Slashdot

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

Ricky writes "Many wonder why Microsoft doesn't offer nightly builds of Internet Explorer — or at least something more frequent than months-to-years. Ars talks with Microsoft's general manager for IE, who says the IE9 development cycle will look much the same as previous versions. Not a great idea."

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

Barence writes "Microsoft has unveiled the first details of Internet Explorer 9, promising that it will close the performance gap on rival browsers. The major newcomer is a revamped rendering engine that will tap the power of the PC's graphics card to accelerate text and graphics performance. 'We're changing IE to use the DirectX family of Windows APIs to enable many advances for web developers,' explains Internet Explorer's general manager, Dean Hachamovitch. As well as improving performance, Microsoft claims the hardware acceleration will enhance the appearance and readability of fonts on the web, with sub-pixel positioning that eradicates the jagged edges on large typefaces."

Jared sends word of Ars Technica coverage of Net Applications' monthly browser share numbers. What's significant this time is that Firefox has finally passed IE6 in worldwide share. "Internet Explorer remains ahead of the rest of the competition, but since month after month it continues to lose ground to all other browsers, Firefox has now finally surpassed IE6, which is easily the most hated version of Microsoft's browser. ... In October, all browsers except for IE and Opera showed positive growth. Between October and September, Internet Explorer dropped a significant 1.07 percentage points (from 65.71 percent to 64.64 percent) and Firefox moved up a sizeable 0.32 percentage points (from 23.75 percent to 24.07 percent). ... Although IE's decline seems to be unceasing, the real shame is that the old versions have more share than the newer ones (we can only hope that as Windows 7 gains popularity, this trend will reverse)." Ars presents a graph with their own site's browser share picture, and as you might expect it's very different from the general population's.

An anonymous reader writes "A lengthy interview on Groklaw discusses the EU's case against Microsoft. The case is supported by Opera, Google, Mozilla, ECIS, and the Free Software Foundation Europe. The EU has demanded that users be offered a 'ballot screen' to make it easier for users to select other browsers. Microsoft has responded by implementing the ballot screen as a web page inside IE. While this may nominally satisfy EU's demand, it is unlikely to satisfy users who prefer other browsers. In order to select another browser, users must be running IE. Also, users will be shown security warnings when choosing from the ballot. Microsoft's ability to charge patent fees in Europe is also discussed: why are they allowed to charge patent fees where software patents are not recognized?"

CWmike writes "Google hit back at Microsoft on Friday, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer safer and more secure. 'Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users,' said a Google spokesman today. 'It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months.' On Thursday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser."

A month after we discussed Google's bringing SVG to IE, several readers let us know that Google is expanding the beachhead by offering Chrome's renderer and speedy Javascript execution in an IE plugin. This effort is in service of allowing IE to participate in Google Wave when that technology's preview is extended in a week's time. The plugin, currently in an early stage of development, is called Google Chrome Frame.

Frequent contributor Bennett Haselton writes with an idea that he thinks could help keep browsing on Microsoft's browser more secure for users — and benefit Microsoft as a result. "Tests show that IE's malware filter performs well against other browsers that use the Safe Browsing blacklist from Google. But wouldn't IE's filter be even more effective if it used both filter lists at the same time? And are the political obstacles to that really so insurmountable?" Read on for the rest of a plan that seems a lot more than half-baked.

stelt writes "Scalable Vector Graphics (SVG) is in most graphical tools. It is used heavily in many big projects, such as KDE and Wikipedia. But Internet Explorer's lack of built-in support for SVG was keeping it away from mainstream use on the web. Google is fixing that now with a JavaScript drop-in named SVGWeb. They've posted a quick, one-minute overview, a longer and more detailed presentation, and you can read about it on the project page."

Jaeden Stormes writes "We just started getting word of a new browser hijack from our sales force. 'Some site called Bing?' they said. Sure enough, since the patches last night, their IE6 and IE7 installations are now routing all NXDOMAINs to Bing. Try it out — put in something like www.DoNotHijackMe.com." We've had mixed results here confirming this: one report that up-to-date IE8 behaves as described. Others tried installing all offered updates to systems running IE6 and IE7 and got no hijacking.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.

An anonymous reader writes "Microsoft wants to see IE6 gone as much as anyone else, but the company isn't going to make the decision for its users anytime soon. The software giant has been pushing IE6 and IE7 users to move to IE8 ever since it arrived in March 2009, but it's still up to the user to make the final decision to upgrade: 'The engineering point of view on IE6 starts as an operating systems supplier. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments. Many people expect what they originally got with their operating system to keep working whatever release cadence particular subsystems have. As engineers, we want people to upgrade to the latest version. We make it as easy as possible for them to upgrade. Ultimately, the choice to upgrade belongs to the person responsible for the PC.'" Of course some big Web sites aren't waiting for Microsoft. Reader Yamir writes, "Google's Orkut, a social networking service popular in Brazil and India, has started warning IE6 users that the browser will no longer be supported. Just last month, YouTube started showing a similar message."

bonch writes "On Friday, Microsoft posted to a mailing list that IE developers are reviewing the HTML 5 standard for future versions of Internet Explorer. They've given some feedback on the current editor's draft, saying that they 'have more questions than answers' and criticizing many of HTML 5's new tags, like <header>, <footer> and <aside>, calling them 'arbitrary' or unnecessary. It remains to be seen whether Microsoft waited too long to try to influence basic parts of the spec that most of their competitors have already adopted."

An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult."

A week after Microsoft agreed to include a browser ballot screen in Windows 7 systems sold in Europe, then announced that those systems would initially include no browser at all — specifically, no Internet Explorer — Microsoft has changed its mind again and dropped talk of a European Windows 7 E edition. Here is the official Microsoft blog announcement, which includes a screen shot of the proposed ballot screen. The browsers are listed left-to-right in order of market share, with IE therefore having pride of place. PC Pro notes that, since the ballot screen would not appear if IE were not pre-installed, Microsoft's proposal opens the door for Google to work with PC manufacturers to get Chrome on new machines. Note that the browser ballot screen has not yet been accepted by the EU, though the initial reaction to it was welcoming.

Julie188 writes "Opera Software is, as expected, preening over the forthcoming browser ballot box feature in Windows 7. It will put the Opera name in front of millions of users who probably never heard of it. But that's not the only reason Opera is gloating. CTO Håkon Wium Lie feels that today's decision will force Microsoft to make Internet Explorer do a better job of supporting standards, particularly the Scalable Vector Graphics (SVG). Lie would also like to see Apple and Linux makers follow suit with browser ballot boxes of their own."

Oracle Goddess sends word that YouTube is presenting IE6 users with a banner exhorting them to upgrade to a modern browser, and TechCrunch is reporting that YouTube will be phasing out support for IE6 soon. This Twitter search reflects the jubilation breaking out all over the Net at the imminent demise of this most despised and non-standards-compliant browser. The market share for IE6 is now well down in the single digits.

je ne sais quoi writes "Net Applications normally releases its statistics for browser and operating system usage share on the first of every month. This month, however, the data has not shown up — only a cryptic message stating they are reviewing the data for inexplicable statistical variations and that it will be available soon. Larry Dignan at ZDNet has a blog post that might explain what is happening: Statcounter has released some data that shows a precipitous drop in IE browser use in North America, to the benefit of Firefox, Safari, and Chrome. At the end of May, StatCounter shows IE usage share (for versions 6, 7, and 8 combined) at around 64%; at the beginning of June it is now about 56% — an astounding 8% drop in one month. We should keep in mind the difficulties in estimating browser usage share: this could very well be a change in how browsers report themselves, or some other statistical anomaly. So it will probably be healthy to remain skeptical until trend this is confirmed by other organizations. Have any of you seen drops in IE usage share for Web-sites you administer?"

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."