Slashdot Mirror


IE8 Released As Critical Update For XP

Binestar was one of several readers writing in to note that Microsoft is listing IE8 as a critical update to Windows XP. CNet reported a couple of weeks back that Microsoft would be rolling out IE8 to users in a gradual fashion, and requiring an opt-in before installing it. Opinion has been split as to whether IE8 is worth installing or not. Binestar notes delicately, "For those not interested in upgrading to IE8 at this time, the MSDN released information back in January on how to keep IE8 off your machine."


  1. So what by rossdee · · Score: 5, Interesting

    I use Firefox as my default browser. Should I care what version of IE is on my (XP) system?

    1. Re:So what by anjilslaire · · Score: 5, Insightful

      I use Firefox as my default browser. Should I care what version of IE is on my (XP) system?

      Seeing as how IE is integrated into the OS, having a vulnerable, outdated browser can be a problem. Like when you use Windows Update.

    2. Re:So what by click2005 · · Score: 5, Informative

      Some software uses IE embedded. Valve's Steam & the HTML help system both do and I'm sure there's plenty more too.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  2. Let me guess... by click2005 · · Score: 5, Funny

    "For those not interested in upgrading to IE8 at this time, the MSDN released information back in January on how to keep IE8 off your machine."

    Install Linux

    --
    I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  3. The sooner the insecure, poor-rendering IE6 dies.. by darpo · · Score: 5, Insightful

    ...the better!

  4. Good for web developers? by Verdagon · · Score: 5, Interesting

    So this means that more of the browser market will be standards compliant?

  5. Didn't XP ship with 6? by prehistoricman5 · · Score: 5, Funny

    Whenever I encounter a computer running ie6, I want to take a sledgehammer to the computer.

    --
    Fuck Beta
  6. Re:what's so critical about a web browser? by initdeep · · Score: 5, Insightful

    How is Microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?

    Seriously.

    IE6 has some root code that is insecure and patching is merely chasing the tail of the dragon when it comes to security exploits.

    So abandoning it, and moving users to an inherently more secure browser that also happens to be more in line with modern browser standards is a good move, not a bad one.

    Software companies (all of them) abandon old code for new code all the time, and when they do, they stop issuing security updates and patches for the old code.

    It's common, and happens all the time.

  7. This is good news for web developers. by Peter+Trepan · · Score: 5, Insightful

    It's good news because it will help kill IE6, which has serious CSS rendering problems and doesn't support PNG24 graphics.

    As of today, IE6 still has significant market penetration. My guess is that corporate users keep that number high.

    --

    Step into a huge movement. Don't Tread In Me.

    1. Re:This is good news for web developers. by jonwil · · Score: 5, Insightful

      Corporate users won't be switching away from IE6 anytime soon. Not whilst PHBs continue to be worried about some tiny little funky feature that no-one uses on some corporate intranet site breaks as a result of the switch.

    2. Re:This is good news for web developers. by NMSpaz · · Score: 5, Funny

      We just need to get all the golf websites to drop IE6 support, then watch how fast IT departments are told to make upgrading the standard corporate browser a priority.

  8. Re:And by critical they mean? by Randle_Revar · · Score: 5, Informative

    Yes, Standards mode is default, although it is easy to override, either from the user side or the web author side: <meta http-equiv="X-UA-Compatible" content="IE=7" />

    http://blogs.msdn.com/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx

  9. Re:what's so critical about a web browser? by EvanED · · Score: 5, Insightful

    shouldn't they patch the version XP shipped with instead?

    They did. The patch is called "IE8".

  10. Hooray! by genner · · Score: 5, Funny

    I'm currently unemployed and don't have to deal with the fallout from this!

  11. A Good Move by Ralish · · Score: 5, Insightful

    Normally I'm opposed to Microsoft pushing out feature updates as compulsory (versus security fixes and bug patches), however, in this particular case I'd have to say this is a good move. The benefits are many and the negatives few.

    IE might have a bad reputation, and not at all unfairly much of the time, but no matter how much you hate IE, IE8 brings a lot to the table; even if what it brings is long overdue. Improved security, much better standards support, and even some genuine innovative features.

    The debate can rage on about the ethics and legality of bundling the browser with and integrating it into the OS, but the reality is this is the case, and the security benefits alone make the upgrade sensible in my view.

    However, the upgrade should be done in the background and in no way alter any preferences. Provided no configuration settings the user has set are changed (in particular, default browser), then the background benefits are gained, and the user can check out IE8 at their leisure if they wish, or ignore it completely.

    Oh, and finally, this helps to kill off IE6, which really does need to FOAD.

  12. Re:what's so critical about a web browser? by subreality · · Score: 5, Insightful

    How is Microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?

    Firefox 2 wasn't forced down our throats as a supposedly integral part of the operating system. If IE6 was a critical part of the operating system, shouldn't it get critical updates for the life of the operating system? Shouldn't corporate customers who bought in with the promise that they'd have a stable platform for however many years actually be able to use that platform, with all its knotholes, for that long?

    Not that I mind seeing it go, but it kind of acknowledges the emperor's lack of clothes.

  13. Re:what's so critical about a web browser? by rapiddescent · · Score: 5, Informative

    In terms of cost - it isn't a user problem in my view. The finance company I consult at has its entire sales platform built on VB6/IIS5 and (shock horror) VBScript so it only works on IE6. This was sold to them as an approach by MS back in the day - the platform will cost over $20m - $30m to replace... It hasn't helped that the weakness of the VB6/IIS platform for enterprise software has made it very hard to replace (no business effective tier separation, lack of rules engine, poor security approach etc) and MS did not provide an upgrade approach to .NET for large platforms.

    We're just waiting now for the sales to drop off (or the phone lines to be swamped) as our business to business customers get their browsers upgraded and don't buy online from us. We've got $m's worth of projects on the go to replace the platform but the business feels it has been strongarmed into replacing the platform with a like for like replacement with no business advantage, i.e. they are set back 2 years to get to the same place we are at now.

    In a way, this is a blessing in disguise because MS is never going to be selling enterprise solutions (beyond file & print) here again and now open source is certainly not frowned upon and is a real contender for big enterprise systems. It's certainly not fluff - This organisation deals with a quarter of the population of UK and employs 10's of thousands of people.

  14. standards compliance is not about exception markup by Onymous+Coward · · Score: 5, Interesting

    Does anyone know if this is still in effect?

    1. When a user has a problem with a website in IE8, they can click the "Compatibility View" button to revert to IE7 rendering.
    2. The URL is sent to Microsoft who compile a list of IE8-incompatible websites.
    3. This list is sent to IE8 users so the site can automatically switch to IE7-mode for everyone.
    4. If your website is fixed or is accidentally added to the list, you can add a meta tag to disable compatibility mode!

    http://www.sitepoint.com/blogs/2009/02/19/ie8-standards-mode-opt-in/
    http://blogs.msdn.com/ie/archive/2008/12/03/compatibility-view-improvements-to-come-in-ie8.aspx

    Does this seem like a way for Microsoft to require people to mark their pages as "standards compliant" in a Microsoft-specified syntax?

    It seems like IE8 users would click the compatibility mode button not because they think the site should render better in IE7, but because it doesn't look right. Won't this populate Microsoft's "render as IE7" list with sites that are just poorly rendered in IE8? Surely this can't be what's going on. It'd be a train wreck in progress. Any good, standards-compliant pages IE8 can't render very well get rendered even more poorly unless you put MS markup in them?

    Can't be.

    My guess is that MS are engaged in some kind of gambit to pollute the existing DOCTYPE standard somehow, by requiring browser-specifying markup, but it's not clear to me exactly how. Well, IE8 is here. We'll see what happens.

  15. Re:what's so critical about a web browser? by benjymouse · · Score: 5, Interesting

    You haven't been paying attention to the way Microsoft works, have you? This has been typical for .... ummm .... as far as I can remember. Ship first, patch later and frequently.

    Erm. Then you haven't been paying attention to the way Microsoft have worked for the past 5-6 years, have you? They have seriously pulled themselves together since the Code Red, Nimda and initial IE6 days. I know that it's a popular myth that Microsoft software is Swiss cheese, but security analysts are starting to point at Microsoft SDL (Secure Development Lifecycle) as an example on how to do it. Independent analysts, i.e. IBM, researching vulnerability reports, have for the past 3 years pointed out how Windows XP and Windows Vista are actually the operating systems hit with the fewest vulnerabilities (but still most exploits).

    Looking at vulnerability stats at Secunia shows that Microsoft QC have improved drastically across their entire product portfolio:

    • IE7 was released at roughly the same time as FF2. IE7 has had half (77) of the vulnerabilities of FF2 (154). And those vulnerabilities stopped counting last year when FF2 was EOLed. And FF3 is already at 68 - about to overtake the 3 year old IE7. Of course there are still browsers out there with much fewer vulns than all of these.
    • The .NET Framework 2.0 is roughly as old as JRE 1.5, and although the former also has "enterprise" stacks such as ASP.NET etc, the .NET Framework 2.x has been hit by 10 vulns whereas JRE 1.5 has had 111 vulns in the same period.
    • IIS6 was released with Windows Server 2003. Since then it has had 4 (four) vulnerabilities. IIS7 was released with Vista/Server 2008. It has experienced 1 (one!) less critical vulnerability. In comparison Apache 2.x has experienced 23 vulnerabilities. Considering what they had to work with, I'd say that's pretty impressive.
    • Silverlight 1 and 2 both have clean sheets. Zero vulnerabilities so far. Compared to Flash Player 9&10 with 37 and 5 vulnerabilities respectively, Microsoft is certainly doing all right there as well. Especially considering that some of those Flash vulns were high-profile potent vulns which were featured in pwn2own.
    • On the database front, SQL Server 2005 has registered 10 vulnerabilities. Oracle Database 10.x comes in with a staggering 828 vulnerabilities.

    On the whole Microsoft seems to do pretty well and considerably better than their competitors in all of the above areas. And no, Microsoft does not hide vulnerabilities. They may delay publication in a responsible disclosure, but any MS admin will tell you that they are very specific about each vuln in their patch bulletins. Microsoft cannot slip a "fix" through, as they have to provide enough information for admins to take a decision whether to block or allow a given patch based on security against stability (like in fewer changes). And Microsoft does not patch "frequently". They patch 12 times a year + emergency patches. This schedule has in general been well received by admins and several other vendors are now following the same schedule.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  16. Re:what's so critical about a web browser? by thsths · · Score: 5, Interesting

    >Looking at vulnerability stats at secunia shows that Microsoft QC have improved drastically across their entire product portfolio:

    You have to read these with caution, though. Microsoft has been trying to get the vulnerability count down, and one way of doing this is merging several vulnerabilities into one. It looks good on paper, but it does not make the product any more secure.

    That being said, the recent products certainly show improvements. They absolutely beat Java and Acrobat, when it comes to security. I think the comparison with Firefox may be uneven, though, because the Firefox guys class just about anything as a potential security issue, just to be on the safe side.

  17. Re:what's so critical about a web browser? by Daengbo · · Score: 5, Insightful

    You need to relearn the difference between full disclosure and responsible disclosure, know that MS doesn't even follow RD guidelines, then go and rewrite your post. You can't compare numbers of vulns when one of the projects doesn't disclose them.

    "They may delay publication in a responsible disclosure ...." Yes. They delay it until a patch is available or a vulnerability is in the wild.