Real-World Protection With IE8’s SmartScreen Filter™


Back in March, I posted a note to the IEBlog when the pre-release version of IE8’s SmartScreen Filter had delivered its 10 millionth malware block. Today, I’m happy to report that IE8’s SmartScreen Filter has delivered more than 70 million blocks in the first four months since IE8’s official release, for a cumulative total of 80 million blocks. These numbers are a strong indication both of the value of the protection SmartScreen provides and of just how widespread socially engineered malware attacks are on the web today.

While we were proud of the work that went into SmartScreen leading up to IE8’s release, we knew that it was only the beginning of our efforts. Microsoft’s commitment to Trustworthy Browsing didn’t end when we signed off on the final IE8 code; the reputation services behind SmartScreen represent an ongoing investment that we strive to improve every day.

Eighty million blocks is an incredible number of attacks thwarted; each malicious download blocked helps prevent compromise of that user’s computer. The other key numbers that I announced in March are holding strong, even with a rapidly expanding user base:

  • IE8 is delivering a malware block for approximately 1 out of 40 users every week
  • Approximately 1 of every 200 downloads is blocked as malicious

If you’re not running IE8’s SmartScreen Filter, I believe you are missing a key piece of protection to help ensure your safety on the Internet. IE8 users can confirm that SmartScreen is enabled by clicking the Safety button on the command bar (it appears as an icon without a label if the command bar is in Show Only Icons mode) and examining the SmartScreen Filter submenu. If a “Turn on SmartScreen Filter” item is present, protection is currently off; click it to enable protection.

Malware Block Effectiveness

Heading into the launch of IE8, the engineering team commissioned an independent study of SmartScreen Filter by NSS Labs.  Our objective was to gather an accurate and independent baseline measurement of SmartScreen’s protection against socially engineered malware attacks.  That baseline, run against the IE8 Release Candidate, allows us to validate our investments in improved intelligence and technology. Since then, we’ve made major investments in malware intelligence and rapid response systems to provide an ever-increasing level of protection for users.

NSS Labs has just completed a second round of studies on socially engineered malware attacks, and I’m happy to share the results. In this latest test pass, NSS found a 12% improvement in SmartScreen’s protection levels. Here’s the data from NSS Labs on the malware block rate for major browsers:

[Table image: Mean Block Rate, Socially Engineered Malware (NSS Labs)]

Microsoft’s reputation services team has other significant investments staged to launch in the next quarter, so I expect even better results in the near future.

Phishing Block Effectiveness

We’ve spent quite a bit of time talking about the socially engineered malware threat because it is currently the biggest problem users face.  However, phishing remains a prevalent and important threat to users as well.  We’re continuously making improvements to our data sources and intelligence systems that deliver phishing protection.  This continuous investment keeps IE in the market-leading position it established with the release of the Phishing Filter in IE7. Since then, Internet Explorer 7 and 8 have blocked over 125 million phishing attacks.

The newest NSS study included a test pass for phishing blocks. NSS Labs reported the following block rate for major browsers:

[Table image: Mean Block Rate for Phishing (NSS Labs)]

You can view the full NSS study at http://nsslabs.com/browser-security.

I hope that the internal data I’ve shared today and the results of the NSS testing are a clear indicator of our commitment to Trustworthy Browsing, and our ongoing execution against that promise.

Thanks,
-Eric Lawrence

Comments (155)

  1. Anonymous says:

    Google is hard at work with Chrome 3.0 and Chrome 4.0.

    http://googlechromereleases.blogspot.com/2009/08/dev-channel-update_17.html

    Mozilla is working on Firefox(Namoroka) 3.6 and 3.7 pre-alpha.

    Microsoft is busy FUDing and EEE (Embrace, Extend, Extinguish) with sponsored lies together with NSS, and Amy Barzdukas can’t count if she has to come up with "interesting math".

  2. Anonymous says:

    He Micro.$.uck.. why don’t you do a fail chart representing corporate and user intelligence failure…

    I’m sure you could have your sh|t browser at the top of those results easily 😛

    though you could collect IE6 results and sum it up as – IT admin retards.

    P.S. all your Explorer suks A S S!

  3. Anonymous says:

    http://code.google.com/p/svgweb/

    http://www.youtube.com/watch?v=ctuUrvReOIQ&fmt=18

    Sad yet ironic, Google has to fix things because MS developers are lazy as hell.

  4. Anonymous says:

    good information,good post.

    domain names for sale: http://www.domainbargaindeal.com/

  5. Anonymous says:

    I observed the graph and it’s true… The IE is leading on its way.. As what I am using right now..

  6. Anonymous says:

    That smartfilter has done nothing good for me.

  7. Saqib Ali says:

    Kudos to IE 8 Team! Awesome job. 🙂 I am exclusively using IE8 on my Win 7 machine.

    One thing I would like to suggest is that since the Time To Live for Socially Engineered Malware is very low, it would be prudent to improve the Average Response Time To Block Malware in IE.

  8. please dont says:

    Please don’t take screenshots when you have FuzzyType[TM] enabled in Windows or IE.

    Just viewing the pictures hurts my eyes. More importantly do NOT scale images in HTML. We all know that it ruins images.

  9. Jorge says:

    @dont,

    ClearType you mean? I love it, and I use it even in Windows XP (which by the way I detest, I prefer Windows Vista or Windows 7 :D), and it’s great to see it by default in Office 2007 and IE7 & IE8 😉

    Anyway, really great job IE team! It’s nice to see these results, but for some reasons I like Firefox as well, and I’ll keep both of them in my machine 😉

  10. punkcoder says:

    Couldn’t some of this data show that Windows IE users are more susceptible to Malware and Phishing attacks (i.e. they’re stupid enough to click on the Bank of America e-mail asking for personal info), compared to users of Firefox and Safari, and other browsers.  Most users of the other browsers actually think the internet is something other than the blue ‘e’ on the desktop and may be smart enough not to click on the links that lead to the high numbers of blocks you are getting.  Just a thought.  It’s still good to know that your new browser is keeping the idiots at bay.

  11. Phil says:

    @Punk: No, that’s not what the competitive shows at all. Read the report. They’re not comparing their 205M blocks to the competitor’s number of blocks. That study doesn’t try to determine which users try to download what– it objectively compares, for a given set of attacks, which browsers block those attacks and which do not.

  12. paf says:

    What is "socially engineered malware"?

  13. IErox says:

    @paf

    You click a fake bank of america email asking you to click the provided link to the BoA (fake) site in order to claim your $25 bonus. You click it, you give your id and passwords and basically say tata to the money in it (cause now the creator of the fake website has it).

    That’s an example of "social engineering" for you.

  14. Franco says:

    @paf

    you visit a dangerous site hosting malware => SmartScreen filter will block it for you.

  15. paf says:

    So "socially engineered malware" is basically phishing, which all browsers protect against? Why use a different term? That’s just silly.

  16. walt says:

    @paf – exactly! but that’s how microsoft operates.

    JavaScript? – nah we’ll call it JScript in social conversations just to confuse people

    Phishing? – nah we’ll call it socially engineered malware (for the record engineers everywhere are cringing at the use of the word engineer in this context)

    Internet Explorer? – nah we’ll call it Windows Internet Explorer and see if we can get that to catch on and maybe that will help us win back sales from Apple

    Plays For Sure? – nah we’ll make a crippling DRM mechanism that stops you from playing songs and video on tons of devices and brand it with the oxymoron "Plays For Sure[TM]"

    Microsoft Works? – yeah, not so much

    Tab Browsing? – nah, users don’t want it… wait, Firefox is killing us, we need tabs!… ship IE7… whoah! why are the tabs all messed up? they open in the wrong order… when they finally open… ship IE8 now the tabs are still in the wrong order, but now they are colored! but they all still say "Connecting…"

    OGG Format? – nah why would we support an awesome audio/video format like that on the Zune? – oh wait yeah we wouldn’t because our motto is to ensure that all technology has gates.

  17. EricLaw [MSFT] says:

    No, socially engineered malware is not phishing, although they are both “social engineering” attacks that rely on tricking the user.

    Phishing email: “Hi, I’m your bank. Please type your secret info into this page.”

    Socially-Engineered malware site: “Hi. This is a cool game/screensaver/program. Download and install it. We promise you’ll like it.”

    As the first chart in the report shows, IE8 is very effective at blocking socially-engineered malware. Other browsers are much less effective at blocking malware than they are at blocking phishing sites.

  18. William says:

    Dear Sir,

    IE 7/8 on Vista/Windows 2008 dies when opening the pages below:

    http://www.jazan.org/vb/showthread.php?t=146570

    http://www.aldair.net/forum/showthread.php?t=81162

    but it works with IE 7/8 on Windows XP, Firefox and Google Chrome

    It seems that IE on Vista cannot process large blocks of text in a web page.

    If I save the pages and remove some text then open it in IE, it works.

    How do I get IE to work with the above pages?

    thanks,

    William

  19. Olivier says:

    @walt : you’re just wrong in every way.

    Javascript/Jscript : everybody knows it’s the same. But why does nobody call it… maybe something like Ecmascript? Javascript has always confused everybody because it contains "java" in its name and it was called this way by Netscape when java was a "hot" language.

    socially engineered… it’s the real word, not an invention by Microsoft. So they’re using the proper word. And about your engineers, they should go back to school and study a bit more…

    Tab browsing… yeah, and while you’re at it, why not say it was Mozilla/Firefox who invented that?

  20. Evan says:

    @Oliver: No need to be an MS Fanboy here.  We all have issues with Microsoft’s lack of transparency and this is just one more case.

    Did Firefox invent tabs? no. but they did make the first browser to compete directly against IE with a great addon infrastructure, and tabs, and security, and ease of use… and stole a big chunk of market share from IE.  Better yet, they now have a browser that not only IS much better than IE, but is actually preferred over IE by almost all that try it out.

    My Mom doesn’t understand much about the InterWeb but she knows what a JavaScript error is.  She doesn’t have a clue what JScript is – and that’s good – because it doesn’t matter.

    When we talk about JavaScript, we all know what we are talking about. Calling it JScript just confuses people unless you are specifically talking about how IE doesn’t support things properly.

  21. Paid says:

    Microsoft paid NSS to do this study, you can’t take it for what it’s worth, obviously NSS will pad up the results so it looks good for MS.

    In the real world, try surfing with IE and see if you don’t get nailed by various malware. As long as ActiveX is in IE, it’s easy pickings.

  22. Fred says:

    Paid: Go troll elsewhere. You don’t understand what you’re talking about.

  23. EricLaw [MSFT] says:

    @William: Your page works fine for me in IE8. Do you have an addon which crawls the page (e.g. Skype) installed?  If so, that might explain the hang on your computer.  Please see http://www.enhanceie.com/ie/troubleshoot.asp#crash for more troubleshooting info.

    @Evan: Describing "socially engineered malware" as "socially engineered malware" does not reflect any lack of transparency. As noted previously, this is different than phishing and thus is rightly distinguished from phishing.

  24. Olivier says:

    @Evan : I’m not a MS fanboy, I just don’t like when people invent stuff just because "it’s cool to bash Microsoft".

    You’re very right, this blog and others Microsoft’s blogs show Microsoft’s lack of transparency…

    You can’t say Firefox is a good browser : it’s slow, it’s full of memory leaks (well 3.6 may be better, we’ll see when it gets final).

    Even the Mozilla guys admit it and they have a lot of stupid ideas to make their browser "feel faster" (not "faster", just "feeling faster"…).

    They even want to preload stuff when the OS load, so they’ll say "Firefox loads very fast", and later they’ll bash "look how slow Windows is"…

    And it’s coming directly from Mozilla wiki : https://wiki.mozilla.org/Perceived_Performance

    My parents don’t care about javascript errors, they just don’t see them. I don’t understand why normal users should care about these errors.

    And IE doesn’t support javascript/jscript properly ? Yes, as if other browsers didn’t have their own problems too (ex : JSON.stringify() : Firefox doesn’t properly encode characters while IE encodes everything as required).

  25. Paid says:

    Fred, IE fanboi much? You obviously don’t even know what you’re talking about.

  26. Cezille says:

    Internet Explorer 8 is working very fine on my new computer. IE8 is the number one browser for me.

  27. Wuuuut says:

    Look at this text from the study, a failure is not an INSTALLED malware but a DOWNLOADED malware. My browser is not an AntiVirus, and it’s better like this.

    5.5.1 SCORING & RECORDING THE RESULTS

    The resulting response is recorded as either “Allowed” or “Blocked and Warned.”

    • Success: NSS Labs defines “success” based upon a web browser successfully preventing malware from being downloaded, and correctly issuing a warning.

    • Failure: NSS Labs defines a “failure” based upon a web browser failing to prevent the malware from being downloaded and failing to issue a warning.

  28. Snap Snap says:

    WTF, Microsoft is CENSORING comments that are exposing them?

  29. Wuuuuuuut says:

    So yes.

    Another dishonest NSS Labs report.

    Remember how they were busted last time? Their claims were blown out of the water.

    For example, they claimed that Opera updated itself, BUT OPERA 9 DOES NOT HAVE AUTOMATIC UPDATES, that’s only in version 10!

    NSS Labs were caught red-handed manipulating statistics and lying.

    Obviously Microsoft is going to continue to pay NSS Labs to lie for them.

    Pathetic.

  30. heh says:

    @Olivier

    Wow, shill much?

    # You can’t say Firefox is a good browser :

    # it’s slow, it’s full of memory leaks (well

    # 3.6 may be better, we’ll see when it’s get

    # final).

    Firefox is faster than IE at everything.

    # They even want to preload stuff when the OS

    # load, so they’ll say "Firefox loads very

    # fast", and later they’ll bash "look how slow

    # Windows is"…

    Wait, so you are saying that they want to do the same thing IE does, namely preloading with Windows?

    Why are you whining that Mozilla wants to do it when Microsoft is doing it already with IE? Pathetic.

    # My parents don’t care about javascript

    # errors, they just don’t see them. I don’t

    # understand why normal users should care

    # about this errors.

    Who said they should?

  31. EricLaw [MSFT] says:

    @Snapx2: Rules for comments are here: http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx

    @Wuuuuuuut: I’m not sure what "My browser is not an AntiVirus, and it’s better like this" means? Viruses and malware are different things.

    The point of a browser-based anti-malware feature is to prevent the user from downloading malware, which is obviously one of the best ways to prevent installation of malware.

    The TechHerald site complains that the testing only accounts for the protections provided by the browser, and not by plugins that a small percentage of users may choose to find and install. The fact that the NSS Labs test design was to test the browser and not other products was in no way unclear or ambiguous in the reporting results.

    The results show that, by default, IE8 users have the best protection with "no assembly required."

  32. Kai says:

    I trust this report. Congrats to the IE team 🙂

    "Microsoft paid NSS to do this study, you can’t take it for whats it worth, obviously NSS will pad up the results so it looks good for MS."

    Apple made the Sunspider javascript benchmark, so the same logic can be applied in this case, yet many people use it to assess a browser’s javascript performance.

    "In the real world, try surfing with IE and see if you don’t get nailed by various malware. As long as ActiveX is in IE, it’s easy pickings."

    Actually, I’ve been testing MSE lately by sandboxing several browsers (IE, Firefox, Opera and Chrome) and visiting malicious links pointing to all kind of nasty malware, and IE8 was the most effective in terms of security because not only did it block the malicious websites but also the downloads containing malware.

    I don’t like the whole ActiveX thing, though 🙂

  33. hAl says:

    @Wuuuut

    Your link goes to a blogger who thinks that tests with 500 unique kinds of malware attacks are not statistically useful to show browser security.

    However that is actually a big sample of unique malware samples to test the browser against. Also he thinks that addons should be counted as well. That actually confirms that the other browsers are not so safe against these attacks out of the box.

    And finally he thinks the test in the first quarter was unfair to Safari, who released a newer version in February, but the above article is about a new second quarter test and in it the new version of Safari is used and it scores poorly as well.

    Your link exposes nothing but rather confirms the validity of the results of the NSS labs test.

  34. hAl says:

    Also valuable information for companies who by definition do not want their employees to surf to possible malware attack sites.

  35. Kai says:

    @Wuuuut: I haven’t read the article your link is pointing to, but I can tell you by first hand experience that EricLaw is right: a layered protection is the best way to prevent infection. Go to any serious security forum and many people will agree with me.

    As I said in my previous post, I’ve been testing a lot of malware lately (I can’t share the links for security reasons, google for info if you’re interested) and sometimes the malware is so new (or when it’s a rogue, adware, etc.) that no antivirus can detect it. That’s when a layered defense comes in handy. In my own tests, IE’s Smartscreen managed to block quite a lot of malicious downloads, whereas Firefox and other browsers only warned me about the malicious websites but didn’t block the actual downloads; so if I had executed the downloaded files, my pc would have got infected.

  36. Olivier says:

    @heh : nope, the only slowness in IE8, is when you have lots of "dangerous" websites configured by Spybot. IE7 was fast.

    Firefox takes a long time to start and sometimes it slows down its rendering without apparent reason (and it’s not a network problem because I use Firefox only on my local server).

    Since when is IE preloaded at Windows startup?

    Regarding your last question, I was answering Evan… so why do you ask ?

  37. Kage says:

    @phil @eric on the blog linked to by Wuuuut, it is revealed that you have the same IP, which means you may be the same person under two names.

    @hAl As was repeatedly pointed out, this evaluation only tests blocked websites. It does NOT show the total amount of protection from all different methods of infection, specifically browser exploits. IE8 might be better at blocking downloads, but it isn’t like that at everything.

  38. ui83 says:

    I trust this report, and I’m a happy user with IE8.

    From Ars Technica:

    Rick Moy, president of NSS Labs, sent us a follow-up e-mail to tell us that it was Microsoft’s online security engineering team (not marketing) that hired NSS Labs to do recurring benchmark testing so they could improve their services. Only once Microsoft’s security engineering team saw the results did it send the details over to the marketing department.

    In terms of sponsorship of the reports, "this stuff is expensive to do right, and we need to monetize it somehow," Moy told Ars. "We invited Google, Mozilla, Apple, Opera to participate, but they didn’t even bother to respond, except for Opera, which stated they “don’t really focus on malware."

    http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars

  39. fari says:

    @EricLaw [MSFT]

    "The point of a browser-based anti-malware feature is to prevent the user from downloading malware"

    So, anti-phishing. And it just so "happens" that the liars at NSS Labs who have been caught lying for Microsoft in the past are supporting Microsoft again…

  40. waki says:

    @Kai

    "Apple made the Sunspider javascript benchmark, so the same logic can be applied in this case, yet many people use it to assess a browser’s javascript performance."

    Indeed. SunSpider is as dishonest and disgusting as the dishonest NSS Labs report.

  41. fipa says:

    @hAl

    "Your link goes to a blogger who thinks that test with 500 unique kind of malware attacks are not statistically usefull to show browser security."

    Never mind the fact that the chosen examples are advantageous to Microsoft. No, Microsoft never paid off anyone at all!

    Disgusting.

  42. liar liar says:

    "I trust this report, and I’m an happy user with IE8."

    You are a disgusting Microsoft shill.

    NSS Labs have been exposed as dishonest liars a long time ago.

  43. Mike says:

    Wow this blog is really getting more and more infantile. The fact that Microsoft is trying to do something to protect users does not seem like a bad thing to me. In order to judge effectiveness companies have reports commissioned.

    Before everyone calls me an MS fan boy, I have been more often critical on this blog. It just seems people wait for a new post to come out and then try to slam it.

  44. Kai says:

    @waki "Indeed. SunSpider is as dishonest and disgusting as the dishonest NSS Labs report."

    Yet few people question the relevance of the Sunspider benchmark’s results. On the other hand, loads of people quickly said that this report was biased by pointing out that the NSS report was sponsored by Microsoft.

    @Rapid Capid: Microsoft is not paying me to write anything (but I wish they did ;)).

    "In my tests, IE didn’t catch sh*t." OK, that’s very possible, it depends on the tests you run. But I wasn’t telling lies. I found a frequently updated malware list on Google with links and descriptions. And I can tell you that after testing quite a lot of samples with Virustotal, I found out that AVs failed to detect a lot of rogues (fake AVs) and adware. Firefox is good at blocking malicious websites but mostly it doesn’t block the direct downloads. That’s why having some kind of filter that blocks malicious downloads (i.e. Smartscreen) is useful.

    "Yeah, more Microsoft shilling. Pathetic."

    Lol. May I call you random [Google, Apple – insert MS competitor] engineer?

  45. Josh says:

    The ineffectiveness of the Safari anti-malware filter is pretty well documented (and also, relative to the competition, a pretty new feature). The poor showing of Chrome was a bit surprising though as I was under the impression Chrome and Firefox both use the google malware list (which would be much more useful if it was a webservice where you could validate an address rather than a webservice that returned a dictionary of hashes of bad sites)

    > "@phil @eric on the blog linked to by Wuuuut, it is revealed that you have the same IP,which means you may be the same person under two names."

    Hmm, I wonder if it might just be two people from MS going through the same corporate proxy…  Your public IP is in no way a one to one mapping to the user behind it.  I’d suggest you might be inclined to just assume the worst which begs the question, what do you get out of discourse here?  

    > "So, anti-phishing. "

    As has been previously pointed out, it deals with a great deal more than phishing, which is also clear by the separate charts above.  One of the key features is that it tracks sites hosting malware and blocks them (for example, sites compromised by ASPROX), which is entirely separate from phishing.  

    Anyway, while I am sure marketing loves the fact that IE is above the competition in this regard (and honestly, this isn’t horribly surprising since MS has been working on the problem longer than the competition), I am more curious as to what leads IE to be significantly more effective.  Does it simply compare a URL to a blacklist that MS happens to be better at building than the competition?  Does it also look for common signatures even if a site isn’t in a blacklist (for example, the javascript that ASPROX embeds in a compromised site)?  Does it look for certain site behaviors that appear to target patched or known vulnerabilities?  I’d love a blog post talking about the solutions IE implements, rather than the results of the implementation.  

  46. chevysales says:

    why for gosh sakes can’t this web team work towards the digital photographer and allow ie8/vista windows7 to be color managed?

    the break in icc v2 to v4 is a start but it goes beyond that with todays wide gamut monitors which along with a standard sRGB gamut monitor still don’t show our photos properly via this browser…being a fan of ms products and ie in particular it makes it sickening to know the only way around it is to use firefox? come on ie team stop patting yourselves on the back and get with it already.

  47. ActiveX this, ActiveX that... says:

    @Paid

    I know ActiveX is a common target for people, but I’m failing to see why Firefox is better in this regard given what XPCOM can do. First off, your Firefox extensions run at full permissions, so they can easily make the following call (assuming it’s even necessary): netscape.security.PrivilegeManager.enablePrivilege(‘UniversalXPConnect’);

    At that point, you can run arbitrary binaries, create/delete files, establish outgoing/incoming tcp/ip sockets, etc. What prevents someone from signing an XPI file, putting an evil binary in it, and then presenting it as a fake codec, anti-virus software, whatever else scammers use these days? You could easily detect the operating system through XPCOM, and then execute either a Mac or Windows binary, making it even BETTER than ActiveX at jeopardizing people in a cross-platform manner. Have they fixed this problem yet (do extensions REALLY need to be able to do some of that)?

  48. Derek Jeter says:

    IE8 with Protected Mode on Vista/7 is the safest and most satisfying way to surf the internet. I won’t touch Firefox with a ten-foot pole until they support Protected Mode and improve their horrible UI.

  49. Josh says:

    @ActiveX this, ActiveX that…

    Well, one of the security concerns of ActiveX over other plugin models was that it could be arbitrarily invoked and scripted by any web pages that wanted to.  Thus, if an ActiveX control was erroneously marked as safe for scripting and had a method like DeleteFile(path), a web page could invoke it and delete any file they want (Sony pretty much released an ActiveX control just like this to uninstall their rootkit back in the day, in their ill advised malware copy protection mechanism).  Now IE has made great strides to mitigate this, including domain bindings that whitelist who can invoke a control, but the scenario does still present why ActiveX has a bit worse reputation than plugins (though when it comes down to it any third party code you install, regardless of technology, can be a security risk).

  50. boen_robot says:

    @ActiveX this, ActiveX that…

    I think the reason they haven’t fixed it is simple – all Firefox extensions are by definition open sourced. More importantly, they are verified by Mozilla developers before being posted on the Firefox add-on site. And MOST importantly – pretty much all Firefox users install add-ons only from the Firefox add-on site.

    This is different from IE’s way of distributing add-ons. IE add-ons are distributed together with various Windows binaries at various third party sites. There is ieaddons.com, but most developers of Toolbars and BHOs either don’t want to be associated with Microsoft by having their add-on there, or they do have it there, but also include it at other third party software packages to "improve market share". Furthermore, ieaddons.com isn’t exactly advertised to end users as "the definitive place to get add-ons for IE", and Microsoft would avoid doing so, as it may lead to legal issues.

    Besides, the ieaddons.com site isn’t exactly as user friendly as the Firefox add-ons site. A lot of the add-ons are not categorised, and those that are categorised are only Accelerators, not binaries (Flash Player, Silverlight, etc.).

  51. Eyadema Desmono says:

    Although nobody’s mentioned it yet, the ActiveX approach is additionally vulnerable to incorrectly written binaries having data execution vulnerabilities. Running IE with DEP enabled is a good idea and pretty much plugs that hole to my knowledge. It also helps if you’re running with UAC on, or not as an administrator, since evil code may not be able to do what it wants with those restrictions.

    Firefox has a problem IE doesn’t though. A lot of code is out there for clipboard stuff that asks people to change the signed.applets.codebase_principal_support setting so pages can place text on the clipboard. If you change that setting, and then allow a site to do "untrusted" things (UniversalXPConnect), you’re allowing it to do ANYTHING a plug-in could do! It is ridiculous that you have to use flash to safely copy crap to the clipboard in Firefox.

    I think @boen_robot covered this, but they don’t have to come from the official add-on site. Ignorant users will install things if they’re enticed to do so (even after repeatedly being told not to). Firefox has an advantage of being used by a user-base that’s generally more educated (e.g. they realize you can’t open PowerPoint files in Word, that ALT-TAB and ALT-SPACE do things). As more ignorant people use your product, the more these kind of things matter. You can’t fix ignorance when people don’t care and perhaps a protected mode for Firefox (on Windows), like IE has, would be a good idea.

  52. Mitch 74 says:

    A lot of nonsense, a bunch of fanboyism here… Jscript is NOT Javascript, both languages are ECMAscript-compliant, and both have extensions.

    Firefox did NOT invent tabbed browsing, but the Mozilla programmers surely worked at it quite hard to make it popular.

    ActiveX sucks; even the MSIE team agree, but there is a commitment by MS at large to allow its use. So, downloadable code that can give an Internet website full control upon a machine still exist.

    Back to the article.

    I’ve read the study, its methodology, and noticed something: why, from the 12000 harmful URLs population, were only 608 kept as ‘valid’, and that, after a non-described 2-pass screening process? Personally, I find _that_ highly suspicious. Because, if all is said and done, it means that from services like SmartScreen and SafeBrowsing that provide a similar set of marked-as-unsafe URLs (the basis for the 12 000 statistical population, yet even that is left unspecified), browsers that use the latter actually can block only two thirds of them?

    So, the study is statistically sound; the methodology is correct; but I strongly question the population selection and its subsampling! That part smells like careful handpicking for acquiring desired results.

    There are lies, damn lies, and statistics.

    Now, I believe SafeBrowsing or Smartscreen must be roughly equivalent in effectiveness; reaction times to the addition of new threats were similar between IE and Firefox, for example (though even that lacked details, for the graph used 1-day increments), so I would be inclined to think that SafeBrowsing is, at least, effective.

    But you’ll pardon me if I feel safer browsing with Firefox 3.x+AdBlock+NoScript on an OS that metaphorically punches me in the face if I start a graphical session as administrator, much less browsing…

  53. hAl says:

    @

    Friday, August 14, 2009 3:09 PM by fari

    Friday, August 14, 2009 3:10 PM by waki

    Friday, August 14, 2009 3:11 PM by fipa

    Friday, August 14, 2009 3:13 PM by Rapid Capid

    Friday, August 14, 2009 3:14 PM by liar liar

    Friday, August 14, 2009 3:16 PM by LIARS

    Friday, August 14, 2009 3:18 PM by NSS Labs

    Wow, you must really be a sad person to come to MS blogs and use 7 (or more) aliases to diss IE. Maybe you should go to the cola newsgroup and join the rest of the sad gits there.

  54. hAl says:

    @Mitch 74

    As I also read the study I saw they added sites to the testing automatically (from a network of honeypots and spam traps) without validating them pre-test, which is likely to cause testing of irrelevant URLs (not containing malware) which were subsequently removed in post-test validation.

  55. Josh says:

    "I think the reason they haven’t fixed it is simple – all Firefox extensions are by definition open sourced. More importantly, they are verified by Mozilla developers before being posted on the Firefox add-on site."

    Could you point me to where the Mozilla Foundation claims to verify all addons?  It isn’t on the page in which a user goes to download addons and I would think they would clearly advertise such a claim (I would, it is a hell of a claim, though it would open them up to liability if there was malware hosted).  Admittedly I have not gone to the site in which developers submit addons, so the notification might be on that site, but I am a little skeptical that all 5000 addons have had a thorough security code review.  For example, they did not catch this: http://blogs.zdnet.com/security/?p=2264

    GNUCitizen points out why code reviewing addons won’t be horribly effective: http://www.gnucitizen.org/blog/firefox-malware/.  When it comes down to it, simply being open source is not much of a benefit from a security standpoint.  I don’t know if you have ever done security code reviews but it takes a *VERY* skilled person who can both methodically concentrate on numerous lines of code and recognize security risks.  To be blunt, this is not most people, even the majority of skilled developers,  and I am skeptical that such skilled individuals have scrutinized even a significant minority of addons.

    Also, not all Firefox addons are open source.  Quicktime, Flash, etc are binary plugins that are in no way open source.  They are also binaries with more holes than any of the browsers, and at this point, currently more exploited than any of the browsers.  That’s why being able to screen malware, not just phishing, is important.

  56. EricLaw [MSFT] says:

    Folks, just a reminder that the rules for comments are here: http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx

    Two things specifically prohibited are offensive language and misrepresenting your identity.

    Thanks!

  57. EricLaw [MSFT] says:

    Mitch 74: You’re welcome to express your own opinions, but please do not make inaccurate claims about what the "MSIE team" believes. Thanks.

  58. Nick says:

    kage, the comments on the blog post you point to are five months old.

  59. boen_robot says:

    @Josh

    Firefox has both "Extensions" and "Plug-ins". The non-open sourced stuff you’re talking about are plug-ins. Plug-ins are not available from the Firefox add-on site, and they therefore don’t go over the same testing and review as extensions.

    Also, the vulnerability in question is from a malware that drops into Firefox’s folder *by other means*. It doesn’t mean that it comes from an extension that was on Firefox’s add-on site.

    The review claim is on the submission page I think, yes. It surely is on the tutorials page though. See https://developer.mozilla.org/en/Submitting_an_add-on_to_AMO

    I can’t comment on how well the reviewers are doing (you may be right that they could miss a malware when they see it), but extensions are actually pretty sand-boxed, and for the stuff that’s still sensitive, yet allowed (e.g. file writing)… the reviewers seem to be doing fine.

  60. Josh says:

    @ boen_robot

    You are correct in the distinction between extension and plugin and it was sloppy of me to not illustrate that my last paragraph was a logical break from the preceding.  My point, not well made, was to segue into why malware blocking was important, and that a browser’s own track record for patching vulnerabilities was not sufficient protection, however I can clearly see how the two thoughts would seem connected.

    However, you are incorrect in the assertion that the "vulnerability in question is from malware that drops into firefox’s folder by other means".  Per the linked article, the vulnerable EXTENSION was hosted on the mozilla site:  

    "Earlier this year, a more severe incident took place when the Vietnamese Language Pack hosted at Mozilla’s official list was infected with malware.".  

    Just because Mozilla hosts a file, that in no way is testimony to the safety of using the file and it would be dangerous for people to assume as such.  I suspect highly popular extensions are very well vetted – in the community in general there is a lot of vetting of something like noscript or firebug – but for a lot of the lesser used extensions (like, say, a vietnamese language pack) it isn’t much more safe than any other random file on the internet.

  61. Alan says:

    DEFCON 17 was a few weeks ago.  There was a talk called "Abusing Firefox Addons".  Here’s the abstract from http://www.defcon.org/html/defcon-17/dc-17-speakers.html

    ———————————

    Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don’t trust a single one, and we will show you why.

    This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.

    Don’t panic – the Addons manager can be found under the ‘Tools’ tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.

    Roberto Suggi Liverani Senior Security Consultant, Security-Assessment.com

    Nick Freeman Security Consultant, Security-Assessment.com

  62. boen_robot says:

    @Josh

    Oh. You’re right. I didn’t notice the part about the "Vietnamese Language Pack". I focused on the actual issue, which doesn’t clarify an affected extension, and I therefore assumed it’s not from an extension, but from another binary that hacks its way through. The Vietnamese thing is indeed a more troubling thing. Like I said, reviewers could indeed miss malware… Open sourced or not, they’re still only human.

    Fun thing though. You can see the sandboxing in action – disabling the add-on does the trick of removing the malware. How many times have you had *that* with IE add-ons that have malware in them?

    Yeah, me neither. I wish we had that kind of limitations for IE add-ons, so that the above vulnerabilities and the like would be the worst thing around (add-on wise at least; there’s always scripting wise, social wise, etc. vulnerabilities).

  63. gill says:

    @Alan – good points. The trick of course is that IE doesn’t have an extensive collection of good addons due to the ugly COM-based extension structure in IE. Tons of users download Firefox extensions because they add even more functionality to an already great-out-of-the-box browser.

    Either way it doesn’t really matter.  At the end of the day users will pick the browser they like best, with the features they need and one that meets today’s expectation level for a browser.

    IE fails on all 3 of those thus is looked upon as the dead-last if-all-else-fails browser option.

    As a pro developer in the community I wouldn’t dream of telling people that I use IE as my default browser as I would lose instant reputation for being so behind the times.

    When I pull out my laptop at the local coffee shop would I use IE? not a chance! I’m not going to pick up any hot dates surfing in IE that’s for sure.

    It is sorta like Cola. If you were gonna grab a can of cola and head down to the beach for the sole purpose of a refreshing drink and looking cool you’d grab a Coke.  Firefox & Safari are in browsers what Coke is in the Cola industry.  Next best you’d grab a Pepsi. Chrome is the Pepsi of browsers… just as good, but it just won’t ever be a Coke.  Then there is IE.  IE is the no-name brand of Cola at the local supermarket.  If you poured it in a glass and drank it you might not even be able to tell the difference… but you sure aren’t gonna swagger down the boardwalk sipping from that can in public!

    Unfortunately due to Microsoft’s marketing strategy and their abuse of the market space in browsers (and all other markets) both in the past and now – IE has left a bitter taste in the mouth of the general public and no amount of advertising will fix that.  IE’s marketshare will continue to slide, esp. as more and more corporations and enterprises offer up the opportunity for their users to get off IE (often even IE6!).

    Last note.

    We had a 7yr+ web developer enter our shop the other day for an interview.  After a few questions we asked which browsers he had coded for.

    Him: "Only for IE our customers all use windows".

    Us: "Did you require ActiveX or something?"

    Him: "No I just don’t think users care if they have to use IE"

    Us: "So you didn’t even test in other browsers?"

    Him: "No if it works in IE thats all I care about"

    Us: "Well… for us supporting all browsers is important, if not critical.  Since you’ve never even tested in Firefox or Chrome then sadly there is no point in us hiring you since you don’t know how to code properly and you’ve obviously never used Firebug or YSlow to debug and optimize your pages."

    Us: "I’m afraid this means the interview is over. I’d highly recommend you download and install Firefox, Chrome and Safari… check your pages in each and see how they fail outside of IE. You’ll be amazed what modern browsers can do and how writing your code properly in one of them first will automatically make it work in the others.  Only IE will need tweaks because it doesn’t follow the specs."

    Him: "But I’m really good at ASP…{cut off}"

    Us: "Sorry but if you’ve never developed in Firefox then you are 5yrs behind the development curve.  Seriously we aren’t trying to be insulting but you need to start developing in better browsers if you expect to continue in this line of work. Developing in IE is unacceptable these days. This interview is over."

    The poor guy was a bit shell-shocked.  He had been living in a dark cave of IE only development for so long he failed to see that the industry had long since moved on.

    Us:

  64. Derek Jeter says:

    Firefox has such an ugly UI compared to IE8 that it seems they are 50 years behind.

  65. not derek says:

    @Derek – Are you serious? Firefox has an ugly UI? compared to IE8? You must be joking!

    The Firefox UI is **CONSISTENT**.  IE8 is far from that in every aspect.

    The command bar doesn’t follow the windows cascading menu standard since it flows to the left, not the right.

    Then menu dropdowns in IE8 do not contain icons except for the favorites.

    There is no history menu item

    The address bar is absolutely pathetic compared to Firefox.  Where’s the favicons? you know.. the thing that IE created, made popular was adopted by every other browser and then IE decides to throw usability out the window and drop support for them? Dropping them was the worst UI design decision ever.

    The toolbars in IE are hard to move around – the search bar doesn’t stretch, the tabs are ugly and the add/remove command tools dialog is straight out of 1995.

    The use of 3 or 4 different X icons for stop/delete actions in the IE UI is massively inconsistent.

    The lists go on and on.  IE8 is the worst case of inconsistent UI I’ve seen in any program of the last 5 years.

    If I was a UI developer working at Microsoft I would certainly not put the IE8 UI on my resume.

  66. boen_robot says:

    @not derek*

    Have you actually tried IE8 RTM?

    You can move the command bar on another row if you really want it from the left. Personally, I like it better on the right.

    A lot of the dropdowns, or at least the dropdowns from the command bar do have icons. Icons are missing on the menu bar though, yes.

    There is a "History" menu item. From the favorites panel (the one activated by a button), or from the menu bar at "View" > "Explorer Toolbars" (or something similar… I use a localized IE8 build, so I’m just "reverse translating") > "History".

    It’s a pity that favicons are missing from typing in the address bar, yes, though personally, I don’t miss them that much. Other than that, I find the IE8 address bar just as good (if not better) than FF3.5’s.

    What’s so hard about moving the toolbars around? Yes, there are some limitations with what you can do with them (and the reason for this is "support desk"-ability, so to speak), but the things you can do, you can do easily. And the search bar IS stretchable. Not movable, yes, but it IS stretchable. Whether the tabs are ugly or not is subjective (I find them prettier than Firefox’s). And the add/remove command tools dialog is indeed old, yes. Perhaps "support desk"-ability again, or simply a lack of time to touch up on it.

    The different X icons I guess are exactly in order to differentiate between stop, delete and other types of actions, so that the icon could instantly tell you what you are doing. Speaking of which, where do you see the 4th X icon? I see three (Stop, deletion at the address bar, Work Offline), but I don’t see a 4th.

    * Commenters on this blog keep amazing me with their ingenuity about nicknames, which is really funny when you consider the "Title" field is still there if you feel expressive.

  67. huh? says:

    It’s really not clear what you’ve measured here.

    Maybe you could actually patch the known security holes instead of making up some new stuff that creates a pretty graph.

  68. not derek or boen_robot says:

    I have indeed tried IE8 RTM – heck I helped report bugs to the IE Team during development.

    As for the command bar – yes you can move it to the left – the far left only – and even then the submenus still cascade to the left – check out the print/tools dropdowns.

    Yes there is a History sidebar (joined to the favorites) but no menu option.  However even with the history sidebar it’s still messed up!

    Go ahead and view by site, or by date…  since the folders each contain only links to a given site – why are they not showing the favicon for that site? If I could see a favicon for say YouTube I would be able to easily spot it in less than a second – but apparently MSFT doesn’t put users and usability first.

    favicons in the address bar – and the IE one vs. the Firefox 3.5 awesome bar. You’re taking the IE bar over the Firefox bar? not a chance! I’ve used every browser on the market since 1995 and can say without a doubt that the Firefox 3.5 address bar is better than any other, hands down.

    support-desk-ability? so bad design in IE is actually a feature now? Avoiding possible future IT support calls is *NOT* a reason to ship a regression in future browser versions (e.g. IE7/IE8)

    you are right – the search box is stretchable – just not discoverable since the grippy bar isn’t shown (see #1 point about consistency)

    As for the 4 X’s the count may not be exact but the point is.

    Some are used for "close", some are used for "delete" etc. but the same ones are used for both actions.

    I don’t want this to be another rant after rant though. I just wanted to see if Derek was trolling or seriously in the belief that the IE UI exceeded that of any other browser.  It turns out that it doesn’t matter because there are apparently others that do believe the IE UI is better. I think I need a drink. My brain hurts just absorbing this.

  69. Jagannath says:

    Had Accelerators been developed by any other browser other than IE, it would have been the greatest innovation since web.

  70. Jagannath says:

    Had Accelerators been developed by any other browser other than IE, it would have been termed as the greatest innovation since web.

  71. Geld Lenen says:

    Until today I didn’t want to use IE8, because I wanted to see what sort of problems people would get into. But until now no big problems were reported and after seeing these figures I’m going to install IE8.

  72. Wulcom says:

    @Mike

    Nice straw men:

    ""The fact that Microsoft is trying to do something to protect users does not seem like a bad thing to me."

    This is GOOD. Yes.

    "In order to judge effectiveness companies have reports commissioned."

    This is BAD. Not reports in themselves, but paying people to create dishonest and misleading reports like this one.

    http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8

  73. Wulcom says:

    @Josh: "the fact that IE is above the competion in this regard"

    Blatant lie. A dishonest paid-for report is NOT a fact. The previous report was exposed here:

    http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8

  74. Right You Are says:

    "Kai" wrote "Yet few people question the relevance of the Sunspider benchmark’s results."

    So that makes it OK to swallow Microsoft’s advertising without thinking?

  75. Mitch 74 says:

    @EricLaw: to make my point clear, and from developments made in IE7 and IE8, the IE team members don’t like ActiveX controls that can take complete, unchecked control of the system (like they could in IE 6) – if anything, the simulated registry and complete sandboxing of IE, and ActiveX being disabled by default, seem to indicate that if the IE team developers don’t want to take ActiveX out back and shoot it in its metaphorical head repeatedly, they’re doing a great job at neutering it.

    Which is the next best solution, IMHO.

  76. vnwiblog says:

    Again, Microsoft achieves greatness! I upgraded to IE8 on all my computers the day it came out and I couldn’t be happier. I thought the accelerators and web slices were great, but knowing that IE8 tops the malware protection charts makes it that much better.

  77. EricLaw [MSFT] says:

    @Mitch: Yes, you are more correct to note that the IE Team is working hard to help prevent creation (and subsequent abuse) of vulnerable ActiveX controls.

    @Wulcom: Continuing to post the same link 3+ times may be deemed spamming. Your journalist provides no statistical basis for his claims against the study from 6 months ago.

    While it’s true that NSS’ testing covered the base browser and not any 3rd party browser addons, this fact was not concealed in any way. The fact remains that most users have no such anti-malware capabilities outside of the protection provided by the browser, so arguments that users of other browsers can "assemble their own" protection are specious.

  78. techbiz says:

    While I highly endorse keeping internet users safe, I wonder if IE8 hasn’t gone too far.  This video clip is being blocked.  How can I get IE8 to recognize that it is safe?

    <div style='position:absolute;margin-left:60px;margin-top:220px;width:348px;height:348px;z-index:162'>
      <OBJECT ID="MediaPlayer"
              CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"
              standby="Loading Microsoft Windows Media Player components…"
              TYPE="application/x-oleobject" width="350" height="350">
        <PARAM NAME="url" VALUE="http://205.178.152.122/1259580/DVD2_Preview.wmv">
        <PARAM NAME="AutoStart" VALUE="true">
        <PARAM NAME="ShowControls" VALUE="1">
        <PARAM NAME="uiMode" VALUE="full">
      </OBJECT>
    </div>

  79. EricLaw [MSFT] says:

    @techbiz: What do you mean by "blocked"?  What specifically happens? What is the exact text of any error messages you see?

  80. techbiz says:

    @EricLaw:  The page opens with a blank space where the code embeds the player.  Beneath the tabs, the security icon appears with the statement:

    "To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer.  Click here for options…"

    Selecting "Allow blocked content…" from the drop-down menu causes the player to appear properly embedded in the page.

    FYI.  I have four pages on my site that contain different embedded videos, and all pages behave the same.  Going into the browser settings and allowing ActiveX causes the pages to properly launch, but doing that on MY browser is of little comfort.  I have no control over the settings of all those people out there who LAUNCH my webpage and are scared away believing my page just attempted to breach their security.  My webpage is being blackballed because Microsoft chooses to block its own media player from launching on its own browser.

  81. EricLaw [MSFT] says:

    @Techbiz: That doesn’t happen on the URL you provided, and will not happen with default IE settings (except when viewing copies of these pages on your local computer).  If you see this behavior on the public Internet site, click Tools / Internet Options / Security / Reset all zones to default settings.

  82. William says:

    @EricLaw

    Hi Eric,

    I did as what you said:

    1. Upgrade to Vista Service Pack 2

    2. clicking START | RUN and typing: iexplore.exe -extoff, also close Skype, MSN etc.

    3. Open the url in IE 8 :

    http://www.jazan.org/vb/showthread.php?t=146570

    IE still dead!

    Note: I use Vista not XP, there is no problem with XP.

    You said you can open the URL, did you use XP+IE8?

    Thanks!

    William

  83. hAl says:

    @William

    That page hangs my IE8 on Vista as well forcing me to kill IE

  84. drumm says:

    @paf,

    Phishing and socially engineered malware are two different things.

    phishing is basically faking another website, for example your bank site, and trick you into entering your account and password there.

    socially engineered malware is basically a random site hosting a trojan and telling you it’s not a trojan, but the world’s fastest and safest browser named Firefox, and encourages you to download and install it (the trojan, not real Firefox).

    Or those antivirus software that will detect hundreds of viruses on your computer and ask you to pay $500 to clean those viruses, but in fact it itself is the virus.

    anti-phishing is technically easier, since those phishing sites usually have similar url patterns and designs to the genuine sites, while socially engineered malware is harder to detect, since there’s no set pattern to the sites hosting malware.

  85. tim hobbes says:

    Hi. Was the report sponsored by Microsoft or not? It is not clear in the report itself, I just want to be sure.

  86. With the emergence of social media I think there has been a whole new type of threat created to internet users. The funny thing is we are only on the nose end of things.

  87. Matt B says:

    How about less blogging about the stuff you’ve done in IE8 and get on with IE9? Firefox has released 3 and 3.5 since IE8 has been in beta till now. I don’t see MS making the same effort to keep up.

  88. techbiz says:

    @EricLaw: You obviously missed the entire point.  As the webmaster for vbatech.com, I cannot be sitting next to everyone on the internet, advising them how to change IE settings so that an embedded Microsoft Media Player will run when they launch my webpage.

  89. EricLaw [MSFT] says:

    @techbiz: I think you misunderstand. Users with default settings don’t see a "To help protect your security" prompt.

    However, if a user has reconfigured their browser to show that prompt, why do you think IE would allow your website to override that reconfiguration?

  90. Mitch 74 says:

    @EricLaw: I tried techbiz’s code, pasted inside a Strict-mode compliant web page on a WinXP SP3 + IE 8 up-to-date system, clean and including all updates as of today. I did reset all zones security settings to default (although they already were there).

    And indeed, I get, in all cases, a prompt telling me that the content has been blocked – so techbiz isn’t dreaming.

    But then, I pasted the page on a server that qualifies as ‘the Internet zone’ for IE, and there, it indeed works as intended (which is probably the test you did).

    So, @EricLaw: it might be a good idea to allow the developers’ tools to say what zone a page belongs to at its current address (a warning that all pages loaded from Workstation are locked down would be highly useful, for example) – this may help in preventing this kind of snafu.

    And, @techbiz: always look at what zone your test code belongs to in IE: the workstation zone (when you open an HTML page saved to disk) is highly locked down.

  91. Will Peavy says:

    Is there a VPC image available with IE6 on XP SP2? I have an app that has a display issue that appears in IE6 on XP SP2, but it displays normally on SP3 (only SP3 is available at http://www.microsoft.com/Downloads/details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef&displaylang=en ).

  92. edward says:

    @Will Peavy – What is the display issue? There shouldn’t be any rendering differences between those two versions.

    As for having to support IE6 on WinXP SP2 I truly feel sorry for you.  I wouldn’t wish that pain on anyone not even my worst enemy.

  93. EricLaw [MSFT] says:

    @Mitch, no one said "techbiz" was dreaming. I explicitly stated that users visiting the URL provided would not see that prompt, as it only appears when "when viewing copies of these pages on your local computer."  

    The "Mark of the Web" is the mechanism used to push a page from the LMZL zone to the Internet Zone, and it’s been available for just over 5 years now. Learn more over on MSDN.

  94. Joel says:

    Sorry for the off-topic comment, but I was hoping to bring to the attention of the IE team this easy and concise repro case for a stack-overflow bug that occurs in the IE8 native JSON parser, but not in json2.js, or in the native parsers for Firefox or Chrome.

    http://stackoverflow.com/questions/1288962/ie8-native-json-parse-bug-causes-stack-overflow

  95. Mitch 74 says:

    @EricLaw: yes, you did say so; but then, please understand that not all developers are aware of IE’s ‘zones’ and what goes in each of them; even worse, in that case the local file system is not part of the zones that can be set up in Internet Properties – so, there is a lack of visual clues.

    For example, developers that work in Firefox + Firebug to then merely test under IE have a good chance of not knowing anything about that; for us (I might consider switching the day IE is available on UNIX platforms again), if it works in Firefox, then in Opera, then in Chrome, then in Safari, and goes boom in IE, well, it’s an IE “bug”.

    Please note that I understand the reason behind ‘zones’, I also understand that this is not a bug, but geez, is it confusing!

    In short, asking for a developer to go and read MSDN looking for an answer to ‘why is the WMP control blocked when I load this dumb-rse static HTML file that I wrote in Notepad and saved to desktop?’ would require:

    1- knowing about Zones in IE (quite common, but still not a given)

    2- knowing that the local file system is not the same as localhost (it would be a reasonable assumption)…

    3- …but part of a completely blocked zone which does not appear in the Internet settings panel (a bit more involved).

    A visual clue (such as a pop-up balloon on the status bar where the current zone is displayed) describing the zone’s properties and current security settings (‘the Internet: all documents that belong to a subnet different from your own; [v}+’ or ‘Intranet: all documents on our computer’s subnet; [v}-‘ or even ‘local file system: all scripts and applets are always disabled; [X}’) would be really helpful.

  96. EricLaw [MSFT] says:

    @Joel: Thanks for the report; the scripting team is looking into the JSON issue.

  97. filipe says:

    @EricLaw / @Mitch 74 – I’d like to add my 2 cents to this conversation too.

    There needs to be an addon for IE that shows what mode/zone/etc. a page is in when viewing it WITHOUT opening the dev toolbar. Ideally it would enable changes at the same time.

    It’s been said many times many ways…. developing in IE is a major pain and thus why everyone develops in Firefox, Chrome or Safari.

  98. William says:

    @EricLaw

    See my above comment,

    Any solution to avoid IE dead on

    http://www.jazan.org/vb/showthread.php?t=146570 etc?

    We need to use IE to browse these pages everyday.

    Thanks!

    William

  99. EricLaw [MSFT] says:

    @filipe: IE8 has a solid set of developer tools that are a simple keystroke away.

    However, the page’s zone is shown in the IE status bar. If you’d like, you can use a bookmarklet to show the document mode (see http://www.enhanceie.com/ie/ie8.asp) with one click from the Favorites bar.

    @hAl, William: I have no problem with that page in either XP or Windows 7. What locale/language operating system are you using? What anti-virus program are you using? Do you have to do anything to repro the hang other than loading the page, selecting text, and scrolling around?

  100. hAl says:

    @Ericlaw

    The hanging page effect on javan.org reproduces 100% in IE8 on a Vista Home basic (NL) laptop and it also does if I go there with the "-extoff" switch.

    Nothing visibly loads (the tab stays empty or a previous page stays in view)

    I will send you a Fiddler2 session file and a Sysinternals Procmon file as well.

  101. mark says:

    @EricLaw – the "solid" set of tools a keystroke [F12] away doesn’t cut it.

    When I view a local page in Firefox, Chrome or Safari I see it **EXACTLY** as I would on a production server (without needing to touch a thing) [ZERO steps]

    Note that this is something a developer checks 50-100 times a day.

    Loading the same file in IE8 – Woah! You are loading a page riddled with insecure ActiveX Warning Bar! [Step 1] move the mouse up to the bar because there is no keyboard shortcut. [Step 2] click the bar. [Step 3] move the mouse to the ignore option (again no keyboard shortcut). [Step 4] click the ignore option. [Step 5] A new security window popped up move mouse over to it or press Tab to set focus on Yes button. [Step 6] click Yes button or press Enter.

    OK, so 6 steps later I can actually view and interact with the page… almost

    Since IE8 has 3 rendering modes – which one am I in? The broken page icon has been removed from this view so I can’t just visually look and see what mode I’m in.

    Now like most developers I just need to verify what mode I’m in.  The rest of the IE dev tools I don’t care about – if I want useful dev tools I’ll go back to Firefox/Firebug or Chrome.

    Since all I care about is the mode and there is no option in IE to display it I wrote a bookmarklet that displays a quick overlay for me indicating the mode. (I’ll rant another time about how insanely hard it is to add bookmarklets in IE)

But for the sake of this discussion, let’s say that the user presses [F12] to get the dev tools up, and again to make it go away.

    Alright, time for some quick math.

    50-100 page checks a day

    6 + 2 steps per page load

    ============================

    400-800 steps per day to test pages in IE8 versus [0] (ABSOLUTELY NONE) in Firefox or Chrome or Safari etc.

    That is simply NOT ACCEPTABLE for a developer that needs to Get Things Done!

Let’s not forget that that is only IE8! There are 3 other IE browsers that need to be checked!

1.) IE8 running in IE7 Compatibility mode

    2.) IE7

    3.) IE6

    The mode checking steps aren’t required for these 3 but the other 6 steps to dismiss the ActiveX attack warning bar are.

    so, more math:

    50-100 page checks a day

    6 steps per page load

    3 browsers to test

    ============================

    300-600 * 3 = 900-1800

    So in summary, to properly test JUST THE SIMPLE LOADING of 50-100 pages a day in Firefox, Chrome or Safari takes:

    [Zero Steps]

    =============================

    To properly test JUST THE SIMPLE LOADING of 50-100 pages a day in IE (6,7,8) takes:

    [1,300 to 2,600 Steps]!!!!!

    =============================

    0:2,600 is quite the ratio!

    I haven’t even done any interaction, inspection, debugging yet and already IE has proven to be a nightmare to test against.

    There are several reasons why developers do not develop in IE.  This is just one of them.  

    A Severe Barrier to Entry.

I can’t wait until IE9 throws new obstacles in the way. I think 4 rendering modes would be just awesome. How about 3 different JavaScript engines instead of the ~pseudo 2 we have now in IE8. Can you lock up the toolbars some more too? There’s still a little bit of flexibility in there. Please also add another second to the load time for new Tabs – mine are not slow enough yet. – Ugh! I get so angry just thinking about how much developing in IE just !@#$%^ me off.

  102. Brad says:

    Wow, Mark, it sounds like either you’re not really a professional developer, or you haven’t spent any amount of time trying to make life easier on yourself.

    If you don’t develop against a local webserver (really???), you can turn off the Lockdown for the Local Zone using the checkbox in IE’s Advanced Options. No more info bar. (Oh, and the hotkey for the info bar is ALT+N, by the way.)

    enhanceie’s bookmarklet was published over a year ago, so I’m not sure why you needed to write your own. But more troubling is the idea that you don’t simply have the dev tools showing all of the time. If it’s a screenspace issue and you’re really stuck on a single monitor, I’d suggest that maybe you should go work for someone that will provide you with a developer-class computer.

  103. Nelson says:

@Brad: Mark’s comments are appropriate. I’m a professional web developer (12 years now) and you couldn’t pay me to develop in IE; I would turn down 250k USD/yr if I had to develop in IE.

    The Alt+N hotkey does focus the security bar but then you need to still choose the option and then dismiss the other dialog.

So Alt + N + Space bar + (down arrow + enter or A) then Y. Still way too many steps.

    I develop off a local webserver of course… but sometimes you want to quickly test something so you simply launch an HTML file/JS file/CSS file.

What is annoying there is that it doesn’t matter if there are any scripts or not, you get the warning about active-x content.

    So you recommend turning off the local zone security in a browser that runs Active-x, VBScript and JScript (JavaScript) that can access the local file system? No thanks I don’t trust security in IE for a second with that setting turned on. MSFT seriously needs to separate the "web" javascript from the "filesystem" JScript/Active X.

The other issue with a local server is that the IE8 default settings for compatibility are LOCKED down.. the Compatibility mode icon doesn’t show up, which is a major pain and a faulty design.  I have to go into the options and specify EVERY single intranet server I use/test on with settings.

    thus I have to set up for my box

    localhost,

    127.0.0.1

    192.168.100.x

    actualhostname

    and then for every other internal server

    192.168.100.x

    actualhostname

my compatibility settings are a mess with every single entry for these.

    On top of that although 95% of our development is standards based (thus we do not want the compat mode) we do use some tools that run on some of these servers at a different port.

    I can’t however set these settings by port or by subdomain or path.

So I have to add all sites to the list to NOT show in compat mode, then manually tweak for apps that don’t handle it and when I want to test in "IE7" mode.

    As for the enhanceie bookmarklet I had to tweak it anyway to work in older IE versions and since it popped up a modal alert dialog it was ugly, shows up on the wrong screen in my dual monitor setup and requires user interaction to dismiss so I wrote my own (which provides a bit more info too)

    As for my setup I actually have 3 screens in total across 2 PCs using synergy so my company is just fine thanks for hardware.

I have my IDE and other dev tools running in one screen, email and chat in another, and typically my browsers in the 3rd.  I do not want to open the IE devtools on another screen nor on the IE window screen. Like most I have no interest in the IE tools because they suck.  Sounds cheap maybe but seriously they are hard to use, years behind similar tools on other browsers and have major focus stealing/reloading/reflow issues.  You can’t even edit all the HTML on a page while viewing so what’s the point in using inferior tools?

    Let me guess Brad – do you work for an MS dev shop using Visual Studio, .Net and IE? Please be aware that a large portion of developers don’t use that stuff so being forced to use IE isn’t required.

    Don’t get me wrong I’m no Linux fanatic I love Windows, I just hate using and developing in IE.  IE is way behind the times in terms of technology and developer tools – the only thing IE excels at is bugs.

  104. Brad says:

    Nelson, thanks for identifying yourself as a prima donna developer. It makes it easy to distinguish your rants from the concerns of actual working developers, who just want to get their jobs done and are much happier with the IE8 dev tools.

    (btw, rant about compatibility mode doesn’t make any sense. If you want to turn compatibility mode for the intranet, just uncheck the checkbox. If you do want compatibility mode, then quit pretending like you build standards-compliant sites)

  105. Will Peavy says:

    @edward – All I have is a screenshot, taken in IE6 on XPSP2, of a fieldset with a gray line through the middle. I can’t replicate the issue in any other browser (including IE6 on XPSP3). So I am *assuming* it might be an XPSP2 issue (it could just be a weird user setting… I can’t tell without testing though).

    As far as supporting legacy browsers goes – we recently ported an old AS/400 app into a web app. So for the people who have been stuck using AS/400 (yes they were using AS/400 apps in 2009 at a very large credit card company), an app that runs in IE6 feels really *modern*.

  106. I luv IE says:

    Microsoft, Internet Explorer and security all go together like rice and beans.  This study proves what we’ve always known:  No browser is more secure than Internet Explorer and no company is more committed to online security than Microsoft.  Congrats to all involved.  Microsoft’s reputation would not be what it is without you.

  107. Juan says:

    @Brad – OMG! you are the one acting like a prima donna developer! have you even read your replies?

    @I luv IE – are you applying for a job at microsoft or something? That is the most obvious MS-fan-boy comment I’ve ever seen! Not only is it completely wrong it is hilarious that you think anyone will read it as anything but a joke.

  108. William says:

    @EricLaw

    Hi Eric,

    Thank you for your reply.

    >>I have no problem with that page in either XP or Windows 7

Here is our test result:

HP + Windows XP (Simplified Chinese) + IE 7 ==> Works

DELL + Vista SP1 (Simplified Chinese) + IE 7 (Norton) ==> Dead

DELL + Vista SP2 (Simplified Chinese) + IE 8 (Norton) ==> Dead

DELL + Vista SP2 (Simplified Chinese) + IE 8 (Norton) -extoff ==> Dead

DELL + Windows 2003 Server (English, Trial version) + IE 8 ==> Dead

at least 2G memory, closed Skype, MSN etc. programs.

    We have no Windows 7.

    Dead means: open the URL:

    http://www.jazan.org/vb/showthread.php?t=146570

    or

    http://www.aldair.net/forum/showthread.php?t=81162

IE will only show the title of the page, no response, seems to keep loading; in fact, if you click on the page area it will become whiter and show "no response" in the IE title. Then wait 5-10 minutes, it keeps the same status; finally we have to kill the IE process.

    thank you for your help.

We have met at least 30 URLs that will cause IE to go dead.

We also use the WebBrowser control to visit these URLs, dead too.

If we save the source code of the page to a local file, then open the local file in IE on Vista/Windows 2008, dead too!

Then if we remove some Arabic text from the local page and open it in IE (there is a lot of Arabic text in these pages), IE works.

We also tried setting the options of IE to default, no effect.

    Thank you for your Help!!

    William

  109. drumm says:

    @Nelson,

    "I’m a professional web developer (12years now) and you couldn’t pay me to develop in IE I would turn down 250k USD/yr if I had to develop in IE."

    I guess you don’t need to feed your family then, considering over 50% of internet users are using IE.

    @Juan,

    "@Brad – OMG! you are the one acting like a prima donna developer! have you even read your replies?"

Clearly, the prima donna developer is the one who wouldn’t develop for IE (that the majority of people use) for 250k USD/yr.

I wouldn’t call someone a real working web developer if he/she doesn’t check his/her websites in IE. Actually you’ll hardly find work if you don’t make sure your sites work for IE; even the Mozilla, Apple and Opera websites make sure they work in IE.

  110. Derek Jeter says:

    C# is the best programming language ever. PHP su*** big time.

  111. Mitch 74 says:

    @drumm, etc.: There is quite a difference between developing under a browser and testing under a browser.

    Essentially, it goes that way:

    – you love IE, you develop for IE: you use IE 8 as a test/development environment (yes, the IE dev tools are quite good; combined with Fiddler, they are very good), and once you’re done, you quickly add a few CSS workarounds for IE 7 and 6, for which you have virtual machines to test under. And then, you start wondering about ‘those other browsers’ that don’t all understand document.all (what’s ‘document.getElementById’? And why doesn’t it always work the same in other IE versions?), or that throw an error when Ajax headers are specified after ‘send’ (you always specify headers after the content is sent, right? No, wait…), or that don’t support attachEvent (what’s that addEventListener thingy for? And what’s ‘event capturing’?).

    – you don’t like IE, or you develop on a machine that doesn’t have IE available (say, a Mac because you enjoy graphics suites which come in handy for creating visual Web content, or a Linux box, because this way you don’t have to worry too much about differences between your test and production servers); you then develop under Firefox+Firebug, which takes care of all modern browsers in a single pass; then you fire up the VMs to test under all versions of IE (you’ll need 3 VMs), where Jscript goes boom, or IE throws an error because innerHTML rewrote part of a table or activated before the page’s DOM was done loading, or there is no DOMContentLoaded event, or (IE 7+IE8compat) your CPU suddenly maxes out and after a few seconds the browser crashes (out of viewport resizable box that conditions the size of a scrollable content, auto-sized box), or even (IE 6) your browser ignores you when you tell it that you want to draw a box at coords (x1,y1,x2,y2) in CSS (IE will ignore BOTTOM if TOP is set, and will ignore RIGHT if LEFT is set). Let’s not forget the complete lack of support for XML-based XHTML, MathML or SVG.

So yes, testing under IE is quite a pain; for us developers that use browsers other than IE, any attempt at running IE to test our web pages against is downright painful:

    – we have to rewrite code for features that are completely unsupported under IE (the opposite is quite often not true);

    – we have to create a secondary code path for features that are badly supported, or supported only through an IE-specific feature (the opposite has the merit of covering all browsers with a single code path);

    – we are often baffled by errors IE throws at us (except in IE 8, where the debugger is good, stuff like Jscript throwing an ‘unknown error in unknown at line 0’ is downright unhelpful).

Personally, I, too, wouldn’t accept a job telling me ‘you have to develop under IE’: I’m not enough of a masochist (and the money would have to be spent on antidepressants, and stress-related illnesses treatment); I do, however, make sure my websites work in, and don’t crash, IE. Even better, I make sure they work in ‘genuine’ IE 5, 6, 7 and 8 (because Chrome, Safari and Opera are already very well supported by the time I’m done developing in Firefox); do you?

    Please note: bringing down Windows Explorer when IE crashes is Not Good ™. I have yet to achieve that in Firefox, Safari etc. It also is not very good when IE 8, freshly installed on a clean machine, crashes on loading once in a while.

  112. Riley says:

    Mitch: "bringing down Windows Explorer when IE crashes is Not Good" — Agreed, but I haven’t seen that happen since Windows 98.

    If you do, you must have a buggy plugin, because Explorer doesn’t even host the browser anymore. A buggy plugin would also nicely explain why you crash on load as well.

  113. drd says:

So if IE is now safe, could the team next work on the Perf? I would like to suggest a soliciting post where people could send comments about particularly slow pages. In particular I find scrolling with zoom set to the 115% range from bad to nigh unusable, with short pauses depending on the page contents. In a small way this can even be seen in some of MS’s own marketing sites, which run noticeably better with Opera.

Adding some perf & system detail recording & reporting button option into the current IE, way before it’s too late to take in major changes to the IE9 code, might also be helpful, as it’s so much harder to get the perf data into some manually submitted report after the fact.

  114. Mitch 74 says:

    No plugin, not even Java nor .Net: this machine is almost as bare as you can get. It’s an up to date Windows XP sp3 with IE 8 and all latest fixes installed, and a light antivirus (AVG Free). All drivers are those provided by Microsoft (old test machine) in SP3. Themes, network sharing and a few other unused services were disabled.

    It crashed last month.

  115. @Mitch74: Did you manually disable the AVG browser add-on? When you look in Manage Add-ons, are ALL add-ons marked as disabled?

    If you encounter a crash, I can analyze it further if you send me the Watson ID # from your system event log, or send me a .dmp file (generated by WinDBG).

    @drd: Performance of IE (and popular add-ons) remains an area of strong interest for the IE team.

  116. antivirus says:

I have tried the new IE8 and I must say that IE8 is much better than IE7.

  117. Mitch 74 says:

    @EricLaw: I’ll try and crash IE again, no problem ^^

  118. watzabatza says:

    @ I luv IE

    yeah you’re right! IE rocks…

  119. Jill says:

    I develop in Firefox – period.

    As for testing in IE – of course I have to since many users haven’t upgraded to Firefox or Chrome yet.

    However the idea of developing in IE?! OMG you’ve got to be kidding me! Never would I dream of doing that.

Web Developer since Netscape 2.0

    (so yeah, I think I know a thing or two about the best tools out there.)

    Jill

120. I always use Firefox, because it is much easier to handle. A simple IE, and I will use it.

  121. Mitch 74 says:

    @EricLaw: well, in fact, I don’t have any antivirus running on this machine (I thought I had installed AVG on it, but no); the only two plugins that are active in it are the Spybot S&D IE settings protector addon, and Adobe Flash. One of the two may have caused the crashes, but anyway since IE, Spybot and Flash have all been updated since last time I tried crashing the browser, it may be considered resolved fixed.

    But boy, is IE 8 sluggish on that machine… Could it be that IE relies upon 2D hardware acceleration, making it crawl on VGA/VESA-only adapters? I’ll try popping in a supported 2D card in it, just to be sure.

  122. whats up says:

    OK I read the comments yesterday and there was a comment near the end that had 2 links on how to use a Google toolkit to get SVG to work in IE.

    Since MSFT has failed to deliver native SVG support in IE7 and IE8 and has made no promise to deliver it in IE9 why on earth was the comment removed?

    Is MSFT seriously concerned that Google’s toolkit will cause them some sort of competition?  I doubt there is an issue here as Google is not forcing users to ditch IE but rather embrace IE users and improve their experience by adding support for features that the IE Team left out.

    I didn’t realize that "SVG" was a dirty word on this blog.  Oops! I guess I’m going to have this comment filtered out because I mentioned the "SVG" word. Doh! did it again!

  123. N3 says:

Now that IE is ready for basic users, when do you plan to support standards for normal users and developers?

  124. Mike says:

I am thinking of leaving the web development business because of the levels of frustration I run into developing for your browser.

  125. hAl says:

    @Mitch 74

You might first check whether the Flash or Spybot S&D addons cause the slowness by running IE8 without addons

    "run iexplore -extoff"

    and see if that is still slow.

    Also check the restricted sites list in IE8 as Spybot S&D fills that up which causes slowness (albeit less than before after an IE8 update)

  126. hAl says:

    @EricLaw

Have you found out anything on the hang of IE8 on the javan.org page as reported before?

  127. ieblog says:

    @whats up: Comments which violate the comment policy (http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx) are removed.

    You’re free to discuss SVG all you like, so long as your comments do not violate policy.

  128. Mitch 74 says:

@hAl: running without addons, done. No change. I got a remarkable speed boost by using a card with 2D acceleration: IE is now as fast with accelerated 2D (UI, page scrolling, page content scrolling) as Firefox 3.5 was when running under VESA.

But then, Firefox 3.5 with accelerated 2D became sleek and fluid. Ah man… Missed again. Considering that Firefox’s UI is drawn through the same gecko engine that is used to render web pages (meaning, the whole UI is made using interpreted languages, and these aren’t even using the JIT optimizations that are in use for pages) while IE 8 is C++ compiled into machine code, there’s quite a strangeness happening here: interpreted code is supposed to be much more CPU-intensive and, thus, slow on slower machines than native machine code.

  129. Mitch 74 says:

Ah man, I noticed that my comment is not on topic any more.

    Sorry, but as I couldn’t really use IE 8 before now (it would crash my machine, see) I couldn’t give it a real test drive in ‘normal’ browsing. The engine is now much less of a pain to work with (no more morbid anticipation about what part of my CSS will have to be rewritten), the tools are infinitely better (I mean, it’s a relief when a Jscript debugger gives the actual source file and line number where the error occurred).

    But damn, does it feel sluggish…

  130. rey says:

Hey Microsoft, when are you going to fix Windows’ idiotic "Hmmm…the link you clicked has a PDF extension, but I see that in reality it is an EXE, so let me run it for you without telling you that I am going to do so so I can infect your computer with a trojan" issue?  If I click a PDF on the Internet and it’s not a real PDF but an EXE, then I should just get Adobe to come up and say it’s corrupt, not the freaking EXE running without me knowing what’s going on until my computer is dead.

  131. EricLaw [MSFT] says:

@rey: Technically, file extensions really have no meaning in URIs; you cannot reliably look at a given URI and determine what it will return.  For instance, a .PHP page can return a PDF, an EXE, an HTML page, or an image.

    There is no bug where IE will run a downloaded executable “without telling you.”

    If you click a link that leads to an executable file download, SmartScreen will evaluate it and you will receive the standard “Do you want to download this file” security prompt, indicating that you are downloading an executable file.
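An added illustration of the point above, not IE or SmartScreen code: a download handler that decides what a file is from its leading bytes and its Content-Type header, never from the URL's apparent extension, so a link ending in .pdf (or .php) that actually returns a Windows executable is still treated as an executable. The function names and the sample byte strings are constructed for this example.

```javascript
// Added example (not IE/SmartScreen logic): classify a download by what it
// actually is rather than by what the link's extension suggests.

// Well-known leading-byte signatures. Constructed table for this example only.
const SIGNATURES = [
  { type: 'pdf',        magic: Buffer.from('%PDF-') },            // PDF header
  { type: 'executable', magic: Buffer.from('MZ') },               // Windows PE/DOS stub
  { type: 'png',        magic: Buffer.from([0x89, 0x50, 0x4e, 0x47]) },
];

// What a user would expect from the extension shown in the link, if anything.
const EXT_TYPES = { pdf: 'pdf', exe: 'executable', html: 'html', htm: 'html', png: 'png' };

// What the server claims in Content-Type.
const CT_TYPES = {
  'application/pdf': 'pdf',
  'application/x-msdownload': 'executable',
  'application/vnd.microsoft.portable-executable': 'executable',
  'text/html': 'html',
  'image/png': 'png',
};

// Determine the real type from the first bytes of the body.
function sniffType(bytes) {
  for (const s of SIGNATURES) {
    if (bytes.length >= s.magic.length && bytes.subarray(0, s.magic.length).equals(s.magic)) {
      return s.type;
    }
  }
  // Loose HTML check: optional leading whitespace, then a doctype or <html>.
  const head = bytes.subarray(0, 64).toString('latin1').trimStart().toLowerCase();
  if (head.startsWith('<!doctype html') || head.startsWith('<html')) return 'html';
  return 'unknown';
}

// Extension a user would infer from the URL path ('' if none).
function apparentExtension(url) {
  const m = /\.([a-z0-9]{1,5})$/i.exec(new URL(url).pathname);
  return m ? m[1].toLowerCase() : '';
}

// Media type from a Content-Type header, ignoring parameters; null if unknown.
function typeFromContentType(header) {
  if (!header) return null;
  const media = header.split(';')[0].trim().toLowerCase();
  return CT_TYPES[media] || null;
}

// Core decision: executables always get the executable prompt, whatever the
// link looked like; anything whose bytes contradict the extension or header is
// flagged as a mismatch so the UI can say so.
function classifyDownload(url, contentType, bytes) {
  const ext = apparentExtension(url);
  const claimedByExt = EXT_TYPES[ext] || null;   // null for .php etc.: the link says nothing
  const declared = typeFromContentType(contentType);
  const actual = sniffType(bytes);
  const mismatch =
    (claimedByExt !== null && claimedByExt !== actual) ||
    (declared !== null && declared !== actual);
  let action = 'ok';
  if (actual === 'executable') action = 'prompt-executable';
  else if (mismatch) action = 'warn-mismatch';
  return { ext, claimedByExt, declared, actual, mismatch, action };
}

// Constructed samples: a real PDF, an executable served under a .pdf link,
// and an executable returned by a .php endpoint with a generic Content-Type.
const SAMPLES = [
  ['http://example.test/report.pdf', 'application/pdf', Buffer.from('%PDF-1.4\n%constructed')],
  ['http://example.test/report.pdf', 'application/pdf', Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03])],
  ['http://example.test/get.php?id=1', 'application/octet-stream', Buffer.from([0x4d, 0x5a, 0x90, 0x00])],
];

function runSamples() {
  return SAMPLES.map(([url, ct, bytes]) => classifyDownload(url, ct, bytes));
}

for (const r of runSamples()) console.log(r);
```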

  132. William says:

    @EricLaw

    Hi Eric,

    Thank you for your reply.

    >>I have no problem with that page in either XP or Windows 7

Here is our test result:

HP + Windows XP (Simplified Chinese) + IE 7 ==> Works

DELL + Vista SP1 (Simplified Chinese) + IE 7 (Norton) ==> Dead

DELL + Vista SP2 (Simplified Chinese) + IE 8 (Norton) ==> Dead

DELL + Vista SP2 (Simplified Chinese) + IE 8 (Norton) -extoff ==> Dead

DELL + Windows 2003 Server (English, Trial version) + IE 8 ==> Dead

at least 2G memory, closed Skype, MSN etc. programs.

    We have no Windows 7.

    Dead means: open the URL:

    http://www.jazan.org/vb/showthread.php?t=146570

    or

    http://www.aldair.net/forum/showthread.php?t=81162

IE will only show the title of the page, no response, seems to keep loading; in fact, if you click on the page area it will become whiter and show "no response" in the IE title. Then wait 5-10 minutes, it keeps the same status; finally we have to kill the IE process.

    thank you for your help.

We have met at least 30 URLs that will cause IE to go dead.

We also use the WebBrowser control to visit these URLs, dead too.

If we save the source code of the page to a local file, then open the local file in IE on Vista/Windows 2008, dead too!

Then if we remove some Arabic text from the local page and open it in IE (there is a lot of Arabic text in these pages), IE works.

We also tried setting the options of IE to default, no effect.

    Thank you for your Help!!!!!!!!!!!!

    William

  133. Daniel says:

    My question is about traffic and communication with the "evil site" blacklist database.

    How much traffic does SmartScreen generate over the network?  What happens when the blacklist database is not reachable?  Is the communication with the blacklist in the clear, or is it authenticated in both directions?  Can it be spoofed by an infected machine on a LAN that sniffs out the SmartScreen traffic and floods the wire with "Good site" response packets before the remote blacklist server can respond?

  134. EricLaw [MSFT] says:

    @Daniel: SmartScreen is optimized to require very little network traffic; it uses small XML requests and responses (<1k per check). When the SmartScreen webservice isn’t reachable, notification is provided in the status bar/download dialog.

    Communication with the URL Reputation Service is done via HTTPS, and hence infected machines on the network will be unable to emulate the legitimate responses from the server.

  135. drumm says:

    @rey,

"Hey Microsoft, when are you going to fix Windows’ idiotic "Hmmm…the link you clicked has a PDF extension, but I see that in reality it is an EXE, so let me run it for you without telling you that I am going to do so so I can infect your computer with a trojan" issue?  If I click a PDF on the Internet and it’s not a real PDF but an EXE, then I should just get Adobe to come up and say it’s corrupt, not the freaking EXE running without me knowing what’s going on until my computer is dead"

I think you should say that to Adobe, not Microsoft, since that’s exploiting a PDF vulnerability, not much to do with IE. The problem is not IE downloading and running an exe file; the problem is IE sees the file is a PDF file, so it passes control to the Adobe plugin, and the Adobe plugin has some holes that allow the malicious PDF file to run arbitrary code on your machine.

Plugins are little programs that run independently from the browser; they only display output inside the browser window. But the browser has little control over what the plugin is running.

  136. Mitch 74 says:

    @Rey, Drumm: one solution, don’t use Adobe Reader. Foxit Reader does have a plugin, and is much lighter.

    And it really seems not to have an exploit waiting every dozen lines of code either, like Reader. It, at least, is updated and fixed much faster.

  137. Jure says:

    "Success: NSS Labs defines “success” based upon a web browser successfully preventing malware from being downloaded, and correctly issuing a warning."

    IE8 issues a warning to everything, but I don’t see how that qualifies as real-life security for unsophisticated users.

    Does anyone here even know a user that was ever stopped from downloading malware by an "Are you sure?"?

  138. Phil Rigby says:

    Yeah this is how good it is – suddenly uk.com websites are all bad…

    http://www.theregister.co.uk/2009/08/26/ms_phishing_filter/

  139. Matt says:

    Jure: You need to do more research. It doesn’t say "Are you sure?" it blocks the download.

    http://blogs.msdn.com/ie/archive/2009/02/09/ie8-security-part-viii-smartscreen-filter-release-candidate-update.aspx

    Phil: "Uk.com" is trying to act like a real top-level domain, but according to the rules of DNS they’re not one. So it’s **their** responsibility to ensure that none of their sites are being used for phishing.

    Real companies would be well-advised to buy a real domain name instead of borrowing part of the domain space from a company that hosts phishing sites.

  140. Gerald says:

    @Phil/@Matt – and this is why the address bar highlighting in IE8 is an Epic Fail.

    Due to the flawed implementation that can’t handle UK and Australian double suffix extensions users have already accepted that the highlighting can’t be fully trusted.

    Now you throw in IE’s phishing filter that isn’t careful enough to use the right combo of subdomain, domain, ext1, ext2, port, & application and you have another level of flawed security.

    Usability was thrown out the window when IE grayed out part of the address bar (instead of bolding the important part etc.) and now users don’t know what to trust with all of IE’s security warnings.  I get a security warning every time I load an HTML page from my computer… so now I’m numb to dismissing the security bar because I have to do it all the time when it isn’t even necessary.

    As for the results of the test – the standard phrase applies.

    Do you trust the results of a sponsored test?

    If you do you are a fool.

    If Microsoft really wants us to believe the results, they need to find an independent 3rd party that is doing such a test and publish those results or join forces with other vendors to provide equal financial incentive to the 3rd party research… and FULLY disclose this as the FIRST line of the report.

    MS can’t publish a blog for their own browser that renders in Standards Mode.  This doesn’t give me any faith that they have the "best interests" of the Web users/developers across the globe.

    Pair all this with the fact that I can’t even uninstall a nasty addon from IE if it gets in there and you just roll your eyes trying to figure out what MS cares about most.
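The "double suffix" problem raised in the last few comments (co.uk, com.au, and a private registry such as uk.com), shown as an added example that is not IE's address-bar code: highlighting the "last two labels" of a host name picks out co.uk for every British site, while a suffix-aware rule needs a table of public suffixes to find the registrable domain. SUFFIXES is a small constructed table (the real Public Suffix List is much larger); the function names are hypothetical.

```javascript
// Added example (not IE's implementation): naive vs suffix-aware domain
// highlighting. SUFFIXES is a constructed stand-in for a public suffix table;
// whether "uk.com" is in it decides how sites under that registry are shown.
const SUFFIXES = new Set([
  'com', 'net', 'org', 'example',
  'uk', 'co.uk', 'org.uk',        // UK second-level registries
  'au', 'com.au', 'net.au',       // Australian second-level registries
  'uk.com',                       // private registry selling names under a .com
]);

// Naive rule: the last two labels are "the domain". Right for example.com,
// useless for anything under co.uk, where every site highlights as "co.uk".
function naiveRegistrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Longest suffix from the table that matches the end of the host; falls back
// to the last label so an unknown TLD still behaves like the naive rule.
function publicSuffix(host, suffixes = SUFFIXES) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (suffixes.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain = public suffix plus exactly one more label.
// Returns null when the host is itself a public suffix (nothing to highlight).
function registrableDomain(host, suffixes = SUFFIXES) {
  const labels = host.toLowerCase().split('.');
  const suffixLen = publicSuffix(host, suffixes).split('.').length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join('.');
}

// What an address bar would dim and what it would show prominently.
function highlightSplit(host, suffixes = SUFFIXES) {
  const lower = host.toLowerCase();
  const prominent = registrableDomain(lower, suffixes);
  if (prominent === null) return { dim: lower, prominent: '' };
  return { dim: lower.slice(0, lower.length - prominent.length), prominent };
}

// Constructed hosts: a bank, a look-alike under the same suffix, a site under
// the uk.com registry, and an Australian host.
const HOSTS = ['www.bank.co.uk', 'bank-login.co.uk', 'login.example.uk.com', 'shop.example.com.au'];

function compare(hosts = HOSTS) {
  return hosts.map((h) => ({
    host: h,
    naive: naiveRegistrable(h),
    suffixAware: registrableDomain(h),
    // same host judged by a table that lacks the private uk.com entry
    withoutUkCom: registrableDomain(h, new Set([...SUFFIXES].filter((s) => s !== 'uk.com'))),
  }));
}

console.table(compare());
```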

  141. Daniel says:

    @EricLaw: Thank you for the response.

    I’ve not done the analysis of web traffic (I had to uninstall IE8 from my home system because the IT department at my employer does not yet deploy a remote access client that works with IE7 or IE8), but did notice that IE would pause when I went to visit a new page more than I would have expected, and was thinking that the transaction with the database might be the reason.

    Have you considered (or incorporated) proactive queries, where URIs that are directly available in the loading HTML (don’t have to wait for the full page to load) are collected and queried before the user attempts to click on them?  Links identified as suspect could get a different pointer shape for the mouse, giving an indication to the user that the link is potential trouble.

    When I was doing internet security work, I found that the response time of the network could affect security when it came to whitelists/blacklists and authentication transactions.  One of the angles we studied was a human behavior angle, which is that if the response to an action taken by the user is too slow with maximum security, a large number of users will simply turn it off under the assumption that they’re smarter than the average user.

    A DOS against one side of an SSL link (flood the local machine’s receive socket with inauthentic garbage) could cause legitimate packets to be lost and the response time got much worse.  We did not see this exploited in the wild, but then again, I did this work back in the late 1990s; dial-up was still the dominant connectivity option, and a large number of ethernet LANs were either thin-net or UTP using hubs, not switches, so all traffic on the LAN was usually visible to all systems on that LAN.

    I don’t do internet security these days, though I worry about it a lot.

I found the study that’s now under rather hot debate non-credible, not because of its conclusions, but because the methods were not sufficiently transparent, and the data set not defined.  I did not attack IE8 or SmartScreen, nor did I say that the conclusions of the study might not be correct, but from the data available to me at the time I read the report, I did not feel that its conclusions were creditable at the browser vs. browser level.  The system, as a whole (browser + database + telemetry + scavenging) does appear to provide better protection against the particular type of malware.  As more information becomes available, my opinion may change.

One problem that I had when I let Windows Update install IE8, and that still persists now that I’m back at IE6, is that my desktop system tray no longer shows most of the icons it’s supposed to (volume control, removable storage, etc.) at log in.  I have to kill the explorer.exe process in Task Manager and then start up a new instance; the icons then appear as they should.  I’ve found nothing in the knowledge base (using the search terms I could think of) about this, but it’s darn annoying.  It appears to be a sequencing problem, but I don’t know enough about the system tray notification messages to be sure.

    Thanks again for the response.

  142. Phil Rigby says:

    @Gerald…

    Ideas are good if they’re implemented properly, agreed?  I would agree with you by saying the execution of Microsoft’s ideas is flawed to the point of a fail.  However, I think the idea behind is actually a good one.

    From my perspective – as a highly technical user, I’m not a web developer – I think the idea of the address bar highlighting/de-highlighting parts is quite good.  Again, the execution of that idea is at best, questionable.

    It is also flawed to be prompted for security warnings when accessing local html, no argument there.

    It’s bad that v8 of a web browser scores less than 20 on Acid 3 when other browsers of the same generation are scoring in excess of 80.

    It is bad when MS can’t even code their own websites to be compliant in their own web browser.  I happened to be using IE 6 the other day and msn.com couldn’t display media embedded in the page (media player videos, not flash etc).

    Color coded tabs are good – I like that idea – I don’t like waiting ~2 seconds to open the next tab.

    I like the new UI – I think it’s quite slick – but I don’t like that I can’t skin the product, like I can Firefox, Opera…

    No I don’t trust ANY report.  Lies, damn lies and statistics.  That’s all you need to remember.

    As for what MS cares about, it’s squishing the competition by whatever means are available.  Nothing more.  The only reason Firefox and Opera exist is because Microsoft can’t legally buy out the companies that produce them, plain and simple.  That’s why IBM bought Lotus, so that MS couldn’t!

    IE8 is generally a good product, but take into account useless eye-candy like Accelerators and Slices, combined with straight-forward rendering issues like no SVG (c’mon MS, for God’s sake!) and I see no reason to leave Firefox.

    Eric and Dean, I hope you’re paying attention.  Go tell Mr Ballmer to throw some chairs and have the engineers make IE 9 the browser it should be, the way Windows 7 is going to be what Vista should have been.

  143. Phil Rigby says:

    @Matt – it’s **whose** responsibility?  If it did work, and now doesn’t after an MS update, whose issue is that exactly?  QA anyone?  Testing?

  144. Matt says:

    Phil: It’s Uk.com’s responsibility not to be hosting pages with phishing and malware content, if they don’t want pages in their domain to be blocked.

  145. Phil Rigby says:

    Matt: It’s MS’s responsibility not to block an entire sub-domain because of some web sites.  There can be genuine sites on there also.

  146. Matt says:

    Phil: So you’re saying that phishers and malware authors should be allowed to trivially bypass SmartScreen using wildcard hostnames?

    I prefer the safer browsing experience where domains that don’t prevent hosting of malware are blocked, thanks.

  147. Phil Rigby says:

    Matt:  No.  I’m saying that if http://www.a.uk.com is malware but http://www.b.uk.com is a genuine site, MS shouldn’t block *.uk.com.  They should block *.a.uk.com.  Make sense?

  148. Matt says:

    Phil: You’re missing the point. "Uk.com" owns and is legally responsible for both "a.uk.com" and "b.uk.com". So if they’re hosting malicious content on "a.uk.com" why do you assume that they wouldn’t also host malicious content on "b.uk.com" pointing at the same IP address?

    Uk.com is **not** a top-level domain.

  149. Phil Rigby says:

    But, you’re assuming in that case that every site within that sub-domain hosts malware.  You can’t make that assumption unless you either:-

    a) Have facts and evidence to support it; or

    b) You’re policing the Internet.

    I know for a fact MS are not doing b).  I suppose they made their decision based on some of a).  For the most part I would agree it’s best to take the safer path – however, not at the expense of shutting out potential sites that are good.  You can’t say every site within uk.com is malware.

    To evolve this system, wouldn’t it be better to block any actual attempt to install malware or phishing rather than just throw warnings about the site?

    But I do fully take your point about b.uk.com’s IP address pointing to a.uk.com, that is a valid concern.  All I’m saying is you shouldn’t necessarily block an entire sub-domain just because you can.

  150. whatever says:

    So did everyone in the UK switch to Firefox or Opera?

  151. drumm says:

    @ Jure,

    "IE8 issues a warning to everything, but I don’t see how that qualifies as real-life security for unsophisticated users.

    Does anyone here even know a user that was ever stopped from downloading malware by an "Are you sure?"?"

    It’s not about the "Are you sure" toolbar that pops up all the time when downloading files, which I do think is very annoying and next to useless.

    This article is about the SmartScreen filter, which means when you go to a site hosting some malicious code, the whole page goes red and displays "This page has been reported unsafe", which blocks the user from accessing the web site itself, not just the downloads.

  152. drumm says:

    @ Phil,

    The thing is, web pages from the same sub-domain are generally considered from the same website, and the whole site is blocked when some pages on it are found to host malicious code. That’s how ALL current content blocking mechanisms function, including Chrome, Firefox, McAfee SiteAdvisor, Outpost Firewall, etc. etc.

    So far content blocking is all site-based, not page-based, and I’ve seen Google Chromium at one time blocking the entire 163.com site (163.com is one of the largest general portal sites in China) just because its software hosting site has an adware download, so that sub-domains like mail.163, news.163, etc. etc. are all blocked. Later when it’s unblocked, the whole site including the page that has the adware download is unblocked.

  153. drumm says:

    @ Phil,

    The thing is, web pages from the same domain are generally considered as pages from the same website, and the whole site is blocked when some pages on it are found to host malicious code. That’s how ALL current anti-malware content blocking mechanisms function, including Chrome, Firefox, McAfee SiteAdvisor, Outpost Firewall, etc. etc.

    So far anti-malware content blocking is currently all site-based, not page-based, and I’ve seen Google Chromium at one time blocking the entire 163.com site (163.com is one of the largest general portal sites in China) just because its software hosting site has an adware download, so that sub-domains like mail.163, news.163, etc. etc. are all blocked. Later when it’s unblocked, the whole site including the page that has the adware download is unblocked.
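As an added illustration of the site-level blocking that Matt and drumm describe (example code added here, not SmartScreen’s or any browser’s own logic): a blocklist keyed on the registrable domain, using a constructed public-suffix fragment in which uk.com is an ordinary registered domain while co.uk is a public suffix, contrasted with an exact-hostname list that a fresh wildcard hostname would not be covered by.

```python
# Added example, not code from the IEBlog post or from SmartScreen.
# PUBLIC_SUFFIXES is a constructed fragment, not the real Public Suffix List:
# "co.uk" is treated as a suffix shared by unrelated registrants, while
# "uk.com" is NOT listed, so it is one registrable domain with one owner.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain: one label below the longest public suffix.

    www.a.uk.com -> uk.com     (uk.com is a registered domain, not a suffix)
    www.a.co.uk  -> a.co.uk    (co.uk is a public suffix, so a.co.uk is the site)
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the rightmost label leftwards; the first candidate that is
    # not itself a public suffix is the registrable domain.
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host.lower()


def is_blocked_site(host: str, blocklist: set[str]) -> bool:
    """Site-level check (the behaviour drumm describes): the whole
    registrable domain is blocked once any page under it is listed."""
    return registrable_domain(host) in blocklist


def is_blocked_exact(host: str, blocklist: set[str]) -> bool:
    """Hostname-level check: only exact listed hostnames match, so a newly
    minted hostname under the same registrant is not covered until reported."""
    return host.lower().rstrip(".") in blocklist


def triage(hosts, site_list: set[str], exact_list: set[str]) -> dict:
    """Constructed comparison of both granularities over a list of hosts."""
    return {
        h: {"site": is_blocked_site(h, site_list),
            "exact": is_blocked_exact(h, exact_list)}
        for h in hosts
    }


if __name__ == "__main__":
    # Constructed sample entries: uk.com was reported at site level and
    # www.a.uk.com at hostname level; new-host.uk.com was never reported.
    for host, verdict in triage(
        ["www.a.uk.com", "www.b.uk.com", "new-host.uk.com", "www.b.co.uk"],
        site_list={"uk.com"}, exact_list={"www.a.uk.com"},
    ).items():
        print(host, verdict)
```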

  154. rey says:

    @ericlaw, mitch74, drumm

    Well, I’m not sure if it was Adobe or Windows itself (not IE per se), but either way I think they have probably both fixed it because I can’t reproduce it on a PC with both fully up to date.  Sorry for my pointless question.
