All browsers have security issues

You may have heard in the last day or so about a critical flaw found in Internet Explorer. Microsoft says that “the vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.” The risk is mitigated if you run an account with fewer privileges or if you run IE in the High security mode. As always, you should ensure your machine is up-to-date with all of the latest patches at Microsoft Update (you can also find downloads at the Microsoft Download Center).

Unlike most zero day exploits, this one is actually infecting systems fairly quickly. That’s probably why Microsoft decided to take immediate action. As the Zero Day blog points out:

Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat — especially given the need to support all versions of IE across all platforms and languages.  This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes.

Make sure you update soon! Like right now!

When a vulnerability like this is disclosed, a common suggestion is to install and use a different browser, such as Firefox. That’s not a bad idea, but don’t think that will solve all of your problems! All browsers have security issues. Yesterday, for instance, Opera released an update to address at least seven security vulnerabilities. And today, Firefox released updates to both versions 2 and 3 to patch roughly a dozen security holes. And no, Chrome and Safari are not off the hook – just two days ago, they tied for last place in a test of password security.

Always make sure you’re running the latest version with all patches installed, no matter which browser you’re using. On top of that, be careful, pay attention, and use common sense when clicking links and opening files.

My Tech Days Sessions: ADO.NET Data Services and Internet Explorer 8

I’m in Calgary right now at Microsoft’s new paid conference, Tech Days. Despite being a little critical of the event when I first heard about it, I was asked to speak in Calgary. I figured it would be a great opportunity to get a first-hand look at the event so that I can offer more constructive feedback for future editions of Tech Days, and besides, I love sharing what I know with others!

I did the first two presentations in the Web Developer track – a session on ADO.NET Data Services followed by an introduction to Internet Explorer 8 for developers. I think my presentations went well for the most part, despite a few glitches with the demos. Initial feedback from people in the audience was positive anyway! Here are a few resources.

Goin’ Up to the Data in the Sky: ADO.NET Data Services for Web Developers

Internet Explorer 8 for Developers: What You Need to Know

Thanks to everyone who came to the sessions – feel free to contact me if you have additional questions.

Also, thanks to John Bristowe and the team at Microsoft for the opportunity to be involved with Tech Days. I’m looking forward to the rest of the sessions!

WebKit inside Internet Explorer? No thanks

Inside every web browser is something called a rendering engine. The browsers get most of the glory, but it’s actually the rendering engines that do the heavy lifting. Firefox uses Gecko, Opera uses Presto, Chrome and Safari use WebKit, and Internet Explorer uses Trident. There are a few others as well, but those are the main ones. Gecko and WebKit are open source, Presto and Trident are proprietary.

Much was made of the fact that Google decided to use WebKit inside Chrome instead of building yet another rendering engine. I agree that it was the right move. Should Microsoft follow suit and replace Trident with WebKit? Steve Ballmer made some interesting comments today on the topic:

"There will still be a lot of proprietary innovation in the browser itself so we may need to have a rendering service," Ballmer said, adding, "Open source is interesting. Apple has embraced Webkit and we may look at that, but we will continue to build extensions for IE 8."

That prompted more than a few people to wish for Ballmer’s comments to come true, including Steve Hodson who said:

This idea of IE switching over to using the WebKit engine is interesting on a couple levels. First this would put two main browsers on an equal footing as far as rendering ability which would make for a much easier development cycle. It would also make for a better browsing experience for the users as developers would no longer be forced to program against the vagaries of IE.

I hear that last point all the time and it drives me nuts. Yes, Internet Explorer 6 was a nightmare to code for. But that’s simply not the case for Internet Explorer 7 or the recent Internet Explorer 8 beta. At least not in my experience.

I’d hate to see Microsoft adopt WebKit, for a few reasons:

  • Competition is good, and WebKit needs worthy competitors to continue to push the boundaries.
  • There’s nothing wrong with Trident. Why throw away something that works well and is continually improving? And I’m not just talking about the version of Trident in IE8. Microsoft has had full support for things like contentEditable since IE6, something Mozilla/Gecko still hasn’t gotten right.
  • It’s not like the existing versions of Internet Explorer would magically disappear! This would be yet another browser/rendering engine combo that developers would need to test against.

And there are good reasons that Microsoft won’t adopt WebKit too, not the least of which is licensing. Backwards compatibility is a concern also.

It might sound appealing at first, but I don’t think it would be a good thing if all the major browsers used the same rendering engine.

Tell us about Internet Explorer 8!

The 72-hour conversation that Microsoft likes to call Mix is over tomorrow, and so far, there has been absolutely no news about Internet Explorer 8. As I like to say, the silence has been deafening! Oh there’s been lots of news about Silverlight (Colin has a number of great posts), but nothing about IE8. A quick search shows that Miguel de Icaza (among others, undoubtedly) noticed this as well:

Someone mentioned (and I forget whom it was) that talk about IE8 was strangely missing from the whole conversation. There were no announcements about new upcoming features in IE, no mention of whether IE8 will support what-wg nor any future plans.

It makes sense that Silverlight should have its day to shine, but seriously, IE8 is important! Why not drop even a few tidbits about what to expect? Firefox 3 received a ton of press back in February when it became clear that the nextgen browser would support offline applications.

Maybe Microsoft is keeping quiet about IE8 to let the “we love all platforms and browsers” message permeate the blogosphere.

I should point out that the IE team posted this almost two weeks ago:

We will have more information to share about the next release in the future, but MIX07 is too early yet to discuss specifics.

All I want are tidbits, not specifics!

UPDATE: Mary Jo Foley has written a post describing what was mentioned about IE8 at Mix today. Mostly general stuff, like security being the top priority.

Read: IE Blog

Outlook 2007 HTML rendering is crippled

The more I learn about it, the more Outlook 2007 continues to suck. First it was problems with downloading POP email, and now David Greiner tells us that HTML rendering in Outlook 2007 uses the Word engine rather than Internet Explorer:

Imagine for a second that the new version of IE7 killed off the majority of CSS support and only allowed table based layouts. The web design world would be up in arms! Well, that’s exactly what the new version of Outlook does to email designers.

You can see a full list of what is and isn’t supported at MSDN.

David wonders why Microsoft has done this, and suggests security, consistent rendering, and “they hate us” as possible explanations. I suspect security is the main reason, but like David points out, IE7 is a big step forward in security! They should just require use of IE7’s rendering engine.

So what does this mean for the average user?

All it means is that a lot of HTML emails in Outlook will be garbled and difficult to read. Nothing more, nothing less.

That sucks, especially since IE7 is pretty darn good at CSS rendering. And to be clear, it doesn’t matter if you think the world should only use text-based email. HTML email is not going to go away, and if Outlook is going to render it, I’d rather it do so correctly.

Read: Campaign Monitor

Firefox 2.0

I had a chance to install the latest release of Firefox this morning, and I have to admit, it’s pretty sharp looking! The user interface and default theme have both been updated with a fresh, clean look. Here are my favorite new features:

  • The updated user interface of course!
  • The close button for tabs is now on the tab itself, like IE7 and Opera.
  • Session Restore – replaces one of my favorite extensions.
  • The new add-ons manager is easier to use than the old extensions box.
  • You can reorder tabs now!
  • It’s not really a feature, but so far it appears Firefox is using way less memory than it used to.

The obvious question when you install a new browser is – how does it compare to the other browsers? Well, Firefox 2 appears to be a good improvement over Firefox 1.5, that much is clear. Compared to IE7 and Opera 9? They are all so similar now, it is becoming increasingly difficult to say one is better than the other. The installer for Firefox is definitely the best, though I have read some reports of errors when trying to uninstall.

As I mentioned a while ago, I have switched back to IE7 as my main browser, but I’ve always got the three (don’t forget Opera!) installed. If you’re a Firefox user, you should definitely upgrade to 2.0!

Bet you didn’t know: the IE Team at Microsoft sent Firefox guys a cake to celebrate their launch!

Read: Firefox

Internet Explorer 7

Late yesterday afternoon, Microsoft released the final version of Internet Explorer 7 for Windows XP. I have updated my desktop and tablet, so I am now running the latest and greatest of the IE family. And I really do like IE7, I think it’s a great browser. Today the IE team announced that starting November 1st, IE7 will be rolled out via automatic updates:

Of course we want to make sure you are ready to upgrade, so AU will notify you when IE7 is ready to install by presenting a welcome screen. You can choose whether or not to install it; IE7 will not install without your consent.

I also want to remind you that IE7 setup will preserve your current toolbars, home page, search settings, and favorites and will not change your choice of default browser. You will also be able to roll back to IE6 by using Add/Remove Programs. Only a user who is a local administrator will be offered the update.

Not everyone wants the update of course (mainly because it may break proprietary applications inside a company) so Microsoft has a free Blocker Toolkit which organizations can use to block the automatic update. This is a good strategy – companies that really want to block IE7 will use the tool, and those that don’t won’t bother with the toolkit and they’ll be much safer as a result of having a better browser installed.

As much as I like IE7, there are definitely some areas that Microsoft needs to work on (and apparently they have already begun work on IE8):

  • The setup experience needs work. It takes too long and requires two restarts (if you have old versions of IE7 installed, not sure about IE6 users which may require only one). The goal should be to have a setup similar to Firefox or Opera – short and sweet, no restarts required.
  • It may not be as bad as Firefox, but IE7 is still a memory hog. And I think the Firefox team have done some work on this in the 2.0 version, so Microsoft needs to keep up and make IE7 less resource-hungry.
  • There’s just no comparison between IE7 and earlier versions when it comes to standards support, but there’s still room for improvement.
  • It would be great to see something in the way of extensions, a la Firefox. The search builder in Opera is cool too.
  • Inline search! Dammit, I really hate that IE7 still has that archaic find box.

All of that aside, I wouldn’t wait for the automatic updates if I were you – download IE7 from Microsoft now!

Read: IE Blog

Internet Explorer 7 RC1

Internet Explorer 7 Release Candidate 1 was released today by Microsoft. This is supposed to be the last test release before the final version of IE7 is made public, though more release candidates could be added depending on the feedback Microsoft receives. I hope someone from Microsoft reads this post.

I just installed the browser, and had nothing but problems. Compared to beta 3, the installation for RC1 was a total nightmare. I downloaded the setup, closed all my programs (knowing I’d have to restart), and launched the setup. It did its thing for a while, then said I needed to restart, so I did. Upon restarting, Windows XP did something in the DOS-like blue window before the login screen, then booted normally. Right after logging in, the setup opened again (which required me to click Yes on the security box because the file came from the Internet). Almost immediately, svchost and the Generic Process Service crashed. I had to kill the setup as it was then stalled (no CPU activity whatsoever), and launch it again. After a second restart, the browser was installed properly.

After the first restart, when the processes crashed, my audio didn’t load (I only noticed because Skype popped up an error message). That was fine after the second restart. Worse though, is that something happened to my external hard drive. Maybe it was just a coincidence that it happened at the same time as the install, maybe not, but Windows thinks the drive needs to be formatted. I am currently running chkdsk on it now, and it’s found a bunch of unreadable segments. I can’t imagine that the IE setup would have touched the drive, but you never know. I didn’t have anything on the drive that I couldn’t afford to lose, but still, it’s very annoying. I’m hoping chkdsk will fix it (it’s fixed a ton of errors so far it appears…and as I type this, I see that chkdsk just encountered an unspecified error…so much for fixing it…).

Other than that, I really like IE7. It does a great job of rendering CSS and the other standards (in my opinion) and RC1 feels much faster at loading pages than beta 3. Perhaps my only complaint right now is the find feature (CTRL-F). Why doesn’t IE7 have the inline search that Firefox and Opera have? That stupid, useless little find box feels so 1996.

Overall though, I quite like IE7.

UPDATE: I ran chkdsk one more time, just for kicks, and it seems to have fixed everything! As I said I didn’t need anything on the drive, but there were a few things I wouldn’t have minded keeping. I am now copying them to network storage, just in case the drive dies again.

Microsoft totally sucks at product names

I’ve said it here before, and I’m sure you’ve read it elsewhere, but it needs to be said again: Microsoft completely and totally sucks at naming their products. Possibly the only names from the last year that are really good (IMHO) are Xbox 360 and Windows Vista. Let’s take a look at what I mean.

On Friday, Microsoft announced the official names for IE7:

For Windows XP: “Windows Internet Explorer 7 for Windows XP”
For Windows Vista: “Windows Internet Explorer 7 in Windows Vista”

Now let’s compare that to a product (technically a feature I guess) that Apple announced yesterday:

You back up your system regularly, right? Well, you would. If you had a better way to do it. With Mac OS X Leopard and Time Machine, not only can you back up and preserve everything on your Mac — including priceless digital photos, music, movies, and documents — without lifting a finger, you can go back in time to recover anything you’ve ever backed up.

A backup product named “Time Machine”. You can bet if Microsoft had named the product, it would have been something like “Windows Data Backup Manager” and there would have been a “Premium Edition” and a “Home Edition”, at least. “Time Machine” is simple, inviting, and yet still makes sense as the name of a backup product!

This makes two things on my list of people Microsoft should hire: a professional demo person (like Steve Jobs) and a professional product namer.

Opera plans for version 10

Just weeks after officially launching Opera 9, the browser software company has already started sharing plans for the next version. Aside from the usual “we want to take market share from Internet Explorer”, one idea caught my eye:

There is also a big push in the company toward creating developer tools.

“We will be unleashing developer tools, which are still in the planning stages,” Ford said. “We want developers to use Opera as a Web development platform, using open standards. We need to keep the Web ready for open standards.”

I have been using Opera 9 as my primary browser on my tablet for about two weeks now. I find it very fast, and much easier on the memory than either Firefox or IE7. I have also been using Opera 9 on my desktop when developing websites, so any extra tools for web development would be much appreciated! Opera is a great browser for testing websites, because if it works in Opera, it’ll likely work elsewhere too.

I would suggest giving Opera a try, just to see what else is out there. The only thing I still can’t get used to is clicking on the address bar to get to the Home button.

Read: CNET