Welcome to Internet Explorer Security

The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 20 August 2012

My name is John, and I work on the Internet Explorer team. It's a little hard to explain my actual function on the team, but my current official title is "Development Manager". I'm also something of an adrenaline junkie. I'm big into back country and park/pipe snowboarding, semi-closed circuit rebreather and mixed gas diving, hiking and climbing up and around Mount Rainier, and spelunking into Internet Explorer code and architecture (I'm not sure which of my passions is most challenging). Frankly, I tend to agree with a lot of the criticism that has accumulated over the past several years and is being voiced on this blog. The opportunity to make this better is exactly why I love (or is it lust?) to work on the IE team.

There is something liberating about working on a difficult problem. I think it removes the fear of failure that freezes a lot of people in their tracks. It also lets you take bigger, bolder steps forward than you might otherwise take. For some reason, once a team "gels" under this sort of pressure and becomes motivated to accomplish the impossible, it seems to become unstoppable. Whatever it is, it definitely is addicting to work in the types of teams that result from facing these sorts of challenges. IE has always been one of these teams as far back as I can remember.

The IE team's most important challenge today, and consequently the area of the team's largest investment in blood and sweat, is providing our users with a trustworthy browsing experience. In conventional software development, it is relatively easy to know your competition. To win, all you have to do is build a better product than they do. Today, we've got a new kind of opponent who is leaner, faster and far more devious and ingenious than any we have encountered in the past. I'm talking about the malicious hackers who lurk in the seedy corners of the Internet. These hackers have learned to turn our own creation against us, and most importantly, they are using this knowledge to do real harm to our users. This is why my team and I take this challenge very personally, and why we are especially proud of the hard work that we put into Internet Explorer in XPSP2. If you haven't done so already, and you care about your computer's security at all, I strongly encourage you to install and run RC2 today, and the RTM version when it comes out.

The problem with compatibility (and the rest of the world) is that while we would all like to see things as black and white, they really smear into varying shades of grey. Different customers have different expectations of the product and different understandings of the specification - sometimes so different that they conflict directly with one another. It's inevitable that once a product ships, especially an extremely complex and sophisticated platform component like IE, someone will come to depend on behavior that someone else would consider a bug. Combine this with aggressive security and performance objectives, and you have a nearly impossible challenge before you. But like I said earlier, the IE team thrives on exactly this sort of challenge. And, we're not afraid to move the bar in a thoughtful way when it's in the best interest of our customers. Consider this (perhaps poorly titled) article; while we continually strive for compatibility, this author notes some recent issues.

I apologize up-front for being vague; there are many real world examples and challenging investigations that I'd love to share in detail with you. Unfortunately, I can't disclose details of how my team and I deal with security investigations. My goal is to find ways to share as much of this information with you as possible. If it helps, it is our full time job to solve these sorts of issues. Walking the razor's edge between security and compatibility is a challenging job, but it's a job that we love to do, a job that we are passionate about, and a job at which we will not accept failure at any cost. As I've said before, take a hard look at XPSP2; it's a preview of good things to come from this team.

A bunch of my teammates and I will be hanging around BlackHat and Defcon this week. It's a great conference, and while most of the sessions tend to cater more to the IT Pro crowd, I've found a lot of the talks to be really informative. At the very least, taking a week to step back from the minute details of client side security to try to become immersed in the bigger problem of Internet/Networking Security has been enlightening, and something I want to share with the rest of my team. It's also a chance to meet and talk directly to the folks who find security issues and report them. All in all, I expect this to be a good conference this year, with a lot of opportunity to stay abreast of what is happening in our community. We'll be traveling somewhat incognito, but if you happen to be there and think you recognize one of us, feel free to stop and say hello.

// John