IE 8 To Include New Security Tools

ScuttleMonkey posted more than 5 years ago | from the hopefully-half-of-them-work dept.

Trailrunner7 writes "Internet Explorer has been a security punching bag for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Microsoft has been trying to get their act together on security, and the new beta of IE 8, due in August, will have a slew of new security features, including protection against Type-1 cross-site scripting attacks, a better phishing filter and better security for ActiveX controls."

177 comments

Better security for ActiveX controls (5, Insightful)

sakdoctor (1087155) | more than 5 years ago | (#24062565)

Or scrap ActiveX controls?

Nope, just the best one to date. (4, Funny)

DaedalusHKX (660194) | more than 5 years ago | (#24062627)

"Uninstall Internet Explorer 8? Are you sure? Yes/Yes"

Perfect security tool, IMHO.

Re:Nope, just the best one to date. (-1, Troll)

davester666 (731373) | more than 5 years ago | (#24062769)

"Uninstall Windows XP/Vista? Are you sure? Yes/Absolutely Damn Yes"

Much better security...

Re:Nope, just the best one to date. (-1, Offtopic)

DaedalusHKX (660194) | more than 5 years ago | (#24063143)

Nah, XP no longer installs anyways. Seems Microsoft has disabled the "activation software" when you call in. They keep you on hold eternally. If you call in, and the Indian tech support schmuck asks to put you on hold while "validating your key" do NOT accept him to do so, since once you're on hold, they no longer pick it up. Obviously if it was pirated they would tell you. Since my copy is legit (retail pack) it's impossible for them to not activate it. Thus they have basically robbed me of the price of one professional edition Windows XP, since it is a product I can no longer use. Technically they owe me, and anyone else who cannot activate their legit version, about 300 bucks plus tax... nevermind reimbursing us for inflation loss on that 300 bucks plus tax.

I could see a remarkably awesome lawsuit coming out of this. I just don't have the desire to enable the state apparatus... so I'll find another way, preferably using the market.

Re:Nope, just the best one to date. (3, Interesting)

GigaplexNZ (1233886) | more than 5 years ago | (#24063637)

You paid $300 for use of software, I assume you got some use out of it, and later on after the shelf life of the product you want a refund not only for the full amount, but an amount higher than you initially paid for it? That's some serious optimism there. For the sake of argument, let's assume you are entitled to a refund. If you got any use out of the product at all, you are not entitled to a full refund, as you would be getting something for nothing. Even if you never were successfully able to activate (thus being entitled to a full refund), you made a conscious decision to buy the software at that price at that time, forgoing any interest you might have made on the money. If the software did work, you still wouldn't have got that interest.

Re:Better security for ActiveX controls (4, Insightful)

Tweenk (1274968) | more than 5 years ago | (#24062743)

ActiveX is a critical technology in (South) Korea - you can't do any online banking, online shopping, etc. without ActiveX support. MS can't drop ActiveX or it would lose the Korean market.

Re:Better security for ActiveX controls (5, Insightful)

Anonymous Coward | more than 5 years ago | (#24062905)

> MS can't drop ActiveX or it would lose the Korean market.

Lose it to whom? There aren't any other ActiveX providers, so if MS dropped ActiveX, South Korea would have no choice but to use whatever MS would provide as replacement.

Re:Better security for ActiveX controls (1)

AllIGotWasThisNick (1309495) | more than 5 years ago | (#24063077)

> Lose it to whom?

You're far too serious sounding A. Coward to be sarcasm. My apologies if this was genuinely intended to be funny ;( In answer to your question: To (a) anyone that rushes in to provide ActiveX support in the void or (b) anyone that provides the replacement technology (if they still haven't learned -- seemingly the case), or (c) all browsers should they start using (eg) air/flash or regular ole' https+html instead of https/silverlight.

Re:Better security for ActiveX controls (1)

Telvin_3d (855514) | more than 5 years ago | (#24063403)

Anyone rushing to provide ActiveX support? How exactly does someone rush to provide a fully compliant alternate version of a closed source system? If it was that easy to seamlessly duplicate ActiveX there would be ActiveX plugins for Firefox and Opera and this whole conversation would never have come about.

Re:Better security for ActiveX controls (4, Informative)

IntlHarvester (11985) | more than 5 years ago | (#24063489)

There is an ActiveX plugin for Firefox: http://www.iol.ie/~locka/mozilla/plugin.htm [www.iol.ie]

Either browser could easily support ActiveX on Windows if they wanted to. The main reason they don't is for marketing reasons (because it's perceived to be insecure).

Aside from that ActiveX is actually a documented Open Group standard, and there are (were) 3rd party implementations.

Re:Better security for ActiveX controls (1)

cheater512 (783349) | more than 5 years ago | (#24063533)

Err...Javascript is considered insecure by some.
How is running third party binary code secure?

Re:Better security for ActiveX controls (3, Insightful)

IntlHarvester (11985) | more than 5 years ago | (#24063571)

It isn't.

But yet every single modern browser has a way of running 3rd party binary 'plug-ins' or 'add-on' because it's too damn useful. Therefore the only real distinction here between browsers that support ActiveX and browsers that don't is marketing.

Re:Better security for ActiveX controls (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24063347)

Cause Korea doesn't have anti-trust laws? The problem is thus: There was a window between the Mosaic project winding down and closing up shop and the plethora of what became opensource browsers and standards. In that window, Microsoft was inventing the standards very quickly and with little consideration. Well in exactly the way the free-market had been doing a good job since Adam Smith's time. But the problem is that kind of thing isn't particularly helpful at a networking technology, be it roads/railroads/POTS/or lolcat infused intarwebz.

That has created a world of multiple standards which have unintended and undesirable consequences, but none-the-less have a tremendous amount of invested capital behind them. You might as well advocate the taking of an axe to any machine (or host of a virtualized machine) running legacy COBOL code. It's just not always convenient to rebuild the world from scratch, even if it's a GLOB of 1's and 0's.

The money isn't there to run two platforms side by side into the future, elegantly and mercifully letting the legacy cudgels fade away. The downtime for a do-over is so comically idiotic that standards zealots even speak to the idea at all is practically an indictment of their whole position. So we'll get to enjoy the interaction of a million (million-million?) poorly considered decisions for decades to come.

Re:Better security for ActiveX controls (1)

owlnation (858981) | more than 5 years ago | (#24062917)

> Or scrap ActiveX controls?

If only... no one act would improve more the quality of everyone's browsing experience.

Re:Better security for ActiveX controls (4, Interesting)

TheNetAvenger (624455) | more than 5 years ago | (#24063041)

> Or scrap ActiveX controls?

Too much legacy, best thing to do is continue to sandbox them as much as possible.

MS is shoving developers to either Silverlight or XBAP that have extensive sandboxing/security in comparison. MS has been in the process of killing ActiveX for several years now, next trick is to smack the developers around by making non-internal deployment really freaking hard.

Even Win32/64 has been being killed off slowly, but developers are slow moving creatures sometimes. (This is the biggest reason even people that hate Vista should be rooting for it to replace XP at the very least, as the non-Win32 APIs are its bread and butter, even working directly inside the vector composer of Vista, that XP can't do even if you try running .NET 3.x on it.)

Re:Better security for ActiveX controls (0)

Anonymous Coward | more than 5 years ago | (#24063071)

If what you are saying is true, why hasn't MS stopped using ActiveX for WGA for most of their downloads?

Re:Better security for ActiveX controls (1)

IntlHarvester (11985) | more than 5 years ago | (#24063419)

Every Internet Explorer "plug-in" uses ActiveX. This includes Silverlight, Java, Flash and so on. AFAIK there's no plans for that to change, if you want to extend the browser, you need to use ActiveX.

What TheNetAvenger is saying is that Microsoft has been discouraging developers from writing custom controls. Part of this is making them more and more difficult to install. In most cases these controls were only used for custom UIs and things that did not require full unsandboxed system access. So they would be better off using AJAX/Silverlight/Flash/Java.

Re:Better security for ActiveX controls (4, Insightful)

JebusIsLord (566856) | more than 5 years ago | (#24063203)

ActiveX is the only thing keeping large businesses TIED to IE. The last thing MS would do is scrap them. And to be honest, within a corporate intranet (where users don't have the rights to install activex controls), ActiveX is a pretty solid technology.

Re:Better security for ActiveX controls (0, Flamebait)

Z34107 (925136) | more than 5 years ago | (#24063439)

ActiveX controls sound a lot like Firefox Add-Ons. Except ActiveX controls are sandboxed, whereas Add-Ons run at browser privileges.

Am I wrong? Or should Firefox scrap Add-Ons before IE8 scraps ActiveX?

Re:Better security for ActiveX controls (3, Informative)

IntlHarvester (11985) | more than 5 years ago | (#24063467)

Neither are sandboxed and both run with the same privs as the browser AFAIK.

The only real difference is that Firefox comes with a whitelist which prevents random sites from installing add-ons.

Re:Better security for ActiveX controls (1)

Z34107 (925136) | more than 5 years ago | (#24063605)

Interesting - I was operating on bad information. (Shh!)

Internet Explorer's ActiveX controls (on non-Vista/IE7 machines, so most of them) run with native privileges. Evidently they were designed to run fast-as-native-code and be "building blocks" other programs could hook into. For example, Internet Explorer exports a COM interface, which lets other apps load web pages or parse an HTML interface.

So, my Googling found that ActiveX relies on digital signatures and permissions explicitly given by a user.

Was I the only one to misread the title? (5, Funny)

The Standard Deviant (869317) | more than 5 years ago | (#24062583)

Was I the only one to misread the title as: "IE 8 To Include New Security Holes" ?

Re:Was I the only one to misread the title? (5, Insightful)

kjart (941720) | more than 5 years ago | (#24062675)

> Was I the only one to misread the title as: "IE 8 To Include New Security Holes" ?

That's true for almost everything new. As complexity rises, so does the chance of a problem, and browsers are surprisingly complex nowadays.

Re:Was I the only one to misread the title? (0)

Anonymous Coward | more than 5 years ago | (#24063475)

> > Was I the only one to misread the title as: "IE 8 To Include New Security Holes" ?
>
> That's true for almost everything new. As complexity rises, so does the chance of a problem, and browsers are surprisingly complex nowadays.

What's IE?

Signed, a loyal Netscape, Mozilla, now Firefox user

Re:Was I the only one to misread the title? (-1, Troll)

spion666 (922711) | more than 5 years ago | (#24062859)

No, you were not. I misread it too; that's expected considering IE's history.

Security, hah. (1)

Kingrames (858416) | more than 5 years ago | (#24062587)

On hacker/cracker messageboards everywhere:

OOH! more security vulnerabilities to play with!

Re:Security, hah. (4, Interesting)

Antique Geekmeister (740220) | more than 5 years ago | (#24063129)

And more DRM to wade through. Much of Microsoft's current 'security' development is aimed squarely at DRM and protecting the control by businesses, not at protecting users.

Let me guess... (5, Funny)

GSPride (763993) | more than 5 years ago | (#24062593)

An 'Install Firefox' button?

Re:Let me guess... (1)

snl2587 (1177409) | more than 5 years ago | (#24062679)

Yes, congratulations is in order for Microsoft's IE team: they've finally reached nearly the same level as Firefox+NoScript. And they've only been in the game...how much longer? [/msFlame]

But seriously, maybe we should give Microsoft a little credit. As bad as they've been about IE security in the past, they're actually trying this time.

Re:Let me guess... (3, Insightful)

lostmongoose (1094523) | more than 5 years ago | (#24062747)

> As bad as they've been about IE security in the past, they're actually trying this time.

Because they say they are, right? They've said that it'll be more secure than before every time they've done this and nothing really changes.

Re:Let me guess... (1)

snl2587 (1177409) | more than 5 years ago | (#24062829)

Well, yes, but this time it's more of a "must do" situation. If they don't change something they're in for a bit of a rough ride. And for that, I give them the benefit of the doubt.

Re:Let me guess... (1)

lostmongoose (1094523) | more than 5 years ago | (#24062931)

They lost any benefit of the doubt after 6, imo. They could have done all this with 7 like they promised but they didn't. They've had years to correct the issues with security but would rather add useless superficial 'security' measures than any real fixes.

Re:Let me guess... (1)

GigaplexNZ (1233886) | more than 5 years ago | (#24063721)

> Yes, congratulations is in order for Microsoft's IE team: they've finally reached nearly the same level as Firefox+NoScript.

Funnily enough, even Firefox without NoScript isn't at the same level. These comparisons should really only be done at default settings without 3rd party addons. It is fairly easy to lock down any of the browsers out there, but the majority of people don't do it.

Good (1, Insightful)

willyhill (965620) | more than 5 years ago | (#24062603)

I think the IE7 solution to ActiveX sandboxing was well done. It's still a problem, but a lesser one I guess. I always thought that was the most serious issue with IE.

It just feels like it's taking forever to make IE a good browser. All those years in a stagnant pond where the order of the day was fighting little fires instead of improving the product beget Firefox, and now Microsoft is really feeling the heat. Competition is good, but Microsoft seems to still be moving at a glacial pace.

Re:Good (2, Interesting)

MightyMartian (840721) | more than 5 years ago | (#24062725)

I certainly hope they make IE8 faster. My (admittedly very anecdotal) experience is that IE7 is an absolute dog on startup and in browsing. There's a real lag there, that Firefox simply does not have.

Re:Good (1)

thetoadwarrior (1268702) | more than 5 years ago | (#24063011)

XP or Vista?

I'd say IE7 XP isn't that bad to start up but in Vista it takes forever.

Re:Good (0)

Anonymous Coward | more than 5 years ago | (#24063427)

Weird. Just the opposite here. Slowpoke on XP, pops right up on Vista.

Re:Good (1)

willyhill (965620) | more than 5 years ago | (#24063167)

I honestly don't see the difference between IE7 and IE6 on either XP or Vista. And I think IE is a heck of a lot faster to load and initialize than Firefox. But Firefox seems to render pages slightly faster than IE7.

You might want to check the IE add-ins or whatever they're called. A girl at work started having problems with startup times and some pages that would get stuck when loading in IE7, until she figured out that the Skype ActiveX control was causing it. She disabled it and everything started working fine.

Re:Good (1)

GigaplexNZ (1233886) | more than 5 years ago | (#24063733)

> I honestly don't see the difference between IE7 and IE6 on either XP or Vista.

It is pretty easy to notice the difference between IE 6 and IE 7 on Vista. One runs, one does not. Also, how do you not notice the tab support in IE 7?

Please say.. (3, Interesting)

wellingtonsteve (892855) | more than 5 years ago | (#24062631)

..that they will be more usable than the current 'security tools' we get with IE7 which serve the purpose of securing IE by making it so annoying that no-one wants to use it..

I mean that security bar thing that appears below the address bar for example when you want to download something. "Are you sure you want to download this file? It may contain viruses, malware, zombies, ghosts, or even the mother-in-law amongst other Scary Things (tm)?" YES! Why no "Don't ask me again, I'm smart enough to know what I'm downloading thanks" option....

Ahem, rant over sorry.. But please MS, try harder this time..

Re:Please say.. (3, Interesting)

ConceptJunkie (24823) | more than 5 years ago | (#24062943)

It would be nice if Microsoft's biggest security "feature" is asking the user to confirm any operation that could conceivably cause a problem. Oh, well, at least they can blame the user now... after all HE allowed it.

The one time I tried to use IE7 and MSN search (to look up TV remote control codes) MSN search returned a link that hijacked IE7 to a site trying to play porno movies and because of the constant message boxes claiming "Microsoft" found security problems and should I let it install a "fix" (probably Javascript trying to get me to install malware). The message boxes wouldn't go away and I couldn't even shut down the browser without killing the whole app from the task manager. (By the way, I checked the first several pages of Google's results to see if that fake link showed up, and it wasn't there. MSN is useless, too.)

I would have never in a million years thought that IE7 would be that horrible. It's like it's 1998 all over again. Microsoft does nothing but FAIL. I've been using Firefox (with NoScript, AdBlock+, etc) since it was Phoenix 0.4 or so and I had literally forgotten how horrible IE used to be... and still is. In all those years nothing like that has ever happened to me with Firefox.

I'm convinced Microsoft just needs to give up. They have become completely worthless and literally have nothing else to offer.

More details and ranting if you're interested: http://conceptjunkie.blogspot.com/2008/04/microsoft-needs-to-die.html [blogspot.com]

Re:Please say.. (1)

IntlHarvester (11985) | more than 5 years ago | (#24063531)

You could easily create a similar messagebox loop for Firefox, to try to encourage someone into installing a malware Add-On.

Unfortunately, no browser that I know of allows you to kill a javascript without taking out the whole browser.

I thought the same. Microsoft need to learn! (2, Insightful)

QJimbo (779370) | more than 5 years ago | (#24063723)

Annoying the user seems like a running pattern with anything Microsoft try and make secure.

Windows Live messenger: "This file was a security risk and has been removed", User: "BUT IT WAS AN MP3?!?!"

Windows Vista: *download program* IE7: "Are you sure you want to download?" *click yes... wait...* "File downloaded" *click Run* IE7: "Are you sure you want to run this file?" *click yes* Vista Access Control: "This file is a program and may cause bad things to happen! Are you sure?" User: "ARGH FOR THE THIRD TIME YES I'M SURE"

"Better" security for Activex? (1)

alexborges (313924) | more than 5 years ago | (#24062687)

The only good activex is a DEAD activex. Kill it once and for all, for christ sakes.

Re:"Better" security for Activex? (1)

Tweenk (1274968) | more than 5 years ago | (#24062767)

As I commented under the first post it's not that easy. In Korea everything runs on ActiveX (online banking, e-commerce, etc.), it was the preferred way to provide rich client functionality for years. While ActiveX is deprecated, they can't drop it right now because of the giant backlog of legacy ActiveX applications in Korea. This is also one of their most loyal markets, so it would be a shot in the foot.

Re:"Better" security for Activex? (1)

alexborges (313924) | more than 5 years ago | (#24062805)

Fuck Korea, Microsoft and the horse they rode on.

Activex should've died a simple rapid death a decade ago. Microsoft is willing to actually make their stuff standards compliant: that'll mess much more many people up than killing activex off.

In any case, I don't care at all: I've never used activex and I never will. Hell, I don't even use IE and never will.

Re:"Better" security for Activex? (1)

smitty_one_each (243267) | more than 5 years ago | (#24062821)

It's also at the heart of around a bazillion lines of VB applications and stuff.
While it would in theory be totally smarter to upgrade everything to .Net and use VSTO and the like, the installed base becomes the chief competition for MS.
Even if MS gave away all of the tools and converters to migrate away from all the VB, there would still be a crushing battle with bureaucratic inertia.

Re:"Better" security for Activex? (1)

doktorjayd (469473) | more than 5 years ago | (#24062853)

so kill it,

and make the banks, etc reconsider in their next round of development. it's actually pretty easy to adhere to standards that make apps cross-browser happy.

geez, if an online app gets 3 years of production life, it's done pretty well, so planning for the next version _without_ activeX should be pretty straight forward.

just looking through my web server logs, there's still plenty of nufties running ie5/6, so killing activeX in ie8 wouldn't be the end of the world overnight - ppl would just have to have an older ie around for a bit longer ( or perhaps install it as an optional add-in to ie8...)

Re:"Better" security for Activex? (1)

LO0G (606364) | more than 5 years ago | (#24063051)

What a great idea.

I do have one question...

If Microsoft kills its plugin technology (ActiveX) how do you expect people to render video?

Every major browser out there (with the possible exception of Lynx) has a plugin technology that allows things like video rendering to be possible. As long as you allow plugins that have the ability to render arbitrary code, you have an environment that is the functional equivalent of ActiveX.

ActiveX has a bad reputation simply because it is the most popular plugin technology out there. There is absolutely nothing inherently less secure with ActiveX controls than there is in the extension mechanisms used by other browsers.

Does anyone remember the GreaseMonkey vulnerabilities [mozdev.org] ? No ActiveX, but a buggy browser plugin.

Killing ActiveX won't make IE any more secure.

Re:"Better" security for Activex? (1)

Tubal-Cain (1289912) | more than 5 years ago | (#24063117)

> If Microsoft kills its plugin technology (ActiveX) how do you expect people to render video?

How about HTML 5's video tag?

And how does one get the angle brackets to not be parsed when posting? (is "parsed" even the right word?)

Re:"Better" security for Activex? (2, Informative)

MichaelTheDrummer (1130657) | more than 5 years ago | (#24063243)

Typing &gt; will give you >
Typing &lt; will give you <

You have to escape the special html characters. Man I had to preview that 3 times to make sure I had the tags right!

Re:"Better" security for Activex? (1)

nabsltd (1313397) | more than 5 years ago | (#24063285)

> And how does one get the angle brackets to not be parsed when posting? (is "parsed" even the right word?)

Either post as plain text, or use the HTML escapes: "&lt;" for left angle bracket (<) and "&gt;" for right angle bracket (>).

Also, to create the "source" in this post, I had to escape the ampersand that starts each sequence by using "&amp;".

I only have one comment..... (2, Interesting)

zappepcs (820751) | more than 5 years ago | (#24062695)

Since IE7 and Vista, I am no longer qualified to comment on the user experience of Windows products. These two products killed off *any* thoughts I might have of using MS products at my personal expense. Still on XP with FF/OOo et al at work. It might^H^H^H^H^H^H will take more to get me to try another MS product than it did to get me to try Ubuntu.

New security tools sounds like a good idea. Hope they do well with that. Everyone has to work to keep the bar high on secure computing development, but I won't be trying it. Yeah, don't bother telling me about how F/OSS has problems too... everything does. I just prefer my problems not be served to me without the lubricant.

I do hope they achieve something good, it will be good for the Internet as a whole.

Re:I only have one comment..... (1)

abshnasko (981657) | more than 5 years ago | (#24063093)

> I do hope they achieve something good, it will be good for the Internet as a whole.

And if they don't, that just means more people switching away from MS products and using free software. I can't decide which would be better.

ZZZ (0)

Anonymous Coward | more than 5 years ago | (#24062699)

It's a boot time, heck there should have been a vastly better ver of IE with vista but of course they only care about making things pretty now rather than good code. The worst type of malware embeds itself into IE and is like impossible to remove. For example zone alarms spy blocker bar/other scamware toolbars.

IE8 Features New Improved Backdoors GNAAReport (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24062715)

IE8 Features New Improved Backdoors GNAAReport

GNAA Colon Puncher #007 writes
"Internet Explorer has been a proprietary piece of shit for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Muckrosoft has been trying to get their act together on sodomy, and the new beta of IE 8, due in August, will have a slew of new backdoors, including NSAKey 5.0, a better remote login for spooks and better protection against hackers discovering these remote exploits, which are cleverly worded backdoors."

so.very.broken (0)

Anonymous Coward | more than 5 years ago | (#24062719)

“IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script.”
“We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type.”

So much for them working towards natively supporting image/svg+xml which allows javascript in SVG files (does this also break Adobe’s SVG viewer?)
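The rule quoted in the comment above, as an added example that is not part of the original post and not Internet Explorer's own code: a simplified model comparing a sniffer that lets body content override the declared type with one that never promotes `image/*` to HTML, plus an audit a site hosting uploads could run over its own responses. The function names, marker list, 256-byte window and sample responses are assumptions constructed for this sketch.

```javascript
// Added illustration: a simplified model of the quoted rule, not Internet Explorer's code.
// The marker list and the 256-byte window are assumptions made for this sketch.
const HTML_MARKERS = [/<!doctype\s+html/i, /<html[\s>]/i, /<body[\s>]/i, /<script[\s>]/i];
const SNIFF_WINDOW = 256;

// Media type without parameters: "Image/GIF; q=1" -> "image/gif".
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// True when the first bytes of the body contain markup a sniffer would treat as HTML.
function looksLikeHtml(body) {
  const head = Buffer.from(body).subarray(0, SNIFF_WINDOW).toString('latin1');
  return HTML_MARKERS.some((re) => re.test(head));
}

// Sniffing without the rule (in this model): body content can override the declared type.
function legacyDecision(header, body) {
  const declared = mediaType(header);
  if (declared === 'text/html' || looksLikeHtml(body)) return 'render-as-html';
  return declared.startsWith('image/') ? 'render-as-image' : 'download';
}

// The quoted rule: a response declared image/* is never promoted to HTML/script.
function noUpsniffDecision(header, body) {
  if (mediaType(header).startsWith('image/')) return 'render-as-image';
  return legacyDecision(header, body);
}

// Server-side audit: paths served as image/* whose bytes look like HTML. These are the
// responses that depend on the browser honouring the declared type.
function auditResponses(responses) {
  return responses
    .filter((r) => mediaType(r.contentType).startsWith('image/') && looksLikeHtml(r.body))
    .map((r) => r.path);
}

// Constructed sample responses (paths and bodies are made up for the example).
const SAMPLES = [
  {
    path: '/avatars/1.png',
    contentType: 'image/png',
    body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]),
  },
  {
    path: '/avatars/2.gif',
    contentType: 'image/gif',
    body: 'GIF89a<html><script>/* constructed marker */</script></html>',
  },
  {
    path: '/index.html',
    contentType: 'text/html; charset=utf-8',
    body: '<!DOCTYPE html><html><body>hi</body></html>',
  },
];

// Side-by-side decisions for each sample under both models.
function compare(samples) {
  return samples.map((s) => ({
    path: s.path,
    legacy: legacyDecision(s.contentType, s.body),
    noUpsniff: noUpsniffDecision(s.contentType, s.body),
  }));
}

console.log(compare(SAMPLES));
console.log('declared image/* but HTML-like:', auditResponses(SAMPLES));
```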

IE 8? (1)

nx6310 (1150553) | more than 5 years ago | (#24062731)

I still haven't installed IE 7 after the WGA scandal and all the PC's I had to de-WGA for months. IE8 is kind of like "that guy I hate"s kid bro.

But since Vista is WGA infested, I doubt it will ever be mainstream in Developing countries where FOSS strives to compete with Piracy.

Re:IE 8? (0)

Anonymous Coward | more than 5 years ago | (#24062909)

actually you would be surprised how much easier it is to deal with WGA in Vista. Using the OEM BIOS crack I have never even seen a WGA notice, let alone been denied access by one. I had much more trouble with XP. Perhaps this was intended? That would help to explain why the "improved anti-piracy mechanisms" in Vista were so quickly and thoroughly broken even before the official release.

Re:IE 8? (1)

nabsltd (1313397) | more than 5 years ago | (#24063319)

> I still haven't installed IE 7 after the WGA scandal and all the PC's I had to de-WGA for months. IE8 is kind of like "that guy I hate"s kid bro.

If you support enough machines, set up Windows Server Update Services on a machine that can be accessed via the Internet, and point all the machines you support to your WSUS for updates (use the "Local Computer Policy" MMC plugin). Then, you can completely control which updates get applied.

WGA isn't approved on the WSUS server I have, and none of my machines have had any problems with any updates (including test installs of IE7 to virtual machines). I'm sure there are some optional things you could download from Microsoft that require WGA, but you could always have one VM that has WGA installed and download using that. I don't know of anything that checks for WGA inside the install file itself, but I wouldn't be surprised if MS started doing that, too.

Sandbox javascript, flash etc ... (3, Insightful)

BlueParrot (965239) | more than 5 years ago | (#24062735)

There isn't any good reason why the javascript engine should run with the same privileges as the browser, and there certainly isn't any good reason why plugins like flash should have as many privileges as they do. Sandboxing those bits should help a lot.

Re:Sandbox javascript, flash etc ... (5, Informative)

Z34107 (925136) | more than 5 years ago | (#24063519)

In IE7 on Vista, those bits (and everything you do, actually) are sandboxed. It's called protected mode [microsoft.com] and like everything well-written and intelligible in life, there's a MSDN article. ~~

If you can get to a Vista machine, boot up Internet Explorer 7. In the bottom-right hand corner, you'll see a "Internet|Protected Mode: On." Internet Explorer, and everything launched in/from IE, run under a low "Integrity Level", which means they only have access to the "Temporary Internet Files\Low" folder and "HKEY_CURRENT_USER\Software\LowRegistry" key.

Any file access is transparently redirected from these points: An ActiveX control trying to create "virus.dll" in "c:\windows\system32" will have it actually created "Temporary Internet Files\Low\C\Windows\System32". (Nothing in this folder is executable.)

Open up task manager. (CTRL+SHIFT+ESC) You'll notice an "ieuser.exe" process - should something need more privileges, like you saving a file to your downloads directory, this process will grant that one action regular, non-admin user privileges. Anything system changing has to pass through an "IEinstal.exe" process, which will trigger a UAC prompt.

My understanding is limited to some Vista beta-era documentation and the MSDN article I linked, but they pretty much sandboxed the entire browser with sub-guest-account privileges. It relies on some new parts of the Vista kernel (you won't see the same sandboxing on IE7 in XP) but it's still pretty nifty, I think.

Wow! IE 8 to FINALLY include some security tools.. (0, Troll)

KozmoKramer (1117173) | more than 5 years ago | (#24062801)

No wait...to include NEW tools....

When I think of TOOLS, I always think of Microsoft.

By Neruos (1, Informative)

Anonymous Coward | more than 5 years ago | (#24062849)

I've used IE6.x for over 4 years with no ill issues. Though I know how to set security and options and I know when to scan and what websites are allowed to run things (cookies, activex, etc) and which shouldn't.

Not once has my computer been compromised due to IE.

Re:By Neruos (2)

Kangburra (911213) | more than 5 years ago | (#24062993)

Your last statement implies that even though IE was not to blame your computer has still been compromised.

For many years I have been running Linux without any antivirus and my computer has never been compromised.

Just make IE 6 obsolete (0)

Anonymous Coward | more than 5 years ago | (#24062851)

It's a good idea of course, but if Microsoft would actually care (wishful thinking) they would make IE6 obsolete already. Their users will be safer, the developers would be happier..

How about we get... (0)

Anonymous Coward | more than 5 years ago | (#24062861)

support for the application/xhtml+xml mime type? It's been several years now, Microsoft. I'm sick of hearing people go on about how the new IE team *cares*, and yet I don't see all that much improvement.

I don't even care about whether IE actually parses xhtml as xhtml or as tag soup. Just accept the damn mime type and then internally parse it with your crappy engine.

So keep using internet exploder 7 'till then, k? (3, Funny)

lastomega7 (1060398) | more than 5 years ago | (#24062869)

We promise you IE8 will be cool.
-MS lackey

PS- Despite what anyone tells you, don't get 'fire fox,' it's probably a virus.

This is a simple job (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24062951)

Just hire decent coders. MS hires total bozos for coders.

Re:This is a simple job (0)

Anonymous Coward | more than 5 years ago | (#24063027)

You know, statements like that don't just piss off Microsoft programmers, it pisses off Firefox coders, Safari coders, Opera coders, et al. It's *not* a simple job. It's an extremely fucking complicated job.

Re:This is a simple job (3, Informative)

pdusen (1146399) | more than 5 years ago | (#24063345)

Actually, MS hires some of the best coders in the world. You're just an idiot.

Re:This is a simple job (0, Informative)

Anonymous Coward | more than 5 years ago | (#24063575)

You're absolutely right, it's the testers' fault that these [microsoft.com] things [googlepages.com] happen [xbox-linux.org] so [wikipedia.org] often [microsoft.com].

Yes, they're old. But the best testers in the world would have noticed the mistakes (?) the best coders in the world made.

In more modern operating systems, it's become well known that MSFT hid the facts [wikipedia.org] about how incredible their coders really are.

Re:This is a simple job (0)

Anonymous Coward | more than 5 years ago | (#24063741)

A good analogy would be.. all the best lysol cans (coders) in the world can't make shit** (m$ products) turn into gold*. (gold being of course open source projects)

**m$ seems to be constipated, normally shit doesn't take 7 years to come out.

*you have to have time to find a lot of gold, but in the end, it's worth it.

Great! Now to re-design everything! (1)

digitalextremist (818027) | more than 5 years ago | (#24062999)

This can only mean that when IE8 comes out there is going to be a massive hit to web designers out there. Gear up for the site re-design fest!

Re:Great! Now to re-design everything! (1)

v.dog (1093949) | more than 5 years ago | (#24063677)

Actually, MS are promising greater support for the W3C standards, so if your site works well in Firefox/Opera/Safari/other, it should work OK in IE8. The only people who should have problems are the developers that design sites to exclusively work in IE6/7, and rightly so.

Security.. Thats all Microsoft knows how to update (0, Flamebait)

trr49378 (1317221) | more than 5 years ago | (#24063029)

Not to diss Microsoft or anything... but seriously they need to get their act together with security updates. Every other day there seems to be a new security update for MS XP; why don't they stop messing with things, then you don't need security updates. I'm a Mac user and I would have to say Macs barely ever have updates for security. Is that cuz Macs are better?!?!?!?

Re:Security.. Thats all Microsoft knows how to upd (2, Interesting)

metallic (469828) | more than 5 years ago | (#24063163)

I'm a Mac user also and it seems like I install a security update about once a month. OS X is good but it's not that good. Hell, it's a few weeks after details of the huge gaping exploit in ARD were announced and there still isn't a security update. The best you can do is remove ARD.

Re:Security.. Thats all Microsoft knows how to upd (2, Informative)

jfim (1167051) | more than 5 years ago | (#24063333)

No, that's because they batch them in some gigantic 100mb+ update, instead of doing small updates for several applications, which is what Microsoft does.

Seriously, there's no reason why a security update should take several dozens of megabytes [apple.com]. This only ensures that dial up users will not install them and that people are more likely to delay installing patches due to the download time.

Also, most patches on Windows are released every month, on what is called patch Tuesday [wikipedia.org], which is the second Tuesday of every month. I'm not sure I fully agree with the idea of a fixed patch schedule as it gives the malware authors a one-month window to exploit, although it does give corporate deployments a chance to test patches prior to deployment on a sane schedule.

The most welcome security feature... (2, Funny)

Bwana Geek (1033040) | more than 5 years ago | (#24063031)

Perhaps the most long-awaited security feature of all, the IE8 team promises that it will immediately uninstall itself if someone mistakenly puts it on their PC.

Re:The most welcome security feature... (1)

v.dog (1093949) | more than 5 years ago | (#24063727)

I'd settle for being able to uninstall it, period. If it was an application and not a Windows component, Windows would be more secure, and I'd be more likely to use IE as it would be there by choice.

Now, that sounds familiar! (1)

hdparm (575302) | more than 5 years ago | (#24063061)

Will this turn out to be the same BS from Microsoft, as it was with all the previous IE releases? History tells us - yes. I mean, what real incentive do they have? All they care about is that IE integrates tightly with their other technologies, so already locked-in corporate users are happy.

The side-effect of less or no security introduced by having IE preinstalled on about all of the new consumer PC shipments is not their concern. Nobody pays for it, anyway.

"IE8 will be the most secure version of IE yet" (1)

QuietLagoon (813062) | more than 5 years ago | (#24063075)

Of course, that's not saying much.....

Re:"IE8 will be the most secure version of IE yet" (1)

gmuslera (3436) | more than 5 years ago | (#24063171)

Is saying a lot, in fact, with this is the 8th time that Microsoft about their current next version of web browser.

Ok, even more, they said that for middle versions like IE 5.5 too.

Screw security, give us standards! (1)

Yvan256 (722131) | more than 5 years ago | (#24063081)

I don't care what they do for security, I just want IE8 to support standard CSS stuff like border-radius, box-shadow and text-shadow. That's what people want to see when they sign up for contracts.

Same goes for Firefox (still no box-shadow) and Opera (neither box-shadow nor border-radius).

Yada yada yada specs not finished, I don't care. Use the standardized prefixes for non-approved standards, they're here for that (ex: -moz-border-radius, -webkit-border-radius, etc).

Re:Screw security, give us standards! (1)

TheSeer2 (949925) | more than 5 years ago | (#24063337)

So they should implement a not-yet-standardised standard. Then, in the off chance they get scrapped (or any other situation where it gets scrapped), someone, probably the same people who wanted 'em to implement it earlier, will yell, oh noes, EEE! THEY'RE EXTENDING BLAH.

IE8 Features New Improved Backdoors GNAAReport (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24063089)

IE8 Features New Improved Backdoors GNAAReport

GNAA Colon Puncher #007 writes
"Internet Explorer has been a proprietary piece of shit for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Muckrosoft has been trying to get their act together on sodomy, and the new beta of IE 8, due in August, will have a slew of new backdoors, including NSAKey 5.0, a better remote login for spooks and better protection against hackers discovering these remote exploits, which are cleverly worded backdoors."

!!! Stop the press

Is this that important in the big scheme of things (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24063153)

for as much as you slashfags bitch about religion it's interesting to see how little you bitch about muslims. it must be because of the high number of europeans. because, as we all know, islam has it's dick planted firmly in europe's faggot ass. euros can't stop islam nor are they willing to share their real feelings on the lie known as islam. instead they've bent over and got fucked like a good bitch. they hope this will appease the muslims but the truth is that muslims will take more and more. islam will not be happy until everyone is an allah faggot or everyone is dead.

get your heads out of your asses europe. you're a bitch to islam. keep sucking that mohammad dick until you're force to bow before allah or you'll get a few bullets in your back from a assfag mullah.

oblig. Kingdom of Loathing quote... (1)

MRe_nl (306212) | more than 5 years ago | (#24063279)

The smell of brimstone, the hulking body and dragging claws, the sound of "stfu d00d u r teh suk" -- yup, this must be a flaming troll.

impossible (0, Troll)

Haxx (314221) | more than 5 years ago | (#24063295)

      "But Microsoft has been trying to get their act together on security"

SHHHH! QUIET! You will scare away all the open source people! Even a whisper of a positive spin on Microsoft could shut this site down. As an embedded programmer over here in the Northeast I refuse to accept this as the truth, even if it is true and I see it with my own eyes. No matter how true this might be it still must be false!

You can't fix ActiveX controls in IE. (1)

argent (18001) | more than 5 years ago | (#24063297)

So long as IE is built around the idea that it's possible, even in theory, to create a sandbox that is both leaky and secure, the Microsoft HTML control will continue to be the biggest channel for malware in the world.

We (the security community) have been saying this for a decade, and Microsoft keeps saying "this time for sure".

Don't bet that this time is the last time they say it.

'Fun' toolbars (0)

Anonymous Coward | more than 5 years ago | (#24063387)

For love of God, please include a feature that is a one-stop shop to remove the various crippling toolbars.

Yes, there's the addon screen, but the number of evil toolbars that skip that are certainly the majority. They fall under the category of spyware/adware/trojans but just make it controllable. How hard can it possibly be?!

Every average user's computer I've helped fix has always had one or more stubborn toolbars that a mixture of spybot, registry tweaks and detective work. Give the average user some way of managing the crap.

Simply inexcusable.

New interpretation of standards too (0)

Anonymous Coward | more than 5 years ago | (#24063421)

They'll make sure content is rendered completely differently from their previous browsers and those of their competitors.

Survey says... (1)

PNutts (199112) | more than 5 years ago | (#24063443)

IE 6 was arguably the least secure browser of all time.

Well, IE6 was released in 2001, pre XP SP2 (over three years before FireFox), and is still in use seven years later. IE 6 has a total of 130 secunia advisories (highest unpatched is Moderately Critical). FF 1-3 have 71 advisories (highest unpatched Highly Critical) since release in 2005 and IE6 had 35 advisories in the same period.

Keeping in mind there are lies, damn lies, and statistics, I'm not going to argue either way and let the fanbois take their browsers into the shower with a ruler.

More than browser vulnerabilities I take issue with the verbiage of the OP. Superlatives are the worst things in the world.

Tools? (0)

Anonymous Coward | more than 5 years ago | (#24063509)

Oh tools, I thought you said holes... or was it trolls...

Technically, IE7 is the most secure browser out... (3, Interesting)

Toreo asesino (951231) | more than 5 years ago | (#24063565)

it's the only one I know that runs with only the following privileges (Vista only)...

"RO to File System"
"RW to user IE temp dir (explicit DENY on execute)"

Every other browser runs as logged in user I believe.

So even if IE7 gets hosed into the floor, nothing will happen.

That said, it still sucks compared to FireFox 3 in terms of useful functionality, but that's another story.
