A First Look At Internet Explorer 8 RC1

bogaboga writes "TG Daily reports that Microsoft quietly released the first update to its IE8 beta 2 to its closest partners last week. This new version only scores a dismal 12/100 on the Acid 3 test, though the score improves significantly if one leaves the [browser] window open for at least a minute. It is marked as 'Release Candidate 1.'"

But does it fix the critical vulnerability?

[Van+Cutter+Romney]

Does it fix this?

Re:But does it fix the critical vulnerability?

[Atti+K.]

Oh yeah. IE lets you browse the internet, and vice versa.

Re:But does it fix the critical vulnerability?

[BasharTeg]

Actually it does mitigate that vulnerability. Internet Explorer 7 and 8 both have the ability to enable DEP/NX heap protection. Unfortunately, due to certain extensions like Adobe Flash being written like shi... written in such a way that they weren't compatible with DEP/NX (I won't even get into them dodging protected mode, just see: http://keznews.com/4244_Vista_hacked_on_3rd_day_thru_Adobe_Flash__Linux_Undefeated_), but anyway, because of extensions like Flash and Java which weren't compatible with DEP/NX, Microsoft was unable to enable by default the DEP/NX protection in Internet Explorer 7 at release. However, you can enable it now since most plugins have been modified to work with DEP/NX.

To enable this protection in IE7 right now, go to Tools, Internet Options, Advanced, and check the check box next to "Enable memory protection to help mitigate online attacks". If you're running IE8 beta 2, you should notice that this check box is checked by default. This change should mitigate a significant number of future remote attacks against Internet Explorer 8.

If you check the advisory, one of the work arounds is enabling the DEP/NX protection in IE7.

Why It Takes an Extra Minute

[eldavojohn]

This new version only scores a dismal 12/100 on the Acid 3 test, though the score improves significantly if one leaves the [browser] window open for at least a minute.

It's true, it improves to 100/100! The reason you need to leave the browser open for at least a minute is because that's how long it takes to download this extension, install it, run the extension and put the acid 3 URL into the extension's address bar.

I recommend anyone who loves IE to do this!

Re:Why It Takes an Extra Minute

[docgiggles]

Does anybody really love IE anymore. There are so many more secure open source browsers that using the Microsoft utility that came with the computer seems like it cannot possibly be the best choice

Re:Why It Takes an Extra Minute

[plague3106]

i never liked IE in the past, but 7 was ok, and I find myself actually liking IE 8. I've never looked at the source code to Firefox, so I could care less about my browser being open source. As far as security holes go... well I have vista with UAC enabled, so I'm not too worried. All browsers have security holes.

Re:Why It Takes an Extra Minute

[sexconker]

You COULDN'T care less.
You could not care any less, because you absolutely do not care.

If you COULD care less, then you care some non-minimal amount.

Re:Why It Takes an Extra Minute

[giafly]

No! One minute is just enough time for your computer to get zombie'd, which improves the average code quality.

Re:Why It Takes an Extra Minute

[FriendOfBagu]

So if I blow of a college exam and only get 12% because I don't care, I didn't fail it?

Sure, if you didn't sign up for the course in the first place.

Re:Why It Takes an Extra Minute

[causality]

It's not that anybody loves Internet Explorer. It's just that nobody outside of geekdom loves any browser at all. Arguing over browser popularity is like arguing over gas station popularity.

Sometimes I think that the only real definition of "geekdom" is "a solid understanding of cause and effect".

Most people don't care, and don't see any real difference. They're just going to the first one they see.

That's why when they get a compromised system or otherwise suffer, I don't see them as victims even though I'd rather they not get compromised and I'd rather they not suffer.

They are making a trade-off and are taking a risk of experiencing security flaws for the sake of convenience as the browser is already installed and knowledge of its quality and security history is not needed to use it. They have set their priorities and made their choices and now they experience the results. Really, what rational person (technical or non-technical) expects to have good results when operating an extremely complex machine that they don't understand? Is there anywhere else in life where you can take the very first option to come along without ever looking at your other options and then consider yourself to have made a good choice? That the average person can routinely use a computer this way and have everything work out as well as it does is amazing, but rather than appreciate this we instead scratch our heads and wonder why certain problems (like botnets) just aren't going away.

Maybe this makes me unusual, but I am happy with both Linux and FireFox even if both of them never become anything like mainstream. They are actively developed and have enough of a userbase to ensure this for some time to come, they do what I need them to do, and they run the way I want them to run. I can't say with any certainty that I'd derive any direct benefit from the sort of ubiquity that Windows and IE currently enjoy and I see a certain risk of stagnation if that ever did happen.

Re:Why It Takes an Extra Minute

[mrdoogee]

It's a whole nuther thing here if you could care less. It makes me nauseous at how this nukeular power supposably is illiterate for all intensive purposes. I hate it, irregardless.

__________
__________
Now my head hurts.

Re:Why It Takes an Extra Minute

[Kalriath]

However, it passes ACID 2 with flying colours.

If I were a conspiracy theorist, I might find something interesting about a new ACID test which IE fails miserably the instant Microsoft releases a browser which passes the old one.

IE needs a new slogan...

How about:

Internet Explorer: Holding the Web Back Since 2001!

Re:IE needs a new slogan...

[v1]

I prefer the older standby - empowering 0wners since 2001

IE 10

[Cornwallis]

I'm guessing that by the time IE 10 is released it won't run at all finally making for a safe browser experience.

Re:IE 10

[AKAImBatman]

By the time IE 10 comes out, it will look like what Netscape 2.0 looks like to today's market. Even today, users hanging on to IE are reminiscent of the die hard users of Netscape 4. Netscape 4 was awful in comparison to IE5, but since it was the only viable alternative to IE, it hung around for quite a while. Life got a lot better when the Internet purged NS4, and it will get a lot better when it purges Internet Explorer.

The only difference between the Netscape 4 debacle and Internet Explorer is that Netscape didn't have the resources to develop a better browser. They ended up needing to spin off browser development, thus resulting in Firefox in the long term. Microsoft has no such constraints. They have nearly everything they need to make IE a better browser, but they don't want to give up their stranglehold on the web.

Well too damn bad. It's only a matter of time before IE loses its majority market share. The more the IE percentages drop, the faster the uptake of alternative browsers.

Re:IE 10

[ianare]

That would be IE 9

Seriously?

[DarrenBaker]

Surely you can't be serious - It scores higher if you leave the browser window open for a minute?

What is it, an Oldsmobile?

Re:Seriously?

[IceCreamGuy]

Holy crap I miss my 1990 Oldsmobile Cutlass Supreme. Thanks for bringing that up. :'-(

Re:Seriously?

[sir_eccles]

It's like high end Hi-Fi equipment you have to let the browser window burn in before you can get that richer and warmer internet experience. I always leave my browser to burn in overnight the first time I install it and find pages load quicker when I use oxygen free unidirectional tubes.

Re:Seriously?

[jbeaupre]

You must not be in marketing. That's "A 75% performance improvement over time."

Some people STILL think they should use IE

[theaveng]

Like this guy: http://www.highdefforum.com/768120-post19.html

I don't know how someone can say "IE is not any more vulnerable" with a straight face. And it only scored 12/100 on compatibility tests? RUN from IE.

Re:Some people STILL think they should use IE

[gzipped_tar]

The best (worst) argument for IE I've ever heard was "to save disk space".

Damn, did I really not know?

[IceCreamGuy]

Is a release candidate still considered a beta? I was always under the impression that release candidates were past the "beta" moniker and were part of the next phase of deployment. But I'm an admin, not a programmer, and really have no clue when it comes to that kind of stuff.
Coincidentally, I just watched Blade Runner on my Sony Superbeta hi-fi, still looks fantastic after all these years. Suck it, Blu-ray.

Re:Damn, did I really not know?

[will_die]

In Microsoft speak a RC is a feature complete product, parts are still buggy but the capabilities are in, they still reservice the right to add features but will not remove them.
Now that is not to say that things still will not change for instance with the release of parts of Office 2007 some products would work in the RC phase on Windows 2000 but come release they stopped working. However at that phase you can usally start developing for the new product and it will work on the release with at most minor changes.

Re:Damn, did I really not know?

[lloydchristmas759]

In Microsoft speak a RC is a feature complete product, parts are still buggy but the capabilities are in, they still reservice the right to add features but will not remove them.

Really? I thought that was the definition of "service pack 8".

IE

[ionix5891]

is like a bad smell that wont go away

Good

[spinkham]

As someone who does both web security and some web design, I couldn't be happier.
Yes, IE 8 still sucks, but it sucks less then IE 7, which sucks less then IE 6.
IE 8 has some decent rendering improvements, a built in XSS filter, and lots of other changes.
In standards compliance it still sucks versus all the compition, but as long as it helps kill off IE 6, I'm happy.

Re:Good

[Leafheart]

In standards compliance it still sucks versus all the compition, but as long as it helps kill off IE 6, I'm happy.

As someone doing web design for a living for the past 10 years I can tell you that I'm really not happy. At all. I put standards compliance much higher than any gimmick like XSS. If firefox still had all the Extensions (which is hard to live without) but was not standards compliant, I would hate it, a lot.

Another IE that is not standards compliant, means or a new set of rules I cannot use on my code, or another set of hacks (already ahve one for 5, 5.5, 6 and 7

Re:Good

[Rearden82]

IE6 is still very popular despite the fact that 7 came out over two years ago. If users haven't upgraded by now, I see no reason why they would when 8 is released.

I'm sure IE8 will be broken in slightly different ways from 6 and 7. So all this really means is we will have to implement hacks for three different versions of a shitty, non-standards-compliant browser for the foreseeable future, instead of two.

Re:Good

[spinkham]

Actually, ~50 % of websites tested in the past year by WhiteHat Security. It's the best metric we currently have for security flaws, as WhiteHat has many customers across quite a few industries, and they are all automatically retested over time. It has little to do with the browser targeted, and everything to do with the web frameworks used, the knowledge of the programmers, and the testing or lack thereof most websites get before deployment.

If you check xssed.com you'll see that near 100% of websites have had XSS vulnerabilities in the past.

Re:Good

[spinkham]

IE8 gives a number of mechanisms for either you or Microsoft to request the legacy IE7 renderer for your website. is all it takes to not have to add IE 8 specific version of your website.

Even simple HTML can crash IE8

[VJTod]

This simple HTML still crashes Beta2.  It will probably still crash the RTM.  This was a trick I found back in 2002.  I had reported it somewhere, but obviously nowhere important.

<table>
<tr>
<td><div style="width:100%;height:100%"/></td>
<td>
<div>
<span style="height:100%;width:50%">></td>
<span style="height:100%;width:50%">></td>
</div>
</td>
<td><div style="width:100%;height:100%"/></td>
</tr>
</table>

Re:Even simple HTML can crash IE8

[TeXMaster]

Poorly written HTML should NOT crash a browser.

Re:Even simple HTML can crash IE8

[Fastolfe]

Nothing should crash anything.

Re:Even simple HTML can crash IE8

[twistah]

This is a highly ignorant comment. A browser should never crash due to poorly written HTML, or due to anything. From the security angle, this is at least a DoS, but likely something more. Take a look at the IE7 0-day which is affecting millions of users. It is not a buffer overflow; it's a simple crash. However, because of JavaScript, one is able to manipulate ("spray") the heap enough to a point where even a simple crash can be used for code execution. ANY crash in a browser should be taken seriously.

Not following standards costs us

[MazzThePianoman]

As a web designer it really pisses me off to see Microsoft continuing to write their own standards and not follow the conventions set forth so that web pages could look the same across browsers. Passing the acid test should be mandatory and doing so would likely save millions if not billions in lost productivity time between broken websites and the extra hours of work web designers have to put in to work around IE's bugs.

Re:Not following standards costs us

[jc364]

Actually, IE 8 passes the Acid 2 test (yes, they are last, but its an improvement). Not to mention that Microsoft contributed 2524 test cases to the CSS 2.1 test suite. I'm a web developer, and I know the horrors of developing for multiple browsers (especially IE), but I have to give Microsoft some credit for their interest in standards in this coming IE version.

Also, the acid tests are just one indicator of how well a browser does standards. To make it the defining standards test would not be completely fair. More info on that here.

IANA Coding Guru, but....

[penguin_dance]

Being that M$ tied their browser to their OS to avoid a court judgment of having an illegal monopoly the main reason they're in this pickle in the first place? You can't nimbly fix bugs or create features if what you do on that level ends up crashing your OS on another level.

Seems to me they've screwed themselves in the long run. They avoided having to removed Internet Explorer from Windows, but now their browser sucks on ice, is bloated, slow and filled with bugs that affect the OS. All of this could have been avoided (not to mention the continued $ hemorrhage of having to pay programmers to work on this) had they just concentrated on a decent OS and let others create the browsers. Instead they have (and still) pig-headedly insist on taking over or competing with every bit of software that touches their computers.

 

12/100?

[Masami+Eiri]

IE6.5 gets a 12/100 on the Acid3 test if you let it sit for a few moments. No, seriously. I wish I was kidding.