IE8 May Be End of the Line For Internet Explorer
snydeq writes "InfoWorld's Randall Kennedy reports on rumors that IE8 may be Internet Explorer's swan song: 'IE8 is the last version of the Internet Explorer Web browser,' Kennedy writes. 'It seems that Microsoft is preparing to throw in the towel on its Internet Explorer engine once and for all.' And what will replace it? Some are still claiming that Microsoft will go with WebKit, which is used by Safari and Chrome. The WebKit story, Kennedy contends, could be a feint, and Microsoft will instead adopt Gazelle, Microsoft Research's brand-new engine that thinks like an OS. 'This new engine will supposedly be more secure than Firefox or even Chrome, making copious use of sandboxing to keep its myriad plug-ins isolated and the overall browser process model protected.'" The sticking point will be what Microsoft does about compatibility for ActiveX apps.
Re:Nope, not webkit... (Score:3, Informative)
It was renamed IceCat
Re:Please kill ActiveX (Score:4, Informative)
In my experience ActiveX seems to be used most often in internal business applications (intranets). When you're on a homogeneous environment it's easy to build for the specific platform. Using ActiveX often allowed for continual updates without deployment issues. Thankfully it doesn't appear to be popular for new projects, but there's a lot of old business systems out there.
Re:Misleading headline, and ActiveX (Score:5, Informative)
Hypothetical news? (Score:5, Informative)
The author is effectively saying his story is not credible! Slashdot is supposed to run with a hypothetical situation about IE8 demise instead of commenting on real news? It should be fun scanning through these comments to find out who bites (not the big one
Re:Coming full circle? (Score:5, Informative)
Meanwhile, Linux users seem to be content pointing and laughing at Microsoft's efforts and pointing out that Linux is so much more secure.
Because it is. There. I said it.
The relatively simple, understandable Unix security model has a very long history, and has grown gracefully as the strength, power, speed, and ability of the individual computers have. Everything is a file, and all files have the three permissions: Users, Groups, and Other. Each of these can have read, write, and execute permissions. Simple, understandable, easy to enforce. It's so taken for granted as such that it's routinely used in embedded devices (such as routers) where updates are few and far between, yet they are rarely, if ever, compromised.
Compare/contrast that with the Windows security model, where there are actually alternate file spaces within the existing file system. With the Windows API, it's trivial to save a file that's in an alternate namespace and thus cannot be found with *any* normal Windows system call. There are many examples of strangeness like this!
There was a recent article I read about the confessions of a grey-hat programmer... he describes Windows as incredibly complex, labyrinthine, and basically impossible to secure well. He laughed at so-called "security vendors" like anti-virus.
Re:Misleading headline, and ActiveX (Score:5, Informative)
A lot of people seem to have little-to-no understanding as to what ActiveX is. It is a plug-in infrastructure based on COM, nothing more, nothing less. It allows for a library to provide a visual component that can be loaded by another application to display content. That plug-in infrastructure was used in Internet Explorer to load browser plug-ins. Those plug-ins run within the browser process under the current user security context. There is absolutely no functional difference between ActiveX in Internet Explorer on Windows or an XPCOM plug-in for Firefox on Linux.
The problem is that in both cases those plug-ins have to have a fairly wide amount of functionality. If that plug-in is intended to display video then it has to be able to work with the video API of the platform in question. As such these plug-ins generally cannot be sandboxed too tightly otherwise they would no longer be able to function and their usefulness of being able to extend the functionality of the browser is lost.
https://addons.mozilla.org/en-US/firefox/browse/type:7 [mozilla.org]
This website lists the XPCOM plug-ins available for Firefox. There are quite a few more if you follow the link to the bottom. If a vulnerability is identified in ANY of those plug-ins a successful exploit will be fully capable of trashing the profile of the current user and there is nothing that Firefox can do to stop it, even on Linux.
Re:Please kill ActiveX (Score:2, Informative)
Re:Misleading headline, and ActiveX (Score:3, Informative)
When my daughter came home from the first day of computer class in kindergarten, she sat down at her computer (iMac G4), poked around for a few minutes and then burst into tears. She had a new website she wanted to show us but couldn't find the 'blue e' to get to it. I explained how web sites could be viewed by any web browser. She already had Firefox and Safari in the dock and once I showed her how to type in the web addy, she was good to go. Only have to explain a concept once to a kid, if you catch them early enough. She now (2nd grade) totally gets application/instruction file/data file concept.
Wish more of my users did.
Re:Misleading headline, and ActiveX (Score:5, Informative)
Ever been to Windows update? That's an ActiveX control. How does it get so much information about your computer? By its deep connection to the OS. ActiveX CANNOT be sandboxed because it needs too many things to be accessible in the OS. Almost all ActiveX components make use of that integration.
XP has not relied on the browser-based Windows Update for several years. I imagine the OS-side Windows Update/Microsoft Update may very well be based on the same code; but it's certainly not being triggered by a visit in a web browser to an external website for goodness sake.
ActiveX needs to die, plain and simple - the past decade has shown how fundamentally flawed the ActiveX concept is. Just think about all the horrible security exploits that wouldn't have happened over the past decade if ActiveX had never existed.
Re:Misleading headline, and ActiveX (Score:5, Informative)
Exactly... and Moore's law isn't exactly as reliable as it was 15 years ago when talking about a direct improvement to the desktop computer's speed.
Especially since it never was about speed, only the density of transistors on a chip. Which, through clever architecture, smart compilers, and good programming can result in more speed.
Re:Coming full circle? (Score:5, Informative)
Everything is a file, and all files have the three permissions: Users, Groups, and Other.
Don't forget the sticky bit! Much as one might like to, let's not forget that the "simple Unix permissions" included one Hell of an egregious security flaw.
there are actually alternate file spaces within the existing file system. With the Windows API, it's trivial to save a file that's in an alternate namespace and thus cannot be found with *any* normal Windows system call.
There is no alternative namespace, there are merely alternate streams in a file - named locations for storing meta data. The file is right there in the filesystem, obvious to all. The file data may be a bit hidden, requiring normal Windows system calls to read (just like one uses normal Windows system calls to create alternate data streams), instead of Notepad. Oh, wait, you can read them with Notepad too. What a bunch of FUD.
he describes Windows as incredibly complex, labyrinthine, and basically impossible to secure well.
Vista clearly lost the thread, going for security through complexity, but any OS that doesn't have a read-only kernel is impossible to secure. Any OS that does have a read-only kernel is impossible to patch. No OS can secure itself. Scanning for modifications to kernel bits from a hardware-protected hypervisor is the only way, but as long as "Trusted Computing" is used for evil, we can't get there.
Re:Misleading headline, and ActiveX (Score:4, Informative)
Needing information and having full control over the system are two different things. If all activex needs is the information, then let it have read only access.
Which is already enough to be a humongous security breach.
Re:Doesn't microsoft say this about everything? (Score:3, Informative)
Gazelle [microsoft.com] is from Microsoft Research, and their paper discusses the details of the security model - it's not just a marketing claim.
The idea is that every 'origin' (basically a domain name, which is used as the basis for access control in all modern browsers) is separated into its own sandboxed process. If a page on your domain embeds an iframe from an advertiser's domain, the iframe is rendered in a separate process, and all communication is handled through a Browser Kernel which enforces the security constraints (e.g. preventing the advert from touching or rendering anything outside its iframe box, even if an attacker can find a way to execute arbitrary code in it). Plugins are handled in the same way.
Chrome's security model doesn't handle that kind of separation of multiple sites within a single page. But Gazelle sacrifices some backward compatibility (e.g. it removes the document.domain attribute, and it requires all plugins to be rewritten to use the Browser Kernel instead of directly accessing the network or filesystem), which is unlikely to be acceptable in practice.
And Gazelle is certainly not a replacement for the IE engine - it's built on the existing IE7 components for parsing, rendering, scripting, etc. It's research, and the value is its ideas, some of which could perhaps be integrated into current browser engines to improve security. It's not meant to be a real browser engine, but it seems successful as a research experiment.
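The mediation this comment describes, as an added sketch that is not part of the original post and not Gazelle's own code: each frame is labelled by origin, and a kernel object decides every cross-frame read and every draw. `BrowserKernel`, `createInstance`, `readDom` and `draw` are hypothetical names, and the URLs are constructed sample values.

```javascript
// Toy model of origin-labelled instances behind a mediating kernel.
// All names here are hypothetical; URLs are constructed sample values.

// A principal is its origin (scheme, host, port). There is no
// document.domain-style relaxation: labels match exactly or not at all.
function originOf(url) {
  return new URL(url).origin;
}

class BrowserKernel {
  constructor() { this.instances = new Map(); this.nextId = 1; }

  // Every page or frame becomes its own instance (a sandboxed process in
  // the design described above) with a kernel-delegated display rectangle.
  createInstance(url, rect) {
    const id = this.nextId++;
    this.instances.set(id, { origin: originOf(url), rect, dom: `DOM of ${url}` });
    return id;
  }

  // Cross-instance reads go through the kernel, which compares labels.
  readDom(callerId, targetId) {
    const caller = this.instances.get(callerId);
    const target = this.instances.get(targetId);
    if (caller.origin !== target.origin) {
      return { ok: false, reason: `${caller.origin} may not read ${target.origin}` };
    }
    return { ok: true, value: target.dom };
  }

  // Drawing is accepted only inside the caller's delegated rectangle.
  draw(callerId, x, y) {
    const r = this.instances.get(callerId).rect;
    const inside = x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;
    return inside ? { ok: true } : { ok: false, reason: 'outside delegated area' };
  }
}

function demo() {
  const k = new BrowserKernel();
  const page = k.createInstance('https://shop.example/cart', { x: 0, y: 0, w: 800, h: 600 });
  const ad = k.createInstance('https://ads.example/banner', { x: 500, y: 0, w: 300, h: 100 });
  const widget = k.createInstance('https://shop.example:443/help', { x: 0, y: 500, w: 200, h: 100 });
  return {
    adReadsPage: k.readDom(ad, page),         // different origin: denied
    widgetReadsPage: k.readDom(widget, page), // same origin: allowed
    adDrawsInside: k.draw(ad, 600, 50),
    adDrawsOutside: k.draw(ad, 10, 300),      // outside the iframe box: denied
  };
}

console.log(demo());
```

The checks live in the kernel rather than in the frame's own code, so they still hold if the frame's renderer is running code the page author never intended.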
Mobile computing educates them (Score:5, Informative)
Do you know what hit them very seriously? I mean the coders laughing at vendors like Opera for struggling not to code CPU and speed dependent stuff?
Mobile computing. It is like ultimate punishment for them. Do you remember those fanatics calling people to ''buy more RAM'' no matter what their issue with memory is? Top of the line smart phone comes with 512MB RAM or something and 400 MHz ARM CPU. Opera ships 9.5 beta which runs the exact same engine as Desktop version to 256MB RAM having, 200MHz CPU UIQ3 devices with zero vendor support.
I know some professional OS X developers keeping a G4 Mac Mini no matter how many xeons they have, just to make sure their application runs on low end computers fine. So far, thanks to their wise decision, their software gets good feedback not just from low end but very high end computers too. If it works on low end, it will rock on high end. Trust me, some of the ''cool guys'' out there still couldn't figure this basic rule.
When Webkit proved to work on Nokia S60 Symbian devices and got very good feedback from users, I said Webkit is the future. What mattered was, can the code run under 128MB RAM, completely alien OS? S60 browser proved it.
Re:"myriad plug-ins" Heh, yeah right (Score:1, Informative)
http://www.ieaddons.com/en/ [ieaddons.com]