Welcome to Internet Explorer Security


The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 20 August 2012

My name is John, and I work on the Internet Explorer team.  It’s a little hard to explain my actual function on the team, but my current official title is “Development Manager”.  I’m also something of an adrenaline junkie.  I’m big into back country and park/pipe snowboarding, semi-closed circuit rebreather and mixed gas diving, hiking and climbing up and around Mount Rainier, and spelunking into Internet Explorer code and architecture (I’m not sure which of my passions is most challenging).  Frankly, I tend to agree with a lot of the criticism that has accumulated over the past several years and is being voiced on this blog.  The opportunity to make this better is exactly why I love (or is it lust?) to work on the IE team.

There is something liberating about working on a difficult problem.  I think it removes the fear of failure that freezes a lot of people in their tracks.  It also lets you take bigger, bolder steps forward than you might otherwise take.  For some reason, once a team “gels” under this sort of pressure and becomes motivated to accomplish the impossible, it seems to become unstoppable.  Whatever it is, it definitely is addicting to work in the types of teams that result from facing these sorts of challenges.  IE has always been one of these teams as far back as I can remember. 

The IE team’s most important challenge today, and consequently the area of the team’s largest investment in blood and sweat, is providing our users with a trustworthy browsing experience.  In conventional software development, it is relatively easy to know your competition.  To win, all you have to do is build a better product than they do.  Today, we’ve got a new kind of opponent who is leaner, faster and far more devious and ingenious than any we have encountered in the past. I’m talking about the malicious hackers who lurk in the seedy corners of the Internet. These hackers have learned to turn our own creation against us, and most importantly, they are using this knowledge to do real harm to our users.  This is why my team and I take this challenge very personally, and why we are especially proud of the hard work that we put into Internet Explorer in XPSP2.  If you haven’t done so already, and you care about your computer’s security at all, I strongly encourage you to install and run RC2 today, and the RTM version when it comes out.

The problem with compatibility (and the rest of the world) is that while we would all like to see things as black and white, they really smear into varying shades of grey.  Different customers have different expectations of the product and different understanding of the specification – sometimes so different that they conflict directly with one another.  It’s inevitable that once a product ships, especially an extremely complex and sophisticated platform component like IE, someone will come to depend on behavior that someone else would consider a bug.  Combine this with aggressive security and performance objectives, and you have a nearly impossible challenge before you.  But like I said earlier, the IE team thrives on exactly this sort of challenge.  And, we’re not afraid to move the bar in a thoughtful way when it’s in the best interest of our customers.  Consider this (perhaps poorly titled) article; while we continually strive for compatibility, this author notes some recent issues.

I apologize up-front for being vague; there are many real world examples and challenging investigations that I’d love to share the details of with you.  Unfortunately, I can’t disclose details of how my team and I deal with security investigations.  My goal is to find ways to share as much of this information with you as possible.  If it helps, it is our full time job to solve these sorts of issues.  Walking the razor’s edge between security and compatibility is a challenging job, but it’s a job that we love to do, a job that we are passionate about, and a job at which we will not accept failure at any cost.  As I’ve said before, take a hard look at XPSP2; it’s a preview of good things to come from this team.

A bunch of my teammates and I will be hanging around BlackHat and Defcon this week.  It’s a great conference, and while most of the sessions tend to cater more to the IT Pro crowd, I’ve found a lot of the talks to be really informative.  At the very least, taking a week to step back from the minute details of client side security to try to become immersed in the bigger problem of Internet/Networking Security has been enlightening, and something I want to share with the rest of my team.  It’s also a chance to meet and talk directly to the folks who find security issues and report them.  All in all, I expect this to be a good conference this year, with a lot of opportunity to stay abreast of what is happening in our community.  We’ll be traveling somewhat incognito, but if you happen to be there and think you recognize one of us, feel free to stop and say hello. 

// John

Comments (75)

  1. Anonymous says:

    "The IE team’s most important challenge today, and consequently the area of the team’s largest investment in blood and sweat, is providing our users with a trustworthy browsing experience."

    Let me be honest here. Personally, I can’t say that I’ve been impressed with the rash of security holes in the past as well as recently. It’s going to take a lot of effort to convince me to switch back to using IE again. And I believe there are many people that probably feel the same way. In addition, there are other issues with CSS, but I think that’s been covered many times before.

    It is nice to see this blog and the efforts to communicate to the masses. I don’t think you guys have an easy task ahead of you, but my hats off to you for the uphill battle.

    "…the IE team thrives on exactly this sort of challenge. And, we’re not afraid to move the bar in a thoughtful way when it’s in the best interest of our customers."

    Well, perhaps this blog is the first step then. I hope you’re taking notes of the customer feedback here.

    Good luck.

  2. Anonymous says:

    Love vs. lust, nurture vs nature, questions that can never be solved except with longevity & hopefully wisdom 🙂

    Anyway, thank you for the detailed intro John. I myself am a 20-year old wannabe web designer/developer (do the two really need the dimorphism?). So right now I only know what people tell me, and of course what hopefully makes sense.

    Do you guys meet with any other browser makers? Trade tips? Or is it kept very "Men in black–you won’t remember this in 1 second"?

    Questions: have any on the IE team tried to install a certain spyware program with big money backing called COOL WEB SEARCH? A free tool called CWShredder used to stop it, but this program was recently discontinued and now there is no hope left at all for end users who don’t want to deal with randomly named files; the author said he couldn’t keep up with CWS’ sometimes DAILY "upgrades" (would you like MORE ads? Yes, No, Cancel. Would you like MORE ads? Yes, No, Cancel. Would you like MORE ads? Yes, No, Cancel, etc.). They’re not just hackers, they have lotsa lotsa money too, not just photocopied Lincoln-heads 😉

    I wonder why it’s taking a backseat to the spam issues MS & other companies have put forth in the MEDIA!! Spam is non destructive and not really annoying if you don’t post your email every flippin’ where! (this good point was brought up by someone in the c9 forums!)

    Glad, of course, that SP2 (having used it a bit) puts this issue belly-up. Lyricsdomain.com–aka worst scumware site on the web, if there were an "award"–is now neutered. Of course, there’s still Windows 2000, Windows 98…………….

  3. Anonymous says:

    On the subject of W2K (well JP mentioned it), are any of the changes made to IE for SP2 likely to make it back into older versions of Windows, as surely the security issues still apply to W2K?

    Thanks.

  4. Anonymous says:

    Your mark-up in this post is … interesting. Are you sure you wanted the page to look like this (in normal browsers)?

    http://www.monkeyfood.com/thestuff/food/Screenshots/IEBlogLayout.png

  5. Anonymous says:

    I like the new ActiveX options in XP Service Pack 2 (go away and never bother me again rocks!). However, I am dismayed that you are currently only targeting XP – you’ve done a good job with some of the enhancements, and other Windows OS versions deserve them too.

    What I wouldn’t mind seeing here is a list of all the new XP Service Pack 2 features, and then let people rate them on how good they are. You might see a trend towards Security/UI/Addons or Addons/Security/UI – i.e. what is important to most.

    Although security should be a bit more inherent than it has been though…

    Oh yeah, please add Printing to your todo list!

  6. Anonymous says:

    Was something done differently with this post as opposed to the others?

    I read via the RSS syndicated feed, and the page on which I do the reading defaults to white text on a black background – previous posts have shown up with no problems, but this post came through black-on-black …

  7. Anonymous says:

    FYI.

    There were some issues with the layout of this post that I have made an effort to correct. It should look better now.

  8. Anonymous says:

    What about all the Win2K/9x users. Do their security holes stay open?

  9. Anonymous says:

    Yup, would seem like it. IE only gets updated in XP SP2, so I’m guessing the overall politic on this issue is basically to force people to upgrade to XP, thus raking in more cash. Of course, this is obvious enough to have been written about in various places ;-).

  10. Anonymous says:

    how ironic is that – a browser manufacturer that can’t even produce nice markup 😉 even geeks don’t seem to be able to use wysiwyg tools.

    "I’m talking about the malicious hackers who lurk in the seedy corners of the Internet. These hackers have learned to turn our own creation against us, and most importantly, they are using this knowledge to do real harm to our users. This is why my team and I take this challenge very personally"

    only hackers? sorry? whole companies have. and don’t take it personally, that looks like they think they want to harm you and not do anything else.

    you shouldn’t take it personally, be sorry. i’m serious. people have been tricked to spend money (sometimes without noticing) on services they don’t want, because of the bad code that the ie team produced. (bad code as in "if it’s good it doesn’t do anything bad")

  11. Anonymous says:

    Atn: markup hawks – give it up already! I’ve had my fill of hand-coding HTML for blog entries (that being the only option if you use Blogger’s web-based posting form), and it’s more important that the information is communicated than the exact markup of that information.

    These days, I use BlogJet, which appears to be written in Delphi – and uses IE for its editor window. This leads to a few more &nbsps than strictly necessary, but you know what? I can’t be bothered to fix it.

    John’s post was apparently written with Word as the HTML editor which as we all know is oriented towards hacking HTML to work as a good round-trip format for Word primarily and as a down-level viewing format a very poor second.

  12. Anonymous says:

    Ironically, when you posted this:

    "Today, we’ve got a new kind of opponent who is leaner, faster and far more devious and ingenious than any we have encountered in the past."

    I thought you meant firefox! And I’m not kidding… it’s a shame when an independent organization puts out a better quality product than a company of this stature.

    I used to be a print and web designer solely PC — but it seems MS has ignored its designers and I made my switch five years ago. I’ve not regretted it… but I have regretted having to write extra work to get my web designs to work on IE. I still find it ironic that this site wasn’t even built with quality design or expert level coding.

    How can you build a quality application when something as simple and lower on the food chain as XHTML/CSS can’t even be served up properly? I just think it’s an obvious expression of the MS community — they care more about their company, than their users and their designers. You’ve shown me nothing else to think otherwise.

  13. Anonymous says:

    Hey Mr Whatever… can you be more specific about printing? A change to the default template? Are there options that aren’t available that you think are necessary? Bad behavior in how some current options work? I can’t tell….

  14. Anonymous says:

    It’d be nice if Microsoft held their hands up once in a while and said "sorry, yes IE has had flaws which we should’ve fixed, but now we’re fixing them and have learnt from that", it seems to be a continual skirting around the security issue. A lot of people have had their PCs taken over (including me) from either IE having gaping holes, or Media Player, or a technology like ADO. I think (perhaps the MS marketing department wouldn’t agree) that this kind of honesty would be welcomed, the company’s reputation is damaged more, in my view, by the issue being ignored by MS. That gives the impression of arrogance and lack of interest in what their customers want (greed perhaps), which sets off these online flaming sessions.

  15. Anonymous says:

    JP: ‘Do you guys meet with any other browser makers? Trade tips? Or is it kept very "Men in black–you won’t remember this in 1 second"?’

    Nah – Microsoft like to do things on their own, rather than work with other browser-makers. (e.g. http://www.mozilla.org/press/mozilla-2004-06-30.html)

  16. Anonymous says:

    Hi Dean,

    Yes, of course.

    The default print settings always lead to the right hand edge of the page being cut off. If I chop the (left and right) margins down to zero, it fits the whole page on just fine – but I have to do this on a per site/page basis. If you want, I can post some screen grabs somewhere for you to look at. It would be excellent for the defaults to be different/configurable by policy, as this gets all of our users every time.

    btw, thanks for asking this question, says something very good about http://blogs.msdn.com/ie

  17. Anonymous says:

    I want to say welcome on board John since it’s a difficult position you have.

    Your post at first read seems to be good (except for the opponents ; I was believing too it was Mozilla/Safari/Opera!). But I take time to read again and again and sorry but you can’t write using the non disclosure agreement argument and that the bad guys in the corners of Internet are very good is the reason of the security flaws on IE/Windows.

    By the way don’t answer "well IE is run by 95% of people it’s why it’s the target" ; that’s not true. At least 80% of the infrastructure of the Internet is based on tools running on another OS than Windows (DNS, webservers, mail, news…) and of course there are a lot of tries to attack these tools…

    What about your extensions to html standards? (When I write "your" it’s Microsoft I mean, not John of course). I was shocked that it was possible to put a high level of security in IE in local zone (with scripting disabled) and to be allowed to inject javascript code using expression() on a local CSS file. That’s just script kiddies level, not high level engineering as it was/is for SCOB.

    You have three problems:

    – Your extensions to html related standards (and security holes related),

    – The tight integration with the OS,

    – Many intranet applications developed depending on IE "features" which are not "secured" outside an intranet.

    By the way there are also security bugs strictly located in IE or in the WIN32 API you use on IE, but an html renderer/html browser is something *very* complex to do, but you have chosen to do a bad implementation of web standards and to put a lot of extensions *without* thinking about security to keep the schedule.

    Best solution: rename Internet Explorer to Intranet Explorer and create a true Internet browser respecting standards and doing only this job the standard way and please tell your web developers and applications developers making html tools to make html code:

    http://newsbot.msnbc.msn.com/Default.aspx

    It’s simply a shame to produce this kind of "code", we’re in the 21st century.

    Sorry, I don’t want to be negative but you have just said "wait it will be better" without giving any information or any roadmap on what you plan to do. If it’s for waiting for XAML and this kind of stuff, it will be very hard….

    Again what we want to read – I think – on this blog is a clear roadmap and then some cool technical details on implementation or choices.

    The main question remains: do you want to make an Internet browser based on standards as described by the w3c and the IETF with security in mind and then put your extensions (if needed)?

    I’m not sure of the response and by default I’m promoting Firefox/Safari/Opera because I’m writing an application which use pure CSS (strict separation of semantic and presentation).

    Please free the web.

  18. Anonymous says:

    Hello;

    This is my first comment here. I won’t bother expressing my frustration and aggravation in using Microsoft (I forgot to put a TM, am I gonna get sued?) Software, I’ll stick to the overall topic of Internet Explorer.

    My issues are concerning Internet Explorer *not* complying with the W3C web standards. The designers process:

    * Design your site in a standards compliant browser

    * Be happy that it views brilliantly in every other standards compliant browser

    * Spend 5 hours brutalising your (X)HTML and CSS so that it displays well in IE

    …geez, this site doesn’t even validate. Why bother giving it a DTD? Does this not show complete disregard/disrespect for the Standards put forth by the W3C? On the very blog of the team that produces the world’s most popular web browser?

    Please guys, move forward. Web Standards are now being widely accepted, this isn’t going to slack. IE is the designer’s problem. Fix our problem.

    Thank you.

  19. Anonymous says:

    Re printing issues and Mr Whatever: thanks! yes, if you can point to one or two specific sites with screengrabs I’d appreciate it. I’m not sure whether I just haven’t noticed the issue (e.g. cut off on the sites I choose to print aren’t significant) or if there’s something more subtle going on.

  20. Anonymous says:

    Since IE 4, I’ve been a big IE fan…no more!!!!! I might as well blow holes in my house and put neon signs on the roof asking would-be thieves to come take my belongings away for me…

    It’s almost comical, calling this post "Internet Explorer Security" – definitely a destination in cyberspace, couldn’t be a real physical location – amusing as it is as an oxymoron, I hope you guys really will take security seriously…your CUSTOMERS want it!!!

    Suggestions for better IE Security:

    1 – don’t ship IE with Alexa – it’s SPYWARE (I know, because I’ve had 4 different spyware programs remove it for me at various times on various machines.)

    2 – COMPLETELY remove IE from the OS…make it a stand-alone product, either free or charge for it if you want (Opera seems able to stay in business while charging.) – it’s just TOO dangerous having IE so deeply tied in with my whole CPU (as an aside, didn’t a judge ORDER Microsoft to do this?)

    3 – hire a dedicated team of employees to ONLY break in to IE, so you can know what to fix, before the "bad guys" on the "outside" you talk about know how to break in – by the way, you’re right, if there weren’t hackers, criminals, whatever, out there writing viruses, etc. this wouldn’t be so much of a problem, but Microsoft has more resources THAN ANYONE ELSE ON THE PLANET to fix IE (and Windows, and Office, and, well…you get the picture), so just for kicks, why not REALLY fix the damn browser? also, if you need, hire the very jerks who break into your software (no kidding!): pay the next hacker/cracker $1,000,000 for a year of his "expertise" – you just might learn something!

    4 – hire a dedicated team of employees to search developer websites, corporate websites, security organization websites, etc., to compile a comprehensive list of security issues that CUSTOMERS find and/or worry about (this blog is fine, but it’s reactive…you need to be proactive) – by being more proactive in searching out problems, you may find more examples like:

    http://www.ecqurity.com/adv/IEstyle.html

    …where they’re not even going to report a problem to you (they probably don’t think you’ll deal with them), so they just recommend switching browsers, which indeed they should – YOU should be wanting to search these things out, and not require all your information to come to you through a blog!

    5 – add a built-in pop-up blocker

    6 – give a monetary reward to each person who finds a security flaw in IE – you put up money to help find criminals (who are NOT your customers), so why not reward your CUSTOMER shareholders as well as your stockowner shareholders, because really these people help you as much as anyone by bringing security issues to your attention

    7 – this is the most important one: this morning I read in Computerworld an interview with Scott Charney, the Microsoft "leader of Trustworthy Computing". Well, it’s damned disheartening to hear the guy in charge say things like, "we have an obligation to shareholders. But security is now good business and very much aligned" – security should ALWAYS have been good business, and it’s just this kind of short-sighted, "react-to-our-momentary-pressures" kind of thinking that people so often associate with Microsoft. This says to all of us CUSTOMERS, "now that you customers are getting so loud, we’ll do what we can to quiet you down." I would think, perhaps naively?, that rock-solid security would be the very BEST investment that Microsoft could offer its stockowner shareholders. Charney further goes on to say, "People understand that security creates a drag on productivity." NO, NO, NO – it is the LACK OF SECURITY that creates a drag on productivity. I work in an organization of around 50,000 employees and many times in the last several years, we’ve had 50,000 employees twiddling their thumbs for days on end while we’ve been "hit" by yet another "security issue" made possible by the friendly folks at Microsoft. Did Microsoft write those viruses or whatever? No. Did Microsoft prevent those viruses or whatever? Again, no.

    The whole world knows it’s those "bad guys" who are the real problem… but it better be Microsoft with a new, improved, and HUMBLER attitude that fixes the security problems…your CUSTOMERS are ready to take their business elsewhere.

  21. Anonymous says:

    opensourcing internet explorer will be a very successful move from microsoft. hope you are at least considering it.

    love your work

  22. Anonymous says:

    Thanks for the post John. Happy to hear you agree with most of the IE complaints that have been aired here. One of the saddest tales of the Internet is that Microsoft won the browsers wars years ago and then did nothing, absolutely nothing, to advance Internet Explorer. That decision has increasingly alienated web developers and users alike. Many are just plain mad as I’m sure you can attest to. My advice: move quickly, move decisively and make Internet Explorer a browser folks can trust and web developers don’t have to code so many hacks to work around its many limitations. Surely Microsoft with all its resources can do this. I have faith in your team. Now just do it… quickly.

  23. Anonymous says:

    Nice post John. I’m glad that our comments are taken seriously. Although, if you don’t know which one of your passions is more challenging, I’m also glad that I’m not in your place. :p On a more serious note, your entry reminded me of a couple things I heard over the last couple weeks. I’ll share them as food for thought.

    http://www.nd.edu/~jsmith30/xul/test/spoof.html

    A phishing exploit for Firefox. Awareness is one of the best defenses for this. IE may become vulnerable to this kind of stuff in the future. Kinda Scary…

    http://www.eweek.com/article2/0,1759,1628178,00.asp?kc=EWRSS03119TX1K0000594

    "Symantec also said its analysts believe that Zindos is being used as an updating mechanism for the MyDoom worms, which means that their behavior and characteristics could change at any time."

    Illustrates what you said about, "a new kind of opponent." Possibly the scariest thing on the net: a virus with an autoupdate feature. 😐

  24. Anonymous says:

    i wasn’t going to comment… but saying you’re into "back country" and linking it to a heli-skiing/boarding operation calls your judgement into question.

    Up here in Canada there are a lot of backcountry skiers (ie. skins, not $) that would laugh at that combination.

    Or maybe you were just bragging.

  25. Anonymous says:

    I, of course, am the best at everything I do – including skiing, and everyone is a minion in comparison to my greatness.

  26. Anonymous says:

    ^^^haha, i wonder who posted that? I’m guessing Alex.

    You must be pretty stupid, as my point is that people who brag about heli-skiing/boarding suffer from the exact same attitude that you’re trying to pass off as mine by posting as me… I didn’t even imply that i did the above sport, or was good at it.

    in other words… FCK YOU! fake realitybath poster.

  27. Anonymous says:

    Found this in the Opera forums today:



    1. Have you recently switched from browsing with Internet Explorer to Opera?

    2. Are you located in the US?

    3. Interested in maybe being contacted by the New York Times?

    If you said yes to ALL three questions.

    Then let us know!

    We are looking for people like you right now!

    By the way, this Post Comment section does not display properly in Opera 7.

  28. Anonymous says:

    realitybath, it is against the rules to post using another person’s name here. The site owners can determine that easily. But since you seem to troll like snowknight and some other idiots, I have added you to the list below. Anybody who wants to omit slashdot idiots comments can do so using the following bookmarklet.

    javascript:(function(){var l=document.getElementsByTagName('a');for (var x=l.length;x--;){if (l[x].innerHTML.indexOf('Thomas')!=-1 || l[x].innerHTML.indexOf('Jim')!=-1 || l[x].innerHTML.indexOf('realitybath')!=-1 || l[x].innerHTML.indexOf('Debran')!=-1 || l[x].innerHTML.indexOf('The Wolf')!=-1 || l[x].innerHTML.indexOf('snowknight')!=-1 || l[x].innerHTML.indexOf('Wise')!=-1 || l[x].innerHTML.indexOf('I Hate It')!=-1 ) l[x].parentNode.parentNode.style.display='none'}})();

    Some of the slashdotters, like snowknight, harass people in their own blogs by posting to their blogs if they don’t like what they hear here. So be aware when you leave your site address here.

  29. Anonymous says:

    Hi Dean,

    I’m not able to post some grabs at this moment in time, but I’ll point you to a site that exposes this problem, and also hints at what the issue is! Ironic…?

    http://csweb2.bournemouth.ac.uk/help.asp

    Look at Print Preview.

    My default left and right margins are 7.5mm.

    By knocking these down to zero (i.e. let the computer pick the smallest possible margin size, ~ 1.75 mm), all content now fits on the page.

    Experienced users know all the tips on the page, but it’s not these people who complain 🙂

    Not to rub it in your face, but Firefox automatically seems to handle these situations:

    http://www.nidelven-it.no/articles/introduction_to_firefox_7

  30. Anonymous says:

    It is good to know the IE team is investing a considerable amount of effort into improving its security.

    I am afraid however, that those who are sitting "at the big chair" are not providing you as much resources as you should have to fix important security holes in a timely manner.

    The following mozilla security bug, rated by secunia as MC:

    http://secunia.com/advisories/12160/

    The FD occurred 2 days ago, as of today, the bug is fixed on closed and fixed on CVS, and it will not be long before binary updates for both official and unofficial builds appear.

    On the other hand, a more serious bug (as rated by secunia) still remains unfixed for 15 days:

    http://secunia.com/advisories/12048/

    An additional bug is unfixed for almost a month (while fixed in recent mozilla releases, and backported by unofficial vendors)

    http://secunia.com/advisories/11966/

    It’s really a shame your department seems to get less resources than the mozilla.org staff when it comes to security…:-(

  31. Anonymous says:

    Starman,

    The problem with opera can be worked around with a user stylesheet:

    http://blogs.msdn.com/ie/archive/2004/07/23/193152.aspx#193388

  32. Anonymous says:

    Thanks for the tip Jim. I’ll just use IE or Firefox for posting here until someone fixes the blog code. I’m not sure I understand why the IE Team chose .Text when there are many good quality standards-compliant blogging systems available with better features.

    More bad news for IE: Sydney Morning Herald article recommends users drop IE and use Firefox.

    http://www.smh.com.au/articles/2004/07/26/1090693888524.htm

    Actual Frontpage (in PDF) http://www.smh.com.au/frontpage/2004/07/27/frontpage.pdf

  33. Anonymous says:

    Security aside, W3C Standards are what it’s all about…until IE (developed by Microsoft, which has the most resources on Earth and, I believe, is a member of that standards-development body) will accept that developers want standards for valid, everyday life reasons (and not just to bash Microsoft), then developers will indeed bash MS.

    Adobe and Macromedia are just two examples of companies that have excellent relations with their customers: Photoshop artists are respected, Dreamweaver developers are courted, etc. – none of us outside of Microsoft need Bill Gates to come do our dishes for us (we’re not asking MS to do *everything*), but the year-after-year, arrogant disregard for what *actual* CUSTOMERS want is beginning to reap its proper rewards.

    A Wish-List for IE?:

    1 – FULL native support for CSS 1, 2, and as much of 3 as possible

    2 – FULL native support for MathML (yes, real people actually do want, and *need*, this) – think scientists, mathematicians, researchers, statisticians, etc.

    3 – FULL native support for PNG

    4 – FULL native support for SVG

    5 – FULL native support for XML *and* XHTML (delivered either as html or xml)

    6 – Tabbed Browsing

    7 – pop-up blocking (customizable by site)

    8 – NO ActiveX, Smart Tags integration or dependencies

    9 – NO integration with the OS

    10 – NO integration with other Office products

    11 – SMALL Core Footprint, with the ability for plug-in/extension development to provide for more specific features

    12 – DROP Alexa: it’s spyware

    13 – FIX IE’s printing bug, where it prints something like "file://C:DOCUME~1(name)LOCALS`1TempNNL02KNO.htm" instead of simply printing a web page’s actual URL

    Until such time as IE sports some of these *basic*, *necessary* features, here are a few resources that are more useful than the way-out-of-date marketing…oops, sorry, technical, info provided by Microsoft:

    http://www.google.com/search?q=IE%27s+shortcomings&sourceid=firefox&start=0&start=0&ie=utf-8&oe=utf-8

    http://css-discuss.incutio.com/?page=CategoryBrowserBug

    http://www.positioniseverything.net/index.php

    http://www.blooberry.com/indexdot/css/supportkey/syntax.htm

    http://www.quirksmode.org/css/contents.html

    http://westciv.com/style_master/academy/browser_support/index.html

    http://nemesis1.f2o.org/bugs

    http://www.stopdesign.com/log/2004/01/26/ie-factor.html

    http://www.galaxygoo.org/blogs/archives/000528.html

    http://geocities.com/csssite/index.xml

    http://www.mozilla.org/start/1.0/guide/product.html#standards

    http://www.mozilla.org/products/firefox/why/

    http://texturizer.net/firefox/extensions/

    Sorry, but you’ll need Mozilla, Firefox, Netscape 7.1, or other Gecko-based browser to see some of these sites properly, since IE doesn’t fully support standards such as MathML, SVG, PNG, CSS, etc.

    PLEASE, listen to us…some of us actually DO like IE…but it has caused more trouble than any other single piece of software in many of our lives…and I’m not saying that to be mean or make you feel bad.

    I would LOVE to see an IE with incredible standards support and tough-as-nails security…wouldn’t happy developers constitute a small (or maybe not-so-small) army of marketers eager to tout the benefits of such an IE to all *their* customers, if they had a reliable browser from you?

    That just seems like good business.

  34. Anonymous says:

    Have a look at Case Number SRQ040127600097, I already emailed you about it, the base behind the ‘bug’ will boost IE’s security by many miles. Get back at me if you want to see a life working (and free) scenario.

  35. Anonymous says:

    You can’t rip out ActiveX – that would hurt a lot of web (okay, intranet) applications.

    Standards are cool – write once, run everywhere, but I think a lot of the problems today have come from the fact that at one point, IE was far ahead of what the standards could supply.

    Then development appeared to stop.

    How’s Internet Explorer for Longhorn shaping up? How much of the IE team’s time is spent on it?

  36. Anonymous says:

    Item 1 :: I found this statement far too dramatic: "a new kind of opponent who is leaner, faster and far more devious and ingenious than any we have encountered in the past. I’m talking about the malicious hackers who lurk in the seedy corners of the Internet." Isn’t that a little black and white? A bit over-dramatic? I prefer my blog entries to be informative without the hyperbole.

    Item 2 :: Dean, you are seriously not aware that most pages print with their right sides lopped off in IE because it fails to reflow text to fit the page width rather than the set table width (intended for the screen)? I find that staggering. It’s been a problem since….1997 at least. How can the IE team have not used IE often enough to not notice?

  37. Anonymous says:

    "Some of the slashdotters, like snowknight, harass people in their own blogs by posting to their blogs if they don’t like what they hear here. So be aware when you leave your site address here."

    Hold on a minute! Since when have I posted links to "my blog" (which doesn’t exist btw). Unless there has been another "snowknight" pretending to be me, will you stop making baseless accusations?

  38. Anonymous says:

    Hello John… fellow Jon here. 🙂

    Fantastic weblog here. I myself used to live in Olympia and have fond memories of Rainier on the horizon from there. Truly a work of art.

    I’m posting to inquire about the acronym RTM. Does this in fact refer to "Released to Market", or does it have more sinister meanings?

    Obviously, I’m not at all serious in asking the above trivial question, however, doing so hints at an infamous problem in IE that is no doubt under development for Longhorn. You know what it is I’m referring to 🙂

    As one of the hordes of standards proletariat designers (poor and desperate), I am currently in debate with myself on whether to use <abbr> on clients’ websites in hopes of future support by IE, or if I should simply use the less semantic <acronym> when marking up abbreviations? Not really a complaint, per se, but a sort of "future-proofing" that I can reference to let other designers know your stance on the situation. Acronyms are far more widespread and need defining 8 times more often than abbreviations, but a little addition would help in the long term.

    Honestly, it’s not as important an issue as some people have made it out to be, but an answer (or at least a subtle hinting) as to the future incorporation of the element without the need for "hackish" techniques would solve mine and others’ relentless internal dialogues.

    Thank you for your involvement in this aspect of development, and I hope to spend many more hours reading this blog.

  39. Anonymous says:

    Well, look what I did there.

    I got caught up in the Mt. Rainier reference and posted the above comment in the wrong article/section.

    I apologize that my above post has no relationship to anything at all having to do with security. Feel free, however, to address the comment if you see fit to.

    Won’t happen again… there’s already too much "questionable commenting" within this blog as is.

  40. Anonymous says:

    IE Web Team: You might like to review this article:

    http://www.stopdesign.com/articles/throwing_tables/

    The net results of that "samaritan" redesign are:

    Per Jeffrey Zeldman (http://www.zeldman.com/daily/0704e.shtml)

    * A 62% reduction in file size (extrapolated to bandwidth savings of 8.5 terabytes per year, estimated conservatively).

    * The delivery of a single site version that works correctly in most modern browsers — versus the two versions Microsoft now maintains: a “good” version for WinIE5.5+, and an aesthetically crippled version for all others.

  41. Anonymous says:

    starman

    The suckerfish menus (link of article) are amazing. Thanks for the great link.

  42. Anonymous says:

    Jon Kennedy,

    Make use of Dean Edwards IE7 script. It corrects for IE6’s lack of <abbr> support.

    http://dean.edwards.name/IE7/

  43. Anonymous says:

    Hello,

    I have to admit I was pretty cynical about the whole ‘IEBlog’ concept to begin with, but you seem to be decent guys, and I appreciate the opportunity to make myself heard.

    I am not particularly computer-literate – I never read slashdot, and can’t program a VCR, let alone a computer. That said, I am fortunate enough to have some very technologically adept friends who switched me to Firefox and who periodically show me neat tricks (in the same mould as your favorite’s trick).

    Unfortunately, most Internet users are not as fortunate as myself in that they don’t have geek-friends to help them. Most people will use Internet Explorer simply because it’s there, and they know about it.

    I realise that this is a happy position for Microsoft to be in, and I do not know enough about the reasons for this dominance to be overtly critical, but I will say this: being the default choice for the average Internet user is a responsibility, and one that I feel that the IE team has taken far too lightly. Internet users deserve the best possible browsing experience, and IE has undeniably not been providing this for quite some time. The feature requests already in are fairly comprehensive, and I won’t repeat them, but broadly speaking, it is clear to me that the average web-user suffers because IE does not provide them with properly rendered pages free of clutter and intrusive flash, javascript and the like. There are countless annoying little things that poor or unscrupulous web-designers do that IE (unlike Firefox) cannot compensate for – multiple pages opening in horrible new windows (often without an address bar or right-click functionality) very quickly make it difficult to browse in a coherent fashion, or to follow a structured line of inquiry.

    I use the web a lot for research, and as a humanities student, that makes me somewhat unusual. The primary reason that many of my peers do not take advantage of this is that Internet Explorer is practically impossible to manage when one has 10-20 windows with relevant information open – one can neither find what you want nor refer back to one’s original searches. Many of my colleagues, though aware of the available sites, simply find ‘net research too cumbersome and are thus denied the immeasurable advantages that access to this vast amount of information should provide.

    As I have said, this is not entirely your fault, and a lot of pages could be designed a lot better, but a browser should be able to compensate for poor design, not exacerbate it.

    You have a difficult task ahead of you, and I think it will be important to remember that your most vociferous critics are not and will never be your core market. Those who know about Firefox already enjoy a better browsing experience. You have obtained a position of such overwhelming dominance in the browser market that most people are simply afraid to consider an alternative. Your duty to these people is to provide them with a browsing experience as good and as secure as they deserve – an up-to-date, simple tool that will present the Internet to them in a form that is as easily readable and manageable as a book or a collection of papers.

    Good Luck.

  44. Anonymous says:

    I knew the IE Blog was going to be entertaining. Here’s a recent post, which gives one some insight as to the mentality of the IE when it comes to security….

  45. Anonymous says:

    RTM stands for "released to manufacturing". RC stands for "release candidate".

    Many companies besides Microsoft use these terms.

  46. Anonymous says:

    The title of this post is wrong. The correct name is "Welcome to Internet Explorer inSecurity"

  47. Anonymous says:

    can you fix exploits in 24 hours like firefox?

  48. Anonymous says:

    internet explorer what?

    security?

    best joke this morning!

    lol!

  49. Anonymous says:

    omg, what are you doing all day John? I thought ‘security’ didn’t appear in the MS dictionary.

  50. Anonymous says:

    this site is a HOAX

  51. Anonymous says:

    The big difference between IE and Mozilla is attitude…not only do they fix security problems fast, but they’re VERY into making their browser REALLY secure, and have just implemented an idea that I suggested a few days ago to you guys: pay those who find security problems.

    Check this out:

    http://www.mozilla.org/press/mozilla-2004-08-02.html

  52. Anonymous says:

    One MASSIVE irritation is that even when you tell IE, "NO I DON’T WANT TO LOAD ACTIVE-X CONTROLS ON ANY PAGE EVER" it gives you the message: "This page can’t be displayed properly because some active X control couldn’t load"

    How on earth are you meant to roll out that security policy on your network when people give you 10 million support calls when they see that message?

    Fix that and save everyone a headache.

    Simon.

  53. Anonymous says:

    It is great to see that you SAY you are going to be moving forward, but the harsh reality is that you are echoing the same words that Microsoft has been saying for years; many "new" releases of products that have changed very little from the previous version.

    You have already lost ground because many bad developers have relied on IE’s bugs. This is not something about which I am going to sympathize. The slacking of the IE team in the past is coming back to bite you in the ass, and do not expect to win back your customers easily.

    I am the demographic that you are targeting, and I am moving away from Microsoft because there are better open-source alternatives to just about every piece of your software. It is a shame that it has taken the challenging of Firefox, Opera, Netscape, and more to get you to finally realize that you need to make your customers happy. No longer can you lazy sons of bitches sit back, knowing that there is no alternative, and that you have the monopoly.

  54. Anonymous says:

    Get your ass away from writing blogs and worry about fixing the bugs that forced me away from IE.

    For a development leader you need to be doing some more developing and a little less PR work.

    My browser should not get hijacked because you are an incompetent developer, and it will no more. Good-bye IE.

  55. Anonymous says:

    Hey, Microsoft, you guys do seem to occasionally listen to people. Maybe only when your backs are against the wall, but it does happen. I was pleasantly surprised by the improvement in the Pocket PC after the PPCWB ("Mobius Zero") in 2000, for example.

    So I’ll just give you a link to an article I wrote about how *Apple* is beginning to head down the same security waterslide Microsoft got onto seven years ago. Even if Apple doesn’t pay attention, maybe you will and they’ll follow.

    http://www.scarydevil.com/~peter/io/osx-security.html

    Basically, when Microsoft announced they were merging the browser and the desktop back around ’97 (or ’95, or whenever it was) I got my workplace to ban IE and as many internet and email related programs based on the same engine, because I knew this was going to cause big problems. I didn’t know what they would be, I just knew they were on the way.

    When Melissa hit, I looked like a bleeding hero, I did.

    But I was naive. I figured that this was going to be temporary. Microsoft would pull out the various components of IE and make it possible to create a secure browser using them, one that didn’t have its little hooks into dozens (soon to be hundreds) of other programs… none of which had (or should need to have) any way to distinguish between trusted and untrusted requests. I mean, here they were coming out with NT which had a really nice security model, they obviously had people who understood that this was a bad idea.

    So, anyway, have a look at my article, and at least let us know why this huge, gaping, and obvious design flaw is still there, baked into the guts of IE and Windows Explorer…

  56. Anonymous says:

    The truth is that Microsoft has a habit of producing bad software – probably due to being closed sourced and the limited minds can’t produce anything else. It "looks" pretty on the outside, but, that’s as far as the beauty goes.

    Linux is a wonderful product, which is winning the OS war, by the way, despite what you want to believe, because practically the entire world is working on it in some way – it’s open source. The source code for Microsoft products is kept secret and hidden, thus, severely limiting the amount of people who can work on it and, therefore, limiting its quality.

    My suggestion is thus. Open ALL the source code for Microsoft products, thereby allowing more folks to improve it. Or keep it closed and continue to wane until such time as Microsoft products are no longer wanted by the public at all.

    Microsoft Corp. is going to lose the revenue generated by its Microsoft Windows OS’s. Either by opening the source code to the public, or by the public demand for the products dying out. Revenue generated by MS Windows OS’s is going to be lost, one way or another.

  57. Anonymous says:

    The truth is that Microsoft has a habit of producing bad software – probably due to being closed sourced and the limited minds can’t produce anything else. It "looks" pretty on the outside, but, that’s as far as the beauty goes.

    Linux is a wonderful product, which is winning the OS war, by the way, despite what you want to believe, because practically the entire world is working on it in some way – it’s open source. The source code for Microsoft products is kept secret and hidden, thus, severely limiting the amount of people who can work on it and, therefore, limiting its quality.

    My suggestion is thus. Open ALL the source code for Microsoft products, thereby allowing more folks to improve it. Or keep it closed and continue to wane until such time as Microsoft products are no longer wanted by the public at all.

    Microsoft Corp. is going to lose the revenue generated by its Microsoft Windows OS’s. Either by opening the source code to the public, or by the public demand for the products dying out. Revenue generated by MS Windows OS’s is going to be lost, one way or another.

  58. Anonymous says:

    Ian, please stop spamming.

  59. Anonymous says:

    He’s not spamming; he just hit enter twice. Blame the crappy blog tool. It should not allow you to post again for 15 seconds to avoid that kind of thing.

  60. Anonymous says:

    He’s not spamming; he just hit enter twice. Blame the crappy blog tool. It should not allow you to post again for 15 seconds to avoid that kind of thing.

  61. Anonymous says:

    He’s not spamming; he just hit enter twice. Blame the crappy blog tool. It should not allow you to post again for 15 seconds to avoid that kind of thing.

    Plus the damn thing is getting Slashdotted to all hell and, this site being based on Microsoft technologies, can’t handle the load.

  62. Anonymous says:

    No, he is spamming. He’s copied and pasted the exact same comment onto most of the entries on this blog. I wasn’t referring to the double comment.

  63. Anonymous says:

    I just took a look at the other three IE blogs that you link to, and I get the impression that all of the blogs on blogs.msdn.com are invalid.

  64. Anonymous says:

    Whereabouts have you been diving? My fav is Sharm El Sheikh

  65. Anonymous says:

    Thanks for having a blog open to the public! 🙂 Very cool. Having said that, I would like to recommend that you guys give a serious ear to what a lot of the developers are saying: IE needs to be more W3C compliant. Microsoft is a member of the W3C, and all quarrels should be taken out and decided there — by shipping a browser that is basically a thumbed nose at web developers everywhere, you are only courting bad sentiments, like the numerous ones listed above.

    Full PNG support, CSS 1,2, and a lot of 3…a return to the "standard" box model. I know that last one is a big deal…but Microsoft has the power and ability to say, "guess what, we’re going to be standards compliant" and every Joe Shmoe and corporate entity will pay their developers for the 5-10 hours it takes to retool their existing website (well, the ones that currently use IE’s flawed box model.) It’s not a big deal.

    Courting developers is also good PR for Microsoft. You want to increase the company profile and esteem in the world? Court web developers (since you are IE team people.) Once you have a product that REDUCES headaches for the developer community, you will instantly deflect amazingly huge amounts of criticism. Also, considering that open source, W3C-raving fanatics are one of the biggest sources of criticism of IE, by implementing the W3C model you 1) instantly defuse their criticism, and 2) increase public estimation of IE, and by extension, Microsoft as a whole. It’s vocal communities like web developers who are ESSENTIAL to court, since they are the ones who are posting online to the world.

    Bottom line: take your disagreements to the W3C council meetings and decide them there. Do not ship a product that disagrees with their recommendations, because this only opens you up to criticism.
