IE8 Released As Critical Update For XP
Binestar was one of several readers writing in to note that Microsoft is listing IE8 as a critical update to Windows XP. CNet reported a couple of weeks back that Microsoft would be rolling out IE8 to users in a gradual fashion, and requiring an opt-in before installing it. Opinion has been split as to whether IE8 is worth installing or not. Binestar notes delicately, "For those not interested in upgrading to IE8 at this time, the MSDN released information back in January on how to keep IE8 off your machine."
The sooner the insecure, poor-rendering IE6 dies.. (Score:5, Insightful)
Re:So what (Score:5, Insightful)
I use Firefox as my default browser. Should I care what version of IE is on my (XP) system?
Seeing as how IE is integrated into the OS, having a vulnerable, outdated browser can be a problem. Like when you use Windows Update.
Re:what's so critical about a web browser? (Score:2, Insightful)
They don't want to maintain more than one operating system version.... You seriously expect them to maintain more than one web browser, especially on multiple OS versions?
Re:what's so critical about a web browser? (Score:1, Insightful)
If Microsoft is gonna upgrade their XP apps instead of merely patching them, then why should I move to Vista or 7?
Re:what's so critical about a web browser? (Score:5, Insightful)
How is Microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?
Seriously.
IE6 has some root code that is insecure and patching is merely chasing the tail of the dragon when it comes to security exploits.
So abandoning it, and moving users to an inherently more secure browser that also happens to be more in line with modern browser standards is a good move, not a bad one.
Software companies (all of them) abandon old code for new code all the time, and when they do, they stop issuing security updates and patches for the old code.
It's common, and happens all the time.
This is good news for web developers. (Score:5, Insightful)
As of today, IE6 still has significant market penetration. My guess is that corporate users keep that number high.
Re:what's so critical about a web browser? (Score:5, Insightful)
shouldn't they patch the version XP shipped with instead?
They did. The patch is called "IE8".
Re:This is good news for web developers. (Score:5, Insightful)
Corporate users won't be switching away from IE6 anytime soon. Not whilst PHBs continue to be worried about some tiny little funky feature that no-one uses on some corporate intranet site breaking as a result of the switch.
Re:Still using IE6 (Score:4, Insightful)
I'm the same. I use Opera and Firefox for almost all sites and use IE6 only for those sites that do not work with Opera or FF.
Re:what's so critical about a web browser? (Score:1, Insightful)
IE6 is the biggest headache of web developers in this world.
IE6 probably causes most loss of productivity due to shitty support for standards
IE6 probably causes most loss of productivity due to CSS bugs
IE6 drives web developers mad
Everyone who uses IE6 is a fucking idiot
If you don't want to upgrade, stay fucking out of the internet.
A Good Move (Score:5, Insightful)
IE might have a bad reputation, and not at all unfairly much of the time, but no matter how much you hate IE, IE8 brings a lot to the table; even if what it brings is long overdue. Improved security, much better standards support, and even some genuine innovative features.
The debate can rage on about the ethics and legality of bundling the browser with and integrating it into the OS, but the reality is this is the case, and the security benefits alone make the upgrade sensible in my view.
However, the upgrade should be done in the background and in no way alter any preferences. Provided no configuration settings the user has set are changed (in particular, default browser), then the background benefits are gained, and the user can check out IE8 at their leisure if they wish, or ignore it completely.
Oh, and finally, this helps to kill off IE6, which really does need to FOAD [urbandictionary.com].
You're all in the wrong headspace (Score:2, Insightful)
Re:what's so critical about a web browser? (Score:5, Insightful)
How is Microsoft abandoning patching IE6 any different than Mozilla abandoning patches for Firefox 2?
Firefox 2 wasn't forced down our throats as a supposedly integral part of the operating system. If IE6 was a critical part of the operating system, shouldn't it get critical updates for the life of the operating system? Shouldn't corporate customers who bought in with the promise that they'd have a stable platform for however many years actually be able to use that platform, with all its knotholes, for that long?
Not that I mind seeing it go, but it kind of acknowledges the emperor's lack of clothes.
Re:The sooner the insecure, poor-rendering IE6 die (Score:5, Insightful)
My thoughts too, initially. But the people that use automatic updates will already have been forced to install IE7. Whether or not IE8 is forced will do very little about IE6.
The 20-30% of computers that still use IE6 either have updates turned off, or they are in some company that won't switch to IE7 yet, because of outdated intranet software, or just an incompetent IT staff.
Re:what's so critical about a web browser? (Score:5, Insightful)
If IE6 was a critical part of the operating system, shouldn't it get critical updates for the life of the operating system?
IE6 is getting critical updates for the life of the operating system, but the problem is that the operating system is at its end of life. Microsoft have put it into extended support, where XP (and therefore IE6) gets security updates for the next 5 years.
Shouldn't corporate customers who bought in with the promise that they'd have a stable platform for however many years actually be able to use that platform, with all its knotholes, for that long?
By the time MS stops security patches for XP, they will have supported the platform for 13 years. How much longer do you want a stable platform?
Re:what's so critical about a web browser? (Score:4, Insightful)
You have to read these with caution, though. Microsoft has been trying to get the vulnerability count down, and one way of doing this is merging several vulnerabilities into one. It looks good on paper, but it does not make the product any more secure.
Perhaps you would look with caution, too? You are talking about advisories or bulletins. They are often aggregated. However, Secunia lists a count for actual vulnerabilities. And those were the numbers I quoted.
And even in Microsoft's own bulletins (not the advance notices) the individual vulnerabilities are clearly listed and identified with CVE references. CVEs are not aggregated, not from Microsoft and not from anyone else.
That being said, the recent products certainly show improvements. They absolutely beat Java and Acrobat, when it comes to security. I think the comparison with Firefox may be uneven, though, because the Firefox guys class just about anything as a potential security issue, just to be on the safe side.
So does Microsoft. An uncontrolled browser crash is a potential vuln. But you're right, if the bug is handled in a controlled fashion (i.e. caught exception) it is probably not classified as a vuln but rather a bug. I am not aware that Mozilla would do it any other way.
I haven't tallied by the severities of the vulnerabilities. Theoretically all of the FF vulns could be "less critical" whereas all of the IE ones could be "highly critical". But I doubt it. Anyway, it's food for thought. I don't think we should give Microsoft nor Mozilla free passes.
Re:So what (Score:2, Insightful)
Re:what's so critical about a web browser? (Score:5, Insightful)
You need to relearn [wikipedia.org] the difference between full disclosure [wikipedia.org] and responsible disclosure [wikipedia.org], know that MS doesn't even follow RD guidelines [zdnet.com], then go and rewrite your post. You can't compare numbers of vulns when one of the projects doesn't disclose them.
"They may delay publication in a responsible disclosure ...." Yes. They delay it until a patch is available or a vulnerability is in the wild.
Re:Didn't XP ship with 6? (Score:3, Insightful)
Wow nice interpretation of history dude.
I bet if some people actually looked up their facts, they'd be shocked at how unbalanced popular opinion is and how completely messed up media reports about the middle east really are in both directions.
PS, there's no justification for hiding military equipment or personnel in "holy sites" or apartment complexes to avoid attack and force your enemy to cause huge civilian casualties, no matter how much you believe in your cause.
Re:what's so critical about a web browser? (Score:5, Insightful)
Since the parent got moderated as a troll because some moderator didn't understand the point, if you don't disclose and immediately start patching, you don't allow the public any ability to defend themselves against the vulnerability in question.
So long as Microsoft holds their head in the sand about a reported vulnerability, you can go and work on a well-thought-out exploit that will take over the Internet, whereas a reported exploit in a full-disclosure or even responsible disclosure group will cause a patch or reasonable response within a much shorter time frame.
To all those who don't get it, go look up "time unpatched" for each of IE's vulnerabilities. That is, time from when they were reported to time when they were patched. That's the time Microsoft left you swinging in the wind.
Hah no more slashdot render error! (Score:2, Insightful)
Re:what's so critical about a web browser? (Score:5, Insightful)
With IE being closed source, we will never know how many "quiet" vulnerabilities there are, and "quietly fixed" too. Maybe none. Maybe lots.
But you know what? None of that matters. What matters is how vulnerable you are just using your machine in a normal way.
The fact is, Windows machines are compromised more frequently and by more vectors than any other OS. And that includes IE - using it is more risky. It's an undeniable fact.