IE in Windows XP SP2


Hi, I’m Tony Chor, the Group Program Manager for the Internet Explorer team. As you may know, we’ve been working hard on IE for Windows XP Service Pack 2, and we signed off on it last week. You can get a very detailed description of the changes on MSDN. (This is lovingly referred to internally as the Book of Springboard – Springboard was the codename for XP SP2.) However, I thought I’d give a high level description of the kinds of changes we made and why.

 

First, as with any project, we set our goals and scoped the project; we couldn’t possibly do everything we wanted to in this timeframe. Therefore, across Windows, we focused on security, specifically in preventing users from having their machines taken over by malicious code. There were a bunch of other good things that happened, but security was clearly the focus.

 

Specifically for IE, we had two big buckets. The first was architectural changes to help prevent attackers from getting through the barriers that protect users and their computers. The second was a set of changes to help users make better decisions about what sites and downloads to trust.

 

Architectural Changes

To understand the architectural changes, let me first describe the security model for IE (parts apply to all browsers.) First, IE permits web pages to do different things depending on how much you trust them. IE bases that trust decision on where the page came from. Files from the Internet, for instance, cannot directly access files on your hard drive. Files that are already on your hard drive, by comparison, can. IE divides the world into five zones (shown from least privileged to most privileged) – Restricted, Internet, Intranet, Trusted, and Local Machine Zone (LMZ). Attacks that allow malicious sites to move from zones of lower privilege to one of higher privilege are known as zone elevation attacks.

 

Second, IE puts up walls between domains (like microsoft.com) so that the script and controls from one site cannot access the information on another site. This is important so evil.com cannot get your username and password from mybank.com, for instance. Attacks that break through this barrier are known as cross domain attacks.

 

In XP SP2, we strengthened the barriers between zones and between domains. This makes it much harder for hackers to get access to your computer. Perhaps more significantly, even if an attacker gets through the new barriers and gets into the LMZ, s/he will encounter yet another barrier. We give the user an opportunity to stop the attack by blocking active behaviors in the LMZ and thereby stop the attackers from really utilizing the capabilities of the LMZ.

 

Basically, consider this real world analogy: we have improved the fences and doors that separate your yard from the street and your yard from your house. If someone manages to get through the barriers, s/he will find your valuables locked in a safe inside the house. We have made it harder to break in and less interesting if you do.
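The zone ordering and the two barriers described above can be written down as a small policy model. This is an added example, not part of the original post and not Internet Explorer's code; the URL-to-zone rules, the sample host lists and all function names are assumptions, and it models only loads started by a page rather than by a user click.

```javascript
// Simplified model of the zone ordering in the post; NOT Internet Explorer's code.
// Zones are listed from least to most privileged, as in the post.
const ZONES = ["Restricted", "Internet", "Intranet", "Trusted", "LocalMachine"];
const rank = (zone) => ZONES.indexOf(zone);

// Constructed sample policy: the host lists are hypothetical.
const samplePolicy = {
  restricted: new Set(["ads.badsite.example"]),
  trusted: new Set(["payroll.partner.example"]),
};

// Map a URL to a zone. The rules are assumptions made for this model:
// file: URLs are Local Machine, listed hosts follow the policy, dotless
// host names count as Intranet, everything else is Internet.
// A string that does not parse as a URL fails closed to Restricted.
function zoneOf(urlString, policy = samplePolicy) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return "Restricted";
  }
  if (url.protocol === "file:") return "LocalMachine";
  const host = url.hostname.toLowerCase();
  if (policy.restricted.has(host)) return "Restricted";
  if (policy.trusted.has(host)) return "Trusted";
  if (host !== "" && !host.includes(".")) return "Intranet";
  return "Internet";
}

// First barrier: a page-initiated load (frame, redirect, script navigation)
// is refused when the target's zone outranks the zone of the requesting page.
function checkLoad(initiatorUrl, targetUrl, policy = samplePolicy) {
  const from = zoneOf(initiatorUrl, policy);
  const to = zoneOf(targetUrl, policy);
  if (rank(to) > rank(from)) {
    return { allowed: false, from, to, reason: "zone elevation" };
  }
  return { allowed: true, from, to, reason: "same or lower privilege" };
}

// Second barrier: content that is already in the Local Machine zone still
// gets no active behaviors unless the user opts in. Treating Restricted as
// "never" is an assumption; other zones follow their own settings, which
// this model does not cover.
function activeContentAllowed(pageUrl, userOptedIn, policy = samplePolicy) {
  const zone = zoneOf(pageUrl, policy);
  if (zone === "Restricted") return false;
  if (zone === "LocalMachine") return userOptedIn === true;
  return true;
}

// Constructed sample loads: [requesting page, requested target].
const sampleLoads = [
  ["http://www.example.com/page.htm", "file:///C:/WINDOWS/Help/topic.htm"],
  ["http://www.example.com/page.htm", "http://payroll.partner.example/"],
  ["http://intranetportal/home", "http://www.example.com/"],
  ["http://ads.badsite.example/x", "http://www.example.com/"],
];

function evaluate(loads, policy = samplePolicy) {
  return loads.map(([from, to]) => checkLoad(from, to, policy));
}

for (const r of evaluate(sampleLoads)) {
  console.log(`${r.from} -> ${r.to}: ${r.allowed ? "allow" : "block"} (${r.reason})`);
}
```
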

 

User Experience Changes

Despite the architectural changes we’ve made, users will still need to make decisions whether to trust a site or a download. To do this, the user needs good, understandable information. For IE in XP SP2, we had two primary design principles around our UI. First, users need accurate information to make trust decisions. Second, users should have more control over their web browsing experience.

 

To help users make better trust decisions, we made it harder for malicious sites to spoof IE’s UI and provided clearer dialogs around key activities like installing software. For instance, some bad guys today cover parts of the IE UI, like the address bar or prompt dialogs, with a chromeless window (an IE window with no window frame). They then make the UI look like it says something else, like a different URL or “This is totally safe. Install it now!” In XP SP2, IE windows cannot cover IE UI, nor is it as easy to create chromeless windows.

 

We give users more control over their browsing experience in a few ways. First, we block most things from coming up without some user action; for instance, pages can no longer automatically start a download unless the user clicks a link or accepts the download via our new Information Bar UI. We also came up with a very original idea – popup blocking. J Sites can now no longer open windows except when the user clicks a link or button to initiate it. Similarly, sites cannot change your home page without a user click as well.

 

To reuse my house analogy, with our user experience changes, we have made it easier for you to identify who is at the door so you can decide whether to open it, and we took the doorknob off the outside of the door, so you can only open it from the inside.

 

There are a whole lot of other changes around reliability, Group Policy support, and a myriad of others, but those are the big themes for our work in Windows XP SP2. IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser. We’re really excited about it, and hope you will be too.

 

For those who don’t have XP SP2 yet, the easiest way to get it is to follow the instructions for turning on Automatic Updates on http://www.microsoft.com/athome/security/protect/default.aspx.

 

For those who are already running XP SP2, tell us what you think!

 

Thanks,

 Tony

 

Comments (174)

  1. Anonymous says:

    Very interesting summary. Thanks for the info and good luck with IE!

  2. Anonymous says:

    "We also came up with a very original idea – popup blocking" … So now you invented popup blocking?

  3. Anonymous says:

    Yes… and it’s very original. :)

    Microsoft… proving once again that they are innovative after the fact. Heh.

    Ok folks, start placing your bets on when the next major exploit will be found. I’m giving it 30 days. :)

  4. Anonymous says:

    Gotta love people who don’t get it 😉

  5. Anonymous says:

    I’m running XP SP2 right now, and to use your house metaphor, it’s like a nosey neighbor peeking in through all my windows seeing what I’m doing or asking if I want to run a program or visit a site. In short, it’s a pain in the ass and should be toned down in some way (if I wanted this many intrusions, I’d install ZoneAlarm); surely there’s a way to offer the same level of protection without so many dialog boxes popping up.

    I mean it even asked me twice if I wanted to run Mozilla Firefox after I clicked yes. Sheesh.

  6. Anonymous says:

    " We also came up with a very original idea – popup blocking." – I assume this is a joke.

    "IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser." – I assume this isn’t a joke, so back this up please.

  7. Anonymous says:

    We gave it a download test on one of our XP boxes here at work, and it seems stable — though it is quite invasive. Even after all of this, I still don’t trust microsoft… almost for the same reasons we left QuarkXpress for our designers. Now that you’ve taken hold of the industry, all these updates only come out when critical and absolutely needed — no improvements otherwise! I see that any other update will take just as long to fix… and that’s not good enough anymore when free options are out there much faster and much more reliable.

    Because of this, I’ve removed all IE from our PC’s (except this test one) and have installed Firefox and Opera for the user to pick and choose.

    I know that you say the regular consumer doesn’t care about things like standards and improved browsing — but your business clients do… and those that pay a lot of money for websites for their company do.

    If a non-profit can provide security as well as improved browser experience for free, then they have my business.

    I will try the update on one of the XP’s without IE, and see if it causes any problems to open Mozilla or Opera builds. If I find MS is trying to block their launch, I’ll be an extremely unhappy client.

  8. Anonymous says:

    I haven’t played with SP 2 yet so I’m not qualified to comment, but since that never seems to stop anyone around here…

    My biggest concern about all of this is that users simply don’t read. If something pops up while they’re trying to accomplish a task, they’ll hit ‘OK’ without reading the dialog box. For this reason, I’m highly skeptical of any security measure that relies on prompting users to continue – because anecdotal experience shows that it won’t make any difference.

    I’d love to know what kind of user-psychology driven decisions were made during the design of SP 2. It would certainly make an interesting blog entry.

  9. Anonymous says:

    If you are just about to be one of those that adds another ‘I can’t believe Microsoft is to have invented the popup blocker’ comment, then don’t.

    He was j-o-k-i-n-g !

  10. Anonymous says:

    OK, firstly, yeah it’s great that you guys think you have got security worked out, but shouldn’t it be secure on first release, rather than the second service pack?

    And this:

    "IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser."

    I would call it bull-somethingorother but this comment would be deleted.

    Firstly, Microsoft hardly have a good track record when it comes to security, and secondly, tell me about the critical exploits available to the hacker in other browsers? Hmmmmm? I thought so.

    Other browser manufacturers are far more committed to security than Microsoft. They program their browsers so that the security exploits don’t happen in the first place. And when they do, there is an excellent response time in getting the problem sorted.

    Yes, I’m talking about Mozilla.

    Example:

    Bug 251382 (http://bugzilla.mozilla.org/show_bug.cgi?id=251381) is reported at 2004-07-14 08:10. It is a major security issue. Fixed? 2004-08-03. See http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2

    Another major security issue:

    Bug 250180 (http://bugzilla.mozilla.org/show_bug.cgi?id=250180) is reported at 2004-07-07 06:46. It’s a major security issue about the shell protocol handler. FIXED THE SAME DAY. See http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.1

    I rest my case.

  11. Anonymous says:

    I’ve installed SP2 on two machines at work (Dell GX270) and the whole process was very smooth. All my software is still working great (Opera 7.54, Firefox 0.09+, Mozilla 1.8a2, FeedDemon, Homesite+, Slimbrowser, Maxthon, etc). It is good to finally have a built in popup blocker in IE and the Add On Manager is a good (and needed) feature too. The only software that created a warning dialog that I had to respond to was WS FTP LE. One click and it was working as good as before.

  12. Anonymous says:

    Turnip, this serious spoofing vulnerability hasn’t been fixed in Mozilla for FIVE years: http://secunia.com/advisories/12188/

    Quote

    description:

    A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

    The problem is that Mozilla and Mozilla Firefox don’t restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

    The Mozilla user interface is built using XUL files.

    A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

    This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

    NOTE: This issue appears to be the same as Mozilla Bug 244965.

    end quote

    Proof of concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html (if using Mozilla or Firefox)

  13. Anonymous says:

    Starman, maybe it’s been fixed in 0.9.3 b/c the "exploit" is quite obvious to me. My menubar and location bar appeared as they should directly above the fake ones.

  14. Anonymous says:

    Starman,

    Omigod! I can’t believe you are talking about the limited number of Mozilla bugs when IE has had them for YEARS! I can’t even count the number of SSL exploits in IE! And one of the recent exploits to Mozilla was due to the underlying architecture of Windows being inherently insecure; the bug did not affect other systems.

    They followed Windows development guidelines and POOF… insecure! Why?!! Because Windows has an inherently insecure way of handling system calls. That bundled with a browser that’s built into the system makes IE Windows’ worst security nightmare!

    Oh and by the way, they patched those exploits already. One of them was patched the same day it was found. In fact, they work to patch all security holes as soon as possible. Is this the same with Microsoft? HELL NO!

    Many a time a security expert has notified Microsoft of errors in their browser only to have Microsoft ignore them time and again. When do they fix it? When millions of machines start going down!

    Mozilla fixes it before it even happens and usually in a period of 24 hours.

    You are dreaming if you think IE can even compare on security with Mozilla. But don’t worry… we’ve sent Microsoft a wakeup call. :)

  15. Anonymous says:

    Glad to see these changes…but I’ll only consider IE to be secure once it’s separated from the OS (completely! as in, I can remove it from my computer and my computer will still do everything else other than browsing with IE)…I don’t *want* a browser tucked into the OS – I just want an OS…

    …and once I see the future fixes (and there *will* be future fixes) being turned around in a Mozilla-like timeframe…it just shouldn’t take Microsoft being pushed to the "edge of the cliff" to make it get up and do what should have been done from the beginning.

    If these 2 things happen, I might even *choose* to download and install a future IE :)

  16. Anonymous says:

    For the record, I was joking about our "innovation" around popup blocking. I know we’re late to this party, although I do think our implementation is very good.

    With respect to whether IE in XP SP2 is more secure than other browsers, it is truly my belief that at this point in time, we are. It’s certainly likely that someone, some day will find a critical vulnerability in XP SP2; I would not be so arrogant to believe otherwise. But today, we don’t have any known open critical vulnerabilities. In any case, it’s definitely the most secure browser we’ve ever built and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.)

    Should we have been more secure from the beginning? Sure, it’s easy to say that now. When IE was first developed, compatibility and user experience were more important; whether this was the right choice is somewhat academic and unimportant now. We are absolute dead serious about security now. It’s permeated everything we do, and we’re willing to impinge on the user experience and app compat if needed. Our work in XP SP2 is the first real demonstration of this new mindset.

    Anyway, it’s good to see people are reading this blog… :)

  17. Anonymous says:

    Just saw this article on Neowin: "Firefox has more security holes than Internet Explorer?"

    http://www.neowin.net/comments.php?id=23124&category=main&zx=2542c9d0deeb1f09140206854

  18. Anonymous says:

    Tony, I don’t think looking at past decisions is "academic and unimportant now."

    Microsoft has taken what used to be credibility and good will with its customers and has run them both into deep sh*t…

    …this SP2 spectacle is a great start, and I applaud you, but Microsoft has gone so far for so long, that every one of your business customers is looking at you with an intensity unparalleled in the past…your *future* decisionmaking processes better be better than those in the past…so it is anything but "academic and unimportant now" to see what was a long series of mistakes, and to do better with your customers, FOR your customers, in the future.

  19. Anonymous says:

    Yep, 10 but not all severe. Microsoft’s were ALL severe. And naturally you are going to find more security holes in a product where everyone can look at the source. That’s half the point; getting everyone to look at the code and find those holes so they can be shored up early on… instead of hiding your flaws in proprietary code that no one can look at only to find out that there were perhaps hundreds of exploits and flaws.

    More eyes on it makes for a better product.

  20. Anonymous says:

    Hi Tony, good to read this, so now users of Windows XP SP2 may be confident for sometime on Internet Explorer, OK but I’m using Windows 2000 at work … (and I don’t use Internet Explorer) so what’s the roadmap? And what’s planned next: web standards? Truly? Really?

  21. Anonymous says:

    The IE weblog makes me laugh <Anne’s Weblog about Markup & Style>

  22. Anonymous says:

    "and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.)"

    I find this funny coming from a Microsoft employee. Microsoft has only ever been about taking other people’s ideas. And if other people’s ideas aren’t up for the taking, Microsoft buys them out.

    Example:

    http://joelonsoftware.com/items/2004/07/19.html

  23. Anonymous says:

    This is all enormous conspiracy of capitalists to scare workers from internet.

    According to the comments I read on this blog, Microsoft is filled with really stupid and lazy people who somehow pull off one of the most brilliant and well-executed conspiracies to dupe the world.

    In the meantime, a small set of hobbyists, in their spare time, with no concern for app compat or even people who they deem too stupid to understand how good their work is, are going to save the world.

  24. Anonymous says:

    Tony,

    Thank you for the hard work you’ve done with SP2!

    It’s a big relief that everyone can recommend IE again regarding security and privacy. Sure it will take a while until people and media will fully trust IE again, but even hardcore Mozilla users will have to admit that you have done a fantastic job with SP2.

    As a company that builds research tools solely based on Internet Explorer (www.contentsaver.com), we’re very happy that the platform we rely on now is finally secure and updated again. We’re looking forward to future IE improvements like the superbly designed and implemented pop-up blocker in SP2. Our users and all IE users in general will love it!

    Thank you and congratulations!

    Roland

  25. Anonymous says:

    However for those using Win 2k, you’re out of luck. Keep downloading patches, and for critical stuff IE ain’t going to be your browser.

    Yeah I have another box on XP and yes I will be adding SP 2 for it.

  26. Anonymous says:

    Oooh… small set of hobbyists? Hmmm… from latest accounts from analysts from within and outside the open source movement, the number of people working on popular open source projects at any time usually is 3-5 times that of Microsoft developers.

    So unless Microsoft has people who can do the work of 3-5 people, their product is always going to be crap.

    Oh but they are geniuses you say? So… so are a lot of developers. It’s why they go into this field because everything else is boring as hell!

    Let’s remind you that the number one web server on the market right now is STILL Apache (with 70% of the market). Is it unsecure and unstable because it’s done by hobbyists? Hell no. In fact Microsoft’s IIS is known to be one of the buggiest and unsecure web servers out there.

    Hmmm… leading me to believe that yes, maybe you are right. Maybe their developers ARE all lazy and stupid. After all, a multi billion dollar company like Microsoft (with unlimited resources) cannot even beat a web server created by HOBBYISTS??

    Hang your heads in shame Microsoft. Beaten by a bunch of silly hobbyists :)

  27. Anonymous says:

    Thoughts from Joe Firefox-User:

    "I don’t use IE, so IE security updates, such as SP2, don’t apply to me. I won’t bother installing them."

    This is why web browsers should not be integrated with the operating system.

    Also, does this thing show PNGs properly yet?

  28. Anonymous says:

    Owen,

    Since my WIN2K machine doesn’t get a patch to IE, I’m going to leave it up in hopes it becomes a zombie and starts DDOSing Microsoft. :)

    It’s also funny that whenever they get hit by DDOS attacks, that they have to rely on Linux; the second large DDOS attacks hit Microsoft, they tell Akamai to act as a gateway and all of Akamai’s machines run Linux.

    Yet another example of how ‘hobbyists’ make a better product. Hell, one could say that it’s the hobbyists that are pulling Microsoft’s butt out of the fire time and time again. Which reminds me, when did they switch all their hotmail servers off of Linux?

  29. Anonymous says:

    Wasn’t the world wide web a hobby project by Sir Tim Berners Lee? After all, he gave that away for free. Damn hobbyists… always out thinking Microsoft. :)

  30. Anonymous says:

    "We also came up with a very original idea – popup blocking." Hee-hee. The IE blog doesn’t just give a peek into…

  31. Anonymous says:

    Call me a cynic, but I don’t think that "popup blocking" remark was intended as a joke until it had to be defended. The context conveys it was serious, and many folks who don’t know anything about alternative browsers will take that seriously (which could actually be misconstrued as a form of false advertising).

    Altho, I admit it cracked me up better than a 7.9 earthquake.

  32. Anonymous says:

    It’s also funny how Microsoft see these hobbyists as their biggest competitors.

  33. Anonymous says:

    I installed SP2 already, no real problems encountered yet. Apart from my firewall (kerio) and my antivirus (kaspersky) not being recognized by security center. But judging by the ‘firewall’ you haven’t got a clue about security. You just don’t get it. This is not a firewall. This is intrusion detection. Which seems to work ok, apart from an open ident port (113). But there is no control of outgoing connections. Furthermore, applications can control the firewall and change exception rules. So once a trojan is inside, it can do virtually anything. It can switch off the firewall. But more sneakily, it can change the exception rules. So it can easily turn my computer into a zombie spam server, for example. With windows blissfully unaware of ANYTHING.

  34. Anonymous says:

    This has to be one of the most insulting posts I’ve read in a long time, and I hope it’s not indicative of the general attitude within Microsoft. Writing off open source developers as "hobbyists" (I wouldn’t call the engineering staff of the Netscape lineage "hobbyists"), claiming invention over pop-up blocking (if that comment was made in jest or with tongue in cheek, then the author really needs to learn how to emote better using only text) … I think it’s time Microsoft learnt some humility. Or don’t they remember how many staff they had to pull off Longhorn to get this service pack out of the door with some measure of security built into it …

  35. Anonymous says:

    Thanks Tony for the update. Like François I’m interested as to what the direction of the IE team is going to be now. Any enlightenment forthcoming?

  36. Anonymous says:

    "If you are just about to be one of those that adds another ‘I can’t believe Microsoft is to have invented the popup blocker’ comment, then don’t.

    He was j-o-k-i-n-g ! "

    And it was a completely lame, retarded, distasteful, and inappropriate joke for anyone to make within Microsoft.

    These posts continue to be pathetic and show no signs of any understanding.

    That’s the point. IE has gotten so bad it’s not funny. Tony should be apologizing, humbly asking for our business, not making asinine jokes.

    And I and many others don’t give a sh!t about SP2… We won’t run it for many months on XP and many of us still run 2000. We don’t like you rolling necessary fixes into an OS "fix."

    Get some humility, IE team, or all of your efforts will still be reviled.

  37. Anonymous says:

    > Call me a cynic, but I don’t think that "popup blocking" remark was intended as a joke until it had to be defended.

    If you look carefully, there is an errant ‘J’ after that statement. Check the source code. What Tony/this weblog’s software has done is include a letter J, and pick the Wingdings font to try and convert it into a smiley. That’s an utterly stupid hack that often doesn’t work.

    What Tony/this weblog’s software _should_ have done is use the actual smiley character, U+263A, which lets browsers pick a smiley from any available font, and isn’t the letter J at all.

    So the entire tone of the sentence has changed because they couldn’t write correct HTML. So people flame Tony for blatantly lying. Meanwhile, those people that actually saw the smiley see people flaming Tony for trying to make a lighthearted joke.

    You see why writing correct HTML and having browsers interpret it correctly is important?

  38. Anonymous says:

    Jim,

    Heh. Preaching to the choir Jim. I think we’d all like the IE developers to support W3C standards for pretty much everything. But will it happen? Doubtful. I’ll believe it when I see SVG in IE.

  39. Anonymous says:

    Good catch Jim.

  40. Anonymous says:

    Service packs and security releases will come and go, but it’s the thought process that needs to change. The font-face fiasco is a symptom of a much larger problem. Learn how intelligent developers make wise choices to ensure interoperability:

    http://bugzilla.mozilla.org/show_bug.cgi?id=194560

  41. Anonymous says:

    Glad the SP is done and released I love it and who really cares who invented popup blockers (that’s infantile) I am still analyzing all the changes and improvements (yup improvements) but, I will say this is definitely the best SP Microsoft has released. Too bad for the crakware, hackware, rubbishware that won’t work for a while (or perhaps forever in some case I hope so) they are no loss and some is software I have protested against people installing. Everything I have and use is working just fine and I can feel a little more comfortable using IE again that’s a bonus!

  42. Anonymous says:

    Off Topic – Tony I read today on ZDnet.

    http://zdnet.com.com/2100-1104_2-5304259.html

    Since you cannot respond – at least consider this:

    Considering the long wait between XP (2001), and Longhorn (I don’t want to admit it – 2007), is it truly reasonable to wait 6 years for a new browser, and then have to wait another 4 to start relying on the features from the Longhorn install base (assuming IE is Longhorn only). That’s 10 YEARS.

    1) Is this a truly reasonable proposition for ASP.net developers?

    2) Would this be a reasonable proposition for any other Microsoft product?

    3) Why are development products such as Whidbey and Longhorn made public, but IE development is closed. (Notwithstanding this blog – which is great).

    4) Why do any comments made by MS regarding IE like in the article above consider only the ‘clients’ point of view and not the developers?

    I could go on and on and on. I’m guessing that IE on Longhorn will rely much on the major security enhancements and new infrastructure (Avalon) to achieve most upgrades in rendering. I know that porting backwards would be very difficult. That’s understandable. However, if you don’t port backwards to XP (I can understand backporting to ONLY XP – that’s reasonable) – you’re not helping us at all. Considering XAML apps and their web friendly nature – helping web developers is probably not in your best long-term interest anyway. How easy would it be for us to jump to XAML in practice – but not in deployment.

    Why should I type another line. It’s like voting. It doesn’t matter.

  43. Anonymous says:

    "And one of the recent exploits to Mozilla was due to the underlying architecture of Windows being inherently insecure; the bug did not affect other systems."

    So you’re saying the URI RFC is inherently insecure? That’s probably true (more like, it’s not concerned with security), but it’s still not an excuse for Mozilla to just pass unknown URI’s to a different context.

    "Microsoft has only ever been about taking other people’s ideas. And if other people’s ideas aren’t up for the taking, Microsoft buys them out. (Example of Lookout posted)"

    Pretty much all software companies these days take ideas from their competitors. As for Lookout, obviously the idea _was_ up for the taking if the owners agreed to the buyout. One of the co-owners is now part of the company.

    "but I’ll only consider IE to be secure once it’s separated from the OS (completely! as in, I can remove it from my computer and my computer will still do everything else other than browsing with IE)…"

    First of all, I assume you’re expert enough about IE to know what separating it from the OS would mean? But please explain to me how that will increase its security. Honestly curious, I don’t consider myself an expert.

    Second of all, it’d be impossible to remove it now without breaking thousands of apps which rely on IE for html rendering. Unless those fine people at Mozilla can write their own version of mshtml.dll (that would actually be neat).

  44. Anonymous says:

    Domovoi,

    You know… I would TOTALLY be up for a Mozilla version of mshtml. That’s a fantastic idea. It’d keep me on Windows a bit longer, that’s for sure.

  45. Anonymous says:

    If you’re hankering to understand the changes introduced by Windows XP Service Pack 2, you might want to take a look at the TechNet document dissecting the update, and also spend some time reading Tony Chor’s higher-level description. (Chor is…

  46. Anonymous says:

    Domovoi,

    Allow me to explain how separating IE from the OS increases security:

    1. IE (or at least the render engine) is used by a variety of programs.

    2. IE is built into the system.

    3. IE has unrestricted system access

    4. IE is just about everyone’s main interface with the web/internet

    Do you see the insecurity yet? But wait… I’m not done. When you add ActiveX into the mix, a Microsoft standard that allows IE greater access to your system, you are playing with fire.

    But to be more precise, allow me to quote this online article (amongst 20 that are saying the exact same thing):

    "….That exploit — Adodb.stream — has not been viewed as particularly dangerous, since it only works when the file containing the code is present on the user’s hard disk. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions.

    By using the unknown exploits, code is installed within the help file window, all security efforts are bypassed, and the Adodb.stream exploit is then used to download files on the Internet direct to the hard disk.

    What this means in reality is that if you click on a malicious link in an email or on the Internet, a malicious user can very quickly have complete control of your PC. And there is no patch available… "

    Microsoft DID issue a patch but it did little good as all it took was changing 5 characters in the code to get it working better than before.

    The latest version of IE has certainly accumulated an impressive record of holes: 153 since 18 April 2001. Now even spyware creators are making use of these flaws! It’s gotten to the point that Microsoft cannot patch them as fast as they come in and when they patch them, they create all new holes to walk through.

    In fact, the zero day vulnerability was a MYTH until IE proved it feasible!

  47. Anonymous says:

    Tony Chor, the Group Program Manager for the IE team, writes: We also came up with a very original idea popup blocking. The idea was so ridiculous I knew it had to be a joke. And it was, when…

  48. Anonymous says:

    The Internet Explorer team at Microsoft has a blog. It’s not too active yet. Still it’s an example of why I like blogs so much. I mean: how else and where else could I get up to the minute information about what’s going on with a product that affects me a lot? It’s great!…

  49. Anonymous says:

    That popup blocking thing is just funny. I think I put popup blocking in Juice about 1 1/2 year ago and in the Opencola browser more than 2 years ago. And there was a few blocker blockers even before then.

  50. Anonymous says:

    Reading this weblog has rendered me into a state of hysteria.

    It just gets better when they claim that popup blocking is an original idea. And don’t tell me that that was a joke. Everything else in that paragraph was very serious. (or maybe it wasn’t, I mean, who ever thought IE doesn’t allow "sites [to] change your home page without a user click?")

    The idea of a virus that installs real browsers on computers(, etc.) is a damn good idea.

  51. Anonymous says:

    "In any case, it’s definitely the most secure browser we’ve ever built and has innovations that our competitors deem worthy of copying (e.g. the cloning of our Information Bar in Firefox.) "

    Oops… I had forgotten about that. I take back what I said about "useful innovation" in one of the older blog entries. You guys are indeed innovating once again.

    Wait a minute. That’s only in the nightly builds. I guess you guys are keeping an eye on the firefox development too, right? :)

  52. Anonymous says:

    Any changes to html/css parser?

  53. Anonymous says:

    Nudes vs. Prudes: westerners demand Baltic resorts cover up. [:(]
    "Trying to play God with your bowels": 60 second time limit in ladies’ toilets. [:o]
    Windows SP 2: IE changes in brief, All changes [BX :(]
    Lost Virginia Woolf essay… for the Good Housekeeping magazine…

  54. Anonymous says:

    > Off Topic – Tony I read today on ZDnet.

    >

    > http://zdnet.com.com/2100-1104_2-5304259.html

    >

    > Why should I type another line. It’s like voting. It doesn’t matter.

    > lynn eriksen

    Exactly, all we seem to do here will end up in longhorn and maybe xp, the rest of us don’t matter to MS anymore. We’ve paid way too much for windows 95, windows 98 and windows 2000 that a free secure IE costs too much for mister $billions.

  55. Anonymous says:

    Quote:

    "And it was a completely lame, retarded, distasteful, and inappropriate joke for anyone to make within Microsoft.

    These posts continue to be pathetic and show no signs of any understanding.

    That’s the point. IE has gotten so bad it’s not funny. Tony should be apologizing, humbly asking for our business, not making asinine jokes. "

    I think Microsoft should be more tongue in cheek about things like their pop-up blocking!

    Did anyone see the Skoda adverts (shown in England over the past 2 years or so)?

    One example was someone working in a factory with the job of putting a Skoda badge on the front of a car…and refusing to do it because he thought it was an insult to the car.

    Until Microsoft comes up with similar advertising, they will always be stuck with this image of producing bad software. (oh and until they stop producing bad software as well!)

    Who else is up for “my wife uses Mozilla” or “my other browser is GPL” bumper stickers?!

  56. Anonymous says:

    Microsoft is playing catchup with security, and they are still WAY behind. If you want a browser that IS secure and truly innovative, and that doesn’t do sneaky things behind your back ("index.dat" anyone?), then try (or at least LOOK at) Mozilla Firefox: http://www.GetFirefox.com 😉

  57. Anonymous says:

    >Who else is up for “my wife uses Mozilla” or “my other browser is GPL” bumper stickers?!

    Hell yes :)

  58. Anonymous says:

    Quote:

    "IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser"

    Oh, please. A browser which is embedded deep into the operating system is infinitely more vulnerable than a browser which runs as a normal program in a normal user context. That’s a no-brainer, surely.

    How long do you think it will be before a new ‘critical exploit’ is discovered? Also, how many exploits are *still unpatched* but not categorised as ‘critical’?

    I see you used the phrase ‘pretty much any other browser’. I take it you must mean ‘more secure than IE4, IE5, IE5.5 and IE6 SP1’ because Mozilla browsers (e.g. Firefox) have inherently better security than IE and offer users a much greater level of protection and control over their privacy.

    Stuart

  59. Anonymous says:

    Heh. What about Windows 2000 users? What about Windows 98 users? It’s just a joke. IE doesn’t support the HTML, XHTML, CSS standards quite enough.

    Is this without security holes, all "critical" security holes are closed? It’s a joke again, because there are a lot of really critical holes that Microsoft hides, and says they’re not critical.

    It’s a nice step, but nothing really useful.

  60. Anonymous says:

    "We also came up with a very original idea – popup blocking"

    I got pointed to this bit of nonsense by someone else. First reaction: "What the heck?" Second reaction: "What the heck?"

    Please, don’t post this nonsense. Other browsers have had this for a while already. It’s nothing new and any decent browser should have it. … hmmm, decent browser: no wonder IE didn’t have it yet 😀 😀 😀

    And I agree on the security stuff: IE will not be more secure than any other browser, ever. Unless you make it unable to go on the net, that’ll help.

  61. Anonymous says:

    I want tab browsing in IE and also default popup blocker.

  62. Anonymous says:

    > Oh, please. A browser which is embedded deep into the operating system is infinitely more vulnerable than a browser which runs as a normal program in a normal user context.

    Did I miss something here? IE runs as the local user, not "embedded deep into the operating system". Select something other than explorer.exe for your shell, run no programs that use IE’s services, and IE will never load. Exploits on IE’s side are mostly serious because you insist on running as local Administrator, not as a limited user account. No IE exploit is ever going to result in a local privilege elevation.

    There’s nothing ‘inherent’ in Firefox or Opera that make them more secure than IE. Once Firefox reaches a critical mass, the hackers will go to work on them, just as they have for Linux.

    SP2 is really nice, and I wouldn’t go back. The security updates are more than welcome. If you elect to use Firefox/Opera, that’s your choice; for the rest of us, I think some praise for closing these holes is in order.

    Now, for an encore, how about CSS?

  63. Anonymous says:

    > > Oh, please. A browser which is embedded deep into the

    > > operating system is infinitely more vulnerable than a browser

    > > which runs as a normal program in a normal user context.

    > Did I miss something here? IE runs as the local user, not

    > "embedded deep into the operating system".

    Yes you did. IE runs if you use Windows Help & Support, Windows Media Player, and Outlook, Outlook Express among others – and all of these have had critical vulnerabilities because of IE.

    > run no programs that use IE’s services, and IE will never load.

    Easy for you, less so for Jane User. Or don’t ordinary users count?

    > Select something other than explorer.exe for your shell

    Ah, I see. And this is easier than using a secure browser, is it?

    > Exploits on IE’s side are mostly serious because you insist

    > on running as local Administrator, not as a limited user

    > account.

    Well, I don’t. But then I don’t use IE, for the same reason.

    > No IE exploit is ever going to result in a local privilege

    > elevation.

    Brave words!

    > There’s nothing ‘inherent’ in Firefox or Opera

    > that make them more secure than IE

    There is – they do not support ActiveX.

    > Once Firefox reaches a critical mass, the hackers

    > will go to work on them, just as they have for Linux.

    Bring it on.

    > Now, for an encore, how about CSS?

    Dream on. If you wanted MSCSS on the other hand..

  64. Anonymous says:

    Well Mozilla is moving towards replacing ActiveX altogether by being the first to implement the W3C’s Xforms standard into their browser

    http://www.mozilla.org/press/mozilla-2004-08-10.html

    Of course, all Microsofties may say that ActiveX does far more than that… and it does. But XForms replaces only what it NEEDS to do as far as the browser is concerned. It’s a little thing that we people outside of Microsoft call security… but I don’t expect Microsofties to get it.

  65. Anonymous says:

    responding to Domovoi:

    No, I’m not an expert, but for me the issue is equally about *choice*. Right now I get IE shoved down my throat if I buy Windows (and if you’re in the market for a "consumer" computer, you’re going to find a hell of a lot of Windows machines offered). I cannot remove IE, if I choose to, I cannot go to the Windows Update site except with IE, as a consumer I cannot protect myself from IE: I’m stuck with ActiveX, whether or not I like it, etc.

    On the other hand, I *CHOOSE* to use Firefox, to use Mozilla, to use Opera, etc. and having the *CHOICE* is what *real* competition is all about! At least 2 non-Microsoft entities have been able to write capable, feature-rich browsers that *DO NOT* toy with the entire computer.

    Are they perfect? No. Do they also have security issues? Yes…but generally speaking, these 2 entities (with FAR less resources than Microsoft) manage to close holes within an astoundingly short period of time, and do a much better job of advertising their security issues and fixes to the *general* public than does Microsoft.

    As far as breaking thousands of apps that rely on IE, well not to sound uncaring, but…that’s not my problem. I am able to do my online banking entirely with Firefox, because my bank has coded its secure site correctly – it’s not just tied in with the proprietary financial self-interest of large corporations such as Microsoft…it seems just plain shortsighted, from a purely business point-of-view, to code *ONLY* for IE, because nothing on this Earth lasts forever, not even IE – for every app that relies on IE, there *will* come a day when its reliance on any single browsing platform (be it IE or otherwise) will come back to bite it in the…(well, you get the idea) – that’s the beauty of *STANDARDS* (a somewhat foreign concept to the folks at Microsoft)

    For more info on IE *in*security from someone who obviously knows more than I do, see Owen’s comments responding to you.

    I should say, in the interest of fairness, that I *like* how IE displays pages, and I wish I could trust it more than I do…but it’s just too difficult to deal with from so many different points of view…it’s sad…

  66. Anonymous says:

    "IE in XP SP2 stops all currently known critical exploits, so it’s a heck of a lot more secure than pretty much any other browser."

    Amazingly arrogant :(, to the point of unbelievable.

    You people (IE team) keep saying this, that it’s becoming really annoying. The sentence above should have read "…heck of a lot more secure than any other version of IE". That is all you can claim.

    Other than that, congrats on new version. It’s good to see that IE is back in development, no matter what it is.

  67. Anonymous says:

    > Yes you did. IE runs if you use Windows Help & Support, Windows Media Player, and Outlook, Outlook Express among others – and all of these have had critical vulnerabilities because of IE.

    IE provides a HTML rendering and browsing environment to these applications. If you replaced IE in these applications with, say, Gecko, you merely exchange one set of vulnerabilities for another. If you want to rage against the trend for using HTML in applications, this is not the place; if you wanted to argue that IE was inherently bad, you failed.

    > Ah, I see. And this is easier than using a secure browser, is it?

    Your point was that IE was not running under the logged-in user’s context. I don’t recommend replacing your shell; I merely pointed out that you were wrong in that respect.

    > Brave words!

    Think about it before you reply next time. How do you get a local privilege elevation without a) a vulnerability in a service or b) a bug in the OS security subsystem, not an application?

    > There is – they do not support ActiveX.

    ActiveX is not inherently insecure, any more than DHTML or Java is, and I don’t see you recommending we switch to Lynx. Some ActiveX controls have vulnerabilities; there have existed vulnerabilities in IE’s implementation of the ActiveX interfaces – but in and of itself, ActiveX is orthogonal to security. It’s not necessarily the best solution to the problem, but IE supporting ActiveX doesn’t make it insecure.

  68. Anonymous says:

    >SP2 is really nice, and I wouldn’t go back. The security updates

    >are more than welcome. If you elect to use Firefox/Opera,

    >that’s your choice; for the rest of us, I think some praise for

    >closing these holes is in order.

    Why should we praise them for closing the security holes? They should’ve never been there in the first place. Ok, I know, it’s practically impossible to have a totally secure program, so it comes down to judgement about whether they made a proper effort with security in the first place, but most people think not.

    And it seems that Tony Chor agrees:

    "Should we have been more secure from the beginning? Sure, it’s easy to say that now. When IE was first developed, compatibility and user experience were more important"

    I’ll just let that quote speak for itself.

  69. Anonymous says:

    Sunlight,

    Gecko is better because it doesn’t use ActiveX, has more developer eyes on the code at all times so it is more likely exploits will be found and patched quicker and isn’t called by EVERY single Microsoft App.

    ActiveX is inherently more insecure because it adds a layer to the browser that gives greater access to the machine itself and applications on the machine. And Javascript and Java have this potential too but because they are open standards, they can be controlled more easily than a closed standard that isn’t used or supported by the W3C.

    The problem is this… Microsoft doesn’t like to stick to industry standards; they like to create their own (or their own little versions) and then try to muscle everyone into using their versions. Since Microsoft is known for its security (or lack thereof) no one adopts their standards. If all Microsoft products were so great, how come C# is so low on the Tiobe Programming index (and sinking fast too I might add).

    The fact is that Microsoft started off as a desktop company and will always be a desktop company. They want your desktop to run everything, have everything built into the system and have everything interact. That’s just one giant recipe for disaster. They have the right idea, but VERY VERY poor implementation.

    Just last month Microsoft Money crashed and people couldn’t access their bank accounts from their systems for 4 days! That and the fact that IE was sharing financial information with unknown sources should make everyone scared about how Microsoft handles security.

    And contrary to popular belief, they have still yet to patch download.ject exploit… and won’t be able to without causing half the programs that run on Windows to break; it works through a shell call.

  70. Anonymous says:

    I hope it is striking to Microsoft that so many smart people with smart arguments discount their efforts, strategies, and products. Even with the natural dogpile that looms when Company #1 makes an announcement, there is much that has been articulated here that demands a meaningful response. I gather the meaningful response is an OS and a couple of years away.

    At my office I’m seen as some sort of sorcerer just for pointing people toward Firefox. When people find that IE alternatives exist, in my experience they simply leave IE and feel great relief that their life has been made easier.

    I’m not putting IE in the trash folder – dumb acceptance of users can mean dumb acceptance by web designers – but it’s a web-page or two away from total worthlessness to my life and productivity.

  71. Anonymous says:

    Great browser – excellent improvements in SP2. I’m typing this on Firefox, but IE is now (finally) a safe browser to browse with. Perhaps, can Microsoft use the Gecko engine, though? It’s a bit frustrating when pages don’t load properly on Internet Explorer.

  72. Anonymous says:

    i use the Microsoft.XMLHTTP object extensively in client-side scripting. is this control unsigned? is there any particular reason that it is unsafe and disabled by default?

  73. Anonymous says:

    Heh. I think you just answered your own question with ‘disabled by default’. :)

  74. Anonymous says:

    Chun,

    Um… hate to tell you this but the download.ject exploit still isn’t patched; in fact it can’t be patched without causing 50% of Microsoft apps to fail.

  75. Anonymous says:

    Oops… I’m sorry. I mean the SCOB exploit. Get those two confused because they were used in conjunction with each other in the latest series of attacks to grab financial information and credit card info off of home users’ systems.

  76. Anonymous says:

    Hi Sunlight

    > > I said:

    > > IE runs if you use Windows Help & Support,

    > > Windows Media Player, and Outlook, Outlook Express

    > You said:

    > IE provides a HTML rendering and browsing environment to

    > these applications. If you replaced IE in these applications

    > with, say, Gecko, you merely exchange one set of

    > vulnerabilities for another.

    But that’s not the case – these applications use the IE webbrowser control to script (possibly instantiate?) ActiveX objects. That is not ‘HTML rendering’. If all IE did was render HTML there would be far fewer problems, don’t you think?

    These two vulnerabilities, for example, are old IE vulnerabilities which were (and probably are still) used to propagate viruses through Outlook/OE without user interaction:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

    http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx

    Best wishes,

    Stuart

  77. Anonymous says:

    The SP2 version of Internet Explorer 6 blocks my local start page JavaScript and a secondary page I have embedded via an OBJECT element, so my menus are broken and I can’t see all of my own content every time I load the page.

    It might be nice if I could permanently authorize these pages without authorizing all potentially threatening local content. Until then, Internet Explorer now annoys me 100% of the time I start it before I even get past my start page.

  78. Anonymous says:

    Sure IE has issues but does it do you or the IE team any good to express your problems with rage or hostility? No.

    I guess the word civil in civilization no longer has any merit or meaning in America?

    I have problems with the IE browser and I will admit it. I don’t like the incompatibility with standards and much of the things already harped about here. Will the IE team accept my response if I yell about it, or will they be more open if I simply talk about it in a calm manner? I think if I were on the other side of the fence I would choose door #2.

    You also have to understand the way things work in a company like Microsoft. Mozilla’s only function is to work on its browser. They don’t deal with things like OS security, or deal with the OS on a deep level. This keeps their coders focused on one thing and one thing only: one product.

    Microsoft on the other hand is working diligently on Longhorn. The majority of their programmers are hard at work making that the best Windows platform yet (and it will be comparably). This means that while you have say 50 or so people working on the SAME VERSION of Mozilla you have x number of people at Microsoft working on the NEXT VERSION of IE. You compare apples and oranges if you try to compare the 2 camps this way.

    Now let’s get personal a minute. Say you have a company that is hard at work on version 2 of their product. You find out that you need a ton of security fixes pronto for version 1 of the product. Your coders have been doing so much work on version 2 that it’s a learning curve to try and rethink how to update version 1. You don’t have the resources to have a version 1 team AND a version 2 team so what do you do? You pull your coders off of version 2 to work on version 1 but you realize that there’s a lot of work to go into making version 1 the best it can be. You do as much as you can knowing there could be more done and you move on in hopes that possibly version 1.5 or 2 will blow the pants off version 1.

    I’ll give you another analogy. Should you be pissed at the private who is following orders or the General who gave the order to burn the village? The majority of people posting to this blog and using it from the IE team are privates in Microsoft’s army. There are generals who have given them orders and they are the ones you should be frustrated with, if you really think being angry does any good to anyone.

    IE Team: Keep up the good work guys. Get some sleep, you deserve it.

  79. Anonymous says:

    A bit further up the page Mr Scoble wrote:

    "Just saw this article on Neowin: "Firefox has more security holes than Internet Explorer?"

    http://www.neowin.net/comments.php?id=23124&category=main&zx=2542c9d0deeb1f09140206854"

    I just had to respond 😉 I hope Robert that you took the time to read the responses, particularly down as far as the one that pointed out that in terms of criticality IE was much worse. It must have taken a lot of effort to find that 4 month period because taken over a 12 month period IE does not fare so well – in fact if IE were not a Microsoft product the company producing it might well have gone bust (isn’t that what happens after years of neglecting a product – for small companies anyway).

    Slightly OT:

    I was tempted to hint that if Microsoft released the IE source code under a reasonable open license that a lot of the missing features would be added very very quickly – but having thought about it a little more I came to the conclusion that if Microsoft has trouble finding people brave enough to face the IE source then nobody is going to volunteer their own time to do it. I don’t mean to cause offense to the new IE team, I think you’ve got a great opportunity lined up for you here but ignoring older Windows OS’ and concentrating on a product 2 years in the future will not do you any favours.

    While I believe a lot of the reactions here are a little severe you MUST be able to understand *why* people are reacting the way they do. If you are honest with yourselves as developers how long does it *REALLY* take to add proper support for PNG? Yes I know it’s very optimized but does that really make it impossible? If Microsoft has sense, and there is some reason to believe there is a little in there somewhere, J, :), it will release 6.5 before or just after Christmas this year which is when I reckon the loss of desktops using IE will become really noticeable (unless that’s the plan – let it die without losing face).

    😉

  80. Anonymous says:

    There are several Trojans named SCOB, including one that is more commonly called Download.Ject. See the CAN-2004-059 advisory (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549) for details.

    See Secunia for more details on variations (http://secunia.com/virus_information/10628/) and on the original zero-day exploit (http://secunia.com/advisories/11793/).

    Microsoft is reporting that Download.Ject / CAN-2004-059 is fixed by the MS04-025 security update (http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx).

    If you think Download.Ject isn’t fixed by MS04-25, can you give a link that backs you up?

  81. Anonymous says:

    I use Firefox and I’m happy.

  82. Anonymous says:

    Mozilla Rulez …

  83. Anonymous says:

    Yes, very original. Like other Microsoft inventions.

  84. Anonymous says:

    Tony Chor is the Group Program Manager for Internet Explorer. I’d imagine he has a team of at least 20-30…

  85. Anonymous says:

    We also came up with a very original idea – popup blocking. <– haahah look at me I’m so funny!!!

    Bet you could have fixed a couple of important (X)HTML/CSS issues in the same time you wrote this article…

  86. Anonymous says:

    Was just looking at a web site that Sammiches recommended on the basis of a quite cool strikeout feature for links you’ve visited, when I came across this blog by Tony Chor, Group Program Manager for IE team, which contains…

  87. Anonymous says:

    unbelievable as this may sound, for many of the ie blog comment trolls, a lot of people who use computers don’t read ./ everyday, haven’t got the time or inclination to learn what css or xhtml is. They want to browse the internet. And these aren’t just gran + grandpas, these are lawyers, doctors, professors, people who aren’t technical, but are equally and more intelligent than people proclaiming the answer lies in open source.

    These people aren’t going to find bugs by looking at source code. Nor will they be getting nightly builds or getting the latest source from cvs.

    So I fail to see how the open source model will be our hero for browsers. The problem is partly from MS not updating regularly enough, but mainly from people who haven’t updated their OS.

    And on the subject of ‘hobbyists’…all but the profitable open source projects are done in people’s spare time (which probably means around 6-8 hours a week of programming). That’s a lot fewer people working fulltime on open source than the 30,000 or so MS developers/programmers. Plus those 3rd party companies who rely on MS products for their business… When you program for a living (which clearly Owen doesn’t) you have 35-40 hours a week, and you have the concept of time to market (okay MS don’t really pay much attention this) and return on investment. And paying the rent. And buying food + beer.

  88. Anonymous says:

    owen – i missed the humor in your response. (?)

    to anyone else interested, XMLHTTP is not disabled but ‘blocked’ and only if run from your local machine. it is not blocked if run from the internet in the default security zone. it may be unblocked locally in source by adding a ‘mark of the web’ comment as shown here:

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx
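
The "mark of the web" comment referred to in comment 88, as an added example that is not part of the original thread or of any Microsoft code: a small checker that finds the comment in a locally saved page and verifies its length field. The format `<!-- saved from url=(NNNN)URL -->` with a four-digit character count is stated here as an assumption, and the function names and sample pages are constructed for illustration.

```javascript
// Added example (not from the original page). Assumed MOTW format:
//   <!-- saved from url=(NNNN)URL -->
// NNNN is the zero-padded character count of URL. "about:internet" is the
// generic value that asks for Internet-zone handling of a local file.

const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

// Parse the first MOTW comment in an HTML string and validate its length field.
function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) {
    return { present: false, valid: false, reason: "no MOTW comment" };
  }
  const declared = parseInt(m[1], 10);
  const url = m[2];
  if (declared !== url.length) {
    // A wrong count means the mark cannot be relied on; flag it for review.
    return { present: true, valid: false, url, declared,
             actual: url.length, reason: "length mismatch" };
  }
  return { present: true, valid: true, url, declared,
           actual: url.length, reason: "ok" };
}

// Build a well-formed MOTW comment for a given URL.
function makeMotw(url) {
  return `<!-- saved from url=(${String(url.length).padStart(4, "0")})${url} -->`;
}

// Audit a set of local pages: return the names whose mark is missing or malformed,
// i.e. the pages that would still be treated as unmarked local content.
function auditPages(pages) {
  return Object.entries(pages)
    .filter(([, html]) => !parseMotw(html).valid)
    .map(([name]) => name)
    .sort();
}

// Constructed sample pages (not real files).
const SAMPLE_PAGES = {
  "start.html": '<!-- saved from url=(0014)about:internet -->\n<html><body>menu</body></html>',
  "report.html": '<!-- saved from url=(0013)about:internet -->\n<html></html>', // wrong count
  "notes.html": "<html><body>no mark at all</body></html>",
  "saved.html": makeMotw("http://www.example.com/") + "\n<html></html>",
};

console.log(auditPages(SAMPLE_PAGES)); // pages needing attention
```
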

  89. Anonymous says:

    How’s that anti trust thing coming along in Germany?

    http://www.groklaw.net/article.php?story=20040812083831427

    Any better than the anti trust thing in Japan?

    http://slashdot.org/article.pl?sid=04/08/11/1832241&tid=109&tid=155&tid=17

    Looks like the lite version of XP isn’t going to help matters any… especially when it only runs 3 apps at a time.

    http://news.bbc.co.uk/1/hi/business/3554084.stm

    When is MS going to just give consumers what they want and stop trying to give them what Microsoft wants? You are only pissing off the people who buy your product and right now, there are other choices out there…

    http://www.technologyreview.com/articles/04/09/roush0904.asp

  90. Anonymous says:

    testing moderation :)

  91. Anonymous says:

    Why does SP2 break SSL connectivity with products like Netscreen and Firepass ? Not sure if this is IE specific but I’m curious if you can clarify what happened here. Thanks

  92. Anonymous says:

    Nice. I like the way this is now moderated to avoid anyone seeing what everyone thinks of IE. :)

  93. Anonymous says:

    Tony Chor, the project manager for Internet Explorer at Microsoft, details on the official Explorer blog the changes made in the version of Explorer that ships with Windows XP Service Pack 2. If you were expecting an improvement in Explorer’s CSS support, you will probably be disappointed (there is none). But with…

  94. Anonymous says:

    I must admit, these IE changes do make it seem more secure (although knowing M$, it is only a matter of time before the critical vulnerabilities start pouring in again). but without standards support, IE is still a pile of crap, and it is _still_ holding back the web.

    Companies demanding decent websites are still being forced to use tables for everything, and the broken IE scripting code makes it very hard to support other browsers (sounds intentional to me) and IE without ugly sniffing. This attitude sucks. the web was created to make sharing information easy, so that no matter what people use, it would work.

    It’s just a pity that a company with so much power refuses to accept the responsibility that comes with it. sure, you made a bit more secure for a while, but your standards support – the thing that actually holds the web together – still sucks.

    That’s my 2c – feel free to argue to your hearts content

  95. Anonymous says:

    I’m trying to understand why SP2 breaks SSL gateways like Netscreen’s and F5’s Firepass. Can anyone enlighten me?

  96. Anonymous says:

    Here is a good article titled "WinXP2: Stop Moaning and Start Downloading"

    http://www.theregister.co.uk/2004/08/12/winxp_sp2_stop_moaning/

  99. Anonymous says:

    I think MS is just losing market place looking toward to gain some more from the pie with advertisement and trade tricks :)

  100. Anonymous says:

    I’d been sick of constantly getting the CWS.Searchx spyware variant. So being an MSDN member, I downloaded the released SP2 and installed. Should have known to stop when I got an error going through the install that it couldn’t copy the file "dsound3d.dl_" even though I could copy it to another folder and have the install read it correctly from there. Then there was the missing "firewall.cp_" that I had to do the same. Once installed, I couldn’t get the Security Center to open and the shortcut looked bad. Shutting down my machine hung the computer.

    Just a warning to others that you best wait and let others blindly install and fall on their face before you do.

    On a happy note, the uninstall seemed to work and didn’t have to resort to my Restore Point.

    Jeff

  101. Anonymous says:

    If it could read the file from one place and not the normal download location, sounds like a hardware problem to me. Same with missing the firewall CPL.

    Not everyone is advising to avoid XP SP2.

    Russ Cooper from NTBugTraq says:

    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0408&L=ntbugtraq&F=P&S=&P=850

    Date: Tue, 10 Aug 2004 02:36:37 -0400

    Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQ:nospam.LISTSERV.NTBUGTRAQ.COM>

    Sender: Windows NTBugtraq Mailing List <NTBUGTRAQ:nospam.LISTSERV.NTBUGTRAQ.COM>

    From: Russ <Russ.Cooper:nospam.RC.ON.CA>

    Subject: XP SP2 – Statement of the NTBugtraq list

    Content-Type: text/plain; charset="iso-8859-1"

    Ok, so I feel like I need to do this, hopefully it’s understandable.

    1. XP SP2 is the most significant security effort Microsoft has ever produced. Granted, it may not be a "silver bullet", or solve all problems, but it is significant in so many ways that we as a security community cannot fail to acknowledge it. I admire "discoverers" as much as the next, but before XP SP2 can be written off it will take many, many, vulnerability announcements.

    a) IMO, this is the first time that Microsoft has put security over existing, and frequently used, features.

    b) IMO, this is the first time that Microsoft has accepted the fact that their choice is going to lead to "some" incompatibilities.

    c) IMO, this is the first time that Microsoft has taken a stand against ISVs who are definitely making money out of some features they (MS) made available to them.

    2. I, at least, as NTBugtraq Editor, believe we, as the NTBugtraq community, need to stand behind Microsoft’s efforts. That means we need to continue to endorse XP SP2 despite what problems have arisen or may arise (within obvious reason.) The media is only going to state the problems. They cannot appreciate, nor do they believe their customers are willing to pay for, stories about XP SP2 successes.

    So, I want to hear from you, every one of you, regarding XP SP2 success or failure. Obviously, I want those stories in as much detail as you can provide.

    There are, no doubt, some (many?) applications which will not be compatible with XP SP2. I say they represent Vendors who are not prepared to accept the responsibilities we’ve always felt they should have as reasonably security-minded Vendors. They’ve had lots of time to figure out how to make their apps compatible, and have *chosen* not to.

    I offer any Vendor who feels Microsoft left them "in the lurch", regarding their problems with XP SP2, a forum to express their problems.

    Equally, I offer all NTBugtraq subscribers a place to state the problems they are encountering with an ISV application.

    It is extremely important for corporate environments to get XP SP2 deployed to all home systems running XP. Let’s make sure the media has the right information.

    Cheers,

    Russ – NTBugtraq Editor

  102. Anonymous says:

    "sites cannot change your home page without a user click as well."

    Wow – This amazes me – you allow your browser to change users’ preferences from a loaded page? Why? It sounds like a recipe for disaster.

    I’m surprised you didn’t remove that "feature" altogether.

  103. Anonymous says:

    Funny how I paid for my copy of Windows 2000 after XP was released and I still can’t get an update for their shitty browser.?

  104. Anonymous says:

    Diggory, that was to do with security. Many, many variants of spyware were able to change your home page, add BHOs, and put executables onto your computer. It wasn’t a feature, it was Microsoft’s lax security.

  105. Anonymous says:

    If this version is really more secure, great, but we will have to give it a month or two to see if this claim is true. But Tony- is ANY work being done on standards support? This is a huge issue and from all I’ve read it sounds like nothing is being done with regards to standards support.

  106. Anonymous says:

    That’s not an accurate statement.

    The ability for a webpage to set the homepage is a feature. It wasn’t done without user consent – a dialog box would pop asking the user "Do you want to set your home page to …."

    At first glance, sounds like a fair tradeoff. For a while, a lot of sites (Amazon, Yahoo, MSN, Google) had "Make Google your home page" links. And the world was fine.

    Unfortunately, along came deceptive web page authors who would put this into a loop (check home page, if not my start page, prompt to change, repeat until the user finally clicks OK). And they do much worse than that.

    A quick Google on sethomepage gives Jeff Davis’s (an IE developer) blog entry as the first hit, plenty of details here: http://blogs.msdn.com/jeffdav/archive/2004/04/13/112632.aspx

    And this has nothing to do with BHOs or putting executables on your machine. Any of those can easily change the homepage just by changing the regkey that stores it.

  107. Anonymous says:

    The Wingdings smiley-face J showed up fine in my browser. Obviously the popup blocking sentence was an attempt at a joke.

    Obviously, too, it failed…

    Bill

  108. Anonymous says:

    > These people aren’t going to find bugs by looking at source code. Nor will they be getting nightly builds or getting the latest source from cvs.

    > So I fail to see how the open source model will be our hero for browsers.

    That’s not how the open-source model works; the security benefit is not derived from end-users looking at code at all. If you want to know why open-source software tends to be more secure, I suggest you read Eric Raymond’s writings on the subject, it’s not something that is easily summarised in a short comment here.

  109. Anonymous says:

    Look here, on this very line —> :)

    A cross-browser, standards compliant smiley! Only invented some 22 years ago (19 September, 1982)… You should try it sometime

  110. Anonymous says:

    This is in response to "bob":

    Why do people continue to prove their ignorance by claiming that support for CSS and XHTML is pointless? Saying that the average users "haven’t got the time or inclination to learn what css or xhtml are" doesn’t mean that MS should ignore the technology.

    CSS and XHTML, because they provide proper content / layout separation, make the following possible:

    * completely redesigning the layout of content driven sites

    * building sites which degrade gracefully in older browsers

    * making JAWS friendly sites for the blind

    * having visual options to increase accessibility for disabled people generally, e.g. allowing the user to change the font size, color and face within the page without going into the top menus

    * doing complex DOM interaction

    And that’s just the start. If MS isn’t going to view these things as important, then they should remove their name from all W3C documents. I have faith in them, though. I’m no MS-hater, I just make websites.

    So I’m an IE-hater :)

  111. Anonymous says:

    I’ll never load this spawn of satan on my machine. My next OS will be *nix.

  112. Anonymous says:

    IE is an incredible tool? I am torn between it staying the same and seeing it improve. The web designers I work with average twelve web applications a year. With the tools I am building I expect to create 100,000 per developer. I wanted an AI that did not require an application or plug-in. Motorola’s approach of using a windows application to control IE is safer, but it requires more code than can be realistically created. I like how the AI can walk through fences, but it also creates a problem. To have a semantic web requires balancing the power between using the OS and security to protect the user.

  113. Anonymous says:

    >>nor is it as easy to create chromeless windows.<<

    WHY allow this at all?

    I’ve been at the anti-virus and security game for years. The biggest reason MS has security and virus issues is because they try to make using a computer easy for idiots and in doing so, make it really simple for smart people to create the bugs I fight daily.

    Quit making things so bloody automatic, quit dumbing down the OS and browser. Don’t allow anything to happen unless it’s safe – period.

    I must argue a point – there are countless "bars", "add-ins" and "home page changes" that take place simply upon visiting a web site – ever heard of creating a browser window with coordinates where you can’t see it – with a prompt just waiting for you to press a key, BAM, you have their software. Yes, you pressed a key, but unknowing that you were OKing the download – because MS makes it so EASY to move, customize, hide, etc.

    I can use a simple script to create a browser you can’t see, just waiting for you to press nearly any key to ok a download. This should not be allowed.

    Microsoft – please quit making Windows so simple and friendly – that’s what’s causing us all the problems.

    Standards – professional web masters and coders hate IE because it doesn’t adhere to standards. We develop for Mozilla, especially Firefox, and if compliant and standard code, it will work. If it doesn’t work in IE, we must use IE hacks. Why? So MS can make the browser fun and exciting – but that kills it for business use.

    Fancy colored scrollbars? Why. It’s not standard. Just try to VALIDATE code written for IE. Code written for Firefox almost certainly can be validated. Allow us to use MODERN CSS to simplify our HTML pages.

    And what about all that junk code Word puts in a file when you export a SIMPLE half page of text to HTML.

    What is that all about?

    The answers are simple – quit trying to invent new standards, use the good safe standards and computing WILL be fun again, even with standards based browsers.

  114. Anonymous says:

    Hello,

    Most of the applications I design are running as a so called "web application" in chromeless popup windows. Usually our customers add our domains into the trusted site for vbscript security reasons and therefore I took a deeper look at the changes to zones coming with SP2:

    When I read the first articles about SP2 I wasn’t amused to read that windows can’t be real chromeless anymore and new "in page" warnings for e.g. blocked activex will be introduced – this will probably bring up some customers discussion why the design of their popups changed without their permission. Anyway, the argument that user should always be aware of the currently active zone is so strong that I finally considered it good to always force a status bar.

    After I installed the SP2 final I recognized that the default configuration allows to create chromeless popup windows (without a status bar) via scripting if the script is running in a trusted site – regardless of the zone of the url you open. You can even open a restricted site without a status bar if you open it from a trusted site! The restricted site can spoof a status bar just like in SP1 times.

    This behavior seems to be by design because the SP2 only introduces a restriction to the window.open() and similar methods and does not introduce a feature like "always enable the status bar if not in a zone that explicitly allows to disable it".

    I fear this behavior will lead to the following results:

    1. Most users of XP2 will use the default IE settings because they do not know what most of the new IE configs mean. Especially because they are not labeled clearly (at least in my German version). e.g. You need to know that restricting the size of a popup window implies the restriction for the status bar.

    2. People will get used to the situation that trusted sites can open chromeless windows. Probably they will add specific sites to the trusted zone just to get rid of the status bar and other chromes for layout reasons. Especially "web applications" are mostly opened in popup windows to create "pixel exact" layouts. Some lazy companies will probably tell their customers to add to trusted zone to get rid of the "layout issues" – and not tell their customers they are also allowing dozens of other things while trusting that host.

    While most companies will not exploit the fact their application is trusted, their customers can run into several issues when they leave the trusted site by clicking a link inside the trusted site, opening another window from there or invoke the same browser window by clicking a link on the desktop: in all cases they will reach a potentially untrusted site in a chromeless window!

    Not only do they not see the zone info – they will think it’s trusted because it has no chromes: they assume "only trusted sites can open chromeless windows" is equal to "only trusted sites can be chromeless" – but it’s not! It’s true for most workflows and "click ways", but it’s only a rule of thumb and not a security feature you can trust.

    I really think this SP2 "restriction" should be changed into an active "feature" like "window.onload = function() { if(!window.statusCanBeDisabled) window.status=true }" – not in JScript of course 😉

    BTW, why did you decide to enable chromeless windows by default in trusted zones in contradiction to your "Book of Springboard" that says: "The status bar is always visible for all Internet Explorer windows." Maybe you could add the line "except in trusted zones" to the documentation at that specific point. I know, if you read the entire text the concept of enabling/disabling SP2 restrictions per zone are explained – but most web developers will only read the quoted keyphrase.

    Kind regards,

    Michael

  115. Anonymous says:

    The thing most people choose to forget is that MS is a constant target whereas apple and any other non MS company are usually not.

    Also, anyone saying that these things should have been caught in SP1 doesn’t understand human evolution or software design at all. There is never going to be a perfect OS or a version that has no follow up releases. Every time any software version is created there will be someone who finds out how to crack it or exploit it, where do you think innovation comes from? This is true for all software, why do you think it’s so easy to find pirated versions of EVERY software application? Obviously, developers have been incorporating changes to fix known hacks but it’s a never ending battle and because of it we continue to get new and better software.

    SP2 may not be perfect, but it represents a fix for what has been exploited in the past. There’s no holy grail in software so stop looking, just keep innovating towards that perfect dream…

  116. Anonymous says:

    In response to Bill on Chromeless windows, there is a great need for this. We create software for schools that are browser based, and you want to get rid of the chrome to minimize the risk of the student going off to other places, etc. It also allows you to use more of the screen, and when a lot of schools still have 640×480, you need every possible bit of the screen to try to minimize scrolling. It is not uncommon on shared systems at schools to find 5 or more toolbars installed, ensuring none of that is there, allows the application to do its thing.

    These changes are going to be tricky for us since the timing of this is right when school is starting, and we will have to educate users on how this will impact them or even worse, potentially force them to go visit desktops to adjust settings.

  117. Anonymous says:

    Nice to know it’s secure before I install it!

    Don’t need the "my wife uses Mozilla" bumpersticker… could use "I moved my hubby to Milla" though… anyone got a spare?

  118. Anonymous says:

    but ie seems to not follow explorer’s view settings for my pictures. explorer opens the folder in details view (which is what i want), but when i save picture as with the context menu in ie, i get a thumbnail view of my pictures.

    there’s GOTTA be a switch somewhere to turn this off.

  119. Anonymous says:

    Peabody’s Cre8tive Flow: Deep Linking from the Desk of Bluebert G. Peabody

  121. Anonymous says:

    I updated XP to SP2. Now it’s IE version 6.0.2900.2180.xpsp_sp2rtm.0408032158IC.

    Fine, but the http://v5.windowsupdate.microsoft.com page loads with all kind of errors. Of course there is no Windows Update Software loaded. No patch available. Luckily there is Ghost.

  122. Anonymous says:

    XP SP2 blocks all IE !

    I had to unload SP2 to get IE back.

  123. Anonymous says:

    After seeing the Amish website, there is no doubt that everything really is on the Internet. However, it remains a mystery how a page gets published without electricity. An acre (about 4000 m2) on the Moon,…

  124. Anonymous says:

    Okay, IE with SP2 sucks. Thanks for the heightened security, but it just chugs any and all connections I have to any site. I can tolerate some delay, but please…three to four additional seconds to any page? Ridiculous. Even on my local server I have the same delay. Even lowering all the security levels to low doesn’t help. I was never a fan of Mozilla b/c most of my clients’ users run IE, but I’m working with it now.

  125. Anonymous says:

    Nice work, but this is it??? At three years, version 6 is getting pretty long in the tooth. What happened to "innovation"? Do we have to have significant share moving to Firefox or Opera before MS awakes from its slumber?

  126. Anonymous says:

    Hello, I understand that Microsoft has many enemies and opposers, and I am sure many have good reasons for their position(s). Still, I would like an answer to the following question. If I am running XP Home, am I better off with or without SP2? Thank You!

  127. Anonymous says:

    Hello Folks, I have two machines running 98SE that are always connected to the net. I use AVG AV(free), I have a NATs type HW firewall employed in an inexpensive 4 port router, and of course, I make somewhat informed decisions about what I open or download, in addition I run updated versions of Spybot S&D(Free), and Ad-Aware(Free). I travel all over the net, checking links clients send me(to see if they are safe), and my PC never gets sick, hijacked, or otherwise exploited. Oh sure, I have had attacks attempted, but AVG or one of the others stops them in their tracks(My internet experience remains complete/seemingly unrestricted). My question is, could not similar methods protect most folks’ PCs regardless of browser or OS? Thank You for responding. -Mixmode

  128. Anonymous says:

    Hi,

    I am using ‘Custom’ security settings, as I have been doing for many years. Most settings are configured to ‘Prompt’, which is necessary for me in my work, for safety & security reasons.

    1) With the above mentioned settings, when a link is launched via a href in OE, ‘Run ActiveX Controls and Plugins’ alert prompts often go underneath their own IE window. The page often will not even load until you (growl) minimise *all* of the open windows, to get to the hidden script alert prompt. Sometimes you still just get a blank IE window without even the address that you’ve clicked, even after finding & ‘OK’ing the scripts to execute.

    These script alert prompts need to be *forced* to ‘Stay On Top’ as they were Pre-XP_SP2.

    2) A *Really Annoying* issue: IE & OE prompting for their own *internal* scripting etc when the ‘Active Scripting’ is set to ‘Prompt’, not just prompting for the external scripts found in emails, news posts & web pages.

    Pre SP2, IE & OE were both able to ‘Prompt’ before running each & every individual script in emails / news posts / web pages with no major problems at all, & you didn’t get prompted for these programs’ own internal scripting, which gets ridiculous, especially when you can’t turn it off without disabling the other prompting which I still DO need for safety & security reasons.

    Being able to load an unknown web page, email or news post without letting a script execute when prompted by a security alert, has saved my computer from malicious scripts on *numerous* occasions…

    I trust that these IE & OE security functionalities will return ASAP.

  129. Anonymous says:

    Hi Tony and nice blog on IE changes. Any chance you guys will develop a tabbed interface?

    "I only pressed OK.."

  130. Anonymous says:

    I just installed Win XP SP2 and it’s great. However, I noticed that my internet connection constantly drops. I’ve tried both IE and firefox and it’s not the browser settings. I turned the firewall off and changed some other settings, but to no avail. I was just wondering if anyone else had this problem and if there is a way to fix it? Thanks

  131. Anonymous says:

    Does XP SP2 fix all the vulnerabilities in the PIVX list?

    http://web.archive.org/web/20030801093943/http://www.pivx.com/larholm/unpatched/

  132. Anonymous says:

    Dear Tony,

    Great sense of humour! I am impressed with the new security measures. I have always been annoyed with Internet Explorer’s automatic download feature via Active X controls. It appears that has been corrected. In the past, I had to disable "File Download", which corrected the problem, but average citizens most likely did not know how to deal with the issue. I sure did not originally.

    I will need to test this at some of the pornography sites to see if "Adult Links" and other goodies are no longer autoinstalled.

    I have to admit that I love Chromeless Windows, coloured scrollbars, the moving light effect on pictures, and the vflip/hflip attributes for link hovering.

    Sadly, the W3C dings me for some of those features. I wish they would still validate my page and CSS as long as all the standard features are written correctly.

    I have, however, successfully used the DOCTYPE 1.1 with those features working properly with the exception of the v/hflip attribute.

    I have also done away with Iframes and replaced them with overflowing divs. Now, I am in the process of eliminating tables.

    By the way, is it possible to produce the moving light effect by using compliant anti-document.all JavaScript? I also need a replacement for the speed attribute, which belongs in the image tag, since it fails W3C inspection.

    Sincerely,

    Tzabaoth

  133. Anonymous says:

    IE doesn’t work as an FTP client after installing SP2, even with the firewall turned off. FTP still works from the command line, and third party clients work after ‘allowing’ them to. Too bad, that was one of the nicer features of IE.

  134. Anonymous says:

    shopiere » They invented the internet, too

  135. Anonymous says:

    Will IE ever support full CSS2 (e.g. full absolute positioning support)? It seems a shame that W3C standards which are years old are not implemented by IE…

    Currently, though, I have a JavaScript file that completes absolute positioning support in IE when it is included in a JSP/HTML page, so that I can use CSS2 absolute positioning and have a consistent IE / Gecko UI.

    Thanks,

    Amnon

  136. Anonymous says:

    After installing Windows XP Service Pack 2 and the new version of Internet Explorer it contains, my version of Grande Dizionario Di Inglese 2003 with the ISI-Tech Search Engine runtime 2a refuses to work… The program loads up, but when I type in a word the right hand window shows an error message.. does anyone know how to fix this problem as I am dependent on the dictionary for my work.. my only alternative is to remove XP2

    this is the error message I get in the right hand window of the dictionary search engine…

    =======================

    The page cannot be displayed

    The page you are looking for might have been removed or had its name changed.

    ——————————————————————————–

    Please try the following:

    Open the L1_C_00003651.XML home page, and then look for links to the information you want.

    If you typed the page address in the Address bar, make sure that it is spelled correctly.

    If you still cannot open the page, click the Internet Explorer

    Search button to look for similar sites.

    Internet Explorer

    ==================

    haze@ghostfilm.net

  137. Anonymous says:

    Ya’ll are a bunch of pussies. Everyone bitched about the security holes in Wxp and its vulnerabilities. Microsoft tried to make good by delivering SP2, but the bitching continues. Microsoft could deliver the perfect product and ya’ll still find something to bitch about.

  138. Anonymous says:

    Ran SP2 upgrade & now IE doesn’t find web (connection fine as can still email) also all games freeze during loading. HELP

  139. Anonymous says:

    To backtrack on popups..

    Who was the first to create popups to start with?

    And even more interesting, which browser was the first to allow extra instances of a browser to open via scripting?

    Does it really matter in the long(horn) run?

  140. Anonymous says:

    Just wanted to add my 2 cents. You know how you like using a certain version of a program, maybe longer than the creator wanted you to? You said no to their discounted upgrades, ’cause you were quite happy with the existing program and didn’t need all the bells and whistles in the upgrade. Then, BAM! an OS service pack comes in and all of a sudden, those old trendy programs don’t work no more. Now, you gotta get in touch with the developer and BUY updated versions, along with the bells and whistles you didn’t want. …..

    Ok now the real reason for my entry. I am a software developer and will be testing my apps against SP2. I have read all the papers on SP2 and everything seems great, except, how come all of a sudden there’s a growing list of broken apps? Some aren’t even internet based apps.. Just curious…..

  141. Anonymous says:

    I have reported a problem that occurs with IE when SP2 is installed (Case ID # SRX040826601486). The ability for IE to process java scripts seems to be disabled. The script error "permission error" is all I can decipher.

  142. Anonymous says:

    Our web application makes extensive use of iframes and the documents loaded into the iframes refer to the DOM objects in the parent window. All the URLs are from the same domain/app. With XP SP2 on the client box, we get "Permission denied" error. Adding the site to the "secure site" list didn’t help. Until there’s a solution, we are forced to ask our customers to not upgrade to XP SP2. Help.

  143. Anonymous says:

    Found the fix for the problem mentioned in my earlier log. The parent frame was hanging on to the document handle (of the document in the embedded iframe) even after "replace"ing the URL in the iframe. The fix is to re-establish the handle.

    Old:

    var doc = iframe.contentWindow.document; // IE-specific code

    doc.location.replace(newurl);

    ….

    // elsewhere in a function called from the onload handler

    doc.body.xyz… ===> Permission denied

    New:

    var doc = iframe.contentWindow.document;

    doc.location.replace(newurl);

    ….

    // elsewhere in a function called from the onload handler

    doc = iframe.contentWindow.document;

    doc.body.xyz… ===> works fine

    Now that this problem is behind me, I like what has gone into XP SP2/IE. The first thing I did with IE was to disable most all the plugins. There were a couple of spyware plugins happily grabbing my eye balls and sharing my cpu cycles, diskspace, account numbers, passwords and who knows what else!

    Hope this is useful.

    Gopi
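
An added example, not part of the comment above and not Internet Explorer code: a small model of the stale-handle failure Gopi describes, runnable under Node.js. `ModelDocument`, `ModelFrame` and the `/a.html` and `/b.html` URLs are constructed for illustration, and the model assumes that navigation replaces the frame's document object and that the previous object then refuses access.

```javascript
// Constructed model: each navigation gives the frame a new document object
// and makes the previous one refuse access, which is the behaviour the
// comment reports under XP SP2.
class ModelDocument {
  constructor(frame, url) {
    this._stale = false;
    this._body = { innerText: "content of " + url };
    // location.replace() navigates the owning frame, as in the comment's code.
    this.location = { replace: (newUrl) => frame._navigate(newUrl) };
  }
  get body() {
    if (this._stale) throw new Error("Permission denied");
    return this._body;
  }
}

class ModelFrame {
  constructor(url) {
    this.onload = null;
    this._doc = new ModelDocument(this, url);
    const self = this;
    // contentWindow.document always returns the frame's *current* document.
    this.contentWindow = { get document() { return self._doc; } };
  }
  _navigate(url) {
    this._doc._stale = true;                    // old handle is invalidated
    this._doc = new ModelDocument(this, url);   // new page, new document object
    if (typeof this.onload === "function") this.onload();
  }
}

// "Old" pattern: the handle is captured once and reused after navigation.
function readWithCachedHandle(iframe, newUrl) {
  const doc = iframe.contentWindow.document;
  let result;
  iframe.onload = () => {
    try {
      result = doc.body.innerText;              // doc still points at the old page
    } catch (e) {
      result = "error: " + e.message;
    }
  };
  doc.location.replace(newUrl);
  return result;
}

// "New" pattern: the onload handler asks the frame for its current document.
function readWithFreshHandle(iframe, newUrl) {
  let result;
  iframe.onload = () => {
    const doc = iframe.contentWindow.document;  // re-established handle
    result = doc.body.innerText;
  };
  iframe.contentWindow.document.location.replace(newUrl);
  return result;
}

console.log(readWithCachedHandle(new ModelFrame("/a.html"), "/b.html"));
console.log(readWithFreshHandle(new ModelFrame("/a.html"), "/b.html"));
```

The general rule the model illustrates: treat a frame's document reference as valid only for the page that was loaded when it was read, and fetch it again inside whatever handler runs after a navigation.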

  144. Anonymous says:

    suck ie but i used ….

  145. Anonymous says:

    Hi Guys.. I’m running XP and have recently installed SP2. I now don’t seem to be able to open ANYTHING in new windows from links on pages. I’ve unchecked popup blocker but still no joy.. I’m an amateur web developer (more a pro photographer) and the problem is also identified by not launching javascript popups from my gallery pages on http://www.pr-weddings.org.

    Would most appreciate an email from someone at info@pr-photography.org.

    Cheers Pete

  146. Anonymous says:

    The Information bar needs a way to let Active X material through because it is very stupid to click on that bar every time to make it work correctly. Will there be a way in the very near future that will be able to disable the information bar or change its setting to make it save the ability to open certain active x programs

  147. Anonymous says:

    What frustrates me is that there is no way to mark locally stored HTML pages as "safe". I have a reference document that apparently uses some active scripting, and every time I open the document, I get the "yada yada blocked" message. But I can’t add the HTML file or the location to my trusted sites because it’s on my local hard drive.

    Talk about frustrating. How about a "this file is safe" check box? And while we’re at it, how about being able to add sites to the trusted/restricted zone from the status bar?? I can SEE the zone.. why can’t I change it from right there?

  148. Anonymous says:

    While I believe you folks have done a good job of shoring up the security holes in IE, I think your documentation on SP2 leaves a little to be desired. Specifically on the new IE settings and what they specifically do. Some of these settings names seem to be counter-intuitive as well. Could someone please detail what the following settings do?

    Automatic prompting for ActiveX controls

    Automatic prompting for file downloads

    Allow scripting of Internet Explorer Webbrowser control

    Allow script-initiated windows without size or position constraints

    Allow web pages to use restricted protocols for active content

    Web sites in less privileged web content zone can navigate into this zone

  149. Anonymous says:

    I cannot open new window with IE anymore and many links do not work please help

  150. Anonymous says:

    Hey..

    The local HTML files (with JS in them) don’t open, as they are blocked by the builtin firewall… coming back to the analogy of the house, it is like i can’t open the fridge in my own house, as somebody might have put something in it (although the door is locked)

    WHAT THE HELL ???

    Any of you "developers of the modern world" have answers ???

  151. Anonymous says:

    I have the same problem as Steve and Peter Rear. Since installing SP2, for some unbeknown reason, I can no longer open IE pages using the "open link in new window" option. It just returns a blank page with no url in the address bar. The same is true when you click on a link within a page and it tries to open that link in a new window. I’ve tried disabling the pop up blocker but it still happens. I don’t use the built in firewall either, as I have a hardware firewall/router. Can anyone help me? I’m seriously considering uninstalling SP2 as it is affecting my system performance – anyone had any issues doing this?

  152. Anonymous says:

    Since installing sp2 IE will not open pages that require secure and insecure content together. I cannot get my bank accounts to display. And it appears many gifs such as "buttons" are being blocked. Any suggestions on what settings to change?

  153. Anonymous says:

    I am just a simple user and just loaded SP2; since then I have not been able to open a new IE window when using "open in new Window" ?? now that makes a lot of sense…

    also my bank uses javascript to open a new window to log in… guess what nothing I do will allow this window to open disabled the fire wall, disable the firewall all to no use… so guess what … i’m now unloading sp2 …what a piece of crap!!!!!!!!

    if you know how to fix these email me on joe_t_hm@hotmail.com

  154. Anonymous says:

    Similar problem here too. gifs gone (just the little red cross) and cgi script counters don’t work. Can’t be anything other than SP2 ‘cos this is happening on a brand new machine with nothing else on it yet other than AVG antivirus and ZoneAlarm. Must have tried changing every setting possible with no result.

  155. Anonymous says:

    try this – (it worked for me!!!) http://support.microsoft.com/default.aspx?scid=kb;[LN];281679

    or this – (from Microsoft tech support – didn’t help me)

    Step 1: Disable all Add-ons

    1. Launch Internet Explorer

    2. Click Tools, click Manage Add-ons

    3. In pop up screen, select all the Add-ons

    4. Click Disable.

    Step 2: Turn off Windows Firewall

    1. Log on as Administrator or a user with Administrator privileges.

    2. Click Start, click Run, type WSCUI.CPL then click OK. This will generate the Windows Security Center application.

    3. In the Windows Security Center window, click Windows Firewall.

    4. Select the option "Off (not recommended)" to turn off Windows Firewall.

    Step 3: Reset the Internet Explorer options

    1. Click Start, click Run, input "INETCPL.CPL" (without the quotation marks) and press Enter.

    2. Click Delete cookies and Delete files on the General tab.

    3. Click Clear History in the History area, and then click OK in the dialog box that appears.

    4. Click Settings, click View Objects, delete all objects there, and then close the window.

    5. Click View Files, delete all files there, and then close the window.

    6. On the Connections tab, click the LAN Settings button, and then uncheck all the boxes.

    7. On the Advanced tab, click the Restore Defaults button, and then click to clear the checkbox beside "Enable third-party extensions".

    8. Click OK to save these settings.

    Step 4: Scan for spyware:

    1. Download and install Ad-Aware from the following page:

    http://lavasoft.element5.com/support/download/

    2. Click Start -> All Programs -> "Lavasoft Ad-aware SE Personal" -> "Ad-Aware SE Personal" to start Ad-Aware.

    (Note: If there is a popup box asking whether or not to check for a definition update, please click OK and click Connect. Click OK to download and install the latest definition, and then click Finish.)

    3. Click the Start button in the Ad-Aware window, and then click Next to start the scan.

    4. After the scan is finished, click Next, click the check boxes on the "Critical Objects" tab to select them, click Next, and then click OK to confirm the removal.

  156. Anonymous says:

    We have spent 1 entire development day on an apparent bug in the SP2 install.

    We develop dynamic websites; we use cookies for session ID and other information.

    We have one test Win XP machine, recently upgraded to SP2, containing several user accounts.

    We have been notified by our customer (also using XP SP2) that they were unable to use the site, the problem fully contained to Win XP SP2 machines; they were able to use some of our other sites. To make things more confusing, the site worked correctly on my own laptop (XP SP2).

    One day of testing later, the issue boiled down to IE -> Internet Tools -> Privacy being at a weird custom level. No one has touched these settings since the XP install or since the SP2 install. Yet some users have strange settings for most of the Internet Tools options while others have default settings. One machine.

    The settings prevented certain cookies from coming through. Furthermore, there didn’t appear to be any notification or indication of this problem. Now (that we have fixed the settings), the only way to reproduce the original behaviour is to put Privacy settings on one of the two highest levels; however, when we do this, we do get status bar notification and summaries.

    Am I satisfied with the SP2 release? Late, buggy, no documentation… not really. Mistakes can happen but where is the QA?

  157. Anonymous says:

    I am also having an issue after installing SP2: whenever I click on a link on a website, I get a message at the bottom of the screen that says javascript:null(0). The link will not open. How can I bypass this? The information bar also does not display.

  158. Anonymous says:

    I forgot. Contact me directly at bem522@comcast.net if you can help me with this.

    Tommybanana – this link did not work for me. Says document does not exist.

    http://support.microsoft.com/default.aspx?scid=kb;[LN];281679

  159. Nuke'Blog says:

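    window.open, showModalDialog and showModelessDialog (note the spelling) all open a new window. Their differences and usage are not discussed here; please see: the Windows special topic.

    The third parameter of each of them can specify whether to display…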

  160. Anonymous says:

    Dean Hachamovitch, the guy who runs the Internet Explorer team, seems to have a particularly tough job.
