The information published in this post is now out-of-date.

—IEBlog Editor, 12 September 2012

There’s a new security update for IE available. You can find the security bulletin here and the Knowledge Base article here.

Candidly, I’d like to write in depth about the vulnerability, different approaches we thought of in defending against it and the compatibility issues (site and application) that each approach entailed, and how we chose the one that we released.

The main reason I can’t is that folks who want to find security holes and hurt Windows customers look at every single communication that comes out from Microsoft for anything that will help their effort. I don’t want to give it to them. No, I’m not happy about this. Yes, this frustrates me too. The longer I work with the Microsoft Security Response Center, and the more I see of both responsible and irresponsible disclosure of security issues, the more I respect their judgment on this one.

I am trying to figure out if there is something (instead of nothing) that we can say publicly about the changes. I hope to have an answer next week. If nothing else, I’m glad we were able to release this today given the interest with press, customers, and developers that this vulnerability generated.

In the meantime, I’ll answer a question that bothered me for a long time. Is the numbering scheme for these releases totally random?

Despite appearances to the contrary, no. Security update numbers start with the two-digit year of the release (yes, I look forward to the posts about our Y2100 issues) and are then sequential. The first security update each year from Microsoft is 001, then 002, etc. When you look at just IE’s (the way I do), the numbers are all over the map. We actually don’t know the number while we’re working on the release because we can’t make assumptions about when we’ll release versus other security work that’s going on.


Comments (76)

  1. Anonymous says:

    Is one of the fears about releasing information because there might be parts missed? Or is it a matter of "When we say what we fixed, some luser will code to the unfixed part, and hammer the multitude of dimwits out there that don’t patch"?

  2. Anonymous says:

    For me it’s interesting to see just how much you guys will get to say on this blog. I’m already surprised from a marketing standpoint that you allow such open comments. I mean dag…people are posting links to alternative browsers!

  3. Anonymous says:

    Much respect anyway. If you ever leave Microsoft, be sure to explain in further detail for us curious types. 🙂

  4. Anonymous says:

    This might be real simpleton like, as I’m no sys admin, but I don’t know where else to go with it. I use wi-fi a lot. Today I was plugging along happy as can be, and then received the critical update notice. I downloaded the files to install. Message said I needed to reboot. I rebooted. No Wi-Fi connection from that point on, and still not working.

    I’ve scoured my Wi-Fi configuration. The signal is there, strong and clear, but there’s no connection to the internet. I’m f***ing sitting here at Kinkos now, hoping that I could find something about whether or not this download was the culprit, because it just seems too much of a correlation to be coincidental. Is it possible this update has interfered somehow? By the way, I not only can’t use IE, but any other browser either. It’s as if there’s no connection to the Internet at all via Wi-Fi.

  5. Anonymous says:

    Brian, I think one of the concerns is that many people don’t patch right away. Whenever Microsoft releases a patch (be it in IE or some other component), hackers scramble to reverse engineer it in order to locate flaws that were fixed but not publicly disclosed. They then try to take advantage of the time window between the time the patch was issued and the time most people are patched in order to cause trouble.

    Hashim, AFAIK it isn’t marketing or trying to give users a warm, fuzzy feeling that will restrict content on this blog. It’s about helping keep users safe and sometimes, unfortunately, a bit of "walking on eggshells" due to legal concerns.

    I think it’ll take a little bit of time, but eventually we’ll be able to open up a lot more on this blog. 🙂

  6. Anonymous says:

    No, more bugs…

  7. Anonymous says:

    Where is the fix for XPSP2???????

  8. Anonymous says:

    XP SP2 already includes the patch.


    Important: Users of Windows XP Service Pack 2 Release Candidate 2 (Windows XP SP2 RC2) are not at risk.

  9. Anonymous says:

    Nice link… I have posted it on my site.

  10. Anonymous says:

    Well it’s not that hackers look for every hole, it’s just that they are there. Microsoft is all about integrating its products all together so they all have a level of interactivity (for instance, they can all call each other from a shell command).

    This is bad. Not because of the convenience, convenience is a good thing. But let me describe this using a metaphor…

    Imagine your computer like a house with one window and one door. That door is to let people in and can be locked. The window is to let air in and can also be locked. Both locks can be picked but it is difficult. Now let’s say I build an addition to the house and add a couple more windows, another door, a skylight, and an underground tunnel. You see where I’m going with this.

    The more that is integrated into a system where all the products are integrated, it creates more potential security holes.

    Now… since IE is used by nearly EVERY windows application, what do you think is going to be the main target of attacks? Since IE is used to surf the web and access tons of other servers, what do you think is going to be the main entry point into someone else’s system?

    The integration of IE into the system was a poor idea that they are now paying for. Allowing all the other apps to call all the other apps via a shell command is a mistake they are now paying for. Trying to create their own version of competitors’ products and then integrating them into their browser is a mistake they are now paying for.

    But isn’t integration a good thing? Isn’t that where it will eventually go? Yes… eventually but we are nowhere near close enough to start doing that. In a system where it isn’t integrated, you can always blame the manufacturer of the product rather than the creator of the OS. But by integrating the product, more fingers point to you. Eventually all fingers point the blame to you.

    Do people remember the good things MS does for them? No, but they sure as hell remember the bad things.

    Microsoft didn’t always use to be an evil company, they brought IBM to its knees once. But now they are the IBM and their tactics are less than palatable. But they are a bit worse because with IBM, at least we had security. Microsoft will not have security until they unbundle everything and give the consumer a choice again.

    And in a sense, hackers are trying to force their hand. And quite frankly, they are doing an AWESOME job! You should try Mozilla sometime.

  11. Anonymous says:

    Jon Kennedy,

    It’s going to be a long, long time before it would be safe to write about the topics Dean can’t write about today.

    Think about it. It’s not just a matter of technically violating an NDA, it’s a matter of how much information the black hats have.


    Having read the linked information about this particular set of patches, I’d leave the "evil Microsoft" hobby horse sitting quietly in the corner. The functions getting patched are "navigation" (in the sense of what pages on a given host can do with resources on other hosts), the GIF reader and the BMP reader. It’s not like they’re patching the DR-DOS detector or something.

    Is a browser "over integrated with the system" if it supports these file formats? I’m pretty sure Mozilla supports at least one of those formats.

  12. Anonymous says:

    Seems Mozilla has a serious problem also.

    start quote:


    A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

    The problem is that Mozilla and Mozilla Firefox don’t restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

    The Mozilla user interface is built using XUL files.

    A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

    This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

    NOTE: This issue appears to be the same as Mozilla Bug 244965.

    end quote

    Apparently from what I read following a Slashdot link this bug was first reported five (!) years ago.

    start quote


    1999-12-20: Original discovery by

    2004-7-18: I independently stumbled on the problem (while trying to teach myself enough XUL to write a browser extension, actually)

    2004-7-19: I published to MozillaZine and, later, to Bugzilla.

    2004-7-30: The press, astute as always, catches wind of the matter.

    end quote


  13. Anonymous says:

    One of the things that the Mozilla Foundation now faces is the exposing of all these older flaws that, at the time, they failed to fix. I’m sure, over the coming months/years, we are bound to see an increase in the security issues that are found within the Gecko engine and the Mozilla/Firefox browsers. Even Opera, which is now in its 7th go, suffers from exploits. There will never be a way to lock down the browser enough to make it useful; however, the teams behind these will end up making the difference.

    Microsoft, obviously, has the money to put back into their browser and make it safer and better for all of us. This is, after all, a good thing indeed. We realize that it took some time for them to get around to doing it, but until recently there hasn’t been a major need for these features. Everyone was happy with what they had and many still are. Now the question remains, can the Mozilla Foundation support their browsers for the long run? After all, it’s only a year old and has yet to be tested to any length. We are just starting to see it and so far they are doing a fairly decent job, but nothing that the IE team hasn’t accomplished before.

    One of the things that, I think, people tend to overlook about Microsoft is their ability to improve when under fire. Right now, even with market lead, their browser is behind and falling farther and farther each day. However, I’m quite amazed at the improvement in SP2 and I think that the IE Team, as it stands, are set to pull off some pretty impressive things as time moves on.

  14. Anonymous says:

    What has been/is the reason ie 5.5 sp1 has been forgotten for so long? sp2 is no longer available for download and I don’t like ie 6, ie = ie, or is 5.5 sp1 no longer ie anymore?

  15. Anonymous says:


    It’s not really a serious security problem. Have you never seen some popups having the look and feel of Windows interface in IE? This "exploit" works only if you don’t force opening of a new window in a tab, if you have not changed the default theme, if your localization is in English, if you have no visible extension installed…

    Security is not about obscurity, trying to hide things is not a solution; by the way a big part of the exploits are documented at code level with test cases and it’s not so hard to find this information.

  16. Anonymous says:

    ‘…both responsible and irresponsible disclosure of security issues…’

    As a user, and occasional bug finder, I wondered whether you’d like to elaborate (it might also be quite interesting too!) Perhaps you could say how to disclose bugs, and then also just give a few examples of how not to do it. Perhaps if more people knew how to disclose the bugs properly, then we’d have fewer issues?

  17. Anonymous says:

    The big difference between IE and Mozilla is attitude. The people working on Mozilla are far more committed to working on security, and making a secure browser than the IE people. If you don’t believe me, have a look here:

    I never intend to switch back to IE, which is not an insult, just a reality that for me, and many, many others, the Gecko based browsers are so much better.

  18. Anonymous says:

    Mozilla have a detailed bug tracking database that anyone can access. This database contains details of all known bugs and flaws, as well as what progress if any has been made with regard to fixing these bugs. Furthermore, when a bug is fixed, full details of that fix are often available. In any circumstance the complete source code of the product is always available for any knowledgeable person to peruse.

    Despite all this (from the viewpoint of the Microsoft Security Response Centre) <em>perilous</em> disclosure, we see little malign software attacking gecko based browsers. And when security flaws crop up in Mozilla they are typically fixed with admirable speed.

    It makes for an interesting contrast of approaches between Microsoft and Mozilla. Perhaps Microsoft could learn something.

  19. Anonymous says:

    That should have read:

    *perilous* disclosure

    As this blog doesn’t seem to allow html in comments.

  20. Anonymous says:

    Turnip is right…the big difference between IE and Mozilla is attitude.

    Not only do they fix security problems fast, but they’re VERY into making their browser REALLY secure, and have just implemented an idea that I suggested a few days ago to you guys: pay those who find security problems.

    Check this out:

  21. Anonymous says:


    That is so true. If you tell the Mozilla foundation of a security problem, it is often fixed before anyone even hears of it. One ever so recent error was fixed before it even hit the web. 🙂

    IE on the other hand stands behind Microsoft’s security record; mention the security problem 3 months ago and they won’t fix it until an exploit comes out that usurps a couple thousand machines. That’s not very responsible.

    But the boys and girls at Mozilla take security very seriously. In fact, they are the ones who announced the latest security flaws which existed prior to the Mozilla project in the codebase that came from Netscape. 🙂

    Oh and for those of you who wanted to remove IE from your system altogether (and still have windows update work), check out the ongoing series at…

    Part 1: Removing it Manually

    Part 2: Microsoft’s Response and additional tweaks

    Part 3: More info and additional tweaks

    This will make it so you never have to worry about it again. 🙂

  22. Anonymous says:

    I am somewhat amused by the fact that pretty much everyone posting on the IEBlog uses Gecko browsers ;).

    I don’t want to remove IE, I have to test my websites on it, which I might add, is a *nightmare*. It’s estimated that the "IE Factor" takes up 10% of the time it takes to make a website:

    And also, Microsoft could save themselves *329 terabytes* of bandwidth per year if only they went on a web design course:

    That certainly amused me.

    Personally, I think it’s too late for IE. If the IE team can turn the browser around and make it a secure, standards compliant piece of software, all credit to them, but if it were me, I’d be ashamed to be on the IE team.

  23. Anonymous says:

    "Mozilla have a detailed bug tracking database that anyone can access."

    Anyone can access it, but not everyone can see every bug in the database, as described at

    "This database contains details of all known bugs and flaws, as well as what progress if any has been made with regard to fixing these bugs."

    But with no guarantee that most people can see it. It may be hidden. For obvious reasons.

    "Furthermore, when a bug is fixed, full details of that fix are often available."

    Unless they’re not, of course. Whilst bugs may lose their security-sensitive attribute, it’s not mandatory.

    "In any circumstance the complete source code of the product is always available for any knowledgeable person to peruse. "

    True. But looking through diffs to determine whether security holes have been fixed is a far cry from "full disclosure".

    MS clearly feels some sense of responsibility for the users of even old, obsolete, buggy versions of its browsers, and so attempts to offer them a little protection. The Mozilla group clearly don’t. I wonder if their views might change when a reasonable number of people use Mozilla (and hence users of obsolete versions are more widespread). At present I imagine they have the luxury of relatively well educated users and hence relatively few users of obsolete versions. IE certainly doesn’t.

  24. Anonymous says:

    Dr Pizza,

    While it is true that some bug descriptions are not made available before a new public release occurs you may have access to this information on numerous security lists and you can search the source code for comments; something you cannot do on Microsoft products. But your comment on the users is very interesting and I think you make the point, but now alternative browsers are no more a geek attribute! If we compare side by side the Mozilla project and Microsoft on the approach of security it’s really interesting:


    – multi-platform

    – almost real time public disclosure of security flaws

    – very fast reactivity

    – communication with users

    – ask (and pay now) for security problems to correct them


    – tight integration with the OS

    – little information on the nature of security flaws

    – slow reactivity (when they react)

    – no communication (well it seems to have changed but don’t see the effect right now)

    – pay for arresting virus writers

    I think we all know that security is a full time work and an endless subject but the lack of update of Internet Explorer these last years (rendering bugs, standard support and security) is a shame. I really hope things will change, but correcting security flaws for a product which has 75%+ of the market seems to be an obligation, at least ethical.

  25. Anonymous says:

    Dr Pizza,

    Mozilla makes the effort for people to see the vast majority of bug notices and lets them see the progress made. What does Microsoft offer? Can I see the outstanding bugs in their system? Can I see when they were submitted and what they pertain to? No. This is something only open source communities do because they live under an ideal where they have nothing to hide.

    One of the more recent Microsoft bugs was in existence for 3 years! And they knew about it because it was fixed back in IE 4.0!

    Anyone can criticize but when you compare to what is currently out there, you have to admit that it is a more open model and a better model for development.

  26. Anonymous says:

    Two thumbs up on the response, as long as your blog post is part of that response. The whole good cop, bad cop thing.

    Before posting this comment I really did try and read all the previous posts from day 1 of the blog. I feel my sanity started to slip somewhere around post 390ish. When I started thinking that perhaps the Courtney Love analogy is a bit off. After much consideration, I’m sure IE is Madonna, and Firefox is Paris Hilton or Britney Spears.

    Anyway I don’t think these ideas for improving IE security more than 100 times yet…so here goes.

    1. Sandbox IE. Have an IE_User almost exactly like IUSR_MachineName is for IIS. Turn the security equation around, web sites are users on my system, and lock it down that way. I do this with Firefox myself currently. It’s quite nice being absolutely sure that even if a site takes over my browser, it can’t do anything no matter how many patches I haven’t downloaded yet.

    2. Disable script (js,vbs,etc) by default. Just do it, no compromises…web sites and the people behind them must be given explicit permission before executing any code on my system. This will promote the migration of web apps move away from html into Avalon and friends naturally as well.

    Honestly, I can say if I worked at MS I’d be printing 50′ banners and hanging them all over the campus trying to make sure this stuff got done. You guys need to realize you aren’t just designing an HTML browser…you are shaping the way in which the world communicates. Power to the people and so on….seriously.

  27. Anonymous says:

    I like the number 1 that you said, that sounds good, but I dislike number 2 to an extent.

    Fine, disable VBS, any web designer that uses that client side is a fool, it’s only useful for server side scripting. But don’t disable JS. A huge lot of sites use JS, and frankly, there are too many stupid internet users out there that wouldn’t know how to switch it back on. That’s a reality, not an insult. Having JS off by default would be a mistake in my opinion.

  28. Anonymous says:

    red avni,

    Your new analogy doesn’t work. Madonna seems to be aging gracefully.

  29. Anonymous says:

    Red Avni,

    Good idea. Sandboxing IE. That’s the way it should have been done all along. But I’d go a step further and say IE should have NEVER been built into the OS. That’s just asking for trouble and Microsoft is now realizing this. But I seriously doubt they will or CAN do anything about it at this point. It’s a downward spiral from here on out and they are trying to pull up out of a nosedive.

    In other news, Mozilla is nearing 20% of the market (when you count all browsers that use the Mozilla codebase). I know people still THINK that IE has 98% but that hasn’t been the case for a LOOOONG time. People are switching to browsers that are stable, secure, support open standards, do not try to create their own standards away from the W3C, browsers that support CSS2, SVG, and other open formats.

    They have a lot of catching up and learning to do. Unfortunately, they still can’t win as the OS still costs money, tries to lock you in, does not work well with others or work with industry standards, is not cross platform compliant, etc etc.

    Man, one could make a list of all this stuff and Microsoft would still continue on a doomsday like path.

  30. Anonymous says:

    "Richardson said Microsoft is aware of all these requests and is considering them, except for including MSN Messenger in Windows Update part. Messenger users will have to continue downloading updates for the IM client separately from updates for Windows, she says.

    "Our customers are not only Windows customers and they are also not only Windows XP customers. That is why we have our own update mechanism in place–we need it," she says."

  31. Anonymous says:

    Did you say hanging out with or HANG him? I’d be for the second.

    But seriously, this company’s entire concept of locking people in has been their downfall and why people hate them. They want to replace all options with only Microsoft options. They want all choices to be for Microsoft and then lock you in so you can’t make choices anymore… they make them for you!

    Here’s a classic example… I work for a Microsoft vendor as their web developer. Naturally I use the web server that the VAST majority of the web community uses… Apache! Plus I use other open source tools as well. Anyway, I have a window into my office that people can see in through and I’d often get Microsofties coming in to try and tell me that I should use Microsoft for EVERYTHING!

    Well one day I’m sitting in my office not bothering anyone when I get a knock on my door and in walks Billy Anders, principal consultant for Microsoft. He tells me that he saw the PHP, MySQL and Apache books on my desk and asks why I’m using them instead of Microsoft. I tell him rather bluntly security, reliability, community, cost, cross platform compatibility, standard compliant, portability, scalability, etc.

    He doesn’t believe a word of it. So since I am sitting in front of my computer, I show him. I show how Apache has fewer bugs, better reliability and a larger community. He sits there stunned. I then show him how PHP is scalable, faster than ASP.NET (by far) and more popular than C# (which currently is about as popular as COBOL according to the Tiobe Index). I can see at this point that he is having problems getting his mind around this because he then turns to me and says ‘But WHY NOT use Microsoft?’

    You see… I told him and somehow he didn’t get it. Even when I laid it out all bare for him and showed him ‘the facts’. So now I am hearing from another Microsoft person that they hear us and are going to try and give us what we want???

    They heard us all right… but I seriously doubt they’ll give us what we want. Instead, they’ll give us what THEY want and try to make it seem like what we want.

  32. Anonymous says:

    I think saying that Gecko based browsers have 20% market share is slightly optimistic. My estimate (from web statistics) would be that it is between 5% and 10%. It is definitely growing rapidly though. I think the IE market share *is* around 80% though, possibly a bit higher.

  33. Anonymous says:

    As Owen demonstrates in "Hanging Brooke" above, Microsoft has an almost inhuman capacity to tell its CUSTOMERS what it is they need and what it is they want – it doesn’t really seem to matter to Microsoft what we say or do, we’re *just* revenue stream…oops, sorry, CUSTOMERS!

    Really…it is sad, but Microsoft will find out, like so many organizations, governments, power-holders, etc. throughout history, that real people are far more intelligent, discriminating, and opinionated than they may appear when they are just slaves, servants, peasants, or customers…Real people can see how much their thoughts, beliefs, and needs count for powerful entities like Microsoft – they’re really not so stupid as Microsoft would think.

    As Owen says, you guys may try to force on us what you want (clothing it in what we "want" or "need"), but Microsoft’s credibility is shot…I do hope you guys are able to salvage it by giving your CUSTOMERS what they ask for: security, standards, interoperability, flexibility – all non-proprietary qualities.

  34. Anonymous says:


    It’s true. Even 5% of Microsoft traffic is using Mozilla… internally!! As for the NEARING 20%, take a look here:

    These are the stats for the beginning of last month, the beginning of the month where the Dept of Homeland Security told people to stop using IE. You can see the instantaneous jump to Mozilla of an additional 2%!! But if you add in Netscape 6+ to the stats (as Netscape is a Mozilla browser believe it or not), you get 15.1%.

    Mozilla has continuously had about 1% growth every month for the last year and assuming at a bare minimum that this month’s growth is an additional 1%, this would put Mozilla’s market share at 16.1%!!

    Of course, I’m willing to bet another 2% jump again because of recent issues with the security of the browser.

    On a more interesting note, this is the first time the percentage of IE users has EVER dropped!! Kind of tells you something there. Could be a trend we would be happy to see flourish.

  35. Anonymous says:


    I am aware of the W3Schools stats, and I have looked at other stats as well, which is how I made my estimate. It is important to realise that W3Schools attracts a "special" audience of web developers, and web developers (plus developers in general) probably make up a significant percentage of Mozilla users as a whole.

    I’d suggest you have a look at other stats too, some go as low as 2% Mozilla.

  36. Anonymous says:


    Those aren’t stats specific to W3schools, those are stats that used to be maintained by the W3C… the World Wide Web Consortium! They have since moved to there (I can’t recall why) and give the most accurate and unbiased measure of browser usage and trends. The stats are from a variety of sources, compiled and recalculated monthly (which is why it’s not up yet as I assume they are still getting all the data in).

    So yes, these stats are the most accurate reflection of current browser trends. And I would imagine those sites you mention that have a Mozilla usage of around 2% use ActiveX heavily and are pretty unsecure as a result. In fact the majority of the web uses these stats regularly for judging browser usage.

    And like I said before even 5% of Microsoft’s internal employees use Mozilla… so saying the world outside of Microsoft is going to be equal or less isn’t realistic.

    I know it’s hard to swallow but while Microsoft slept, the world has changed. And open source slowly started replacing Microsoft by being better, faster, more secure, more reliable, cross platform compatible, compliant with open standards, etc.

  37. Anonymous says:


    I checked out a couple of other sites that report stats from multiple sites and they have Mozilla as low as 4% and as high as 29% from 5 different sources. When they average out, it’s still about 16% so I tend to agree with Owen.

    Microsoft ever so recently stated that they would not be coming out with a new version of IE prior to Longhorn (which won’t come out til 2008). But after the recent security problems, Microsoft has started HIRING to the IE development team, started this blog and started development on IE again.

    Why did they change their minds so suddenly? Because the browser is an integral part of their monopoly. If they lose that, they lose everything.

    So I understand why you don’t want to believe these stats but from everything I’ve seen, these are pretty accurate.

  38. Anonymous says:

    I’d agree that IE is an integral part of Microsoft’s overall strategy (wouldn’t call it a monopoly) for Windows and the Internet and having integrated it into the OS a lot does ride on its continuing success. Not only for Microsoft but for thousands of developers who have built applications with its various components. Microsoft desperately needs a culture change so that it can see with a new set of eyes. They can still be great competitors and innovators while fully supporting web standards. As I’ve stated before, it is such a sad tale that having won the browser wars, Microsoft then stopped advancing and improving Internet Explorer and by having done so has limited the advancement of the Internet. Microsoft did at one time help advance the web but you simply cannot stop dead in your tracks. Why oh why did they do it? That decision has come back to hurt them and I think the decision to not release a more standards compliant IE before Longhorn will hurt them too.

    Side note: I think Longhorn is due out in 2006 not 2008. I believe a beta will be available sometime next year, if not to everyone, to a select group of corporate users and developers.

  39. Anonymous says:

    Well I will give this to Microsoft… when they have competition, they rise to the occasion but once they have crushed the competition, they just rest on their laurels. I remember the original reason why I switched from Netscape to IE; because IE just got better!

    It’s the same for all their products. Microsoft is a competitor and without anyone to compete against, they quickly sink into suckiness. Unfortunately, now they have established a track record of being unreliable and unsecure. That plus competing with open source which has easily 3 times the number of developers on ANY product and they are giving it away makes this Microsofts biggest battle yet.

    I’ll admit that I’d like to see Microsoft taken down a notch but I don’t want them to go away. I think they have alot to offer but they need to work WITH the community rather than acting like they ARE the community and everyone should be thankful to work with them.

    Perhaps the best thing they ever did was take IBM and all the others down a notch. They got a little perspective as a result. Now it’s Microsoft’s turn to gain perspective. I just hope they do it on their own for a change. But with all the FUD coming out of Redmond (‘Get The Facts’, Alexis De Tocqueville, etc), I seriously doubt they are ready to play ball.

    We’ll just have to wait and see…

  40. Anonymous says:

    Oh and Longhorn is due in 2007 as of last mention but Microsoft has mentioned that it could get pushed back as far as 2008. That’s how I got the number.

  41. Anonymous says:

    I’m suspecting that MS04-25 has hosed a 2K server booting off an IBM FASt T SAN. Even more interestingly/irritatingly, it seems to have done something to the chunk of disk space on the SAN as a fresh install of 2K won’t work as it complains about partition errors or fails to copy key install files. Things were fine before MS04-25 was applied and it was the only patch applied.

  42. Anonymous says:

    Yet another quality product from Microsoft

  43. Anonymous says:

    Mozilla patched a bunch of flaws today for all of its products. Download your new copies guys.

  44. Anonymous says:

    I agree with the fact that competition allowed IE to become the best browser at the time, and this helped the "internet user experience" to improve. Then, with no commercial competition, IE has slowed this whole process. Fortunately Mozilla is around… I too believe it is the best browser at the moment especially from a developer’s perspective.


  45. Anonymous says:


    The W3Schools is not a part of the W3C. I quote from the bottom of

    "The statistics above are extracted from W3Schools’ log-files, but we are also monitoring other sources around the Internet to assure the quality of these figures"

    Whilst this says that they are monitoring other sources, the *actual* figures are from the W3Schools’ log files, which *does* attract a special audience.

    Probably the most accurate and broad study of browser market share is done at

    They comment:

    "Gecko-Based Browsers (AOL-Compuserve, AOL for OS X, Mozilla, Netscape 6+, etc.): • The reported percentage of users varies a lot, likely in large part because many stats sources (a) are not properly identifying non-Netscape Gecko browsers, and (b) may wrongly identify Opera or Safari as a Gecko browser. • I suggest that ~6% typically use Gecko browsers, with this number growing as IE and Netscape 4 users switch."

    I would probably go slightly higher myself, and say that I think it’s nearer the 10% mark, but I still think that >15% is a bit optimistic.

  46. Anonymous says:

    ?? – ??????

  47. Anonymous says:

    IE suxx

  48. Anonymous says:

    owen you talk a lot of crap. is miles faster than php and has been proven by ms and non-ms studies. It’s an interpreted scripting language you buffoon, not a strongly typed compiled language.

    As for mySQL, all I need say is triggers, stored procedures, fail safe shutdown, custom datatypes, functions.

    I worked with LAMP for 3 years and found it incredibly slow to develop with, and slower than .net/sql server.

    The only thing it had on windows environments was Apache, and still does. The rest are technologies for teenagers to write their phpnuke websites with.

  49. Anonymous says:


    Duh. Of course they aren’t part of the W3… did you ever hear me say they were? Hmmm? Don’t think you did. Think you imagined it. In fact what was said was that the W3C originally maintained these stats and that they no longer do and instead the stats are housed here. And of course they use their own stats in the mix… who wouldn’t? You mean to tell me that you thought that they just took into consideration stats from all those other sites and would just ignore their own?!!! HAHAHAHAHAHAHAHAHAHAHA! You make me laugh.

    And anon,

    Yes, sorry. ASP.NET is not faster. It cannot be compiled as a module and thus has a slower call time, C# is not a compiled language believe it or not (C and C++ are compiled… java and c# use their engine; they may be CALLED compiled but they are not the same thing), COM calls slow it down, etc etc. The list goes on and regardless of your claims, PHP is still #4 on the TIOBE index while C# ever so recently fell off and is rated around COBOL. 🙂

    As for MySQL, it has those abilities, you just haven’t used them or used a VERY old version. Try educating yourself on the product… it comes in handy. In fact, you can support foreign keys and cascading but it slows it down and the big benefit of MySQL is speed. In other RDBMS’s you can’t shut that off; the functionality is ALWAYS on. MySQL took a different approach and supports both. It’s nice to have that flexibility isn’t it? This way I get to make choices about my setup rather than defaulting to the vendor’s whims and wishes 🙂

    And I’m sorry you lack the skill and expertise to be able to configure a simple LAMP architecture to run correctly. It’s all that time with GUI’s that has rotted your brain. It’s pretty simple really. You see, there are these things called config files which open in any text editor. You change some of the values and POOF! It runs how you want it to! Amazing!

    Benchmarks don’t lie Anon… get the facts.

  50. Anonymous says:

    Uh-oh… What the heck is happening here? Mozilla gaining in popularity STILL? But you guys issued a patch? Wasn’t that enough??

  51. Anonymous says:

    Haha! Let the flamewars commence yet again. Haven’t had this much fun since you guys posted ‘I Love This Browser’. I swear this entire blog is just an excuse to start a flamewar…heh.

    Seriously though. Owen, chill. No one likes to have other technologies forced down their throat. And Turnip, sorry but he’s right. There is a reason why Apache is better: speed and reliability. Same goes for PHP and MySQL: speed and reliability. You can search just about anyplace online and find PHP being faster than ASP and ASP.NET. The reason being is that PHP can be run as an Apache module which saves extra calls. That and it doesn’t use COM which is inherently slower. Take that into consideration with all the extras like accelerators and even its own compiler (yes someone actually built one) and PHP still outstrips ASP.NET.

    So now that we are all cool and playing nice again, can we stay on topic… that being browsers and why IE sucks? 🙂

  52. Anonymous says:

    Ok but one last thing. Just so there are no questions (though I’m sure there still will be), here are more sites that do web stats…

    Here are stats on engineering students around the world (13% use Gecko/Mozilla based browsers). Probably even higher since 12% falls under the OTHER category.

  53. Anonymous says:

    Just wanted to let the author know that on my system anyway, HP Systems Insight Manager 4.1 on Windows 2003, fails to load with the new patch.

    The first windows patch I have come across that breaks something I use…

  54. Anonymous says:

    Will people stop posting web stats that have just been culled from httpd logs? Log files are not accurate. They never have been. HTTP just isn’t designed that way.

    The only way of getting accurate browser statistics is the good old-fashioned method of actually asking people.

  55. Anonymous says:

    hi i’m a troll with no life

  56. Anonymous says:

    Owen: Whatever, statistics vary, and can never show what everyone is doing. You have to make your own judgement, and I have to make mine. I’m sorry that you felt the need to flame me for having a different opinion to you.

  57. Anonymous says:

    Just to let you know, your blog suffers from the "hey-in-windows-our-font-engine-is-kinda-screwy-so-lets-put-ridiculously-small-font-sizes-on-our-webpage-and-only-test-it-in-IE" syndrome, a.k.a. the "whats-mozilla?" disease.

  58. Anonymous says:

    Hi I’m a pussy who likes to pose as other people but who’s too much of a coward to post as myself. You can call me ‘Bill’

  59. Anonymous says:

    Dex, I’m on Firefox, and it’s fine for me.

  60. Anonymous says:


    If pages do not use CSS, it will default to your browser’s fonts. Just change your font settings in Mozilla and you should be good.

    I too am using Firefox (and use Mozilla at home) and both render the page fine… just have to change the font settings.

    If that doesn’t work, let me know and I’ll see if I can help further.

  61. Anonymous says:

    Please please PLEASE make the next version of IE STANDARDS COMPLIANT! I am so tired of coding little exceptions for IE. Web developers should not need to worry about browser detection, CSS fixes, and the like… especially not for the most popular browser out there. PLEASE FIX IE!

  62. Anonymous says:

    The truth is that Microsoft has a habit of producing bad software – probably due to being closed sourced and the limited minds can’t produce anything else. It "looks" pretty on the outside, but, that’s as far as the beauty goes.

    Linux is a wonderful product, which is winning the OS war, by the way, despite what you want to believe, because practically the entire world is working on it in some way – it’s open source. The source code for Microsoft products is kept secret and hidden, thus, severely limiting the amount of people who can work on it and, therefore, limiting its quality.

    My suggestion is thus. Open ALL the source code for Microsoft products, thereby allowing more folks to improve it. Or keep it closed and continue to wane until such time as Microsoft products are no longer wanted by the public at all.

    Microsoft Corp. is going to lose the revenue generated by its Microsoft Windows OS’s. Either by opening the source code to the public, or by the public demand for the products dying out. Revenue generated by MS Windows OS’s is going to be lost, one way or another.

  63. Anonymous says:


    I’m with you 100% but that’s asking A LOT. While I fully support open source, I also think that proprietary can live alongside it.

    Microsoft is not a good example of this though. I’d at least like them to make their products standards compliant and cross platform compatible.

  64. Anonymous says:

    It would be AWESOME if an update to IE was released prior to Longhorn addressing some of the things we have mentioned in this blog.

    Please oh please let this be true……

  65. Anonymous says:

    It doesn’t matter what they do… it’s still integrated into the system and uses ActiveX so it would be impossible to make completely secure. It’s a security nightmare.

    The only way they can make it secure is to stop doing those two things… and because so many of their other apps depend on it, it’s impossible to do without tripling their workforce and upgrading EVERY Microsoft app. Aside from that, they would also have to get all other companies that develop for Windows to update their software that depends on IE being built into the system.

    In other words, to make it safe, they would have to break 70% of all apps that run on Windows! Do you see that happening? I don’t.

    Use Firefox… it’s far safer, more reliable, faster, more standard compliant, more support, more features, etc etc etc.

  66. Anonymous says:

    "I then show him how PHP is scalable, faster than ASP.NET (by far)"


    You must be joking.

  67. Anonymous says:

    Dr Pizza,

    Sorry to say it but it’s yet another Microsoft ‘Get The Facts’ myth that ASP.Net is faster. Many an article by on slashdot has even stated it’s more scalable than PERL. And in benchmark after benchmark (conducted by independent researchers rather than paid by Microsoft researchers) it continues to outperform

    Sorry to have to be the one to break the news to you. Maybe you can use those C# books as a door stop 🙂

  68. Anonymous says:

    An update that addresses the quirky CSS would be far more welcome.

    btw: People who think the Perl, PHP etc are faster and more scalable than .NET (and crucially, more suited to sound programming methodologies!) have never tried .NET, which knocks both of them into a cocked hat. I know, I’ve used them all…you’ve just got sour grapes because object-orientation in both of them is an afterthought. You could at least code some Java instead!

  69. Anonymous says:


    I work for a large shop that uses PHP4 for every project we can get our mittens on, mostly intranet building for SMEs. However, our R&D team have been playing with the last few months and it’s by miles faster in just about every keystone test we perform. It’s best coupled with something like SQL Server, which is expensive, true, but the $5000 USD cost we pay on the platform and software is no more than we’d pay for two or three decent racked *Nix boxes.

    To quote from the technical brief issued to us:-

    " has some advantages of PHP4 and its descendant PHP5 that we cannot ignore, as our workload increases and the demands on the projects we create soar ever higher. Understanding how .NET can achieve higher performance would help the team when making design considerations, and Richard has summarized it as follows:-

    You write the code on any given machine just like PHP, but this time you should compile (C# offers pre-compile code-behind (library writing) or live aspx compilation and caching) the code. No matter the target platform (NT, 2K, 2k3 series), the end result will execute the same, and pretty fast at it, since the .dll/aspx files are converted upon use using a just-in-time compiler to turn the Java style platform-independent/managed code into high performance native code, saving the result for more efficient re-use.

    Given this indifference on where it’s compiled, we can carry on using the Unix workstations during any transition period, since the compiler can be easily configured for activation by remote by the support team."

  70. Anonymous says:


    You either have it compiled wrong or your code is bad. Here’s a nice quote from Oracle that compares the two:


    Speed and efficiency. As I mentioned earlier, ASP.NET is a framework allowing you to use various programming languages. In addition, it is touted as having a great object-oriented model. All this is true, but it becomes a detriment as far as speed is concerned. For all that advantage, there is a lot more code to run through to execute the same ASP page than you have to execute in the PHP engine for an equivalent PHP page. PHP is the quick-and-dirty type of solution, the one to get the job done. And though a lot of robustness has been added to it since its 2.0 and 3.0 days, it still retains that core optimized high-speed approach.

    Speed is not the only consideration. Memory usage is also important.


    Aside from that, C# uses COM calls. Every COM call slows the process down further. PHP doesn’t have this. PHP can be added as a module to Apache therefore saving systems calls; C# has that with mod_mono but it still isn’t as fast as PHP.

    And finally, PHP can be used with an accelerator and even be COMPILED (REALLY compiled)! Making it up to 2 times faster!

    Plus, it’s stable. I can’t tell you how many times this site has had problems over the last week. Sure one can say it’s due to a Slashdotting but I got Slashdotted a while back and my site built in PHP kept spitting out the requests. 🙂

    For a nice unbiased comparison, I suggest going to the Oracle page:

  71. Anonymous says:


    Here’s another nice tidbit from the article Roger put up:

    But what you gain in robustness, you pay for in efficiency. ASP.NET is expensive with respect to memory usage and execution time, which is due in large part to a longer code path. For Web-based applications, these limitations can be a serious problem, because on the Web, your application is likely to scale to thousands and thousands of users per second. Memory usage can also become an issue on your Web server.

  72. Anonymous says:

    Hey guys, this is server-side stuff, and IE doesn’t come into that.

    Can’t we just talk about how crap IE is?

  73. Anonymous says:

    The Oracle thing is debatable at best, I even wrote them a long reply a few months back when it was featured on Slashdot, refuting each and every point. The only reply I got back was from someone else who said that the article was not definitive, and was purely a cursory overview and should be taken as that. Just like I don’t take Microsoft studies at face value, is it wise of anyone to take a rival’s remarks at face value either? Oracle makes its cash on corporate solutions based around PHP and Perl, so they’re not likely to be banging a drum and screaming’s praises. Anyone who did half-hours history at high school would learn the merits of source attribution.

    Real-world performance tests conducted by just about everyone outside of the MS and big-company circles place C# fairly close behind C++, not in line with by a long shot, but by far its code execution is easily able to pace, and then out-pace PHP. It absolutely decimates Java on raw performance numbers, especially with filesystem operations, or any hardware/network interactions.

    As for the argument about longer code paths, let’s face it, your point is relatively bollocks. While C# does use a managed runtime, this runtime’s performance is no different syntactically to that of languages such as C++ or anything else that uses a runtime support on Windows. The dual-layers of compiling do a lot to help mitigate the fictitious performance drop you seem to salivate over, leaving us with a fast language suited to high level, rapid development.

    We’ve got several quad-cpu rackmounts at the office running PHP with compilation as a test platform, and while the performance boost raises it above PHP, it does not do much to touch C#, and the boost is substantially less than you make it out to be. If you want to say Hello World!, you’ll get your 2x boost, but you won’t see anything like it for large data oriented loads.


    The article above, like I previously stated, contains a bucket of inaccuracies, factual omissions and truth bending, which Oracle sales representatives will actually concede in a lengthy and pointed discussion. As for memory usage, we did an attack run on our .NET dev cluster with 2000 hits to the application in a random pattern every second. Taking that as an average, I don’t think any client would be dissatisfied with 172,800,000 theoretical hits per day =)

    When you write your code in an appropriate fashion and stay away from obvious ram hogs and bottlenecks, you can do a lot more than would seem obvious. It’s not like everyone who writes industrial PHP uses the weaker features to base large apps on, so why should be judged in a fashion akin to this? 🙂

  74. Anonymous says:

    The only tests I have seen that support your ‘theory’ are those paid for by Microsoft. Maybe they need to ‘Get The Facts’ straight. 🙂

    You say there are inaccuracies and factual but fail to mention what they are. Rather convenient.

    Maybe you’re right. Maybe Oracle does have a secret agenda to support PHP… a scripting language that they have no involvement in. Yep, there must be a conspiracy here somewhere. Keep looking. I’m sure you’ll find one 🙂

    And just to make Turnip happy, IE 5UX0RZ!!!! 🙂

  75. Anonymous says:

    Oh thank you 🙂