Slashdot Mirror
Interview with IE Lead Program Manager
crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."
a relative of Protestnic Vaughan Jeltz?
Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.
120 characters for a sig? That's bloody useless.
..that page looks a lot better in Firefox.
Slashdot Burying Stories About Slashdot Media Owned
Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... you're workload would have been really small ;)
http://psychicfreaks.com/
why isn't IE7 doing a better job with supporting CSS standards?
> At Microsoft, I'm one of several Lead Program Managers on the IE team. My team and I are
> responsible for handling all of the incoming customer & security requests.
Q: Can you make it secure please?
A: Sadly, no - as I've been asleep for the last 5 years! Why else do you think nothings happened on the IE project since 2001?
I couldn't get through the second sentence without a wtf moment:
"We met while working on Windows Server 2003 at the twice daily status meeting."
Morning meeting: "I'm planning on writing some code today"
Afternoon meeting: "I had planned on writing some code, but I was busy preparing my presentation for this meeting"
This explains a lot...
Christopher has worked on every release of Internet Explorer since version 2
And he's kept his job?!?
It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses.
IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.
120 characters for a sig? That's bloody useless.
we're trending in the right direction as a company
Did he mean 'tending', or is this some horrible fusion of trend and tend that I was previously unaware of?
A brief search reveals that I am out of touch. But everyone else is wrong, I should add.
every IE release since IE 2 or 3
Glad he's paying attention
The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.
Oh, really? Let's hear it for forward thinking...
-- Is "Sig" copyrighted by www.sig.com?
Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#. They have more than enough money to maintain an internal second version that is pure managed code. The advantage is that if the SHTF, they will have a fall-back app that they can immediately distribute. Not only that, but it would allow them more leeway in coercing developers into deprecating code that relies on the current native code which has hooks deep into the OS.
...MS Propaganda Week on /. ?
sig has been sent away for a few small repairs...
I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)
I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.
ttuttle is a rankmaniac
In light of yesterday's request for interview questions for the creator of CSS, I was dissapointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture'
How about a Firefox plugin that e-mails the Firefox foundation everytime you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.
Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the EI7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.
The cesspool just got a check and balance.
These hooks being only introduced in the first place so MS could justify that it wasn't bundling IE and that it was a necessary part of the OS. Once again MS putting security and the end user lower down its priority list than profits, control and market share.
Some, yes. Some of the hooks existed already as part of Microsoft's great failure: placing "user-friendly" over security. That is ultimately what has made their software so vulnerable: in the interest of maintaining their hold on the market, they made their OS as easy to use as possible. That means minimizing security challenges and that sort of thing...which means opening it up to exploitation. Add in the fact that their two biggest products besides Windows--IE and Office--both hook deep into the OS and provide the same sort of vulnerabilities, and you get a recipe for disaster.
120 characters for a sig? That's bloody useless.
From TFA
Well in one respect, I don't really care where spyware & malware is going - I just want it eliminated. Whether it's key loggers or rootkits or adware, our job is simple: keep unauthorized software off of the users' machines. We've attacked this problem at multiple levels
And this from the company that won't let you install security fixes unless you install their spyware, sorry WMA. Or is it that their spyware is OK, others is not because 'they're the good guys'
init 11 - for when you need that edge.
As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.
If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.
Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Sadly - I think someone previously hit the nail right on the head, and the guy is partially right about drawing the line between outrageous functionality and security. I know for a proven fact that users, when given the option of a 'secure' browser or one that lets them send web pages to buddies on their Yahoo! messenger... well you know which one they'll pick. The problem is maintaining functionality that allows the user experience to be rich and meaningful without being able to hook into the operating system... this still leaves the browser exposed! BHOs are an atrocity which we in the security world have had to live with for some time - I cringe every time my wife says "my browser is so slow" and I look into her "Manage Add-Ons" menu - there's always crap in there! See... browser security is a constant battle between user experience and what security features we want. I don't see IE7 being any better at it... and I think FireFox had the right approach... build a base browser and force the users to add-in plugins they want to use. Microsoft's bloated IE comes with everything they think you'll ever want, toaster included, so there's just so much to exploit. Anyway - I could rant but I'll stick to the hard truth... when presented with an option, users always choose the more functional, easier to use, more colorful version - and they don't care if it's more 'secure' ... all the education in the world isn't going to change human nature folks.
If MS themselves refuse to use .NET for their own programs, what does that say about the viability of it for the rest of us? It doesn't inspire confidence.
Microsoft gets a bad rap here on Slashdot, but for the record I'd like to publicly thank them for one of the best, most altruistic decisions in tech history.
I'm talking about the decision to discontinue Internet Explorer for Mac. As a web developer this has made my life far easier. God knows how many man-decades of work this has saved the world's html coders.
The cloud to this silver lining is that I still spend a good proportion of my working life abusing my code so that it'll work on IE without breaking on real browsers. Multiply that up by the number of web designers / developers in the world and that's got to cost a few lives.
So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?
http://savingiceland.org
Tsk, I thought .net was the future and Microsoft always ate their own dog food. Yet strangely, IE7 is yet another MS product that is written native. Is there a message here perhaps?
I want a list of atrocities done in your name - Recoil
I don't understand why they are not pushing managed code internally. It sure doesn't look good from the outside if they won't start using something they recommend for customers. They don't seem to want to eat their own dog food.
Error reading device 'Signature'. (A)bort, (R)etry, (F)ail?
PM stands for project manager and I would imagine a project the size of IE would have at least half a dozen.
Search TFA for "CSS" and it's not there. Hmm...
Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
Why cannot MS write anything themselves? IE is only a newer version of the Spyglass browser. They ditched the in-house version 1.x and made Spyglass IE 2.0. Not even the name is a MS invention, they bought the name "Internet Explorer" for a lot of cash some years ago.
From the article: "Remember too that IE7 is built from the same code base as Windows Vista which has received a huge amount of scrutiny, so this is going to be the most solid code base of IE we've ever produced."
So that's a good thing, right?
Some folks may think otherwise
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
Cripes.
No wonder development is so slow.
defintitely the same reason - when you right click, you get a list of commands you can perform on the document. If Open wasn't one of them, then you couldn't open it :-)
.reg files - leftclick them and I get notepad with the text inside it. Also, for dlls, leftclick and I get dependancy walker. Similarly, when I click a cpp file, it loads in Visual Studio. If left-click was hard-coded to open, none of these things would work.
You can change the default action to something else instead of open.
Left-click is just a shorthand way of right-clicking and selecting the default.
The reason its done this way is that's much better (a more OO way) of associating commands with a file type. You can add a new command, change the default to that, and then left-click the file performs the new command! I do this for
If you want to know more, read about Shell Extensions in MSDN.
As touted by MS dev, the IE7 is supposed to "fix" the IE layout fixed positioning. But as posted on the IE NG, sites such as :
htpp://www.aide.info/assistance/ that are using fixed positioning to feature an "elastic layout" clearly show that IE is buggy on fixed layout ! This site is working on Firefox, Opera, Safari, etc. An MS conditional comment for IE version less than 7 was put to enable a "CSS layout fix" that is perfectly working on IE 5.5 and IE 6. Not only IE 7 latest beta is ignoring conditional comments (that is the MS recomandation to handle the IE "legacy") but evey if "disabled" the page is baddly rendered !
Dean Edwards has proved fixing the CSS on IE is doable with simple ECMAScript. So please, MS do not tell us it is not possible because of blahblahblah and will be done on next version of IE. Dean has fixed most CSS bugs with Guys this was done by one guy in a few days !!! C'm'on MS stop fuding and fix IE now !
"So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?
I'll answer for him. Somewhere around, oh, 2020. Unless Firefox stops being an annoying, memory-leaking POS that hangs on me every half hour, or Opera actually gains some momentum, or Linux captures more than 50% of the market.... none of which I'm anticipating.
I say 2020 only because I think the browser concept will probably last about that long.
I would...
I accidentally posted this for the wrong article so I'll probably get flammed and modded down for it, but here it is again.
At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.
Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.
What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/ [secunia.com]) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, you have to conclude that Microsoft improved. A great deal in fact.
I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.
IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit and holes in IE.
Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market.