A quick blog from the floor of the Hack in the Box conference


Tony and Rob have just wrapped up their keynote here in Kuala Lumpur, and I wanted to make sure that the resources they talked about are listed here, both for the conference attendees who wanted to get to them and for everyone else who couldn’t be here today.

The talk spoke to how Microsoft’s Security Development Lifecycle (SDL) has influenced the development of IE 7. Specifically, and quite obviously if you’ve been reading this blog, IE 7 isn’t just about patching problems but about making deep architectural changes to provide defense in depth at every level of the browser.

Here are some of the resources that we mentioned for those interested in SDL or providing us feedback on our security plans:

Thanks to the organizers of the conference for having us. This keynote represents the first time the IE 7 team has given a talk at a software security conference and we hope it’s the first of many talks and opportunities we’ll have to engage with security researchers around the world.

-Christopher Vaughan

Edit: fixed formatting errors


Comments (53)

  1. Anonymous says:

    "Proof read"

  2. Anonymous says:

    What on earth happened with the RSS item for this post? Trust the IE team to pepper everything with font tags and make it all unreadable *rolls eyes*.

  3. Vasil Dinkov says:

    RE: Josh Street

    Yeah, thank God I use Opera for my feeds and it was able to parse the HTML.. 🙂

  4. Anonymous says:

    @Josh street

    Unreadable?

    I think this blog looks great using Sage in Firefox.

    Great work IE team. Wish I was an MSDN subscriber (won’t pay $500-800 USD just to test free beta stuff though) so I could try both IE 7 and WinFS. I love Monad so far.

    Windows Vista will probably be great with these extra apps.

  5. Anonymous says:

    @Lordmike: Yeah, at least in my feed reader (Liferea). They’ve stuck a fontsize=2 in there somewhere which makes it all… well… small. I think it uses some GTK HTML parser, and it’s fine for pretty much everything else, just this one post went funny. Bizarre 😛 (And yeah, I know, completely unrelated to Hack in the Box)

  6. Anonymous says:

    Heheh would be horrible to read it in a fontsize=2. That is, I wouldn’t be able to read it at all (almost blind without my glasses :P).

    Oh well, let’s hope it works better in the next post.

  7. Anonymous says:

    I don’t know what the fuss is about… looks fine in the IE7 RSS reader.

  8. Anonymous says:

    Ok… I didn’t think this was going to be a funny post, until I checked out the links. 😀

    Am I the only one that finds it extremely amusing that Microsoft is promoting/publishing books under MSPress on Security?!

    Writing secure code?!?!

    Threat Modeling!?!?

    I have to thank you though… now I have to take a 5 minute break, to wipe the coffee I splurted all over my monitor from laughing so hard…

    ——–

    On a more related note, I have THREE *NEW* issues with this Blog.

    1.) I’m not sure how your searching works, cause it doesn’t. Using the search box at the side of the screen, I can’t locate articles/comments, using EXACT phrases found in the articles/comments. (lemme provide a URL for ya: http://www.google.com/ <– these guys seem to have figured searching out. . . why don’t you ask them?

    2.) Comment drop dead dates?. . . When do they occur, as I was hoping to add to some previous threads, but the "Add Comment" link was gone.

    3.) Is there an editor, that will be revisiting this Blog, linking up the bugs/issues noted here, with their respective bug in the Wiki/Bug tracking system? E.g. If someone here mentions, that the window.prompt() dialog, a.) doesn’t support more than 2 lines of text. and b.)is awkwardly placed in the top-right of the screen, unlike ALL other message boxes. i.e. alert();, confirm();, find();

    It looks bad, that there are so many issues raised here, with no link, to when/if the bug will be fixed? in terms of release date, version, patch, OS, etc.

    so far, I’ve counted several dozen, long standing bugs in IE, that have yet to be "addressed" by MS, in terms of the public, and the web app developers finding out when they can expect these things fixed.

    I’ll be brutally honest here. If you provide a date, or at least acknowledgement, that an issue exists, your end-users and developers will be willing to give you the benefit of the doubt, and wait till they arrive. However, if you leave us in the dark, we will simply switch to a software company that does add the features we want, and fix the bugs we find. (I won’t link the Browser software I’m thinking about, but I’m sure you can guess)

    I have personally submitted dozens of bug/feature requests to (other Browser maker), since there is a forum available to do so, and gosh darnit, those issues get fixed, and the features get attention, and if deemed appropriate, get implemented. I couldn’t be more pleased, the results are amazing. I have dozens of bugs for IE, that I would love to submit, ****and track****, but there is nowhere to do it, so I don’t bother.

    Thanks (awaiting a MS response on this thread, this is VERY Important to your developer, and user community)

    Kal

  9. Anonymous says:

    I hate to sound biased but I’ve spent the past two hours with a Dell HD in a secure box of mine removing viruses that got on to a computer via AOL while running the last version of Norton.

    I think Microsoft needs to deal with Java security issues but I found several other unrelated viruses that got through via IE somehow. The people reported that their computer was fine until they tried to play games which only seemed to work in IE.

    I had just cleaned this system less than a week ago and already by getting in to these games they had over 200 pieces of spyware and 80 viruses.

    It’s time to kick ass and chew bubblegum, and I sure as hell hope you folks aren’t chewing any gum.

  10. Anonymous says:

    It was great to meet you guys when you guys were down at HITBSecConf 🙂 i got a question since IE is available for Mac OS X will it be available for the GNU/Linux Operating system as well ?

    P.S : Thanx tony for signin my phrack 63 🙂

    Prabu

    http://www.prabu.us

  12. Anonymous says:

    Dude, where’s the photos! 🙂

  13. Anonymous says:

    Xepol: Well the only tools I have so far is "Visual Basic 2005 Express Edition Beta 2" when using Monad. I’m not much of a developer, I mostly steal other peoples codes to test stuff. Coding has never been my thing (logic thinking that is :P), but it could be a good idea to try it out for a year.

    A lot of money for someone like me whom don’t develop anything for anyone though.

    The money would come from my own pockets and not some companies *sighs* oh well.

    IE team: Could you please update us every now and then regarding releases of IE betas and when IE 7 will be released?

    I have been reading on Paul Thurrott’s site for some time now and he seems to be able to get the dates (not sure if he is right though).

    Thanks for the info, might give it a try next year. 🙂

  14. Anonymous says:

    "since IE is available for Mac OS X will it be available for the GNU/Linux Operating system as well?"

    Why would you ask such a thing?! Why would anyone want IE on Gnu or linux?

    In fact why would you want it at all?

  15. Anonymous says:

    Hey guys, just a quick note to thank the IE team for coming down to KL. It was really REALLY great meeting up with all of you and I hope that you enjoyed yourselves at our event. Anyway, since Jim asked; the photos from the event have just been released 🙂 I’m pleased to say the atmosphere was well captured; even the post conference party!

    http://photos.hackinthebox.org

    Cheers,

    LD.

  16. Anonymous says:

    " IE7 is not and will not be available on OSX. Macintosh development of IE ended some time ago."

    Thank you.

  17. Anonymous says:

    "* IE 7 is holding on to broken architecture(ActiveX). "

    Wrong. Activex is a very powerful tool, and without it, the internet wouldn’t be as interesting. It’s not IE’s fault that some activex controls (mostly written by 3rd parties) were written without security in mind.

    "* IE 7 has not dealt with long standing security bugs."

    You have obviously not spent any time in computer security, otherwise, you would not be saying such things.

    "* IE 7 has not dealt with long standing markup bugs."

    Wrong again. IE7 BETA 1 (with emphasis on beta 1) didn’t deal with long standing markup bugs. If you would read some of the previous posts made by the fantastic IE team, you would realize that many of the rendering complaints are being resolved.

    "* IE 7 has a bizarre tabs/menu/button GUI implementation."

    I personally disagree. In my opinion, the GUI in IE7 slightly surpasses Firefox, and it definitely kicks the crap out of Opera and Netscape.

    * IE 7 is too little, too late.

    Compare and contrast IE7 with firefox for a second. Look at all the tiny little details of both browsers. If you do, you will see that IE has way more features than Firefox (at least the most useful ones, skinning doesn’t count).

    The most important point in my opinion is security. I have been on the front lines of software security, especially Internet Explorer and Firefox. I can honestly say that even though I found more vulns in Internet Explorer than Firefox, this was over a period of about a year. In about 2 weeks, I found about half as many vulns in Firefox as I had in a year’s worth of Internet Explorer security research, and let me tell you they were a lot easier to find and exploit than IE’s bugs.

  18. Anonymous says:

    "Wrong. Activex is a very powerful tool, and without it, the internet wouldn’t be as interesting. It’s not IE’s fault that some activex controls (mostly written by 3rd parties) were written without security in mind."

    Wouldn’t be as interesting as what? What does Active-x even do to make things interesting? I don’t think I’ve ever used it/had a use for it.

    "Wrong again. IE7 BETA 1 (with emphasis on beta 1) didn’t deal with long standing markup bugs. If you would read some of the previous posts made by the fantastic IE team, you would realize that many of the rendering complaints are being resolved."

    So what about IE6 and the fact that it will be around for at least 5 more years with NO rendering updates?

    "I personally disagree. In my opinion, the GUI in IE7 slightly surpasses Firefox, and it definitely kicks the crap out of Opera and Netscape."

    It’s the most non-user friendly interface I’ve ever used before. You can’t tell me that having the "go", "stop" and "refresh" buttons on top of each other is good design.

    And what’s with window menu being on the bottom of the toolbar? I don’t want it there, because in every other program on windows it’s at the top.

    "Compare and contrast IE7 with firefox for a second. Look at all the tiny little details of both browsers. If you do, you will see that IE has way more features than Firefox"

    I laughed at this. 😀

    "The most important point in my opinion is security."

    That’s one reason why I use Firefox.

  19. Anonymous says:

    Ron, I don’t want this to turn into a flame war, but you seriously need to get a life. If your blind hatred of Microsoft is going to rule your existence as it apparently does, why do you constantly come to the ieblog website to piss on the pro-IE guys’ parade? I mean, shouldn’t you be off with your OSS buddies on the mozilla forum agreeing with each other about how much "M$ sux" and "bill gates is big brother"? IEBlog is a place for people to learn about the new features in Internet Explorer, not a battlefield for the browser wars. These guys intended IEBlog to be a place for suggestions and constructive criticism, not "FF pwns j00" comments.

    Why don’t I go on the linux forums and post about how much opensource software sucks? Because I don’t care what you guys think, it’s not like I’m going to be changing the minds of such stubborn individuals any time soon.

    I’ll tell you what, you are just wasting your time when you come to this blog and start bashing the IE team. No one who reads this blog is going to pay any attention to someone like you, so do everyone a favor and leave, for good.

  20. Anonymous says:

    The conference materials have been released.

  21. Anonymous says:

    Firefox isn’t going to get wiped out by IE7. Nor will Firefox stop IE7 from going out to a hundred million machines in short order.

    With many hundreds of millions of folks on the Internet, there’s room for more than one or even two browsers. Healthy competition is good for everybody.

    Vendor-patriotism isn’t really needed.

  22. Anonymous says:

    Woah, settle down Paul. I was merely disagreeing with your points, just as you disagreed with whoever called themselves "sigh".

    I post on this blog because I want MS to improve their product, not just to bash it. I want IE to be the best browser out there because all of my clients use it, and if the software is up to scratch then my job as a Web Designer is easier and more rewarding.

    I make criticisms in the hope that the IE team will listen and improve their software. I’m over the moon that IE7 is going to support more standards and even the "not-yet-standards", but at the same time I’m gutted that IE6 will remain the same.

    I’m not a fanboy either, I’m just passionate.

    I deal with IE6 every day. (emphasis on "deal")

  23. Anonymous says:

    Well… I agree that these comments are of no use for anybody. I personally currently use Firefox but I do not smash Internet Explorer in the corner calling it a bad browser.

    There are things I do not like about it.. an example is the following: too many people use it, therefore many web pages have code errors and they rely on IE’s behaviour to fix malicious HTML code. Many other browsers therefore have problems to fix this as they are based on different rendering engines. I do not want that from now to tomorrow all web pages are 100% W3C valid but web developers should at least try to use correct HTML markup as good as they can. Then all (modern) browsers would be able to show it properly.

    Personally, the current design of the IE 7 Beta (I am just talking about screenshots I am no beta tester) was quite confusing. I for myself did not really like it so far. The title bar should be at the top in my eyes and I missed certain toolbar buttons. But guys: IT’S A BETA, A BETA.. it could still change. Have you used Firefox 1.5 beta… I did.. it crashed several times – but that’s OK in my eyes.

    ActiveX is not a bad development. It unfortunately allows high access to the user’s computer (see Windows Update which totally updates your user software). And the main security problem for ActiveX are the users. They look and click "Yes, install" without even reading what they are doing. And, 2 seconds later they have successfully installed an ActiveX control which lowered the security of their PC. I personally don’t use ActiveX on web pages; simply because I do not like the fact that only IE supports it and web pages should be readable on all modern browsers (if possible even cell phones as they nowadays support real HTML).

    For IE7: I was quite happy to hear that many fixes to standard compliance were done. The only downside in my eyes is that IE7 only supports Windows XP SP2, Win2003 SP1 and Windows Vista. Therefore, even with IE7 released there will still be many users using IE6 (I still know many who: use Windows 98/2K/ME… do not want to upgrade their XP to SP2). Therefore I still see myself forced to test web pages in both IE6 and IE7 (the only thing I’ll probably do is make use of Alpha channel PNG files; if done right the Alpha channel background will still look OK on IE6).

    Last thing about security: yes, IE is known to be insecure. But that’s not reality. Just the fact that Firefox is widely spread, people now even check for bugs in that software. In fact: they could even search the source for bugs and exploits. As Firefox is new, they of course find more exploits than in the now 5 year old Internet Explorer. Symantec said the same. However, Symantec also said that the Open Source developers close security holes much faster than Microsoft who normally does a monthly update (so in special cases a security hole might be up to 4 weeks old until it is fixed – this should change in my eyes). The only real downside for Firefox: modem or ISDN users always have to wait for several minutes as Firefox doesn’t have incremental updates so far (this will probably change with Firefox 1.5). So: keep your browsers up to date (IE and ANY OTHER BROWSERS) and security shouldn’t be too much of an issue.

    Result: I am looking forward to IE7. As far as I understood that Beta 2 will be open and also available in my personal language (German). I will test it then. Smashing browsers in the corner just for useless reasons is unfair for Microsoft as well as for Mozilla. All browsers have their advantages and disadvantages. IE6 might be slightly outdated and it has still no support for several features; BUT THIS DOESN’T MAKE IT A BAD BROWSER. Look at Firefox: it might have a better code parser but it still lacks standards IE supports and Firefox does not like the soft hyphen (&shy;) or ruby (although I do not know why IE supports this.. ruby is an XHTML 1.1 tag, XHTML 1.1 should be sent using application/xhtml+xml that IE doesn’t support – anyway, Firefox doesn’t support it at all). And there are other examples. But this doesn’t make Firefox a bad browser.

    All browsers are not perfect. Look at IE6.. look at Opera (I also have it).. Look at Firefox. But because of not being perfect, they are not bad!

  24. Anonymous says:

    Nice post Link, I agree with just about everything you’ve covered. Except I still think IE6 is a bad browser (mainly because of the lack of some particular CSS support, I’m getting tired of saying that).

    Also, you say "these comments are of no use for anybody". But later on you say "IT’S A BETA, A BETA.. it could still change."

    That’s exactly why it’s important to pump out the suggestions/crits before it’s too late. The IE team also asks for feedback, and that’s what they’re getting.

    I tried the IE7 beta and you’re absolutely correct about the interface being confusing. You should have seen my colleague use it for the first time.

    Now, when can we see some new blog updates? It’s evident that everyone’s getting a bit restless (or maybe it’s just me).

  25. Xepol says:

    "Wouldn’t be as interesting as what? What does Active-x even do to make things interesting? I don’t think I’ve ever used it/had a use for it. "

    ActiveX is simply MS’s standardized plugin infrastructure. If you find plugins objectionable, blame Netscape, since they had plugs for extra content long before MS. The presence of plugin infrastructure allows previously unimagined content to be served. Flash, Shockwave, VRML, embedded video are all prime examples for BOTH companies. IS the Firefox implementation more secure? No. Once code is running on your machine, it is on your machine. If you have trusted poorly, you are still screwed. Firefox isn’t more secure, it just has not been exploited as actively yet (and it has been exploited at a growing rate)

    "So what about IE6 and the fact that it will be around for at least 5 more years with NO rendering updates? "

    I’m still dealing with people using Netscape 4.71. It sucks, but that is life.

    "It’s the most non-user friendly interface I’ve ever used before. You can’t tell me that having the "go", "stop" and "refresh" buttons on top of each other is good design. "

    Actually, since the go, stop and refresh actions are mutually exclusive, this made perfect sense to me.

    "And what’s with window menu being on the bottom of the toolbar? I don’t want it there, because in every other program on windows it’s at the top. "

    At first the position of the menu bar seriously annoyed me, but once I realized that what IS at the top of the screen is the part of the UI I use 98% of the time, it started to make a LOT more sense to me.

    ""The most important point in my opinion is security."

    That’s one reason why I use Firefox. "

    The marketing about Firefox is that it is secure. Ask the Firefox dev team if they think so? Ask CERT, which has more critical flaws for Firefox over the past year if they think it was designed more securely. Sadly, you have bought into the marketing, and as we all know – marketers distort truth when they are not outright lying. Firefox has MORE than its fair share of security flaws. History has proven that the more people who use a system, the more people there are who try to exploit the system. Imagine, if FireFox is already leading for critical flaws how much worse it would be if they had 10x the market they have now? Face it, Firefox has its fair share of blemishes.

    No matter how well designed an application is, if it has more functionality than Hello World, chances are some user is going to find a way to do something the developers never expected. The more people doing this, the more likely it is that something serious is going to crop up. It is just a basic numbers game. If you want to test this theory yourself, write a list of instructions for how to change the oil on a car and watch how many people STILL manage to get something wrong following your instructions. I was originally going to suggest changing the blade on a lawnmower, but the numbers of people who injure themselves performing that simple operation is already shockingly high.

    Now imagine a list of instructions a billion items long. Just a numbers game.

  26. Xepol says:

    Ron –

    Keep surfing with Firefox, you’ll eventually get something you didn’t ask for. Others already have. Actually, in your case, I would say that the chances are actually fairly low, after all you said :

    "And the thing that separates IE’s plugins/extensions from Mozilla’s is that Mozilla hosts their own extensions, therefore eliminating most of the risk."

    Which means that you are VERY choosy about where you let your extensions run from. Mozilla is not the only source for extensions, just a moderately reliable source. By choosing to accept extensions from them you show that you are exercising some judgement (in this case, you are deciding to let others do your deciding). Irregardless, most people lack this good judgement and click OK whenever they see it. This is the type of judgement that leads to most wild viral outbreaks.

    Sure, there are exploits that manage to run on their own, but the attack surface for those exploits are decreasing by the day (both for IE and firefox). No, most of those problems continue to attack the weakest component in the link – the person at the keyboard. Since we can’t design a smarter human, we’ll never be able to completely account for it.

    Even anti-phishing methods like IE and others require that some people fall for the phishing scam before they can be blocked out for everyone else. In fact, they require that YOU fall for the phishing before they even activate.

    Using that same good judgement that you used, the same good judgement that MS has always advocated – only accepting code from a trusted source, I have never gotten any exploits through IE. If everyone I knew had the same good sense, I would lose all my extra pocket money cleaning up their machines.

    Before we blame the technology for everything, perhaps we should take a long look at how people use or misuse their machines? After all, the only truly secure computer is unplugged from everything.

  27. Anonymous says:

    See http://TheFuturum.com – you can send message to eternity there.

  28. Anonymous says:

    Hi Christopher, It was great catching up with you after my presentation at Ruxcon, I hope you also enjoyed it. Apologies for not being able to hang around for too long afterwards, I was in a rush to get to the airport. If you are back in the US now, have a look at some of the emails I have sent you (I hope you are getting them). I have some interesting ideas that I would like to speak to you about – look forward to hearing from you again. Cheers.

  29. Anonymous says:

    I have to say, I’m a little curious regarding your progress when it comes to integrating your authentication technology (InfoCard) into IE 7, as well as any news on how discussions are going with Firefox and Safari in getting them to adopt the tech.

    It’s just I was reading an article on the subject: http://www.pcworld.idg.com.au/index.php/id;2112242001;fp;2;fpid;1, which said that while infocard was not on IE 7.0’s feature list, it may well end up being included and that you guys were in talks with the other major browsers to see if they were interested in adopting it as a standard technology.

    This, according to ‘experts’ "can only help" when it comes to security, so I think it’s definitely something worth pursuing.

    P.S. This is only my second blog (my first being the one above), so my point there is that if I’ve made a fool of myself in either, please be kind!

  30. Anonymous says:

    I definitely agree with the calls (and there have at least been a couple here so far), for some new blog updates from the IE team, as it’s been a good ten days since this one got put up. Come on guys, don’t tell me you’ve run out of stuff to talk to us about?….

  31. Anonymous says:

    The person who calls themselves "* sign *", you are terribly wrong. Perhaps the non-technical people at Microsoft are only interested in making money, but if you know as many developers as I do, you’d realize that all they’re interested in is making the coolest, greatest program in existence. That’s what drives the IE team forward, not adding the least possible amount of features to their software as possible while still holding onto a relatively large userbase. Developers aren’t making insanely big bags of money, so their payback is knowing they contributed to a really awesome piece of software.

  32. Anonymous says:

    Paul (greyhats) wrote:

    "You have obviously not spent any time in computer security, otherwise, you would not be saying such things.

    I have been on the front lines of software security, especially Internet Explorer and Firefox. "

    I have been working with computers since the Carter Administration. What kind of security professional puts confidential information on a public server?

    Stop drinking the kool-aid. Firefox is not going away, and the points I made are valid. I won’t quibble the minutia. Microsoft is releasing IE7 as a business move. Only features/architecture/bugs deemed relevant to their interests will be addressed. That’s business 101.

    Customers will choose what fits "their" needs.

  33. Anonymous says:

    I know that Firefox isn’t more secure than everything else, but the last time I got spyware/adware was when I was browsing innocently with IE6. I still haven’t had any viruses, adware or spyware since I started using Firefox, therefore I will continue using it until I get something I didn’t ask for.

    If you’re still designing for Netscape 4x then that’s your choice, but IE still has about 90%+ more market share.

    And the thing that separates IE’s plugins/extensions from Mozilla’s is that Mozilla hosts their own extensions, therefore eliminating most of the risk.

    For the record, I am actually hoping IE7 regains IE’s lost market share. As long as standards support is improved then I’m a happy chappy.

  34. Anonymous says:

    milki wrote:

    "With IE 7 Firefox will disappear."

    * IE 7 will only run on a subset of Windows versions and will ignore Mac, Unix, Linux.

    * IE 7 is holding on to broken architecture(ActiveX).

    * IE 7 has not dealt with long standing security bugs.

    * IE 7 has not dealt with long standing markup bugs.

    * IE 7 has a bizarre tabs/menu/button GUI implementation.

    * IE 7 is too little, too late.

  35. Anonymous says:

    With IE 7 Firefox will disappear.

    I found an addon for Mouse Gestures in IE.

    But can someone tell me if there are some things like the AdBlock Extension and the Customize Google extension for Firefox.

    Thank You

    You Can email me these requests at

    cricketmilki@yahoo.com

  36. Xepol says:

    LordMike : There is (was?) an OS version only subscription for MSDN. It would be worth finding out if it qualifies for the IE betas.

    Certainly, if you don’t need developer tools, but need access to just the OS stuff, it has a certain appeal.

    Who knows, maybe TechNet Plus might even be more appropriate (again, you’ll have to check, I’m not sure if they get the IE beta, but I would think that they should, since the IE beta is aimed at IT people, and TechNet is FOR IT people)

    And ya, my subscription costs come out of my pocket too – it can hurt just a little. Better than the 4g only option MS used to have though.

  37. Anonymous says:

    IE7 is not and will not be available on OSX. Macintosh development of IE ended some time ago.

  38. PatriotB says:

    "Am I the only one that finds it extremely amusing that Microsoft is promoting/publishing books under MSPress on Security?!

    Writing secure code?!?!

    Threat Modeling!?!?"

    I think you are.

    The authors of these books (e.g. Michael Howard) know their stuff. The purpose of the books is to help other people learn this stuff. I’m pretty sure that "Writing Secure Code" is required reading for new Microsoft developers.

    Regarding the "other browser" you mention… how many of those who contribute to the code base are educated about how to write secure code? How many of the new features undergo thorough threat modelling before being developed?

  39. Xepol says:

    IE TEAM : Please make DOWNLOADING (anything other than text files, html, and image files) a privileged operation requiring a password. If you do that, my kids won’t be able to destroy machines with stupid downloads – the biggest security hole of all.

    Lordmike : MSDN Pro subscription comes with developer tools, 10 licenses for each OS for yourself, Virtual PC, and a myriad of other applications. It is not just about access to betas (which is pretty sweet). Personally, I have found it to be an excellent investment. Higher subscriptions cost more and come with even more bells and whistles.

  40. hAl says:

    Now that the hackers have previewed IE 7 beta 2 could you announce a public beta date ?

  41. Anonymous says:

    Beta 2 will be out 7th December. This might change, because IE 7 was supposed to be released this year, but is now moved to March 2006.

  42. Anonymous says:

    When will Beta 2 be ready? Beta 1 wasn’t even worthy of being called "beta".

  43. Anonymous says:

    I’m glad the IE team is doing heavy work on security. Since it’s a popular target of criminals, my organization has decreed that we will stop using IE in some sensitive areas. I approve of their caution.

    Perhaps when IE gets locked down properly, and loses the reputation as a vulnerability, such measures will be unneeded.

    Don’t get discouraged. Keep working on it.

    thanks

    David

  44. Anonymous says:

    I know this isn’t the appropriate blog to ask this question but anyways :

    will the ‘Image toolbar’ be re-available in Beta 2 when it is released. The options are still within the settings in Beta 1 – image resizing still functions but the image toolbar doesn’t display (unless I’m doing something wrong ?)

    Thanks

  45. IEBlog says:

    Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact).
