IE7 Security in Brief


While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time in smaller discussions (for example, with Paul and Joe) about the security work we’ve done in IE. The discussions reminded me that, before most of the team was working on IE7, before Rob posted about our overall approach to IE7 security, we heard three things about IE and security over and over: “take it out of the operating system (or integrate it less), get rid of ActiveX, and rewrite IE to be secure.”

Now, no one wants to hear what these steps (if done literally) would break. Windows applications (like the AOL client, or Office) use IE technologies to show users HTML email, to download files from the internet, and more. Similarly, no one wants to hear that every browser has its own ActiveX equivalent in order to support great technologies like Macromedia Flash and media players.

I wanted to step back from the threat-driven way we’ve thought about security for just one blog post and talk about our work in terms of what we heard people ask us for.

We heard people ask for more separation between the browser and Windows. In IE7, we built a containment wall around IE by running it in Protected Mode. In this mode, IE can browse the web but cannot install software (good or bad) or change settings on the user’s computer without explicit user consent. Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7. Expect to read more about the details of how this works, and how IE balances compatibility (e.g. users still want their toolbars to work!) with security, in another post.

We heard people say that ActiveX controls had too much privilege. In IE7, we made sure that the only ActiveX controls available to IE were the ones intended for use on the internet. Microsoft Windows includes many, many ActiveX controls. For example, an application developer can use IE technology to browse the web inside her application by using a particular ActiveX control. While only some ActiveX controls were intended for use inside IE by web sites, many of them identify themselves as available for use inside IE. We decided that allowing ActiveX controls to run in IE should be the exception, not the rule. IE7 will block all ActiveX controls from running in the browser except for controls that were explicitly intended for the browser. That list is under the user’s control. Of course, to keep mainstream web sites running, the most commonly used ActiveX controls that are clearly intended for the web (like Flash) will be on that list by default. We started getting feedback on this feature from developers at PDC. Expect a blog post with more detail so we can get your feedback on it before beta 2.

We heard people say that we should just start over from scratch. In IE7, we identified, via threat-modeling, the most critical parts of IE and focused our rewriting efforts on those parts. For example, we didn’t need to rewrite all HTML parsing in order to make IE more secure, but URL parsing and the enforcement of cross-domain security were clearly important parts to re-work this release. If you were at Rob’s PDC talk or if you have read about threat modeling, you’ll understand why we focused on threats rather than on rewriting for its own sake. While it’s hard to see the effects of these changes in everyday browsing with IE7 (well, except for now supporting International Domain Names), these parts of the product are more resilient against attack and are still compatible with the web.

The things people asked for so much a year ago represent only a subset of what we did in IE7 and Windows Vista. I think the Phishing filter and other anti-fraud work that we’ve done is important. The Parental Controls work that teams showed at PDC is another aspect of protecting people while they’re using the internet. None of this security counts unless corporations can deploy it; we’ve done work (like the application compatibility tool and better Group Policy support) to make deployment easier. There’s also additional functionality around the user experience of security that will come out with beta 2.

Thanks in advance for your feedback on IE7,

Dean

Comments (45)

  1. Anonymous says:

    Another informative post – thanks guys 🙂

    And it’s been nice to read a post for once without the same old ‘where’s the CSS’ or ‘But Firefox has this’ comments. Though I suspect – no, I would put money on it – that it won’t last!

  2. Anonymous says:

    > IE7 will block all ActiveX controls from running in the browser except for controls that were explicitly intended for the browser. That list is under the user’s control.

    How does this interact with security zones? Is there one list per zone, or a global one?

    > There’s also additional functionality around the user experience of security that will come out with beta 2.

    There was an IE 5 Web Accessory that added menu entries (under Tools) for changing the security zone of a domain (it still works with IE 6, btw), and Win2k3 had similar functionality to support the Enhanced Security Configuration. Did you consider/will you include something like that in IE 7?

  3. Anonymous says:

    Lionel, ActiveX Opt-in will use the list in "Manage Add-ons" with a few tweaks. The list will be enforced for the Internet Zone by default but users and IT pros may choose to use the feature in other zones as well. -Rob

  4. Venu Anuganti says:

    Real nice one Dean,,,,

  5. Anonymous says:

    The containment feature of IE7 will really put it apart from other browsers, but I keep hearing that the foundations for this are only in Vista. Is that really so? On XP today, I am running Explorer (and Media Player, QuickTime, Messenger etc) with rights equivalent to a Limited User, although my user is an Administrator. It works through Group Policy and I believe the technology is called SAFER. Even more limited rights can be set in XP through GP, but of course the applications break because they haven’t been adapted to these constrained rights (with broker processes and whatever IE7 on Vista will use).

    So, what is really missing in XP to make IE7 as secure as on Vista there too?

  6. Jie Ren says:

    Both to have IE running ActiveX and to have it being used by other components make very good sense for software development. To safeguard this capability, the critical path (putting downloadable components into the appropriate compartments/domains based on URL) needs better investigation, which is exactly what the IE team is doing. Keep the good job.

  7. Anonymous says:

    Has the IE team actually experimented with "take it out of the operating system (or integrate it less), get rid of ActiveX, and rewrite IE to be secure."?

  8. Anonymous says:

    What about a spoofing catcher… such as if you click on a link that says "www.bankofamerica.com" (example), but it takes you to a site with a SIMILAR, but not exact domain, have the notification bar popup that says "Warning, you have clicked on a link that is not what it seems… blah blah blah".

    What do you think… good idea?
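The check proposed in the comment above, sketched as an added example (not part of the original thread and not IE's phishing filter): compare the host a link displays with the host its `href` actually resolves to, and flag near-misses. The function names, the edit-distance threshold of 2, and the reserved `.example` hosts and `203.0.113.7` address are assumptions constructed for illustration.

```javascript
// Added example: flag links whose visible text names one host while the href
// points at another. All hosts below are constructed, reserved-for-docs values.

// Return the hostname the visible text claims, or null if the text is not a host/URL.
function hostFromText(text) {
  const t = text.trim().toLowerCase();
  const m = t.match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$/);
  return m ? m[1] : null;
}

function stripWww(host) {
  return host.replace(/^www\./, "");
}

// Levenshtein distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value for (i-1, j-1)
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // value for (i-1, j)
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify a link as:
//   "not-checked" - href is not a parseable http(s) URL
//   "no-claim"    - visible text does not name a host (e.g. "Click here")
//   "match"       - text host equals the target host or is its parent domain
//   "lookalike"   - hosts differ by at most LOOKALIKE_MAX edits
//   "mismatch"    - text names a host, target is something else entirely
const LOOKALIKE_MAX = 2; // assumed threshold, tune against real traffic

function classifyLink(text, href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return "not-checked";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "not-checked";

  const shown = hostFromText(text);
  if (shown === null) return "no-claim";

  // URL.hostname is the host the browser will really contact: userinfo before
  // "@" is excluded and IDN labels are normalised to their ASCII form.
  const actual = stripWww(url.hostname.toLowerCase());
  const claimed = stripWww(shown);

  if (actual === claimed || actual.endsWith("." + claimed)) return "match";
  return editDistance(claimed, actual) <= LOOKALIKE_MAX ? "lookalike" : "mismatch";
}

// Constructed sample links (text, href) for a quick run.
const samples = [
  ["www.mybank.example", "https://www.mybank.example/login"],
  ["www.mybank.example", "http://www.mybonk.example/login"],
  ["www.mybank.example", "http://www.mybank.example@203.0.113.7/"],
  ["Click here", "http://203.0.113.7/"],
];
for (const [text, href] of samples) {
  console.log(classifyLink(text, href).padEnd(10), text, "->", href);
}
```

A "lookalike" or "mismatch" result is a signal for a warning bar, not proof of fraud; legitimate redirectors and link shorteners also produce mismatches.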

  9. Anonymous says:

    Surely you can implement a similar sandbox system under XP, just create a special user that can only write to temporary internet files, and use the same method you mentioned in the channel9 vid for actions requiring more privileges?

  10. Anonymous says:

    > Now, no one wants to hear what these steps (if done literally) would break.

    Unless I’m mistaken (and if I am, please correct me), removing *Internet Explorer* won’t break anything. Internet Explorer is just a shell around Trident.

    All the applications that embed "Internet Explorer" really only embed Trident, right? So removing Internet Explorer is perfectly possible, you just don’t want to do it. That’s fine, but don’t pretend you are doing it because things will break otherwise.

    If all the bits of the OS that rely on "Internet Explorer" could get along just fine with Trident, there was never anything forcing you to bundle a fully-fledged web browser with Windows. You could have provided a simple browser equivalent in quality to something like Lynx, so that people could download the browser of their *choice*. Much as you did with FTP – anybody who actually uses FTP on a regular basis downloads something else instead of ftp.exe.

    I agree that it’s pretty meaningless to rant about "removing Internet Explorer" from a security perspective though.

  11. Maurits says:

    > Unless I’m mistaken (and if I am, please correct me), removing *Internet Explorer* won’t break anything. Internet Explorer is just a shell around Trident.

    "Just" a shell begs the question. Many IE vulnerabilities are precisely in this shell. Trident vulnerabilities exist too but are by no means the only ones.

    Removing Internet Explorer will break anything that relies on Internet Explorer.

    Removing Trident will break anything that relies on Trident.

    I’m in favor of making both Trident and Internet Explorer optional. Create dependencies if you like. Want Windows Explorer? You’ve gotta have Trident. Want Windows Media Player? You’ve gotta have Internet Explorer. All fine.

  12. Anonymous says:

    Have I missed something or does Flash work without activeX in all the other browsers?

    In regards to sites like bank of America, their SSL only kicks in AFTER you have sent your SS unencrypted over the net. How about some feature that would always show the security level of sensitive information, such as a red X’ed out lock to denote the lack of SSL on any information being submitted?

    Will the reduced rights for activeX affect sites such as housecall.trendmicro.com? I hate resource hogging programs and have not been able to find a program that runs less than 5 or 6 processes just to do real time virus protection (a program should be allowed one process as far as I’m concerned) and therefore since I don’t resort to using my computer insecurely (in regards to viruses) by using Outlook using enabling Java clientside I tend to visit sites such as that which I can do an occasional virus scan.

  13. Anonymous says:

    Mike, I think that under XP you don’t even need to create a special user. There are ways to "strip" the administrative privileges from an Administrator account and add the RESTRICTED group to the token for a process (so it can’t access many files or registry keys locally). I wonder why this will only be done on Vista, though.

  14. Anonymous says:

    Seems a great job has been done about security but what about confidentiality ?

    It still needs many clicks to switch on/off HTTP Proxy, cookies, active scripting, etc…

    Still no referrers filtering without third party app.

    Why ? Does nobody but me care about referrers breaking confidentiality ?

    Regards,

  15. Anonymous says:

    > Have I missed something or does Flash work

    > without activeX in all the other browsers?

    It works without ActiveX, but *with* a binary extension.

    ActiveX is basically a programming interface convention, used everywhere in Windows. IE simply uses this interface for its binary plugins/extensions. The security issues apply to any kind of binary (machine code — JIT-ed or interpreted code is another matter) extension.

  16. Anonymous says:

    <<How about some feature that would always show the security level of sensitive information, such as a red X’ed out lock to denote the lack of SSL on any information being submitted?>>

    John: If you don’t see the lock, it’s not secure, no matter what anyone tries to tell you. I’ve blogged about this before. See http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

    <<Does nobody but me care about referrers breaking confidentiality ? >>

    JacK– Please elaborate on what sort of confidentiality breach you’re concerned about? We already block leakage of HTTPS Referers to HTTP pages.

    A site can simply pass around query string parameters instead of using the Referer header and the data transmitted would be equivalent.

  17. Anonymous says:

    It would be really nice if MSFT would take on the task of creating a logo program that includes a security testing methodology for ActiveX controls and publish a list of controls that have passed. Safe for IE7 anyone?

  18. Anonymous says:

    I am curious why Microsoft didn’t release this with Windows 2003 sp1 support, after getting it to install on 2003 server, it has run without any issues…

  19. Anonymous says:

    > Please elaborate on what sort of confidentiality breach you’re concerned about?

    Suppose my company has a wiki, and a competitor suddenly notices referrals from http://www.microsoft.com/bills-wiki/people-to-crush-next-week/

    Contrived example, I know, but leaving referrers switched on is basically an assumption that there will never be any sensitive information in any of the URLs you visit. I don’t think that assumption is warranted, do you?

    Proxies aren’t enough to disable referrers, as pages can still find this information through Javascript (and also detect when a proxy is attempting to filter them out). This is something that needs actual browser support.

  20. Anonymous says:

    Is the post already written that states that you don’t need to take IE out of Windows because it isn’t that much linked into it?

    I also don’t understand why a fresh installed box needs ActiveX turned on. It’s nice for intranets, but why would one want it on in general?

  21. Anonymous says:

    How about IDN’s and url resolving?

    (why is no one from MS talking about IDN support even though it’s coming out in ie7? )

    thanks

  22. Anonymous says:

    [We heard people say that we should just start over from scratch.]

    Many of those are css fanatics: all they can do is css, and they wonder why they cannot have an internet where their only talent rules.

    Unable to achieve the same results via a combination of Css and Javascript (although BOTH style and javascript could go disabled, not only the latter), they find that the solution is to blame IE for their own shortcomings.

    They live in a world where bugs do not exist. I have never seen such a world, in NO field.

    ActiveX, many of them repeat by hearsay, they don’t even really know what they are.

    As for those who are not css fanatics, in politics we follow the votes, in economics we follow the money: if making of security and of strict w3c compliance an issue is enough to take away a market share from Microsoft, why not venting it considering how high the revenue is for so cheap a price? After all, Opera has banners. And Netscape with its Mozilla engines is at the Nasdaq.

    It is the right approach to listen to the complaints and try to meet them. But nothing of this should make you unaware that the purpose of the complaints has never been having a better IE product (god forbid isn’t it!?) , but that of taking away money from Microsoft’s current market share.

    True, it’s not an engineer’s concern: but it’s still a Microsoft challenge.

    They will find another way to attack you and Microsoft engineers, unless you won’t start attacking them on the same grounds too rather than just reacting.

    They say you’re "catching up" – you’re not, really: you will really "catch up" when you’ll start fighting this fight also per what it is: fictional complaints propaganda to get market shares.

    You need your Google like Chief Evangelist lol.

    They are as much insecure as any other can be, or as much secure as any other can be. They only know that human credulity and stupidity (and pride!) is above artificial intelligence bugs: they just start spreading rumors, and they found out they haven’t even to pay the cheerleaders in order to find zealous supporters.

    IE7 can be fabulous. All the more get ready for the next wave: if it paid off the first time, they’re just going to invent another one, once released IE7, basing it on _minimal_ grounds of truth like any good stealth and slandering approach should do.

    Follow the money, not the complaint. Let the css fanatics believe it has ever been about the complaints.

  23. Anonymous says:

    Well, what would IEBlog be without groupies to bash on IE critics.

    I see no reason to style a website through JS rather than CSS, except I need something IE isn’t capable of and am in an intranet. The (X)HTML for markup, CSS for style approach seems the best to me. And using JS for that is like, well, formatting a list with ActiveX. It is not needed, so why not just keep it simple and maintainable?

    As a sidenote: Opera doesn’t seem to have banners anymore.

    Also I like it everytime I read someone saying that "the purpose of complaints is not to get a better product", that’s right. I don’t use IE myself, but the internet is. And I have to design and develop for the internet. So it would be great if Microsoft joins the game and follows the rule instead of punching the referee’s in the nuts and singing something about "walking on sunshine" everytime they got to the Touch-Down-Area with their huge coloured tank. That would be constructive.

    "They are as much insecure as any other can be"

    Well, with that kind judging on people you do not know, well, that do not even exist, since you’re projecting your mental categories to masses of people, I just recommend a bit observation on your own communications.

    Well, it’s finally up to Microsoft how they decide to go. Maybe they’ll follow the path you suggested. If they do, let’s meet exactly here in 5 years again.

    an amused phaylon

  24. Anonymous says:

    Mattias, URL parsing and secure defaults for IDN will both be part of IE7 and Windows Vista Beta2. You can read more in Eric’s post here: http://blogs.msdn.com/ie/archive/2005/08/15/452006.aspx

    – Rob Franco [MSFT]

  25. erik233@hotmail.com says:

    Alberto,

    Unfortunately, you have a fundamental misunderstanding of the purpose of CSS, and why it’s so important to so many people.

    It’s not because people like to code with CSS (while I’m sure many do), and it’s not because they can’t code otherwise (in fact, it’s easier to use tables, and font tags, and other stuff).

    The fundamental reason is that a huge percentage of the web sites out there *ARE REQUIRED BY LAW* to be handicap accessible, and CSS and XHTML are the tools of choice to achieve that.

    I know there’s a lot of people out there that don’t care, but for those of us who would be fired from our jobs if we made inaccessible sites, it’s a very real issue.

  26. Anonymous says:

    If Internet Explorer now uses separate processes for the browser and for the save-dialogue: Will it still be possible in Vista that this restricted process for the browser that only can write to the TIF would just send windows messages to explorer to open the start menu and run a virus?

    Or is that "fixed" in Vista?

  27. Anonymous says:

    Christian, great question re: whether the restricted process can send window messages to higher privilege processes.

    The answer is "no". This kind of attack (called a "shatter attack") is blocked by the integrity control in UAP. Window messages can only be sent to processes with the same or lower integrity level. Since IE will be running with low integrity, it can only send messages to other low integrity processes.

  28. Anonymous says:

    A rewrite is probably best avoided. In any large body of code, it’s not impossible that you’ll just introduce more bugs than you eliminate, especially when the rewrite is rushed or tries to add features as well as lock things down.

    Auditing subsystems, looking for bad code hotspots and fixing specific design problems in the current codebase is most likely a much better way to go. So three cheers for the IE folks, hopefully I won’t have to try to disable the browser (transproxy checking user-agent, all javascript, activex, etc disabled) in future.

  29. Anonymous says:

    Tony, that is really cool that this kind of attack is now mitigated. All those people who now run their browser with another account, but on the same desktop are probably only secure because no virus uses SendKeys because it’s not common.

    Regarding those who want a complete rewrite:

    Please read

    http://www.joelonsoftware.com/articles/fog0000000069.html

  30. Anonymous says:

    > If so, css is just one of the ways to implement a law, not a precised prescription of the law. Whether I attain the goal via css only or via css and javascript both, the law goes satisfied.

    Not when user-agents typically used by disabled people don’t cope well or at all with Javascript, and not when consensus among experts explicitly warns against reliance on Javascript (see WCAG).

    You are right in saying that CSS is not specifically required by law. Yet it’s the only appropriate method for most websites. If you end up on the wrong side of a lawsuit, you’re going to have a hard time explaining why you ignored specific advice from the W3C:

    http://www.w3.org/TR/WAI-WEBCONTENT/#gl-structure-presentation

    > Though I understand this is not the appropriate forum, if you have a link where any text of such laws can be read, I think many could be interested.

    http://www.w3.org/WAI/Policy/

    > For instance aural sheets: I often wished I could use a bit of them, but what’s the point with the effort when you won’t see browsers around able to interpret them correctly?

    Opera and EMACS-W3/Emacspeak support aural stylesheets today.

    > Whom will the law jail? IE? Me? You? Everybody?

    This is why it sounds a bit puzzling you see.

    Accessibility laws are not usually criminal, but civil in nature. You won’t see anybody jailed, but you will see fines. SOCOG, the Sydney Olympics committee, were fined A$20,000 for not making their website accessible.

    http://www.contenu.nu/socog.html

    Lots of people settle out of court (e.g. AOL) or don’t let it get that far in the first place by fixing their websites when people complain.

    > The issue is not css yes or css not. The issue is on whether we should reserve our refined critical capabilities to blame Microsoft only as we DO, whereas as herds of sheep we say "yessir" to the W3C whichever absurdity it implements.

    That’s a false dichotomy. Microsoft are a member of the W3C, Microsoft have members on the CSS working group, if the specifications that the CSS working group author are not acceptable to Microsoft, then that’s their own fault.

    > So, we’re teaching our programmers to respect a rule simply because it has been made a rule with a tap of a selector on the shoulders.

    The W3C is an industry consortium with members from across the whole community, working for all kinds of different companies.

    They aren’t some shadowy group that are dictating standards – they are arriving at community consensus and publishing the results.

    > Wrong rationale behind it, SHOULD have been the OTHER way round. BAD PICK lol 🙂

    That’s your opinion, and you are entitled to it.

    However, the CSS working group obviously had a different opinion to you. That working group is made up of people working on browsers, people working on web development tools, web developers, and so on.

    With all due respect, I think they are more qualified to decide what is appropriate than some random person posting on the IE Blog.

    > IE is CORRECT, though the W3C might go differently. We cannot accuse Microsoft of standard lack of compliance even when it corrects a W3C bug

    Internet Explorer is not correct, because it’s not a W3C bug. You might not think that the W3C’s decision was correct, but the Internet Explorer developers chose to use CSS rather than some proprietary concoction. You can’t just pick and choose parts of the specification you like and do something else when it suits you – that defeats the whole purpose of having a specification in the first place.

    > The W3C spec is wrong there. It is surprising that whereas we so eagerly allow blaming IE for whatever, we consider anathema blaming the W3C for clearly questionable specifications.

    Who is the "we"? It seems you are attacking a straw-man there. Who are these people who consider it anathema to criticise the W3C?

    > Unless, as I said and that’s the point, it’s just a staged technique to take away market shares from IE exploited by third parties.

    It would be quite idiotic to include Microsoft in this scheme then, wouldn’t it?

    > A few guys will get the money (ours) while we will go on cheering for free.

    Who pays for a browser these days? Even Opera is free.

    > IE is good. If it doesn’t implement all css, who cares.

    Web developers. If you can really say "who cares?" then I strongly doubt you do much web development.

    > Go validate Yahoo and get 301 w3c validation errors today: shall we jail them, or shall we go on using their services quite successfully

    Another false dichotomy. Nobody is calling for them to be jailed, but condoning it is not the only alternative.

  31. Anonymous says:

    Hi,

    i just wanted to know if you guys intend to patch the 19 unpatched vulnerabilities in ie6sp2 with all patches installed as listed on http://secunia.com/product/11/

  32. Anonymous says:

    There are other reasons why I would love to see ActiveX be deprecated and eventually, someday down the line, abandoned entirely. Yes, it has been a security nightmare up to this point. But it has also been one of the biggest setbacks to web standards. Why is there still no next-generation forms standard on the web? Because nonstandard, proprietary technologies like ActiveX have been "good enough" up to this point, but result in websites that are incompatible with other browsers. Tying users into one browser (or other application) is the worst security problem of all, because the user loses the ability to choose a more secure product.

  33. Anonymous says:

    Secunia is a company that makes money by claiming that IE is bad so you need to buy their product.

    Secunia saying something is a security bug doesn’t make it so. Most of these "unpatched" bugs are really stupid like "I can make the status bar say what I want it to" or "I can see if there’s a certain file on your computer but I can’t read it or do anything to it." Big friggin’ deal.

    Some of them are fixed (like http://secunia.com/advisories/10155/) even if Secunia doesn’t show it.

  34. Anonymous says:

    Just what I needed to know. Thanks for the post.

    ~Denzil

  35. Anonymous says:

    people like this need to be shot:

    http://pro.grammers.info/fuck_ie.html

  36. Anonymous says:

    > Have I missed something or does Flash work without activeX in all the other browsers?

    AFAIK, every browser but Internet Explorer uses the old Netscape Plugin system for implementing browser plugins. The main difference between NP and ActiveX (and the reason ActiveX gets bashed so much) is that Netscape Plugins can ONLY run as Internet components, whereas ActiveX is used all over Windows. So generally ActiveX has more freedom (though from what I’m reading, that’s one of the things being dealt with in IE7).

  37. Anonymous says:

    There’s no reason that you can’t have IE libraries be separate from the libraries used for other software programs and the Explorer shell. One of the most annoying things about Internet Explorer is when it gets screwed up, there’s no way to re-install it. De-integrating, and having two separate library bases would not only lessen the impact of security holes, but would also allow for removal and reinstall of the browser itself.

  38. Anonymous says:

    [*ARE REQUIRED BY LAW*]

    Possibly in the Usa they are (I thank you for the hint, I "stored" it), although I do not think (you can correct me, of course) there exist any law that mentions "css". Would sound grotesque.

    If so, css is just one of the ways to implement a law, not a precised prescription of the law. Whether I attain the goal via css only or via css and javascript both, the law goes satisfied.

    Or doesn’t it? Feel free to correct me, but not for the sake of it 🙂

    Though I understand this is not the appropriate forum, if you have a link where any text of such laws can be read, I think many could be interested. Though the fact a law is enacted in, say, Nebraska, doesn’t mean it has to be respected in Holland – WORLD wide web (which accounts for my grammatical mistakes: I am not an english native speaker).

    For instance aural sheets: I often wished I could use a bit of them, but what’s the point with the effort when you won’t see browsers around able to interpret them correctly?

    Whom will the law jail? IE? Me? You? Everybody?

    This is why it sounds a bit puzzling you see.

    Yet all this doesn’t erase the fact that we already have css, and that no one sponsors a world without css (although there has been even a time when there was not only no css, but even no internet, and the world just went on producing abominations and masterpieces as well lol).

    The issue is not css yes or css not. The issue is on whether we should reserve our refined critical capabilities to blame Microsoft only as we DO, whereas as herds of sheep we say "yessir" to the W3C whichever absurdity it implements. It seems we implicitly assume that what the W3C does, that is right because it implements a standard in the same line it makes a mistake. Forget the mistake, gulp the (flawed) standard. Say it tasted fine.

    So, we’re teaching our programmers to respect a rule simply because it has been made a rule with a tap of a selector on the shoulders.

    The W3C sets specifications where if you set the height of a layer and also declare its overflow property to ‘visible’, yet the height prevails.

    Why? Wrong rationale behind it, SHOULD have been the OTHER way round. BAD PICK lol 🙂

    If an overflow is openly stated as ":visible", Mozilla will show contents overflowing outside the container if they exceed the HEIGHT. That is, the overflow goes unnoticed.

    IE, on the contrary, STRETCHES the layer.

    IE is CORRECT, though the W3C might go differently. We cannot accuse Microsoft of standard lack of compliance even when it corrects a W3C bug – oops I forgot for a moment that only Microsoft engineers can produce bugs rofl.

    Observing the height and yet interpreting the specific & specified overflow command of a layer as a request to reproduce the DEFAULT behavior we ALREADY had, and therefore as an added license to span beyond the boundaries of the container, is equivalent to making the overflow instruction impotent and as if it weren’t: and yet it is.

    Omit the overflow statement in order not to stretch, rather than omitting the height in order to stretch: because it is the height that is made for its overflow specification, not the overflow specification for its height.

    Viceversa, makes NO sense.

    The W3C spec is wrong there. It is surprising that whereas we so eagerly allow blaming IE for whatever, we consider anathema blaming the W3C for clearly questionable specifications.

    Unless, as I said and that’s the point, it’s just a staged technique to take away market shares from IE exploited by third parties. A few guys will get the money (ours) while we will go on cheering for free.

    IE is good. If it doesn’t implement all css, who cares. Go validate Yahoo and get 301 w3c validation errors today: shall we jail them, or shall we go on using their services quite successfully as we always did with all browsers and OS?

    Demystify the W3C. It’s not G-d, though we may still make an idol of it.

    What fantasy shall our programmers nurture if they learn to worship statements just because they are turned official and they detect no longer those that have turned rotten, and if they learn to revere wrong solutions simply because they have been lent by an authority?

    They are cannon fodder for MORAL phishing.

    «Cerf said he often meets young people pursuing radical ideas in technology because "they don’t know you can’t do that, so they go and do it."

    "And there’s nothing more refreshing than that (can do) attitude," he said.»

    [Vinton Cerf]

    I won’t add more about this. I already wrote too much. But I want to defend IE for that good product that it IS. Css fixed layers are like heaven, they CAN wait.

  39. Anonymous says:

    What I’d like to see is the message "do you want to run ActiveX Controls" changed to tell you what control it is. Most of the time it is just Flash which I have intentionally installed, but the message is way too ambiguous considering all the things ActiveX Controls can do. Better yet, if I installed it then let me specify if I want to run or prompt separately from the world of unknown ActiveX Controls.

  40. Hoochie says:

    On lucky, IE is the most popular browser today,

    but not in the future.

    As we know, there are many great browsers that growing up today, such as Firefox, GreenBrowser, Maxthon and so on. These browsers have one common characteristic that is simply extended (not like IE, made a plug-in must by compiled language, such as C++, VB).

    So I think, why not write a engine which execute some plug-ins ware wrote by JS or DLL (just like GreenBrowser)?

    On lucky, I have written this kind of engine,

    it let you can write a plug by JS or DLL,

    and can also execute plug as you want (just config the runat event in the plugin.xml).

    plugin.xml’s format here:

        <?xml version="1.0" encoding="UTF-8" ?>
        <IEHelper version="1.0">
          <plugin id="com.jjsoft.splitFrames" enabled="true" name="split Frames Plug-in" runat="document_onload" version="0.1.0" provider="jjsoft">
            <runtime>
              <script language="javascript" src="common.js" />
            </runtime>
          </plugin>
        </IEHelper>

  41. Anonymous says:

    Ever since the first IE7 beta came out, I’ve been mystified by a security dialog that came up on my site, prompting me to approve or deny the installation of the Windows Media 6.4 Shim [screengrab, 32K PNG]. Today I…

  42. Anonymous says:

    Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft blames users for the Windows security nightmare, saying "there really is no patch for human stupidity." Nice one, Mike. Actually, Mike, there really is no patch

  43. Anonymous says:

    According to Microsoft’s IEBlog, IE7 is coming this month — Are you Ready? Most of the expected compatibility issues are in CSS filter hacks that will no longer work in IE7. However, in working with the IE 7 Release Candidate…

  44. Anonymous says:

    According to Microsoft’s IEBlog, IE7 is coming this month…Are you Ready?, with auto-update kicking in a few weeks after the download is made available. Most of the expected compatibility issues are in CSS filter hacks that will no longer work…