IE 8 To Include New Security Tools
Trailrunner7 writes "Internet Explorer has been a security punching bag for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Microsoft has been trying to get their act together on security, and the new beta of IE 8, due in August, will have a slew of new security features, including protection against Type-1 cross-site scripting attacks, a better phishing filter and better security for ActiveX controls."
Or scrap ActiveX controls?
Was I the only one to misread the title as: "IE 8 To Include New Security Holes" ?
On hacker/cracker messageboards everywhere:
OOH! more security vulnerabilities to play with!
If you can read this, I forgot to post anonymously.
An 'Install Firefox' button?
Apple has never claimed not to be evil, they're just very stylish about it.
I think the IE7 solution to ActiveX sandboxing was well done. It's still a problem, but a lesser one I guess. I always thought that was the most serious issue with IE.
It just feels like it's taking forever to make IE a good browser. All those years in a stagnant pond where the order of the day was fighting little fires instead of improving the product beget Firefox, and now Microsoft is really feeling the heat. Competition is good, but Microsoft seems to still be moving at a glacial pace.
The twitter monologues. Click on my homepage and be amazed.
"Uninstall Internet Explorer 8? Are you sure? Yes/Yes"
Perfect security tool, IMHO.
" What luck for rulers that men do not think" - Adolf Hitler
..that they will be more usable than the current 'security tools' we get with IE7 which serve the purpose of securing IE by making it so annoying that no-one wants to use it..
I mean that security bar thing that appears below the address bar for example when you want to download something. "Are you sure you want to download this file? It may contain viruses, malware, zombies, ghosts, or even the mother-in-law amongst other Scary Things (tm)?" YES! Why no "Don't ask me again, I'm smart enough to know what I'm downloading thanks" option....
Ahem, rant over sorry.. But please MS, try harder this time..
The only good activex is a DEAD activex. Kill it once and for all, for christ sakes.
NO SIG
Since IE7 and Vista, I am no longer qualified to comment on the user experience of Windows products. These two products killed off *any* thoughts I might have of using MS products at my personal expense. Still on XP with FF/OOo et al at work. It might^H^H^H^H^H^H will take more to get me to try another MS product than it did to get me to try Ubuntu.
New security tools sounds like a good idea. Hope they do well with that. Everyone has to work to keep the bar high on secure computing development, but I won't be trying it. Yeah, don't bother telling me about how F/OSS has problems too... everything does. I just prefer my problems not be served to me without the lubricant.
I do hope they achieve something good, it will be good for the Internet as a whole.
Support NYCountryLawyer RIAA vs People
It's about time. Heck, there should have been a vastly better ver of IE with Vista, but of course they only care about making things pretty now rather than good code. The worst type of malware embeds itself into IE and is like impossible to remove. For example, ZoneAlarm's spy blocker bar/other scamware toolbars.
That's exactly what IE7 is. Why is this one going to be different?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
"IE8 prevents "upsniff" of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script."
"We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type."
So much for them working towards natively supporting image/svg+xml which allows javascript in SVG files (does this also break Adobe's SVG viewer?)
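Added example, not part of any comment in this thread and not Microsoft's code: a simplified model of the image/* "upsniff" rule quoted above, next to a server-side audit for files stored and served as images. The marker list, the 256-byte window and every function name are assumptions made for illustration.

```javascript
// Simplified model of the behaviour quoted above; NOT Internet Explorer's code.
// Assumed for illustration: marker list, 256-byte window, all names below.
const SNIFF_WINDOW = 256;
const HTML_MARKERS = ['<html', '<head', '<body', '<script', '<iframe', '<title'];
const IMAGE_MAGIC = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Strip parameters such as "; charset=..." and normalise case.
function baseType(declared) {
  return String(declared || '').split(';')[0].trim().toLowerCase();
}

// True when the leading bytes contain something a sniffer could take for HTML.
function looksLikeHtml(body) {
  const head = Buffer.from(body).subarray(0, SNIFF_WINDOW).toString('latin1');
  return HTML_MARKERS.some((m) => head.toLowerCase().includes(m));
}

// Image type implied by the file signature, or null if none matches.
function magicType(body) {
  const buf = Buffer.from(body);
  const hit = IMAGE_MAGIC.find((m) => m.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.type : null;
}

// policy 'legacy-sniff': content can override the declared type.
// policy 'no-upsniff': a declared image/* type is never promoted to HTML.
function effectiveHandling(declared, body, policy) {
  const isImage = baseType(declared).startsWith('image/');
  if (policy === 'no-upsniff' && isImage) return 'image';
  if (looksLikeHtml(body)) return 'html';
  return isImage ? 'image' : 'other';
}

// Server-side audit for a file stored and served as an image.
function auditUpload(declared, body) {
  const type = baseType(declared);
  if (!type.startsWith('image/')) return ['not-declared-as-image'];
  const findings = [];
  const magic = magicType(body);
  if (magic === null) findings.push('no-known-image-signature');
  else if (magic !== type) findings.push('declared-type-mismatch');
  if (looksLikeHtml(body)) findings.push('html-in-sniff-window');
  return findings;
}

// Constructed samples: a GIF signature followed by inert markup, and a PNG header.
const polyglot = Buffer.from('GIF89a<script>/* constructed marker */</script>', 'latin1');
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

for (const policy of ['legacy-sniff', 'no-upsniff']) {
  console.log(policy, '->', effectiveHandling('image/gif', polyglot, policy));
}
console.log(auditUpload('image/gif', polyglot), auditUpload('image/png', pngHeader));
```

The audit matters regardless of browser policy: a file that passes the signature check can still carry markup in the sniffed window, which is why both findings are reported separately.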
I still haven't installed IE 7 after the WGA scandal and all the PCs I had to de-WGA for months. IE8 is kind of like "that guy I hate"s kid bro.
But since Vista is WGA infested, I doubt it will ever be mainstream in Developing countries where FOSS strives to compete with Piracy.
There isn't any good reason why the javascript engine should run with the same privileges as the browser, and there certainly isn't any good reason why plugins like flash should have as many privileges as they do. Sandboxing those bits should help a lot.
Better late than never!
You are about to visit a new web page, Allow or Cancel?
No wait...to include NEW tools....
When I think of TOOLS, I always think of Microsoft.
My name is Inigo Montoya. You killed my Father! Prepare to die!
I've used IE6.x for over 4 years with no ill issues. Though I know how to set security and options and I know when to scan and what websites are allowed to run things (cookies, activex, etc) and which shouldn't.
Not once has my computer been compromised due to IE.
It's a good idea of course, but if Microsoft would actually care (wishful thinking) they would make IE6 obsolete already. Their users will be safer, the developers would be happier..
support for the application/xhtml+xml mime type? It's been several years now, Microsoft. I'm sick of hearing people go on about how the new IE team *cares*, and yet I don't see all that much improvement.
I don't even care about whether IE actually parses xhtml as xhtml or as tag soup. Just accept the damn mime type and then internally parse it with your crappy engine.
We promise you IE8 will be cool.
-MS lackey
PS- Despite what anyone tells you, don't get 'fire fox,' it's probably a virus.
This can only mean that when IE8 comes out there is going to be a massive hit to web designers out there. Gear up for the site re-design fest!
//de ~ 9cimi
You know, statements like that don't just piss off Microsoft programmers, it pisses off Firefox coders, Safari coders, Opera coders, et al. It's *not* a simple job. It's an extremely fucking complicated job.
Not to diss Microsoft or anything... but seriously they need to get their act together with security updates. Every other day there seems to be a new security update for MS XP. Why don't they stop messing with things, then you don't need security updates. I'm a Mac user and I would have to say Macs barely ever have updates for security. Is that cuz Macs are better?!?!?!?
Perhaps the most long-awaited security feature of all, the IE8 team promises that it will immediately uninstall itself if someone mistakenly puts it on their PC.
Will this turn out to be the same BS from Microsoft, as it was with all the previous IE releases? History tells us - yes. I mean, what real incentive do they have? All they care about is that IE integrates tightly with their other technologies, so already locked-in corporate users are happy.
The side-effect of less or no security introduced by having IE preinstalled on about all of the new consumer PC shipments is not their concern. Nobody pays for it, anyway.
Of course, that's not saying much.....
I don't care what they do for security, I just want IE8 to support standard CSS stuff like border-radius, box-shadow and text-shadow. That's what people want to see when they sign up for contracts.
Same goes for Firefox (still no box-shadow) and Opera (neither box-shadow nor border-radius).
Yada yada yada specs not finished, I don't care. Use the standardized prefixes for non-approved standards, they're here for that (ex: -moz-border-radius, -webkit-border-radius, etc).
I'm a Mac user also and it seems like I install a security update about once a month. OS X is good but it's not that good. Hell, it's a few weeks after details of the huge gaping exploit in ARD were announced and there still isn't a security update. The best you can do is remove ARD.
Karma: Positive. Mostly affected by cowbell.
The smell of brimstone, the hulking body and dragging claws, the sound of "stfu d00d u r teh suk" -- yup, this must be a flaming troll.
"Kill 'em all and let Root sort 'em out"
"But Microsoft has been trying to get their act together on security"
SHHHH! QUIET! You will scare away all the open source people! Even a whisper of a positive spin on Microsoft could shut this site down. As an embedded programmer over here in the Northeast I refuse to accept this as the truth, even if it is true and I see it with my own eyes. No matter how true this might be it still must be false!
So long as IE is built around the idea that it's possible, even in theory, to create a sandbox that is both leaky and secure, the Microsoft HTML control will continue to be the biggest channel for malware in the world.
We (the security community) have been saying this for a decade, and Microsoft keeps saying "this time for sure".
Don't bet that this time is the last time they say it.
No, that's because they batch them in some gigantic 100mb+ update, instead of doing small updates for several applications, which is what Microsoft does.
Seriously, there's no reason why a security update should take several dozens of megabytes. This only ensures that dial up users will not install them and that people are more likely to delay installing patches due to the download time.
Also, most patches on Windows are released every month, on what is called patch Tuesday, which is the second Tuesday of every month. I'm not sure I fully agree with the idea of a fixed patch schedule as it gives the malware authors a one-month window to exploit, although it does give corporate deployments a chance to test patches prior to deployment on a sane schedule.
Jean-Francois Im's blog
Actually, MS hires some of the best coders in the world. You're just an idiot.
For love of God, please include a feature that is a one-stop shop to remove the various crippling toolbars.
Yes, there's the addon screen, but the number of evil toolbars that skip that are certainly the majority. They fall under the category of spyware/adware/trojans but just make it controllable. How hard can it possibly be?!
Every average user's computer I've helped fix has always had one or more stubborn toolbars that a mixture of Spybot, registry tweaks and detective work. Give the average user some way of managing the crap.
Simply inexcusable.
They'll make sure content is rendered completely different from their previous browsers and those of their competitors.
> IE 6 was arguably the least secure browser of all time.
Well, IE6 was released in 2001, pre XP SP2 (over three years before FireFox), and is still in use seven years later. IE 6 has a total of 130 secunia advisories (highest unpatched is Moderately Critical). FF 1-3 have 71 advisories (highest unpatched Highly Critical) since release in 2005 and IE6 had 35 advisories in the same period.
Keeping in mind there are lies, damn lies, and statistics, I'm not going to argue either way and let the fanbois take their browsers into the shower with a ruler.
More than browser vulnerabilities I take issue with the verbiage of the OP. Superlatives are the worst things in the world.
Oh tools, I thought you said holes... or was it trolls...
it's the only one I know that runs with only the following privileges (Vista only)...
"RO to File System"
"RW to user IE temp dir (explicit DENY on execute)"
Every other browser runs as logged in user I believe.
So even if IE7 gets hosed into the floor, nothing will happen.
That said, it still sucks compared to FireFox 3 in terms of useful functionality, but that's another story.
throw new NoSignatureException();
You're absolutely right, it's the testers' fault that these things happen so often.
Yes, they're old. But the best testers in the world would have noticed the mistakes (?) the best coders in the world made.
In more modern operating systems, it's become well known that MSFT hid the facts about how incredible their coders really are.
Right, because only nimrod programmers have bugs in their software.
Annoying the user seems like a running pattern with anything Microsoft try and make secure.
Windows Live messenger: "This file was a security risk and has been removed", User: "BUT IT WAS AN MP3?!?!"
Windows Vista: *download program* IE7: "Are you sure you want to download?" *click yes... wait...* "File downloaded" *click Run* IE7: "Are you sure you want to run this file?" *click yes* Vista Access Control: "This file is a program and may cause bad things to happen! Are you sure?" User: "ARGH FOR THE THIRD TIME YES I'M SURE"
A good analogy would be.. all the best lysol cans (coders) in the world can't make shit** (m$ products) turn into gold*. (gold being of course open source projects)
**m$ seems to be constipated, normally shit doesn't take 7 years to come out.
*you have to have time to find a lot of gold, but in the end, it's worth it.
Just in time to break Apple's new MobileMe service...
If they stop spam then how will people phish?
Microsoft is about the only company with the clout to change the email protocol. They should set a date (eg. Jan 1st 2008), openly publish the specs, push out an update to outlook, then make the switch.
So long as they don't try anything underhanded then most people will follow them. End of spam, end of phishing.
This would achieve far more security than any browser update.
No sig today...
year after year after year after year after year after year after year......
all we ever hear is how MS is making their next OS/Browser/Apps more secure. Have they ever succeeded? Not once... all I have witnessed is bug patches and more complexity. It's very tiring to hear the same garbage over and over again.... ...and for any site that only runs activex - get with the rest of the world and learn something....
Internet Explorer has been a security punching bag for years
Internet Explorer has been a security bug for years
There, fixed that for you.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Microsoft needs to announce the best security fix for their software: Opera or Firefox... until then, same ole same ole bloatware yet again with a new number
I have not deployed IE 7 to all of my computers, yet. I am interested in seeing how IE 8 will interact with our network applications. IE 7 had one problem but there was a quick fix that resolved the issue pretty quick. I am looking forward to seeing the differences between the two.
Then what the hell happens to them?
Agreed, but they don't know what to do with us. I currently work as an on-site contractor for Microsoft in Redmond.
When left to my own devices, I'm several times as productive as the next best person I've ever met. If they'd let me, I would cut our product's defect rate by an order of magnitude in a couple of weeks, but they're too damn afraid of change to let me do that. There's always a new release around the corner, and they're always in "OMG we can't change anything!!1" mode. The only changes they'll approve are cosmetic fixes for things reported by customers, despite the fact that you can't look at 100 lines of code without seeing an obvious bug. It's the least productive environment I've ever seen. I could literally replace 20-30 people in my department and nobody would notice a difference in output level.
p.s. Yes, I am looking for a new job outside Microsoft. I'm fed up with the BS.
Well, here's one data point against your assertion.
I hate plugins.
Of course, I'm also the kind of guy who, if his wife would let him, take the family to the mountains to live off the land. You know, the kind of guy who, when the TV broke, just never bothered to fix or replace it.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If they wanted to regain me as a user (and perhaps buyer of future microsoft products, though I highly doubt it given their track record of shit customer support) I would suggest that since they've deliberately crippled XP and Vista, the next time they move on and discontinue support for an OS they SELL to people, they should, perhaps, like a GOOD producer, unlock the old product, perhaps a tweak, perhaps a program that disables the "disable" feature for the 30 day "activation wizard" counter.
Since their phone support and internet activation options will not activate a legit product, and it's impossible to get one of those damn tech support monkeys to actually stay on the line instead of making excuses to put one on hold, I would wager that they won't pull an ID software thing and release the product, either fully, or just plain DE-cripple it... nope. Well that's fine and dandy... the few Windows games I wish to play can easily be played on 98 or 2000. Which basically means that once I'm done with those, I can even wipe the 2000 rig.
Not a bad deal. Especially given that the two games I'm looking forward to, Starcraft II and Diablo III, will both likely run natively in Linux (okay so one can hope) or, like Warcraft II, III, Starcraft, Diablo I, II, and WoW, will probably run flawlessly in WINE. Again, less and less reasons to ever stay on Windows as a primary OS, or even a secondary one at that.
Not that I mind. Their support was always crap, but now, in a downturned economy, crap support at a price is NOT enticing. To me at least. Your mileage may vary.
" What luck for rulers that men do not think" - Adolf Hitler
I really hope that the new IE security experience is something like this.
.....
Click... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
Click(again)... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
Click(again)... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
Click(again)... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
Click(again)... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
Click(again)... This web page can be dangerous for your computer. Do you want to proceed? (click yes)
> Actually, MS hires some of the best coders in the world. You're just an idiot.
Parent may be wrong about Microsoft's coders, but it's the managers who are the problem. They put money ahead of making good code, as one might expect from people who make commodity software.
You *can* set up browsers under Linux to have the same types of permissions, using AppArmor or SELinux. It's not OOTB though, and not as easy to approve outside-the-sandbox actions (like saving a downloaded file to a non-temp folder).
It's also worth noting that this feature, called Protected Mode, is not available if UAC is disabled. If you honestly can't stand privilege escalation requests (for things that damn well should have them) then open the Local Security Policy management console (use the Start search, or look under Administrative Tools), find the UAC policy options, and set it to enable automatic escalation for Administrators. You're still sort of protected, in that any app that was started as a non-admin will stay non-admin until it requests privilege escalation, but you won't be given a chance to deny that escalation.
There's no place I could be, since I've found Serenity...
Read the AC's post below.
It'll have the Firefox-tab extension.
IE7 might be the most secure browser on Vista.
But what does that matter if most IE users remain on WinXP? IE7 on XP does not have the sandbox feature. So if you look at things this way, it actually is a shame that Vista is so unpopular.
I am not really here right now.
"June 26, 2008 (Computerworld) Security researchers are warning users about an unpatched cross-site scripting bug in Internet Explorer 6 (IE6) that could be used by hackers to capture keystrokes and steal other information." from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9103859 I guess that M$ prefer not to fix bugs and vulns in current releases but rather make a new IE version for hotter vulns... I guess by this time next year we'll have Internet Explorer v.932***...
The IE6 was used as a "punching bag" only because during its time it was the only browser that could hold a punch. Everything else would fall apart and drop into crapper at the mere sound of the word "punch". Now, when the other browsers are finally starting to show promise of becoming usable in the foreseeable future, they still can't even remotely compete with IE7 on the security front. The original poster, of course, conveniently failed to mention IE7 in his post.
and we should believe you why?
I believe the parent because of the horrible shit that M$ releases. If you want us to believe you, you're gonna have to come up with a better argument than "you're just an idiot", but perhaps you can't and that's the reason M$ cock-smokers like you have zero credibility here and in the real world.
> Microsoft has been trying to get their act together on security...
I'm sorry, that one had me cracking up. Thou grandest of all understatements has arisen.
Upon installing IE8: "Windows (version to be named) detected, Uninstall? Yes/ Heck Yes" "Are you SURE? Yes/ Oh Yeah, you betcha!" Either that, or nuke it from orbit...you know the rest.
Personally I'd be more interested in some decent developer tools. Specifically things like a JavaScript profiler and debugger. I know there are a few third party tools that kinda-sorta do this, but frankly they're all pretty horrible, at least compared to their Firefox equivalents. Give me Firebug and Venkman for IE and I'll be happy.