moderators that are falsely promoting your FUD.

Youre confusing me. You keep going on about the hidden APIs issue and I dont think that was what was being implied... Im assuming you mean this quote

IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..

You also start the parent post with

Hold on hold on, let me get this straight. You originally said that IE is allowing secret hidden APIs (at least that is what is interpreted from your quote) because there was a security hole that allowed VBscript to load arbitrary ActiveX controls. Yet you failed to give any example of how Microsoft has kept developers from integrating VBscript into their own applications (for sake of argument, we will say Mozilla).

I didnt interpret his post this way and I dont think others did either(I could be wrong of course). I thought that the grand daddy post was making the point was that it was actually a good thing that Firefox et al dont have access to these APIs or else the browser can start accessing things it has no right to access.

Sorry if Im wrong... but I dont think its a issue of hidden APIs that Mozilla cant implmement is the issue. The issue is these APIs are documented fine, but we shouldnt implement them.

As to how this relates directly to the article being discusssed... specifically the original quote. He is arguing(I think) that the idea of intergrating something as netward facing as a HTTP client with core functionality is "stupid".

Re:Hmmm ..

[madcow_ucsb]

I wish I could say that about *any* stack.

All the kernel mode stuff is downright maddening. Maybe I'm just stupid, the whole notion of an IRP just seems like a pain in the ass. Ok so it's asynchronous. The the code to deal with it is huge and if things don't work, it's damn near impossible to figure out *why*.

And, as a USB developer, it boggles my mind that the XP DDK comes with a "simple" USB BULK transfer driver example: it's 8492 lines of code in 6 C files and 7 headers. 2751 of those lines are for Windows PnP support. 1686 are for power management (USB only supports three states! Connected, suspended, disconnected!)

And it does damn near the same thing as the 349 line usb-skeleton.c in Linux (essentially allows simple read()/write() access to a bulk endpoint pair).

Well-designed my ass. We're talking a factor of 24x more code to do the same thing.