Critical zero-day exploit in IE 6, 7, and 8 allows complete takeover

Internet Explorer 8

Update your browser! On Saturday, Microsoft posted a security advisory that warns that Internet Explorer 6, 7, and 8 are vulnerable to a remote code execution bug. It even notes that an attempt to exploit this bug in IE 8 has already been found in the wild. Luckily, IE 9 and 10 are not affected. If you can update, do so immediately.

Microsoft explains that in its default state, Internet Explorer running on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 isn’t vulnerable. Microsoft Outlook, Microsoft Outlook Express, and Windows Mail also don’t appear to be affected, thanks to their increased restriction of JavaScript and ActiveX. If you can’t update to IE 9 or 10 for technical or business reasons, switching to Firefox or Chrome for general surfing will keep you safe from this specific vulnerability.

If updating IE and running a third-party browser aren’t options, there are workarounds. Running and properly configuring Microsoft’s Enhanced Mitigation Experience Toolkit will make the vulnerability more difficult for malicious websites to exploit. Using IE’s Security Zone feature, you can block ActiveX controls and JavaScript from running in the first place by cranking up “internet” and “local intranet” to the high setting. Alternately, you can configure IE to ask before running any scripts. It might be a pain in the neck to surf the web in this mode, but it’s better than being vulnerable to arbitrary code execution.
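To check whether the Security Zone workaround is actually in place on a machine, the following added example (not part of the original article or of any Microsoft tooling) reads the per-user zone settings and reports whether ActiveX and scripting are blocked or set to prompt. It assumes PowerShell 3.0 or later and that the zones are configured per user under HKCU rather than forced by Group Policy; `Get-IEZoneAudit` is a hypothetical helper name, and the script only reads the registry.

```powershell
# Added example: read-only audit of the IE Security Zone workaround.
# Zone IDs and action IDs are the standard URL security zone registry values.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions   = [ordered]@{ '1200' = 'Run ActiveX controls and plug-ins'
                         '1400' = 'Active scripting' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$HighLevel = 0x12000   # CurrentLevel written when the zone slider is set to "High"

function Get-IEZoneAudit {   # hypothetical helper name
    param([string]$Root = $ZonesRoot)

    foreach ($zoneId in $Zones.Keys) {
        # A missing key means the zone was never customised for this user.
        $key = Get-ItemProperty -Path (Join-Path $Root $zoneId) -ErrorAction SilentlyContinue

        foreach ($actionId in $Actions.Keys) {
            $raw = $null
            if ($key) { $raw = $key.$actionId }

            if ($null -eq $raw) {
                $state = 'Not set'
            } elseif ($Meaning.ContainsKey([int]$raw)) {
                $state = $Meaning[[int]$raw]
            } else {
                $state = "Unknown ($raw)"
            }

            [pscustomobject]@{
                Zone              = $Zones[$zoneId]
                Setting           = $Actions[$actionId]
                State             = $state
                ZoneIsHigh        = [bool]($key -and $key.CurrentLevel -eq $HighLevel)
                # The article's workaround: block outright, or ask before running.
                WorkaroundApplied = @('Prompt', 'Disable') -contains $state
            }
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```

Any row with `WorkaroundApplied` set to `False` is a zone where script or ActiveX content still runs without a prompt.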

Microsoft does plan on issuing a patch, but it has yet to set a timeframe for the release. If need be, it will release the patch out of cycle, so that’s at least a little bit of good news for those of us affected by this bug. Internet Explorer is a huge target for black hats, and it’s only a matter of time before the next big vulnerability is found. Microsoft is working hard at making their browser as hardened as possible, but the onus remains on the user to keep out of the line of fire.

Using basic security tools like Sandboxie while keeping your OS and anti-virus up to date will drastically decrease your risk of attack. That’s not enough, though. Clicking links in email and IM as well as browsing untrusted websites is still dangerous despite all of the strides in security we’ve made. Your gut is the first line of defense against security vulnerabilities. Don’t let your guard down just because security software is getting better. There is no magic bullet in security.

Safari and Chrome aren’t the new IE6 — chill out!

IE6 and WebKit

Internet Explorer 6 was a plague. Not only was it extremely dominant in the web browser market, but it also highlighted a very dark time for Microsoft as a company. IE6 accomplished Microsoft’s infamous embrace, extend, and extinguish strategy, but it also allowed Microsoft to become stagnant. Since Gecko- (Firefox) and WebKit-based (Chrome, Safari) web browsers have really taken off, Microsoft has quickly moved to rectify the problem. IE9 and IE10 are much faster and more standards-compliant than previous efforts, but Microsoft’s corporate culture taints the way it views the current browser market.

It’s clear that Microsoft sees WebKit as a threat — specifically in the mobile space. WebKit’s almost complete domination of the smartphone (Android and iPhone) and tablet (Android and iPad) markets has even caused some people to accuse WebKit-based browsers of becoming the entrenched, stagnant stalwart that IE6 once was. The reality is that WebKit is not, will not be, and cannot be the same problem that IE6 once was. Internet Explorer 6 was part of Microsoft’s plan for dominating the market. Safari and Chrome, despite their importance, don’t serve the same purpose for either Apple or Google.

The reason Apple forked KHTML to start the WebKit project was so that it would no longer be beholden to Microsoft. As stagnant as IE was on Windows, it was even worse on the Mac. Safari, and the underlying rendering engine, exist only so that Apple will have a reliable web browser for its customers regardless of which third-party companies are developing for its platforms. Google makes the vast majority of its money from advertising. Its goal is for as many people as possible to use its web apps and services. Chrome exists as a clear and stable way for Google to offer a clean and fast experience for its users. In both cases, it doesn’t actually matter if the end user is using a WebKit-based browser. As long as you’re buying Apple’s hardware or using Google’s web apps, neither company cares which browser you use. At least in the days of IE6, Microsoft desperately wanted Internet Explorer to be the only browser anyone ever wanted to use. Google and Apple don’t share that idea for their browsers.

WebKit Browsers

WebKit is completely open source, and anyone can leverage it (or fork it) to create their own browser. Google did it for Chrome, and it turned out fantastically. Microsoft’s Trident engine is closed source. Nobody can fork it or even submit improvements for Microsoft to use itself. This alone means that WebKit cannot really be used as a tool for embrace-extend-extinguish. Extinguishing doesn’t work so well when your competitors have access to the core of your application, and can use it themselves.

The only argument left for WebKit-based browsers being at all like IE6 is that WebKit has features that aren’t yet available in other browsers or in any spec. If web developers want to take advantage of a WebKit-exclusive feature, or if they want to target the vast majority of mobile browsers, they have to write WebKit-specific code. Now, with Firefox and Internet Explorer finally making headway in the mobile market, many developers don’t have the resources to re-write their sites using either new standards or more browser-specific code. This is not by any means a failing of WebKit — it is a failing of the competition and standards body.

Apple and Google both want to implement cutting-edge technology, and the World Wide Web Consortium (W3C) is very slow in adopting standards. That doesn’t mean that WebKit isn’t standards-compliant. In fact, WebKit-based browsers are even more standards-compliant than IE10. In reality, this is more of a problem with the W3C. It’s hard to blame developers for wanting to take advantage of the latest technology in WebKit, but they know the risks of using non-standard code. Microsoft shouldn’t be worried about Safari and Chrome playing the role of IE6. Instead, it should double down on standards compliance, and keep pace with new features in WebKit. If developers can write standards-compliant code that works in every major browser, they’ll do it happily. Don’t drag your feet, Microsoft, and you won’t have to worry about developer support.

Chrome on iOS is sluggish, but at least it syncs

Chrome for iOS - icon

During day two of the Google I/O conference, the company moved away from the topics of Google Glass and Android to talk about its Chrome web browser and related web technologies. The Chrome web browser stole the show with the announcement that an iOS version would be available for the iPhone and iPad. There were also smaller reveals, such as the fact that Chromebooks would be sold at Best Buy, but those received much less fanfare than the notion of the speedy Chrome browser on Apple’s mobile hardware.

Chrome landing in the App Store is a big deal. Unfortunately, Apple has instituted some restrictions that handily prevent mobile Safari from being dethroned.

With that said, Chrome on iOS is an interesting development and it does bring several neat features to Apple’s mobile users. The most noticeable benefit is gaining access to Google’s Chrome interface. The user interface features a single text input bar for URL and search entries, and tabs listed above the URL bar (with gesture support for tab switching). The Google browser also includes a private browsing mode — called Incognito — that is much easier to find (and use) than in Safari, which hides the feature in the Settings application.

Being Chrome, it is able to access and sync browser bookmarks and saved passwords from Chrome browsers on other systems when logged in with your Google ID. Another new feature allows you to see the websites open on your other Chrome instances — on desktop or other mobile platforms — and open them in the Chrome browser on your iPhone or iPad (or the other way around). Users are also reporting that Chrome is able to open more tabs at a time than Safari, which limits you to 8 open browser tabs.

Although Chrome on iOS has several useful features, in the end it is mostly mobile Safari with a new skin. The back end and underlying web page rendering code are the same WebKit libraries that Safari uses. You will not find Google’s customized “V8” rendering engine — which the desktop version of the browser uses to improve JavaScript performance. To make matters worse, while Safari is allowed to use Apple’s “Nitro” JavaScript engine to speed up page load times and web application performance, Chrome is prohibited from accessing the Nitro libraries (as are all third-party browsers).

This means that Apple’s Safari browser will have a large advantage when it comes to performance. Initial benchmarks comparing performance (JavaScript and page load times) between the two browsers do seem to support that statement — with Safari displaying significantly better benchmark results and, in some cases, slightly decreased page load times. Taking away the tweaked V8 JavaScript engine and Google’s other WebKit touchups is a big disadvantage. Granted, this may be somewhat mitigated by Chrome’s ability to pre-fetch web pages, but it is still not good news for the iOS version.

The other major barrier to Chrome overtaking Safari on iOS is that Apple does not allow the competition to be set as the default browser. Any web links given to you in email, messaging, or other applications will continue to open with the native Safari browser.

Chrome on iOS does start to seem like a fruitless venture (pun intended) when presented with the disadvantages (and once the glamor and allure of a new browser wears off). At the same time, Chrome does have an edge in usability — especially if you use Chrome exclusively on your other systems — and it is a foothold into the Apple customer base. It may not win any performance awards (yet), but it does get the Google Chrome name out there in front of potentially millions of people as an alternative to Safari. It will likely be downloaded by quite a few people (at least 2,980 people have rated it so far), who might then check out Chrome on the desktop, on their MacBook, and so on.

Is Chrome on iOS a “Safari Killer?” Probably not, but it will be a successful product all the same.
