Slashdot Mirror
IE8 Released As Critical Update For XP
Binestar was one of several readers writing in to note that Microsoft is listing IE8 as a critical update to Windows XP. CNet reported a couple of weeks back that Microsoft would be rolling our IE8 to users in a gradual fashion, and requiring an opt-in before installing it. Opinion has been split as to whether IE8 is worth installing or not. Binestar notes delicately, "For those not interested in upgrading to IE8 at this time, the MSDN released information back in January on how to keep IE8 off your machine."
I use Firefox as my default browser. Should I care what version of IE is on my (XP) system?
"For those not interested in upgrading to IE8 at this time, the MSDN released information back in January on how to keep IE8 off your machine."
Install Linux
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
...the better!
So this means that more of the browser market will be standards compliant?
What exactly? I don't know. I am a bit confused though.
So MSIE8 is more standards compliant in a significant way. Is this still the case? Is the "default" mode standards mode or compatible mode? I ask this because I want to understand what Microsoft's expectations are going to be.
If the default mode will be standards mode, then I have to say that this is a courageous move on Microsoft's part.
If the compatible mode will be default, then I still have to applaud Microsoft for taking some initiative on this. Even if it doesn't break everything or anything, it's still a gutsy move and is clearly a step in moving in the direction of standards compliance. While this move might potentially slow the growth in use of alternative browsers, Microsoft will potentially lose their edge when it comes to maintaining their lock-in status in IT. And potentially losing some of that edge is a really gutsy move.
Microsoft can lose me and I am sure quite a few others here as Microsoft-haters if they were to just straighten up and fly right. I am hopeful that they will. I once loved Microsoft and all they did when it was still an exciting time... I know... but I speak the truth.
Whenever I encounter a computer running ie6, I want to take a sledgehammer to the computer.
Fuck Beta
How is microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?
Seriously.
IE6 has some root code that is insecure and patching is merely chasing the tail of the dragon when it comes to security exploits.
So abandoning it, and moving users to an inherently more secure browser that also happens to be more inline with modern browser standards is a good move, not a bad one.
Software companies (all of them) abandon old code for new code all the time, and when they do, they stop issueing security updates and patches for the old code.
It's common, and happens all the time.
I was hoping they would fix the issue where WMP11 Media Sharing stops working after installing IE8 on Vista before rolling it out like this.
I've reported it myself, and so have many others. I guess they will wait until the masses have it via automatic updates and they get a significant number of complaints the next day before they do anything about it.
I.O.U One Sig.
It's good news because it will help kill IE6, which has serious CSS rendering problems and doesn't support PNG24 graphics.
As of today, IE6 still has significant market penetration. My guess is that corporate users keep that number high.
Step into a huge movement. Don't Tread In Me.
shouldn't they patch the version XP shipped with instead?
They did. The patch is called "IE8".
I'm currently unemployed and don't have to deal with the fallout from this!
I'm the same. I use Opera and Firefox for almost all sites and use IE6 only for those sites that do not work with Opera or FF.
Does this include the XP version shipped on netbooks? I have enough space problems without worrying about how much IE8 will consume - especially since I will never actively use it. ...A Firefox using Anonymous Coward
Yes, frequently. I said nothing about timely.
Serious? Seriousness is well above my pay grade.
Normally I'm opposed to Microsoft pushing out feature updates as compulsory (versus security fixes and bug patches), however, in this particular case I'd have to say this is a good move. The benefits are many and the negatives few.
IE might have a bad reputation, and not at all unfairly much of the time, but no matter how much you hate IE, IE8 brings a lot to the table; even if what it brings is long overdue. Improved security, much better standards support, and even some genuine innovative features.
The debate can rage on about the ethics and legality of bundling the browser with and integrating it into the OS, but the reality is this is the case, and the security benefits alone make the upgrade sensible in my view.
However, the upgrade should be done in the background and in no way alter any preferences. Provided no configuration settings the user has set are changed (in particular, default browser), then the background benefits are gained, and the user can check out IE8 at their leisure if they wish, or ignore it completely.
Oh, and finally, this helps to kill off IE6, which really does need to FOAD.
How is microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?
Firefox 2 wasn't forced down our throats as a supposedly integral part of the operating system. If IE6 was a critical part of the operating system, shouldn't it get critical updates for the life of the operating system? Shouldn't corporate customers who bought in with the promise that they'd have a stable platform for however many years actually be able to use that platform, with all its knotholes, for that long?
Not that I mind seeing it go, but it kind of acknowledges the emperor's lack of clothes.
My thoughts too, initially. But the people that use automatic updates will already have been forced to install IE7. Whether or not IE8 is forced will do very little about IE6.
The 20-30% of computers that still use IE6 either have updates turned off, or they are in some company that won't switch to IE7 yet, because of outdated intranet software, or just an incompetent IT staff.
We're just waiting now for the sales to drop off (or the phone lines to be swamped) as our business to business customers get their browsers upgraded and don't buy online from us. We've got $m's worth of projects on the go to replace the platform but the business feels it has been strongarmed into replacing the platform with a like for like replacement with no business advantage.i.e. they are set back 2 years to get to the same place we are at now.
In a way, this is a blessing in disguise because MS is never going to be selling enterprise solutions (beyond file & print) here again and now open source is certainly not frowned upon and is a real contender for big enterprise systems. It's certainly not fluff - This organisation deals with a quarter of the population of UK and employes 10's of thousands of people.
If IE6 was a critical part of the operating system, shouldn't it get critical updates for the life of the operating system?
IE6 is getting critical updates for the life of the operating system, but the problem is that the operating system is at its end of life. Microsoft have put it into extended support, where XP (and therefor IE6) gets security updates for the next 5 years.
Shouldn't corporate customers who bought in with the promise that they'd have a stable platform for however many years actually be able to use that platform, with all its knotholes, for that long?
By the time MS stops security patches for XP, they will have supported the platform for 13 years. How much longer do you want a stable platform?
Does anyone know if this is still in effect?
http://www.sitepoint.com/blogs/2009/02/19/ie8-standards-mode-opt-in/
http://blogs.msdn.com/ie/archive/2008/12/03/compatibility-view-improvements-to-come-in-ie8.aspx
Does this seem like a way for Microsoft to require people to mark their pages as "standards compliant" in a Microsoft-specified syntax?
It seems like IE8 users would click the compatibility mode button not because they think the site should render better in IE7, but because it doesn't look right. Won't this populate Microsoft's "render as IE7" list with sites that are just poorly rendered in IE8? Surely this can't be what's going on. It'd be a train wreck in progress. Any good, standards-compliant pages IE8 can't render very well get rendered even more poorly unless you put MS markup in them?
Can't be.
My guess is that MS are engaged in some kind of gambit to pollute the existing DOCTYPE standard somehow, by requiring browser-specifying markup, but it's not clear to me exactly how. Well, IE8 is here. We'll see what happens.
It is not critical.
It is not an OS update. It claims to be an integral part of the OS, but as the result of lawsuits, as well as the many available "stand alone" versions of previous "integral parts of the operating system", it has been proven that IE was written to make it appear to be so but in fact was not.
It's release via automatic update is not, as they claim, more convenient. It is more convenient to initiate your own download when you choose to that to have to start to download this fairly "required" software when abd because you're told to, then cancel or delay that download.
That process is the normal one for refusing an automatic update download. It is not, as the headline states (with an exclamation mark no less) an IE8 Blocker Toolkit.
Simply put, Microsoft is lying about these things. If they're lying about these, what else are they lying about? Anything?
Well, for one, they're faking the popularity of related searches/links on IEBlog. The "Tags" box lists related items with different sizes of fonts. Elsewhere these are usually generated by user searches, the larger the font, the more often requested. However, the links from these are hard coded to constant items which frequently have nothing to do with IE. Some of them contain a single line blurb such as a statement from an IE development team member saying they're going to tell you something, but haven't posted that promised nugget in months since their first statement.
Let's say I'm your car's mechanic. I've been been charging you for your car's muffler bearing. I keep telling you it's a necessary part of the motor, even though there are plenty of people driving around with no muffler bearing, but rather an entirely different and optional piece of equipment, like a Kentucky Gofaster (that's a raccoon tail on the radio antenna) that does the same thing better. But I'm also insisting that it's my muffler bearing, not yours, and you're only paying for my permission for you to use it. Now I tell you that for your convenience I'm going to put your car up on the rack, start to replace your muffler bearing with a new, chrome plated muffler bearing, which you can then choose not to have installed. What would you do? Nod your head and say "uuuuuuuh, yep, uh huh, put her on up there bub", or find a mechanic who doesn't lie to you and try to sell you a "required" piece of equipment that's not required?
But wait! There's more! With this new chrome plated muffler bearing you will only be able to have certain things done at my garage, unlike your old muffler bearing which allowed you to have anything done at my garage. Last I checked, there were parts of msn.com that wouldn't work with IE8.
NOW how much would you pay? Call in the next 15 minutes and we won't charge you anything, except you'll have to have our Genuine Advantage mechanic take a look at it monthly to make sure you haven't fiddled with it to make it look like you own it rather than it still being our property installed on your car. And if you don't call in the next 15 minutes, we'll call you and make the same offer again, because it's for your own good. We promise.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
If you're a home user, figure it out yourself.
If you're on a corporate LAN, you should be using WSUS to control updates yourself anyway. its a free download with minimal updates, all you need is a domain controller or copy of regedit to push your workstations to the WSUS server's IP instead of microsoft directly.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
You haven't been paying attention to the way Microsoft works, have you? This has been typical for .... ummm .... as far as I can remember. Ship first, patch later and frequently.
Erm. Then you haven't been paying attention to the way Microsoft have worked for the past 5-6 years, have you? They have seriously pulled themselves together since the code red, nimda and initial IE6 days. I know that it's a popular myth that Microsoft software is swiss cheese, but security analysts are starting to point at Microsoft SDL (Secure Development Lifecycle) as an example on how to do it. Independent analysts, i.e. IBM, researching vulnerability reports, have for the past 3 years pointed out how Windows XP and Windows Vista are actually the operating systems hit with the fewest vulnerabilities (but still most exploits).
Looking at vulnerability stats at secunia shows that Microsoft QC have improved drastically across their entire product portfolio:
On the whole Microsoft seems to do pretty well and considerably better than their competitors in all of the above areas. And no, Microsoft does not hide vulnerabilities. They may delay publication in a responsible disclosure, but any MS admin will tell you that they are very specific about each vuln in their patch bulletins. Microsoft cannot slip a "fix" through, as they have to provide enough information for admins to take a decision whether to block or allow a given patch based on security against stability (like in fewer changes). And Microsoft does not patch "frequently". They patch 12 times a year + emergency patches. This schedule has in general been well received by admins and several other vendors are now following the same schedule.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
>Looking at vulnerability stats at secunia shows that Microsoft QC have improved drastically across their entire product portfolio:
You have to read these with caution, though. Microsoft has been trying to get the vulnerability count down, and one way of doing this is merging several vulnerabilities into one. It looks good on paper, but it does not make the product any more secure.
That being said, the recent product certainly show improvements. They absolutely beat Java and Acrobat, when it comes to security. I think the comparison with Firefox may be uneven, though, because the Firefox guys class just about anything as a potential security issue, just to be on the safe side.
You have to read these with caution, though. Microsoft has been trying to get the vulnerability count down, and one way of doing this is merging several vulnerabilities into one. It looks good on paper, but it does not make the product any more secure.
Perhaps you would look with caution, too? You are talking about advisories or bulletins. They are often aggregated. However, secunia lists a count for actual vulnerabilities. And those were the numbers I quoted.
And even in Microsofts own bulletins (not the advance notices) the individual vulnerabilities are clearly listed and identified with CVE references. CVEs are not aggregated, not from Microsoft and not from anyone else.
That being said, the recent product certainly show improvements. They absolutely beat Java and Acrobat, when it comes to security. I think the comparison with Firefox may be uneven, though, because the Firefox guys class just about anything as a potential security issue, just to be on the safe side.
So does Microsoft. An uncontrolled browser crash is a potential vuln. But you're right, if the bug is handled in a controlled fashion (i.e. caught exception) it is probably not classified as a vuln but rather a bug. I am not aware that Mozilla would do it any other way.
I haven't tallied by the the severities of the vulnerabilities. Theoretically all of the FF vulns could be "less critical" whereas all of the IE ones could be "highly critical". But I doubt it. Anyway, it's food for thought. I don't think we should give Microsoft nor Mozilla free passes.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
You need to relearn the difference between full disclosure and responsible disclosure, know that MS doesn't even follow RD guidelines, then go and rewrite your post. You can't compare numbers of vulns when one of the projects doesn't disclose them.
"They may delay publication in a responsible disclosure ...." Yes. They delay it until a patch is available or a vulnerability is in the wild.
Put identity in the browser.
Which version of XP? the new one (SP3)that comes on netbooks with IE7?
SP3 does not come with IE7, if it's shipped by default on your netbook that means the OEM added it seperately.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
That's what IE8 is.
No, by design, IE8 isn't backward compatible with crappy corporate intranet sites that were coded up for IE6's crappy eccentricities. That's a good thing for most people, but bad for companies that don't want to spend millions revamping their internal apps at MicroSoft's whim.
Yes, of course they shouldn't have gotten into that situation in the first place, but once they're there, you at least expect them to make good on their support commitments (which they are; see the other subthread).
Anyway, my complaint is mainly long-held bitterness over their claim that IE was integral to Windows. It was / is monopoly abuse of the most blatant sort.
Since the parent got moderated as a troll because some moderator didn't understand the point, if you don't disclose and immediately start patching, you don't allow the public any ability to defend themselves against the vulnerability in question.
So long as Microsoft holds their head in the sand about a reported vulnerability, you can go and work on a well-thought-out exploit that will take over the Internet, whereas a reported exploit in a full-disclosure or even responsible disclosure group will cause a patch or reasonable response within a much shorter time frame.
To all those who don't get it, go look up "time unpatched" for each of IE's vulnerabilities. That is, time from when they were reported to time when they were patched. That's the time Microsoft left you swinging in the wind.
- Michael T. Babcock (Yes, I blog)
While all the Two Minute Hate attenders are busy bashing MS for this move it seems that none of them, even those who were vocal in their support of Firefox, care to point out that Firefox is set to automatically update out of the box.
At least with Windows you're forced into making a decision on the hows and whens of your updating process on set up. No such luck with Firefox. Infact, I'm having a hard time thinking of any other software package that handles updating as poorly as Firefox does. Even Java is nice enough to ask permission first.
With IE being closed source, we will never know how many "quiet" vulnerabilities there are, and "quietly fixed" too. Maybe none. Maybe lots.
But you know what? None of that matters. What matters is how vulnerable you are just using your machine in a normal way.
The fact is, Windows machines are compromised more frequently and by more vectors than any other OS. And that includes IE - using it is more risky. It's an undeniable fact.