XSS Trends and Internet Explorer

As far back as 2005, cross-site scripting (XSS) was recognized as the most commonly reported type of software vulnerability. A more recent study by Veracode using data from the Web Hacking Incident Database shows that XSS is the most prevalent vulnerability in Web applications and the second most likely to be leveraged in real-world attacks.

[Chart: cross-site scripting (XSS) is the top vulnerability, with 68% of Web applications affected. Information leakage is number 2, with 66% of Web applications affected.]
Chart courtesy of Veracode; used by permission

Data from the Microsoft Security Response Center (MSRC) demonstrates the growth in reported XSS:

[Chart: reported cross-site scripting vulnerabilities grew from 1 in 2004, 3 in 2005, 7 in 2006, 16 in 2007, 9 in 2008, 7 in 2009, 8 in 2010, 22 in 2011, to 39 in the first half of 2012.]
Growth in reported XSS vulnerabilities 2004 – 2012 (first half)

The chart above illustrates how we are seeing XSS actually start to crowd out other
types of reported vulnerabilities percentage-wise, year-over-year.

To help protect users, Internet Explorer pioneered the implementation of multiple overlapping mitigations targeting XSS, including security=restricted IFRAMES and the IE XSS Filter. IE10 introduces support for the new HTML5 standard IFRAME Sandbox, which allows developers of Web applications to more tightly control the behavior of embedded content. We’re intent on continuing these investments, as real-world data continues to show an uptick in the relative quantity of XSS vulnerabilities in the wild.

To review the impact of the IE XSS Filter, we’ve done a deep analysis of all vulnerabilities
reported to MSRC in the first half of 2012. This analysis has shown that currently
the IE XSS Filter applies for 37% of all legitimate vulnerabilities
that are reported to the MSRC. (For some perspective, another highly reported vulnerability
class is memory safety, accounting for 24% of vulnerabilities within the
same data set.)

The IE XSS Filter is just one example of how our browser’s threat-mitigation strategy
doesn’t stop with memory safety mitigations like
. As more customers and businesses leverage Web technologies,
mitigating XSS and other Web application vulnerabilities has become increasingly
important. We are happy to see the impact mitigations have made against the threat
of XSS, and are looking to continuously innovate in this space going forward.

—David Ross, Principal Security Software Engineer, Microsoft Security Response Center

Comments (88)

  1. blackbart says:

    Normally I wouldn't leave a comment like this, but….

    Don't care about this post. I didn't even bother to read it (I normally enjoy reading your posts). Why? BECAUSE I'M STILL WAITING FOR IE10 FOR WINDOWS 7!

  2. I don't care about Ie10 ! says:

    I don't care if this comment hurts anyone here but are IE really a good thing. Even I tried Ie10 I still force to install chrome frame. I use many site on my daily routine and they have different kind of trouble in Ie10. When I talk most of them they simply let me go for Firefox or chrome.

    so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame". I even not got any answer for this kind of issue.

  3. japanese man says:

    When to come to use IE10 by Windows 7?

    Please carry out early.

  4. Prior Semblance says:

    "so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame"."

    That's because whoever made those websites is either a horrible web designer or is purposefully making their site not work in IE. It's one thing to have problems getting your site to work in IE7, but there's no excuse for a site to be broken in IE9.

  5. Brian says:

    *yawn* Sorry, this really is cool. But it is useless rather pointless since IE10 IS NOT AVAILABLE ON WINDOWS 7.

  6. Windows seven says:

    Where is the windows 7 version?!

    Where is the post about the Flash list issues!?!?!

    Where is the post about Microsoft just lost the only engineer that cared about the future of IE because Eric Lawrence quit Microsoft after they refused to be reasonable about Flash in Metro mode!

    When is the blog software getting fixed?!?!

    When are the three windows phone 8 developers going to get an SDK?!

    So many questions and yet Microsoft is still playing the silence game!


  7. Armend Mitrovica says:

    ie10 for windows7 to be released 24 September ?

  8. George says:

    7 comments above, none related to the subject. Facepalm.

  9. Randall says:

    Ahh, CommunityServer may've eaten my last comment after I took too long to write it.

    Short version: XSS filters can allow attackers to selectively edit individual script tags out of a target page, by making it appear that reflection XSS is happening when it's not. It's possible for that to be a security problem in itself, for instance if one script tag sanity-checks some parameters then a second script tag acts on them. What's Microsoft's thinking on this? One other browser seems to block all script on the target page if it suspects an attack, which seems like a good workaround to me.

    And: this filter has some compatibility impact, even if it's small. The post introducing the filter talks about compatibility a bit. For example, site where you upload webpage templates then immediately preview them might work in other browsers but fail under an XSS filter–I had that problem with another browser's filter. (That's how I discovered that that browser stops all script on the target page. 🙂 ) Should browser makers standardize their rules?

  10. @George says:

    Well, guess it makes 8 including yours that wasn't related to the subject either. Seriously, what to comment on a subject like this? I mean, is there really no more important stuff the IE team can blog about? All the questions and topics people really do care about are reflected in the comments.

  11. Prior Semblance says:

    Except these people are just being stupid and asking questions that were answered months ago. IE10 on Windows 7 will be out when it's ready, which might be before the official release date but they might just decide to wait for the release date which is probably around when Windows 8 comes out.

  12. Royan Carein says:

    IE Team should delete or even don't approve in the first place off-topic messages. How can you tolerate all these trolls talking about a totally unrelated subject ("IE10 for Windows 7", for example)?

  13. @I don't care says:

    [quote]so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame". [/quote]

    I never encountered that message.

    Give us a list of those many sites that do this ?!!!

  14. Martin says:

    So when are we going to get a response from Microsoft?

    Zero feedback is not helping your image Microsoft – it shows you have no passion and no commitment to developers. Our concerns go unanswered and our distaste for Microsoft and Internet Explorer grows.

    Worst of all we've told you plenty of times for many years that the comment form is broken on the IE Blog.  It's been confirmed by Microsoft employees and we've even provided you with the fix yet it has not been addressed.  How else are we supposed to take this other than as a slap in the face?!


  15. Lynn says:

    Need IE 10 on Windows 7

  16. Randall: If you'd like an XSS detection to prevent rendering of the page in its entirety, use the MODE=BLOCK attribute. I wrote about this here: blogs.msdn.com/…/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
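
The `mode=block` setting mentioned in the reply above, as an added example that is not part of the original thread or Microsoft's code: an audit of `X-XSS-Protection` response headers that flags responses where the filter would still disable individual script blocks instead of blocking the whole page. The header value syntax (`0`, `1`, `1; mode=block`) is not quoted on this page; the `app.example` URLs and all function names are assumptions of this example.

```javascript
// Look up a header by name, case-insensitively (HTTP header names are not
// case-sensitive, and captured header maps vary in how they spell them).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Classify an X-XSS-Protection value as 'off', 'sanitize', 'block' or 'invalid'.
function parseXssProtection(value) {
  if (value === undefined || value === null) {
    // Assumption: with no header the filter runs in its default mode, which
    // neuters only the suspected script rather than blocking the page.
    return { present: false, mode: 'sanitize' };
  }
  const parts = String(value).split(';').map((p) => p.trim().toLowerCase());
  const flag = parts.shift();
  if (flag === '0') return { present: true, mode: 'off' };
  if (flag !== '1') return { present: true, mode: 'invalid' };
  // Directives after the flag are name=value pairs; only mode=block matters here.
  const block = parts.some((p) => {
    const [name, val] = p.split('=').map((s) => s.trim());
    return name === 'mode' && val === 'block';
  });
  return { present: true, mode: block ? 'block' : 'sanitize' };
}

const ADVICE = {
  off: 'filter disabled for this response; the browser will not mitigate reflected XSS here',
  sanitize: 'filter may disable individual script blocks; send "1; mode=block" if the page must render all-or-nothing',
  invalid: 'header value not recognised; send "1; mode=block"',
};

// Return one finding per response that is not already in block mode.
function auditResponses(responses) {
  const findings = [];
  for (const { url, headers } of responses) {
    const result = parseXssProtection(getHeader(headers, 'X-XSS-Protection'));
    if (result.mode !== 'block') {
      findings.push({
        url,
        mode: result.mode,
        present: result.present,
        advice: ADVICE[result.mode],
      });
    }
  }
  return findings;
}

// Constructed sample responses (not captured traffic).
const SAMPLE_RESPONSES = [
  { url: 'https://app.example/search', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://app.example/preview', headers: { 'x-xss-protection': '0' } },
  { url: 'https://app.example/account', headers: { 'X-XSS-Protection': '1; mode=block' } },
  { url: 'https://app.example/help', headers: { 'X-XSS-Protection': '1' } },
  { url: 'https://app.example/legacy', headers: { 'X-XSS-Protection': 'yes' } },
];

for (const f of auditResponses(SAMPLE_RESPONSES)) {
  console.log(`${f.url}: ${f.mode} - ${f.advice}`);
}
```

The `/preview` entry mirrors the template-preview case raised earlier in the thread: a page that intentionally reflects submitted markup is the kind of response where a site might send `0`, so the audit reports it separately from pages left on the default.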

  17. Facts says:

    Armend Mitrovica:

    "ie10 for windows7 to be released 24 September ?"

    Huh? Where you have got that date?

  18. Disappointed says:


    Ridiculous, just ridiculous guys how you avoid to answer any questions on IE 10 for Win 7. Your post right now is another slap in the face! Instead of finally saying something about Win7 availability, you addressed the one single XSS comment.

    Why aren't you guys posting that IE 10 is coming for Win 7? Just a short little sentence:

    "Don't worry guys, IE 10 is coming for Windows 7!"

    ONE SENTENCE LIKE THIS and you would calm everyone down. It's maddening how stubborn Microsoft became since the reign of King Sinofsky the first, ruler of the Sinpire.

    Or is the reason for the all this silence that IE 10 won't be available for Windows 7 indeed?

  19. Yannick says:

    @ I don't care about IE10 – Then you're visiting out-of-date websites that don't know there is something as IE9-10, the webdeveloper of those sites is just a IE-hater or you seriously have to stop activating Compatibility View.

  20. It is concerning to see XSS growing so exponentially. I should check to see what measures the mainstream web browsers and security software have to offer.

    Speaking of mainstream web browsers, it reminds that Internet Explorer was once such a browser. Now, if one asks the question "Is Internet Explorer version X supported on my version of Windows?" the answer is most likely "No!"

  21. Rob says:

    I am having issues with checkbox not showing the checks, but show up fine with Firefox. I have made sure my system has all the Microsoft updates and have compared all the add-ons with a co-worker that does not have this issue and disabled any add-ons he did not have.

    Thanks for any help

  22. dross says:

    Randall: In addition to EricLaw's blog, it's worth noting that in the scenario you describe the IE XSS Filter will disable both script tags.  Try it!

  23. @Dissapointed says:

    They shouldn't need to say anything because they already told us when it would be coming out months ago.

  24. abc says:

    "They shouldn't need to say anything because they already told us when it would be coming out months ago."

    Months? Almost a year ago was the last word on IE 10 for Win7!

    Since then there is nothing but ominous silence.

  25. pmbAustin says:

    Even a "We hear you… we'll have more to say about IE10 on Win7 soon!"  would be better than this silence.

  26. ieblog says:

    We hear you. We'll have more to say about IE10 on Win7 soon.

  27. Gary says:

    @ieblog FINALLY!!!

    As for the comment after EricLaw replied please note that EricLaw was being very helpful especially when this Monday he announced that he managed to escape from Microsoft to move up to work for Telerik by working on Fiddler full time.

    Likely not directly related but there are many developers/testers on the IE team that are very upset with where Microsoft has completely derailed IE development by adding the ridiculous flash blocking by default list.

    Actually let me rephrase that – Everyone! Not just the IE team thinks that this new plan is ill-conceived, creates horrible usability issues and ruins the user experience.

    The attempt to downgrade the PC IE experience to match the low end capabilities of the new Windows 8 tablets/phones was a major mistake and one that needs to be reversed ASAP!

    I won't even go into the insane developer submission requirements that are totally unacceptable.

  28. Yuhong Bao says:

    The Flash blocking by default applies only to Metro IE. They are not degrading "PC" non-Metro IE.

  29. An says:

    There are many problems in the Do Not Track function of IE10.

    The developer of Apache began to ignore this.

    Microsoft should cope with this problem immediately.


    Apache Web software overrides IE10 do-not-track setting



  30. Win8 or the highway says:


    >Still waiting for non-existent IE10 for Win7


  31. Yannick says:

    @  Win8 or the highway  

    You miss the comment of IEBlog?

  32. Martijn says:


    That can still go both ways. There is simply no way that you DON'T know whether IE10 is going to be on win7 or not. This has to be known, and has to have been known for several months at the very least. We NEED closure, as you can see.

    Also, ieblog, you're going to keep getting these offtopic remarks, as long as you keep posting about the things we are not waiting for, which is to say IE10-on-win7 and the Flash-on-Metro issues. Don't leave your developers in the dark.

  33. Randall says:

    @EricLaw, dross: Thanks for the replies, and cool to know the second script tag is blocked as well.

  34. Terry says:

    For all who are waiting for Windows 7 support, Read my email to IE team below:


    Subject: Internet explorer 10 for Windows 7?

    Sent: Wednesday, August 22, 2012 4:38 PM

    According to this KB article: support.microsoft.com/…/2718695, Internet Explorer 10 is not yet supported on Windows 7. But this article technet.microsoft.com/…/hh846773.aspx suggests that it's only supported on Windows 8 and Server 2012.

    Does it mean that it's scheduled for Windows 7 in future?



    Subject: RE: Internet explorer 10 for Windows 7?

    Sent: Thursday, August 23, 2012 3:19 AM

    IE 10 is planned for Windows 7. It’s being worked on. We just don’t have a release date to announce yet.

    The documentation is written for today. Today, IE10 is only available on Windows 8 and Windows Server 2012.

    –Ted Johnson for IEBlog


  35. Pino says:

    Please support IE10 on Windows 2000, XP and Vista.. make a standalone/portable version for these OSes (let the IE8/7 keep the deep integration at OS level). Please consider this request. Among mainstream browsers, IE is already the only browser supporting just Windows (officially).

  36. haha says:

    @pino LMAO. Windows 2000 doesn't even support IE7, 8, or 9. Nor does it even get security patches anymore. You're also stuck on insecure versions of Adobe Flash and most other software. You want a version for Windows 3.1 too? Development isn't free.

  37. dave says:

    i reckon IE10 will be released on oct 26th the same day as win8 goes on sale to the general public. I still can't believe they didn't give us a new version before RTM, i'm expecting it to be rather buggy.

  38. OOO says:

    I am sorry for the comment which is not related to a report.

    Windows 8 should return a start button immediately.

    It is hard to use too much.

    Since it became behind to a slight degree, it is made to have liked you to abolish.

    Would you report to OS team?

  39. Pino says:

    @haha, Opera supports win2000 to win8. till date. Chrome and FF support latest version from XP to 8. If IE10 supports 2000-Vista as a standalone installation (without affecting the other OS components), it would give IE marketshare some goosebumps…

  40. @OOO says:

    Start button was an old age.. welcome to new age.. and try to adjust yourself its extremely easy!!!

  41. comments-before-doctype-bug says:

    I was wondering, can anyone please confirm if IE10 still reverts to quirks mode if there's a comment before the DOCTYPE?  Earlier alphas of IE10 did, but I believe Microsoft were working on a fix.

    It's discussed by user sahack1 here: msdn.microsoft.com/…/cc288325.aspx

  42. @comments-before-doctype-bug says:

    As of IE10 RP this issue is resolved.

    Public test case: newilk.com/…/comment-before-doctype

    IE9 renders in Quirk Mode

    IE10 RP renders in Standard Mode

    IE9 treats Doctype as comment if there is a comment before doctype. IE10 respects the comments before doctype and treat doctype separately. This behavior can also be observed via F12 developer tools.

  43. @@comments-before-doctype-bug says:

    Well that is marvelous news.  Thanx for confirming.

  44. den says:

    wheel invention was some thousand ago , but now we use it.

    Start menu can be inside Windows .

    i can see and use one icon in 48*48 . but in large tiles or icons user eyes become dizzy ( in Desktop )

  45. chevysales says:

    can someone explain to me how ie9 scored soooo low on toms hardware tests?

    I am no MS basher and love IE9 but the score was 1/3rd of chrome and firefox?

  46. Trooper says:

    @chevysales, If you take Google's V8 javascript benchmark, Chrome21 is the top scorer. If you take tons of tests on Microsoft TestDrive, IE10 is the top scorer — Chrome fails miserably. It's not that they are checking the browser version, but it's about exploiting the strengths of your browser where other browser is weak.

    I am not employed by Microsoft. But let me tell you, last year in April on IE9 release. IE9 was TOP SCORER in ECMA's javascript conformance test (the official JS body), Sunspider webkit test (JS and DOM engine's conformance test by Apple) and Kraken (Mozilla's).. Now after 16 months, IE10 RTM is number1 on ECMA test and Sunspider.

    Tom's hardware is not official scoring system.

    IE10 is getting way too much faster and complying with HTML5 and CSS3 standard to FULL extent. Take an example of placeholder attribute of HTML5 < input > tag..

    Firefox provide :-moz-placeholder for CSS3.

    Safari and Chrome provide ::webkit-input-placeholder.

    IE10 provide :-ms-input-placeholder

    If I tell you this information, you may say its a good news and move on. But what about "the quality" of this implementation: Firefox doesn't support line-height property for placeholder. Chrome doesn't support padding, Safari supports 5 out of 13 properties listed here newilk.com/…/Placeholder_styling

    Opera dropped the support of placeholder styling since Opera 11.

    IE10 is the only browser supporting all properties for placeholder style.

    So the folks at HTML5test might have bashed IE for not covering aspects of HTML5 as much as Chrome. Why? Because W3C's working drafts are NOT recommended for implementation. All the candidate recommendations as well as most of the near-to-approve has been implemented in IE10. AND IE is at least giving "complete support" when the folks at W3C approve the working draft.

    Here is another example what happened with CSS3 Gradient support: blogs.msdn.com/…/unprefixed-css3-gradients-in-ie10.aspx

    In order to avoid such conflicts, vendors should wait before the standard get final approval from the body.

    Also, due to the hardware accelerated graphics in IE10 and the entire Windows 8, IE10's (even IE9's) graphics capabilities are significantly better than others. Nonetheless, there is a BIG difference between IE10RP and RTM when it comes to performance of DOM manipulation. If you were following the issue at Microsoft-connect, you might have observed it (connect.microsoft.com/…/a-dom-manipulation-test-ie-performance)

    Finally, after IE10's general-availability for Win8 and Win7, you can then ask uncle Tom to run his tests on it and compare with his beloved chrome (unless he is not only relying on V8 benchmark — and now you know why V8 is not neutral).

  47. George says:

    @Trooper – Exactly! Neutral tests have shown that IE10 is slightly ahead! I've caught myself writing too much "-webkit-" these days, man!

  48. Endless silence says:

    @ieblog you've promised a Windows 7 version of IE10 and it is nowhere to be seen (thus developers have not yet tested the browser you plan to release in shortly over a month)!

    @ieblog there has been nothing but complaints, questions, confusion, and utter hatred for your proposed "Flash Compatibility List" (the concept, the submission process and the implementation) however you seem to have refused to respond to any developer concerns, period.

    As a long time Web Developer and IE beta tester this shows all the signs of a browser vendor that does not care about its 3rd party developers which is extremely sad to see.

    Please indicate if Microsoft intends to continue ignoring users, testers and developers or if this gross negligence is a massive oversight is the result of a poorly understood PR procedure and that Microsoft plans to rectify this by opening up communication and start responding to each and every concern we have put forth regarding this utterly incompetent solution to a non-existent problem.

  49. Paul says:

    @Endless silence, observe:

    – Microsoft provided guides and tools for developers to install Windows8 developer preview on your system (or virtual machine) a year ago – Sept 2011 – to test and submit feedback for Internet Explorer 10. It takes me (or any real developer) 20 minutes to install win8 preview (developer-preview then consumer-preview and now release-preview) on VirtualBox (freeware). Microsoft-Connect is filled with thousands of feedback-bug-reports. Where were you? Are you even a developer?

    – IE10 for desktop supports all-kind-of flash content like IE9 does.

    – For IE10 metro (mainly targeted for low-power tablets and mobile devices), Microsoft expect the developers to test their existing applications for number of aspects, such as power, memory-leaks, touch, multitouch and orientation and submit your result. If it doesn't qualify, fix the issues and submit again. They will review and approve it and allow it to run on IE10-metro. Some million flash movies are already approved.

    – In comparison with WinRT, iOS doesn't support flash at all.

    – In comparison with WinRT, Android (since version 4.1), dropped the flash support.

    – Adobe (the vendor of flash), is moved to adopt HTML5 for mobile platforms rather than Flash since last year. (if its a news for you, google/bing how aggressively Adobe is trying for this paradigm shift).

    Given these circumstances, Microsoft is still doing a better job than others who has completely dropped the support.

  50. Armend Mitrovica says:

    can someone confirm that ie10 for windows7 will be released the 26-September or 2-October ?

  51. George says:

    @Armend Mitrovica – either tell us your source or stop spamming.

  52. Bob Lamb says:

    IE 9 Sucks big time! Every time I go to use it the damn browser quits working and crashes. Wish Microsoft would fix what they have before they move on! bob@far-llc.com

  53. Adam says:


    Developers don't have a spare PC lying around to install an entire OS just to test a browser!

    Developers don't have touch based PCs/Laptops because they don't exist and no one wants one! If you've got a keyboard and mouse why would you suffer through less accuracy to use touch and get smudges all over your screen?!

    Developers don't even have windows 8 touch tablets because once again they are even for sale yet, and they will be f— ing expensive when they do come out!

    According to the very specific rules for applying to the censorship list you must test on hardware that runs windows 8 and supports 10 touch points… Since none to this day are purchasable (and we don't want to buy them anyway) I fail to see how anyone applied "legally" to the flash list unless they are a major Microsoft partner and were given pre-production/sale units!!

    We all know that the flash list approval is targeted at low end tablet performance but Microsoft keeps forgetting that the BILLIONS OF PCs out there now are DESKTOP/LAPTOP PCs and they all plug into the god damn wall for Pete's sake!!!! Businesses need to run sites period… But Microsoft has intentionally crippled its default browsers in an extremely lame hope that this will somehow help them make tablet sales so they can finally join the tablet market!

    Finally Connect is a joke we all gave up on that after Microsoft turned their backs on us after IE8 beta… We refuse to use that system ever again.

    So to wrap up…

    We haven't tested on IE10 yet because there is no Windows 7 version yet!

    We haven't submitted to the flash list yet because it is technically impossible to comply (and those that have submitted have faked their compliance)!

    We are all extremely annoyed that Microsoft has flat out failed to address a single one of our concerns or questions! I talk to dozens of developers every week and NOT A SINGLE ONE is happy with Microsoft right now regarding where Microsoft is blindly going with IE10 and not listening to testers, developers or even end users!

    Calling it a disgrace would be a severe understatement!

  54. hamakon2012 says:

    It is said that it was pronounced that Google cut support of Internet Explorer 8.

    Take out Internet Explorer 10 turned Windows 7 early and let me restore with Windows 8.

    If the back can do, I will want Internet Explorer 10 for Internet Explorer 9 to correspond to Windows XP and to correspond to Windows Vista.

    Otherwise, it falls to a share breath of Internet Explorer.

    Microsoft and idea repair!

    (Also whether it says and that which the way where Internet Explorer 6 and Internet Explorer 7 also closed own support quickly except the company says.)  

  55. - says:

    IE10 turned Windows 7 should realize speed and lightness equivalent to Chrome.

    If memory usage also becomes a prevention eye to a slight degree, I will think that it is still better.

    Would you also take the point into consideration, when announcing?

  56. IE10 for Win 7 says:


    It is the formal version release on October 26!!

  57. IE10 release date says:

    The official release date of IE10 for Windows 7 is February 29, 2013.

  58. Yannick says:

    IE10 release date – Don't say stupid things. If we reach that date, we are already using an IE11 Platform Preview… At least, I hope so.

  59. Arieta says:

    @Yannick: If we go by how things are currently handled, that platform preview would be Windows 9 exclusive.

  60. Ben says:

    @ieblog almost a week ago you indicated that news about the Windows 7 release of IE10 was coming soon… if it wasn't going to be in a blog post in a day or two, why didn't you answer our questions in the comments?

    Likewise what is the deal with the Flash compatibility whitelist? we've indicated VERY CLEARLY over the past 2 months that we are NOT PLEASED with your suggested implementation one bit – yet you've been totally silent with all of our questions and complaints!

    I think there have been at least a dozen solid points raised about how this whitelist and the method required to apply for it are completely unreasonable yet Microsoft hasn't responded to a single comment.

    Needless to say this makes Microsoft look horrible for not listening to its developers and completely ignoring the desires and needs of its end users.

  61. @Arieta says:

    You know, releases named publicly "Platform Preview" are available on the working version of Windows.

    @Ben – The Flash Compatibility View list is here to stay, get over it.

  62. ieblog says:

    @IE10 for Win 7 and @IE10 release date: I don't know where you're getting your information but I do know that both of you are wrong. We have not yet announced a release date for IE10 on Windows 7.

  63. Armendi Mitrovice says:

    @ieblog but ie10 will not be released in December 2012 right ?

    it must be released earlier than November 2012 or else people will choose firefox15- 16, or opera, or google chrome, then they don't want ie10.

  64. Nelly says:

    @ieblog rather than provide random comments indicating we are wrong and that you may be providing an update about Windows 7 support.

    Just post a date… Even a rough ballpark! Or even a "yes there will be a version for Windows 7 before Windows 8 goes live at retailers"!

    The simple fact you haven't given a date seems to indicate that you're either way behind schedule or that you actually have no intention of making a release before windows 8 comes out.

    As for the Flash list I am extremely disappointed as well as angry that Microsoft is not even discussing the issue.  I used to have a little faith left in Microsoft last year but as of now you've lost me completely.  I will not extend any effort whatsoever for Internet Explorer in the future.  If my users have issues I will provide a link to full quality browsers like Chrome and Safari.

    I'm sick of Microsoft's game playing as is everyone else.

  65. hama says:

    Critical zero-day bug in Internet Explorer under active attack ars technica: September 18, 2012


    In a monthly patch next month, if early, please release an emergency patch at the end of this month.

    While Java of an oracle is also early, I would like you to release a patch.

  66. hamakoi says:

    Please release IE10 turned Windows 7 early!

    (beta version or formal version)

  67. dave says:

    IE9 vulnerability is released yet there is no IE10 to upgrade to, to escape this vulnerability. I expect quite a few people to switch to chrome as a result of this vulnerability. Would be better for MS if they released IE10 and told people to upgrade to that.

  68. JS says:

    The published IE zero day exploit is not working when DEP is enabled.

    It only works on Windows XP with the current exploit.

    IE8 and IE9 on Windows 7 might be vulnerable but not to the current exploit alone.

  69. @dave says:

    You do realize that microsoft regularly releases security updates for IE9, right?

  70. Evan says:

    Thanks for the silence Microsoft!

    You've totally restored my faith in Microsoft by completely ignoring us.


    I guess this means I won't be putting big fixes in my apps to handle IE until we get clarification from Microsoft that they are actually working on IE and plan to ship a beta for Windows 7 and explain what the heck they were smoking when they dreamed up a whitelist for flash!

    Microsoft's big blunder list:

    Bob, ActiveX & BHOs, IE6, VBScript, VML, Behaviors, Zune, WebTV, WinME, PlaysForSure(well maybe not quite), Windows Phone, Windows 7 tablets, and now the Flash Compatibility Whitelist & Metro IE usability failures…

    It's no wonder the top two architects on the IE Team left Microsoft (Chris Wilson and Eric Lawrence)… I wouldn't want to be associated with Metro IE either!

  71. Yannick says:


    Bob, ActiveX & BHOs, IE6, VBScript, VML, Behaviors, Zune, WebTV, WinME, PlaysForSure(well maybe not quite), Windows Phone, Windows 7 tablets, and now the Flash Compatibility Whitelist & Metro IE usability failures…

    IE6 wasn't bad for his time, now it's bad, but is that Microsoft's fault? There are now 3 new versions, 4th coming. Zune was an amazing thing, that something isn't popular doesn't mean it's bad. The same point for Windows Phone, what's a great platform.

    Be happy Microsoft support Flash in Internet Explorer, you can't say the same thing about iOS or Android.

  72. palmer says:

    Congrats on another critical vulnerability and zero day attack guys.  You know what makes America great?  Tradition.  And I am just pleased as punch to see today's IE team continuing with the traditions established by MS all those years ago.  C'mon Ballmer, raises all around!

  73. TS says:


    Zerodays are commonplace not only in IE but in other software as well.

    Since today, the Webkit browser of the iPhone 4S, iPad and iPhone 5 also contain a zero day vulnerability.


    and solving a vulnerability in a mobile device in general takes much longer.

  74. Steve says:

    Just testing Windows 8 Metro IE finally (after getting new hardware to test it out).

    OMG what a mess!  This sucks on a laptop/PC totally sucks… it's hardly usable!

    There is no flash on any site I care about, and no indication why it doesn't work… just an empty box!

    The file upload abilities are horrible – it's a single branch tree to the file you want with no easy way to navigate

    The grab hand at the top of the screen is pointless

    The right click options to do anything other than copy are all gone… not a single other option!

    If you don't have anything selected it brings up your tabs – which is somewhat important cause there is no other way to see all your tabs

    Response time to load a page (even the google home page) is very, very slow… it feels like IE has crashed

    Where the heck did my favorites all go? I can't see them anywhere!

    Zooming (CTRL+[+]) has reverted back to centered zoom meaning you lose context of where you were

    Zooming out (CTRL + [-]) does not work at all… minimum zoom is now locked at 100%

    CTRL+[O] to open a page no longer works

    [F6] to focus the address bar no longer works

    CTRL+[B] to organize favorites doesn't work (not surprising now that favorites have been removed)

    CTRL + [J] to view downloads doesn't work

    There is no save picture As… option anymore

    You can't always save a picture if that picture is used for a link

    The whole interface looks like a Balsamiq mockup… that was never finished

    I'm only 5 minutes in and I have to say I'm totally unimpressed!

  75. aoi teru says:

    I think that IE10 probably has the same brittleness.

    Because a base will be a product suitable for IE9 or it.

    Should not Microsoft back out from development of a browser soon?

    However, please carry out support of the version released until now.

    While IE10 turned Win 7 is early, I want you to release.

  76. George says:

    @Steve – disagree on many points but what got me on my nerves was "now that favorites have been removed"

    FAVORITES ARE THERE! Just click the location bar for God's sake!

    To add a site, click the pin button and select "Add to Favorites".

    To remove a site, either:

    1. start typing its name in the location bar. Then right click it and select "Remove".

    2. click the location bar and scroll to the right of "Frequent" sites; you have your "Favorites" there. Right-click the one you want and select "Remove".

    Got it?

  77. Steve says:

    @George please feel free to expand your comment because there is NO SUCH OPTION on my RTM version of Windows 8 Metro IE 10 – NONE!

    I do have a Pin option (something I hated in Windows 7 and have no intention of using in Windows 8), but there is certainly no Favorites or the classic star icon anywhere to be seen.  Zip, nada, zilch.

    For a new side note… how do I get "real" scrollbars Desktop Windows?  These Mickey Mouse… a.k.a. "My PC thinks it is a low-capability tablet" scrollbars are very ugly and look like someone failed to finish the UI.

  78. Steve says:

    I have a correction to make about Zoom.

    In Metro IE10… the keyboard shortcut for [CTRL] + [0] doesn't return to 100% like it does in *EVERY OTHER BROWSER ON THE PLANET* it actually returns the user to the "default" setting that was created as a result of going into the Charms > Internet Options > Zoom and changing the setting… so if you set it to 50% then that is what it returns you to, if you set it to 300% then that is what it returns you to and the [CTRL] + [-] still doesn't work no matter what.

    Needless to say this behavior is ridiculous and a major regression from previous IE (and in general all browsers) behavior.

    However I have a few more items to add to my previous list:

    F12 – Developer Tools!?!? The lack of tools here is going to make it very hard to fix bugs that appear in Metro IE when we can't debug them

    Compatibility Mode – I guess this is locked on whatever the site loaded as… I can't flip it for a site that didn't design their site/app well – this sucks

    mailto: links now prompt me if I really intended to open up "Other App" to send an email… wow that sucks… you would think that the user action I performed by clicking the link was sort of obvious.

    Note when the confirmation box pops up you can't clear it with the Escape key – usability fail

    I'm impressed.. IE10 (both Metro and Desktop) only fail 1 test on the classic "IE Fail Whale" Test! – only the document.anchors collection is still polluted with members from the DOM with id attributes… vs. name attributes as the specs have clearly specified since the HTML 2.x era.

    The speed to load pages really is atrocious. I'm not sure what is going on here (I can't look at the Dev Tools Network tab) but Metro IE is horribly slow at loading pages… even ones it has cached because I visited it 5 minutes ago.  Either something is horribly wrong with this RTM build or there is a major bug that is going to affect a lot of users.  I seriously could not use this permanently.

  79. Jake says:

    How do I tell "Microsoft Reader" in Windows 8 to never, ever, EVER open up a file ever again!?

    If I am in my desktop browser opening a PDF and I've installed Adobe Reader because the Microsoft Metro reader is a piece of junk – why won't Microsoft Reader remove itself as the default?!

    There aren't even any proper settings for apps in Metro – so I can't even adjust it as the non-default.

    Windows 8 is NOT impressing me at all – it is worse than Vista was!

  80. TS says:


    Control Panel => Programs => Default Programs =>Set associations

  81. George says:

    @Steve – Well, I have the RTM version of Windows 8 and guess what? sphotos-h.ak.fbcdn.net/…/303848_496464200363848_322531970_n.jpg

    Please elaborate. 🙂

  82. Larry says:

    How do you get the favorites? They don't appear for me!

  83. George says:

    @Larry – Either:

    1. You must have at least one favorite site (you can add one).

    2. You might have to scroll to the right if you have lots of Frequent sites or a small screen.

  84. Epic Fail says:

    So in order to save a favorite in metro IE10 you already have to have one?! What kind of sick catch 22 is this?!

    So I have to go into the desktop… Open IE… Navigate to a site I want bookmark it… And then if I go back to Metro I'll be able to save and use bookmarks?!?!

    OMG Windows 8 is such a cluster fudge I can't believe you guys think this OS is anywhere near ready for production! I would be ashamed of this OS release if I worked for Microsoft.  I seriously hope that the developers and testers voiced their opinions that this OS was not ready to ship… I know there is no way my dev teams would have signed off on this if we'd built it.

    Microsoft must be so worried about losing the entire tablet market to Apple, RIM, and Android if they are rushing this OS out the door in such a panic with so many things broken in the design.

    And we thought Vista was a dead release… Windows 8 is taking the cake for horrible releases.


  85. @Epic Fail says:

    @Epic Fail:

    If you don't see Favorites, I'm guessing you don't have the RTM build of Windows 8. You are probably using an older build.

  86. linux guy :: open-minded sect says:

    @Epic Fail, time to change your glasses..

    Changes in IE10 RTM since Release Preview (for favorites):

    IE10 Metro RTM "HAS" favorites in Quick Start Access screen. That is, when you click on address bar, it shows "Favorites" next to eight Frequent tiles. Also, the list will filter as-you-type (text or url). The suggestions with star indicates favorites.

    There will be one long horizontal list in case you have tons of favorites. BUT they have made the access pretty nifty by putting filter. As you type text or URL in the address bar, the favorites list gets short-listed.

    For example, I had saved http://blogs.msdn.com/ie with the name "IE blog" among 80+ favorites in Win7. I ported all my favorites to Win8 (overwrite YourWinUsernameFavorites folder). Now, as I begin to type "IE.." or "blog.." in Metro IE address bar, the suggestion shows the first entry from Favorites (with a small star left to it), then from the frequently visited sites and then suggestions from Bing..

    Also, in IE10 Metro, click on pin at bottom it will show two options: "Pin to Start" and "Add to favorites". You can also use Ctrl+D keyboard shortcut to add the current website to favorites. The favorites will save at common location and can be accessed from both Metro and Desktop versions.

    The roaming feature is also supported for Favorites which makes them shared between devices, given you are using Hotmail.com, Live.com or the new Outlook.com  Microsoft account in Windows.

  87. George says:

    Guys, stop listening to Epic Fail's BS. Obviously he's just copy-pasting from Anti-MS sites. Not constructive.