IE 8 To Include New Security Tools 177
Trailrunner7 writes "Internet Explorer has been a security punching bag for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Microsoft has been trying to get their act together on security, and the new beta of IE 8, due in August, will have a slew of new security features, including protection against Type-1 cross-site scripting attacks, a better phishing filter and better security for ActiveX controls."
Better security for ActiveX controls (Score:5, Insightful)
Or scrap ActiveX controls?
Nope, just the best one to date. (Score:4, Funny)
"Uninstall Internet Explorer 8? Are you sure? Yes/Yes"
Perfect security tool, IMHO.
Re:Nope, just the best one to date. (Score:4, Interesting)
Re:Nope, just the best one to date. (Score:5, Insightful)
Technically, if they break the use of the product it is THEM that broke it. For example, if you take a car to a dealership for an oil change, and they break your transmission, the auto company/dealership is NOT immune to a lawsuit because "hey, you got usage out of the transmission".
In fact, they will have to get you the FULL value of the transmission / replace it with a fully working one. See the whole issue is that a remedy to a broken contract is supposed to set you off AS WELL OR BETTER THAN BEFORE THE DAMAGE WAS INCURRED!
Pay attention to the caps... there's a reason for them. That was originally the whole point of contracts, fulfillments and remedies in case of broken contracts. Seems that companies that deal in software are permitted to break the product and the client is to blame. Strange that. Nowhere nearly as strange as the fact that you seem to think that such things are perfectly fine. Amazing. Nothing short thereof.
Not that I care. It was one more reason why I stopped using XP period. Guess what. Unless they give me a copy of Vista FREE, I don't plan to ever go back either. Hell, since I stopped gaming I've had more spare time than I've been able to waste with a conscious effort :)
To be sure... I would be perfectly happy with: (Score:2)
If they wanted to regain me as a user (and perhaps buyer of future microsoft products, though I highly doubt it given their track record of shit customer support) I would suggest that since they've deliberately crippled XP and Vista, the next time they move on and discontinue support for an OS they SELL to people, they should, perhaps, like a GOOD producer, unlock the old product, perhaps a tweak, perhaps a program that disables the "disable" feature for the 30 day "activation wizard" counter.
Since their ph
Re: (Score:2)
Technically, if they break the use of the product it is THEM that broke it. For example, if you take a car to a dealership for an oil change, and they break your transmission, the auto company/dealership is NOT immune to a lawsuit because "hey, you got usage out of the transmission".
In fact, they will have to get you the FULL value of the transmission / replace it with a fully working one.
Note that the transmission is worth considerably less than the total value of the car. Also note that they actually broke your car, a better analogy would be if the gas station broke down and you weren't able to get petrol to fill the tank.
See the whole issue is that a remedy to a broken contract is supposed to set you off AS WELL OR BETTER THAN BEFORE THE DAMAGE WAS INCURRED!
What contract did you and Microsoft sign when you purchased the software? What contract did you and Microsoft sign when you instigated the use of the activation service? If you actually did sign such a contract, please post an excerpt from the contract where they agree to
Re: (Score:2)
Or I could be entitled to a "working" operating system? Nah, I don't need entitlement... I've already fixed the issue, but thanks for caring. (Not really.)
I agree, no written contract, indeed a problem. Secondly, since there is no written contract, it also means that I don't need to buy their next product again.
I love voting with my wallet. :) Best voting there is. Especially when an operating system sold "in good faith" (we presume it was) turns out to be a 30 day dud because the company crippled it on
Re:Better security for ActiveX controls (Score:5, Insightful)
ActiveX is a critical technology in (South) Korea - you can't do any online banking, online shopping, etc. without ActiveX support. MS can't drop ActiveX or it would lose the Korean market.
Re:Better security for ActiveX controls (Score:5, Insightful)
> MS can't drop ActiveX or it would lose the Korean market.
Lose it to whom? There aren't any other ActiveX providers, so if MS dropped ActiveX, South Korea would have no choice but to use whatever MS would provide as replacement.
Re: (Score:2)
Anyone rushing to provide ActiveX support? How exactly does someone rush to provide a fully compliant alternate version of a closed source system? If it was that easy to seamlessly duplicate ActiveX there would be ActiveX plugins for Firefox and Opera and this whole conversation would never have come about.
Re:Better security for ActiveX controls (Score:5, Informative)
There is an ActiveX plugin for Firefox: http://www.iol.ie/~locka/mozilla/plugin.htm [www.iol.ie]
Either browser could easily support ActiveX on Windows if they wanted to. The main reason they don't is for marketing reasons (because it's perceived to be insecure).
Aside from that ActiveX is actually a documented Open Group standard, and there are (were) 3rd party implementations.
Re: (Score:2)
Err...Javascript is considered insecure by some.
How is running third party binary code secure?
Re:Better security for ActiveX controls (Score:4, Insightful)
It isn't.
But yet every single modern browser has a way of running 3rd party binary 'plug-ins' or 'add-on' because its too damn useful. Therefore the only real distinction here between browsers that support ActiveX and browsers that don't is marketing.
Re: (Score:2)
Your ignoring the fact that ActiveX can be executed from any page with only a small security warning which everyone clicks yes on.
Re:Better security for ActiveX controls (Score:5, Insightful)
Actually, I'm not. If you look at that Firefox plug-in I linked above, it uses a site whitelist which makes it considerably more secure than IE. Just because IE has/had poor ActiveX security doesn't mean another browser would have the same policies.
Look at the posts in this thread. Everyone's convinced that "ActiveX==BAD" while they probably have 50 Firefox add-ins and plug-ins installed. They're the basically the same damn thing, so I'll maintain this is almost entirely a perception issue (which exists for valid, but historical reasons).
Re:Better security for ActiveX controls (Score:4, Interesting)
Ahh yes, whitelisting. You know what would happen if Microsoft did the same thing, they'd be accused of monopolizing the ActiveX market and using their power to control who is allowed to install controls and who isn't.
There is no solution there.
Re: (Score:2)
Re: (Score:2)
If you look at how Firefox has implemented whitelisting add-ons, its just another dialog box/infobar to click-through.
Unfortunately multiple confirm actions is what passes for "security" in modern browsers.
Re: (Score:2)
You're right that Firefox's extension technologies have not been as widely adopted as ActiveX. But not because Firefox doesn't have the features.
In terms of the underlying mechanism and security risk, there's is almost no difference. Both are systems to e-z install native code into your browser process.
Re: (Score:2)
Users have proven that they'll do whatever it takes to visit whatever porn site they want to. They'll whitelist anything. How is that any different from clicking through several levels of warnings?
Re:Better security for ActiveX controls (Score:4, Insightful)
Or maybe South Korea could pull their collective head out and stop supporting lock-in and using crap technologies.
Re: (Score:2)
If dropping ActiveX granted any real market advantage (people who know what is ActiveX are less than 2% of the overall computer-using population and people who know how bad ActiveX really is doesn't reach 1%), they would screw the South Koreans all over.
BTW, it seems they already screwed SK pretty bad.
Re: (Score:2)
Re: (Score:2)
If only... no one act would improve more the quality of everyone's browsing experience.
Re:Better security for ActiveX controls (Score:5, Interesting)
Or scrap ActiveX controls?
Too much legacy, best thing to do is continue to sandbox them as much as possible.
MS is shoving devlopers to either Silverlight or XBAP that have extensive sandboxing/security in comparison. MS has been in the process of killing ActiveX for several years now, next trick is to smack the developers around by making non-internal deployment really freaking hard.
Even Win32/64 has been being killed off slowly, but developers are slow moving creatures sometimes. (This is the biggest reason even people that hate Vista should be rooting for it to replace XP at the very least, as the non-Win32 APIs are its bread and butter, even working directly inside the vector composer of Vista, that XP can't do even if you try running .NET 3.x on it.)
Re: (Score:2)
Every Internet Explorer "plug-in" uses ActiveX. This includes Silverlight, Java, Flash and so on. AFAIK there's no plans for that to change, if you want to extend the browser, you need to use ActiveX.
What TheNetAvenger is saying is that Microsoft has been discouraging developers from writing custom controls. Part of this is making them more and more difficult to install. In most cases these controls were only used for custom UIs and things that did not require full unsandboxed system access. So they would
Re:Better security for ActiveX controls (Score:5, Insightful)
ActiveX is the only thing keeping large businesses TIED to IE. The last thing MS would do is scrap them. And to be honest, within a corporate intranet (where users don't have the rights to install activex controls), ActiveX is a pretty solid technology.
Re: (Score:2)
If you wanna to get conspiratorial, these changes aren't really about "security". They're designed to nudge companies with legacy VB6/VC controls into redeveloping with Silverlight.
Re: (Score:2)
Absolutely, that's what I meant. We package ActiveX controls for the business users, and then push them out through SMS. Frankly we haven't even upgraded to IE7 yet because of all the apps that would break.
Re: (Score:2)
That's not how windows security works. If they doubled it, expect:
An activeX control has been detected on this site. Allow it to run (Yes/No)?
(the close window button is missing, yes and no don't exist)
Are you sure you want to run it?
(They may use both yes and no buttons instead of an OK button here)
Re: (Score:2)
Re:Better security for ActiveX controls (Score:4, Informative)
Neither are sandboxed and both run with the same privs as the browser AFAIK.
The only real difference is that Firefox comes with a whitelist which prevents random sites from installing add-ons.
Re: (Score:2)
Interesting - I was operating on bad information. (Shh!)
Internet Explorer's ActiveX controls (on non-Vista/IE7 machines, so most of them) with native privileges. Evidently they were designed to run fast-as-native-code and be "building blocks" other programs could hook into. For example, Internet Explorer exports a COM interface, which lets other apps load web pages or parse an HTML interface.
So, my Googling found that ActiveX relies on digital signatures and permissions explicitly given by a user.
Re: (Score:2)
The digital signatures really only prevents one form of social engineering attack, it's not a sandbox/permission model like Java. And the big reason that ActiveX has such a terrible reputation is that the prompts could easily be bypassed in early versions (3/4).
Vista Protected mode does provide a sandbox, but I think you can break out of it with a UAC prompt. Which would be easy to social engineer around.
Re: (Score:2)
There's no "fast as native" code with ActiveX, it *IS* native code.
Re: (Score:2)
- the companies issuing code signing certificates were more than willing to sell them to anyone who'd pay, including all sorts of shady adware and spyware vendors, though most of the time they did at least check the company name on the certificate was correct.
- a lot of people just automatically clicked "Yes" when asked if they wanted to install the software, and there were all sorts of social engineering attacks used to encourage them.
Re: (Score:2)
Re: (Score:2)
Neither are sandboxed and both run with the same privs as the browser AFAIK.
you know wrong. ActiveX on Vista runs in a sandbox with lower rights than the current user.
Actually, the GP isn't wrong. But you're not wrong either. The GP is right that ActiveX runs with the same privs as the browser, and you're right that ActiveX runs with lower privs than the current user (on Vista); because the browser *also* run with lower privs than the current user.
Was I the only one to misread the title? (Score:5, Funny)
Re:Was I the only one to misread the title? (Score:5, Insightful)
Was I the only one to misread the title as: "IE 8 To Include New Security Holes" ?
That's true for almost everything new. As complexity rises, so does the chance of a problem, and browsers are surprisingly complex nowadays.
Re: (Score:2)
Security, hah. (Score:2)
On hacker/cracker messageboards everywhere:
OOH! more security vulnerabilities to play with!
Re:Security, hah. (Score:5, Interesting)
Let me guess... (Score:5, Funny)
Re: (Score:2)
Yes, congratulations is in order for Microsoft's IE team: they've finally reached nearly the same level as Firefox+NoScript. And they've only been in the game...how much longer? [/msFlame]
But seriously, maybe we should give Microsoft a little credit. As bad as they've been about IE security in the past, they're actually trying this time.
Re: (Score:3, Insightful)
As bad as they've been about IE security in the past, they're actually trying this time.
Because they say they are, right? They've said that it'll be more secure than before everytime they've done this and nothing really changes.
Re: (Score:2)
Well, yes, but this time it's more of a "must do" situation. If they don't change something they're in for a bit of a rough ride. And for that, I give them the benefit of the doubt.
Re:Let me guess... (Score:5, Funny)
Re: (Score:2)
Yes, congratulations is in order for Microsoft's IE team: they've finally reached nearly the same level as Firefox+NoScript.
Funnily enough, even Firefox without NoScript isn't at the same level. These comparisons should really only be done at default settings without 3rd party addons. It is fairly easy to lock down any of the browsers out there, but the majority of people don't do it.
Please say.. (Score:3, Interesting)
I mean that security bar thing that appears below the address bar for example when you want to download something. "Are you sure you want to download this file? It may contain viruses, malware, zombies, ghosts, or even the mother-in-law amongst other Scary Things (tm)?" YES! Why no "Don't ask me again, I'm smart enough to know what I'm downloading thanks" option....
Ahem, rant over sorry.. But please MS, try harder this time..
Re:Please say.. (Score:4, Interesting)
It would be nice if Microsoft's biggest security "feature" is asking the user to confirm any operation that could conceivably cause a problem. Oh, well, at least they can blame the user now... after all HE allowed it.
The one time I tried to use IE7 and MSN search (to look up TV remote control codes) MSN search returned a link that hijacked IE7 to a site trying to play porno movies and because of the constant message boxes claiming "Microsoft" found security problems and should I let it install a "fix" (probably Javascript trying to get me to install malware). The message boxes wouldn't go away and I couldn't even shut down the browser without killing the whole app from the task manager. (By the way, I checked the first several pages of Google's results to see if that fake link showed up, and it wasn't there. MSN is useless, too.)
I would have never in a million years thought that IE7 would be that horrible. It's like it's 1998 all over again. Microsoft does nothing but FAIL. I've been using Firefox (with NoScript, AdBlock+, etc) since it was Phoenix 0.4 or so and I had literally forgotten how horrible IE used to be... and still is. In all those years nothing like that has ever happened to me with Firefox.
I'm convinced Microsoft just needs to give up. They have become completely worthless and literally have nothing else to offer.
More details and ranting if you're interested: http://conceptjunkie.blogspot.com/2008/04/microsoft-needs-to-die.html [blogspot.com]
Re: (Score:2)
You could easily create a similar messagebox loop for Firefox, to try to encourage someone into installing a malware Add-On.
Unfortunately, no browser that I know of allows you to kill a javascript without taking out the whole browser.
Re:Please say.. (Score:5, Informative)
Actually, you can't with Firefox 3. It will detect a looping script and give you the option of stopping it. If you use NoScript, you can block it entirely.
Re: (Score:2)
Well, that's good to hear!
And FWIW, you could configure IE to whitelist javascripts on a site basis by using 'zones'.
Re: (Score:2)
Well, like most of the security features Microsoft provides, IE zones are annoying and a pain to use properly. Firefox, by default, blocks most annoying Javascript behavior, but NoScript really takes it to the next level. If you ever find yourself on Firefox, you should try AdBlockPlus+NoScript. It's a pretty good combination and is very usable. See here [noscript.net] and here [adblockplus.org] for more information.
Re: (Score:2)
Yeah, I'm aware of those extensions. NoScript in particular makes the web browser practically unusable for a normal person (as would managing IE zones), so I think it's a somewhat unfair standard to set. Only a few nerds are willing to break normal browsing behavior just to prevent getting rickrolled or dialog-spammed.
Re: (Score:2)
Firefox 2 would pop up a dialogue box after a while telling you that a script was taking a long time to run, and giving you the option of killing it. Or at least it did for me; I've no idea if that was stock behaviour or one of my extensions.
Re: (Score:2)
Yeah, it may have been in Firefox 2 as well...I don't remember exactly when they added that feature.
Re:Please say.. (Score:5, Interesting)
Maybe you could, but it's never happened to me... even before NoScript came along.
That's the irony about the Web. It started out as a document display technology and eventually morphed into an application platform, taking about 15 years too long and going down too many dead ends on the way. I read somewhere that someone suggested the Web should have simply been X from the start. It surely would have saved them reinventing the wheel a dozen times in the last 20 years, that's for sure.
We've almost come full circle. The browser is _almost_ the OS which runs your applications. In fact, Microsoft's biggest problem was that they hooked the browser directly into the OS (in fact, their problem has always been that they hook everything directly into the OS). ActiveX was just a shortcut to run native code via the Web, and it suffered all the obvious problems from being so. "Hello, world,, run anything you want on my computer. I trust you." Java was better, but it's just too darn bureaucratic. I can't imagine having to actually develop in Java... from everything I've seen it's worse than dealing with the government and insurance companies combined.
So where will it all end up? Starting around 1991, we reverted back some 15 years in UI development and had to go through the 80's again, but in browsers. I figure in another couple years Web apps and native apps will essentially be indistinguishable, especially from the non-techie's point of view. That's not bad except all the good UI standards and conventions developed by Xerox, IBM, Microsoft, Apple backed with decades of research have been almost completely abandoned. I can't even imagine what the average computer experience will be like in 10 years, but if the past 20 is an example, some things will advance more than I could have ever guessed and others will barely change, and it will still take an expert to solve all but the most basic problems.
The term "bleeding edge" was a play on the term "leading edge" but at the rate things change, there is no more "leading edge" any more. With Vista and recent releases of OSX, the "bleeding edge" is the mainstream, and we've come to not only not be surprised that systems aren't even remotely complete when shipped, in fact, we expect a "dot oh" product to be essentially a late alpha. I don't recall what product it was, but it was a "release candidate" and at the same time the release notes said in effect, "but we haven't documented all the features yet because we don't have a firm list of what will be included". That's not a "release candidate" by any definition... not even Microsoft's. That's an alpha release, by the original definitions. But these days (and Google is a perfect example, even though many of their products are very good), most software never really gets out of "beta" any more. There are Google products that were literally labelled "beta" for years. It's always possible there was some legal reason for this, but the idea of a "test version" vs. a "release version" barely exists any more. Often the only distinction is the size of the group of users who have access to it. Microsoft does this, even though they still pretend to adhere to the gigantic monolithic release after years of development apparently because that's the only way they can justify charging people for the same old crap, but shinier and slower. I think the Ubuntu concept works well. They seem to have an attitude of "We'll take what we've got and make sure it installs and works together" every six months. Each release isn't always a huge change, that depends on the state of things like Gnome, KDE or the Linux kernel or who knows what, but this "evolutionary release cycle", where each subsequent upgrade is relatively small, seems to work a whole lot better than Microsoft's "revolutionary release cycle" where it's a major IT undertaking that is so massive most companies these days would rather not bother.
Hmmm... I seem that have digressed a bit.
Re: (Score:2)
Why the hell were IE7 and MSN Search your first options to getting some information?!
Re: (Score:2, Insightful)
"Better" security for Activex? (Score:2)
The only good activex is a DEAD activex. Kill it once and for all, for christ sakes.
Re: (Score:2)
As I commented under the first post it's not that easy. In Korea everything runs on ActiveX (online banking, e-commerce, etc.), it was the preferred way to provide rich client functionality for years. While ActiveX is deprecated, they can't drop it right now because of the giant backlog of legacy ActiveX applications in Korea. This is also one of their most loyal markets, so it would be a shot in the foot.
Re: (Score:2)
Fuck Korea, Microsoft and the horse they rode on.
Activex should've died a simple rapid death a decade ago. Microsoft is willing to actually make their stuff standards compliant: that'll mess much more many people up than killing activex off.
In any case, I dont care at all: ive necer used activex and I never will. Hell, i dont even use IE and never will.
Re: (Score:2)
While it would in theory be totally smarter to upgrade everything to
Even if MS gave away all of the tools and converters to migrate away from all the VB, there would still be a crushing battle with bureaucratic inertia.
Re: (Score:2)
so kill it,
and make the banks, etc reconsider in their next round of development. its actually pretty easy to adhere to standards that make apps cross-browser happy.
geez, if an online app gets 3 years of production life, its done pretty well, so planning for the next version _without_ activeX should be pretty straight forward.
just looking through my web server logs, theres still plenty of nufties running ie5/6, so killing activeX in ie8 wouldnt be the end of the world overnight - ppl would just have to have
Re: (Score:2)
What a great idea.
I do have one question...
If Microsoft kills it's plugin technology (ActiveX) how do you expect people to render video?
Every major browser out there (with the possible exception of Lynx) has a plugin technology that allows things like video rendering to be possible. As long as you allow plugins that have the ability to render arbitrary code, you have an environment that is the functional equivilent of ActiveX.
ActiveX has a bad reputation simply because it is the most popular plugin technol
Re: (Score:2, Informative)
Typing < will give you <
You have to escape the special html characters. Man I had to preview that 3 times to make sure I had the tags right!
I only have one comment..... (Score:3, Interesting)
Since IE7 and Vista, I am no longer qualified to comment on the user experience of Windows products. These two products killed off *any* thoughts I might have of using MS products at my personal expense. Still on XP with FF/OOo et al at work. It might^H^H^H^H^H^H will take more to get me to try another MS product than it did to get me to try Ubunutu.
New security tools sounds like a good idea. Hope they do well with that. Everyone has to work to keep the bar high on secure computing development, but I won't be trying it. Yeah, don't bother telling me about how F/OSS has problems too... everything does. I just prefer my problems not be served to me without the lubricant.
I do hope they achieve something good, it will be good for the Internet as a whole.
Sandbox javascript, flash etc ... (Score:4, Insightful)
There isn't any good reason why the javascript engine should run with the same privileges as the browser, and there certainly isn't any good reason why plugins like flash should have as many privileges as they do. Sandboxing those bits should help a lot.
Re:Sandbox javascript, flash etc ... (Score:5, Informative)
In IE7 on Vista, those bits (and everything you do, actually) are sandboxed. It's called protected mode [microsoft.com] and like everything well-written and intelligible in life, there's a MSDN article. ~~
If you can get to a Vista machine, boot up Internet Explorer 7. In the bottom-right hand corner, you'll see a "Internet|Protected Mode: On." Internet Explorer, and everything launched in/from IE, run under a low "Integrity Level", which means they only have access to the "Temporary Internet Files\Low" folder and "HKEY_CURRENT_USER\Software\LowRegistry" key.
Any file access is transparently redirected from these points: An ActiveX control trying to create "virus.dll" in "c:\windows\system32" will have it actually created "Temporary Internet Files\Low\C\Windows\System32". (Nothing in this folder is executable.)
Open up task manager. (CTRL+SHIFT+ESC) You'll notice an "ieuser.exe" process - should something need more privileges, like you saving a file to your downloads directory, this process will grant that one action regular, non-admin user privileges. Anything system changing has to pass through an "IEinstal.exe" process, which will trigger a UAC prompt.
My understanding is limited to some Vista beta-era documentation and the MSDN article I linked, but they pretty much sandboxed the entire browser with sub-guest-account privileges. It's relies on some new parts of the Vista kernel (you won't see the same sandboxing on IE7 in XP) but it's still pretty nifty, I think.
So keep using internet exploder 7 'till then, k? (Score:3, Funny)
-MS lackey
PS- Despite what anyone tells you, don't get 'fire fox,' it's probably a virus.
The most welcome security feature... (Score:2, Funny)
Now, that sounds familiar! (Score:2)
Will this turn out to be the same BS from Microsoft, as it was with all the previous IE releases? History tells us - yes. I mean, what real incentive do they have? All they care about is that IE integrates tightly with their other technologies, so already locked-in corporate users are happy.
The side-effect of less or no security introduced by having IE preinstalled on about all of the new consumer PC shipments is not their concern. Nobody pays for it, anyway.
"IE8 will be the most secure version of IE yet" (Score:2)
Re: (Score:2)
Ok, even more, they said that for middle versions like IE 5.5 too.
Screw security, give us standards! (Score:2)
I don't care what they do for security, I just want IE8 to support standard CSS stuff like border-radius, box-shadow and text-shadow. That's what people want to see when they sign up for contracts.
Same goes for Firefox (still no box-shadow) and Opera (neither box-shadow or border-radius).
Yada yada yada specs not finished, I don't care. Use the standardized prefixes for non-approved standards, they're here for that (ex: -moz-border-radius, -webkit-border-radius, etc).
Re: (Score:2)
That's the way the W3C wants browser to implement things. They have standardized the names too (-browername prefix) so once the standard is approved you don't have incompatible parameters on the real names.
Also, if a browser doesn't know a CSS tag it's supposed to simply ignore it.
currently implemented in Firefox 3 and Safari 3, respectively:
-moz-border-radius: 6px;
-webkit-border-radius: 6px;
There is no shorthand way to specify different corners though (which is dumb IMHO, considering all the other styles s
You can't fix ActiveX controls in IE. (Score:2)
So long as IE is built around the idea that it's possible, even in theory, to create a sandbox that is both leaky and secure, the Microsoft HTML control will continue to be the biggest channel for malware in the world.
We (the security community) have been saying this for a decade, and Microsoft keeps saying "this time for sure".
Don't bet that this time is the last time they say it.
Technically, IE7 is the most secure browser out... (Score:4, Interesting)
it's the only one I know that runs with only the following privileges (Vista only)...
"RO to File System"
"RW to user IE temp dir (explicit DENY on execute)"
Everything other browser runs as logged in user I believe.
So even if IE7 gets hosed into the floor, nothing will happen.
That said, it still sucks compared to FireFox 3 in terms of useful functionality, but that's another story.
Re:Technically, IE7 is the most secure browser out (Score:4, Informative)
You *can* set up browsers under Linux to have the same types of permissions, using AppArmor or SELinux. It's not OOTB though, and not as easy to approve outside-the-sandbox actions (like saving a downloaded file to a non-temp folder).
It's also worth noting that this feature, called Protected Mode, is not available if UAC is disabled. If you honestly can't stand privilege escalation requests (for things that damn well should have them) then open the Local Security Policy management console (use the Start search, or look under Administrative Tools), find the UAC policy options, and set it enable automatic escalation for Administrators. You're still sort of protected, in that any app that was started as a non-admin will stay non-admin until it requests privilege escalation, but you won't be given a chance to deny that escalation.
IE8 already? (Score:2)
Just in time to break Apple's new MobileMe service...
whatever (Score:2, Insightful)
year after year after year after year after year after year after year......
all we ever hear is how MS is making their next OS/Browser/Apps more secure. Have they ever succeeded? Not once... all I have witnessed is bug patches and more complexity. Its very tiring to hear the same garbage over and over again.... ...and for any site that only runs activex - get with the rest of the world and learn something....
best security tool (Score:2)
Developer tools (Score:2)
Personally I'd be more interested in some decent developer tools. Specifically things like a JavaScript profiler and debugger. I know there are a few third party tools that kinda-sorta do this, but frankly they're all pretty horrible, at least compared to their Firefox equivalents. Give me Firebug and Venkman for IE and I'll be happy.
Re: (Score:3, Interesting)
I certainly hope they make IE8 faster. My (admittedly very anecdotal) experience is that IE7 is an absolute dog on startup and in browsing. There's a real lag there, that Firefox simply does not have.
Re: (Score:2)
I'd say IE7 XP isn't that bad to start up but in Vista it takes forever.
Re: (Score:2)
I honestly don't see the difference between IE7 and IE6 on either XP or Vista. And I think IE is a heck of a lot faster to load and initialize than Firefox. But Firefox seems to render pages slightly faster than IE7.
You might want to check the IE add-ins or whatever they're called. A girl at work started having problems with startup times and some pages that would get stuck when loading in IE7, until she figured out that the Skype ActiveX control was causing it. She disabled it and everything started workin
Re: (Score:2)
I honestly don't see the difference between IE7 and IE6 on either XP or Vista.
It is pretty easy to notice the difference between IE 6 and IE 7 on Vista. One runs, one does not. Also, how do you not notice the tab support in IE 7?
Re: (Score:2)
It is pretty easy to notice the difference between IE 6 and IE 7 on Vista.
I know that. What I emant is that on the same hardware (pretty much), I can't see IE7 being much slower than IE6.
Also, how do you not notice the tab support in IE 7?
I don't understand that...? Of course I noticed it.
Re: (Score:2)
I'm not disputing your claim, but you may want to make sure both browsers are either fully prefetched or not prefetched at all before you run a comparison between the two. For me the opposite is happening, Firefox is the slower one, IE7 is in the middle, Opera is ahead, but then again I am used to having so man
Re: (Score:3)
Your last statement implies that even though IE was not to blame your computer has still been compromised.
For many years I have been running Linux without any antivirus and my computer has never been compromised.
Re: (Score:2, Interesting)
I'm a Mac user also and it seems like I install a security update about once a month. OS X is good but it's not that good. Hell, it's a few weeks after details of the huge gaping exploit in ARD was announced and there still isnt a security update. The best you can do is remove ARD.
Re: (Score:3, Informative)
No, that's because they batch them in some gigantic 100mb+ update, instead of doing small updates for several applications, which is what Microsoft does.
Seriously, there's no reason why a security update should take several dozens of megabytes [apple.com]. This only ensures that dial up users will not install them and that people are more likely to delay installing patches due to the download time.
Also, most patches on Windows are released every month, on what is called patch Tuesday [wikipedia.org], which is the second Tuesday of eve
Re: (Score:3, Informative)
Re: (Score:2)
Then what the hell happens to them?
Re: (Score:2)
Re: (Score:2, Interesting)
Agreed, but they don't know what to do with us. I currently work as an on-site contractor for Microsoft in Redmond.
When left to my own devices, I'm several times as productive as the next best person I've ever met. If they'd let me, I would could our product's defect rate by an order of magnitude in a couple of weeks, but they're too damn afraid of change to let me do that. There's always a new release around the corner, and they're always in "OMG we can't change
Re: (Score:3, Insightful)
Right, because only nimrod programmers have bugs in their software.
Re: (Score:2)
Uhhh... guys?
Hello?