News and other tidbits that Chad Cloman finds interesting enough to share
Ars Technica has a review of the new features in the beta version of IE8. The primary change is better adherence to web standards, which really only matters to developers—the other features are pretty minor.
Link: http://arstechnica.com/…
I’m guessing that the web developer community, like me, is excited to hear that IE8 will pass the Acid2 test. But there has been concern expressed about the various “modes” that IE8 will support.
The basic problem is that web developers write their code to work around (or take advantage of) bugs in the various IE versions. When Microsoft fixes these bugs in subsequent releases, the effect may be to break existing sites. And in the case of Internet Explorer, we could be talking about breaking millions of sites. Web browsers, including non-Microsoft ones, have dealt with this via a method known as doctype switching, where the browser will render the page in one of three modes (quirks, standards, and super-standards) depending upon the DOCTYPE value. When developing IE8, however, Microsoft realized that doctype switching was insufficient for their purposes. Assuming that each new browser release would have unique bugs and quirks, they needed some way of informing future releases of IE that the web page had been coded against a specific version. So they came up with a new method that uses a META tag to determine which browser mode to use.
The META tag, which is described in the linked article, will specify the highest browser version against which the web page was coded. Thus if you set it to IE8, for example, when IE9 (or IE10, or IE11) comes out, you can be assured that your page will still be rendered as if the browser were IE8. Each subsequent version of IE will be capable of rendering the older versions with all their bugs, based on the META tag. If the META tag does not exist, then the current IE7 doctype switching method will be used.
Link: http://arstechnica.com/…
Update: After a significant amount of web community uproar, Microsoft has changed its mind and decided to use the latest standards mode by default. Thus IE7’s standard mode is no longer the default.
IE7Pro is a free Internet Explorer 7 extension that adds some nice capabilities. Features include tabbed browsing enhancements, ad blocking, mouse gestures and crash recovery. Basically someone took the best Firefox extensions and implemented them on IE7.
Link: http://www.ie7pro.com/
(via Lifehacker)
Internet Explorer version 7 has officially been released. Major improvements are tabbed browsing and better adherence to standards. That being said, I still prefer Firefox.
UPDATE: And true to form, the first IE7 security vulnerability has already been discovered.
UPDATE #2: According to Microsoft, the problem is with Outlook Express and not Internet Explorer.
Microsoft has released an out-of-cycle security update for Internet Explorer 6. The real problem is that malicious people are hacking legitimate websites and adding pictures that, when viewed, will give them control of your computer. Outlook is also affected, so viewing spam email could do it as well. Run Windows Update.
Given that Microsoft is coming out with version 7 of Internet Explorer, what would you expect to find at www.ie7.com? Think again…
Internet Explorer has a feature where you can open desktop shortcuts from within the browser by typing the shortcut name. Interestingly enough, IE doesn’t differentiate between the various types of shortcuts (internet, executable, directory). So if you have a desktop shortcut named “Word” that runs MS Word, typing “Word” in IE’s address bar will bring up MS Word. This opens up some interesting possibilities.
http://www.infoworld.com/…
(via F-Secure via Digg)
This article gives a good overview of the new features in the upcoming Internet Explorer 7 release. Personally, I use Firefox—and don’t miss IE one bit.
I’ve been seeing a bunch of articles on a new type of spyware: keystroke loggers. A keystroke logging program will keep track of everything you type and then forward it to someone who will look for account numbers and passwords. This can be very bad when the information is for banking, credit cards, and such. A recent study found that 15% of all spyware is of the keystroke logging type.
Most of you reading this are quite tech savvy and know all about not opening attachments on incoming emails and not clicking through to web addresses given in emails (especially those purporting to be from eBay, your bank, or PayPal). But there are other ways to install malicious keystroke logging programs with which you may not be familiar.
Security Holes: Computer systems that don’t have the latest security updates are vulnerable for as long as they are connected to the internet. Malicious programs continuously scan the internet for computers with open ports to unpatched programs. Tests were run with a fresh installation of WinXP SP1, and it took approximately 4 minutes before the computer was compromised. The best way to protect against this type of attack is two-pronged: 1) Apply all patches and updates as soon as they are available, and 2) use a firewall.
Browser Vulnerabilities: Carefully crafted web pages or even web addresses can attain the ability to execute programs on your system. The best way to protect against this type of attack is to not use Internet Explorer. If you must, ensure that all of the latest patches are applied.
DNS Cache Poisoning: This is one of those cases where even if you do everything “right”, you can still be compromised. Essentially, a system that you use for DNS is given false DNS information and stores the data in its DNS cache. So when you type in www.paypal.com, for instance, you are redirected to a spoof site which gets your login/password information (and may also attempt to exploit browser vulnerabilities). The best way to protect against this type of attack is to minimize financial transactions online. In reality, you just have to trust that your ISP and upstream providers don’t let their systems get compromised—it’s really quite simple and comes down to having their DNS system correctly configured.
Internationalized Domain Names (IDN): IDN is a fairly new standard whereby non-Latin (non-English) character sets can be used in domain names. This is of greatest concern for Asian-language domains, but it was expanded to include all languages. It turns out that some languages have characters that are identical to the English language, but which are treated as different under IDN. This only works when you click through to a spoofed web site, via email or a link on another site. The best defense against an IDN attack is to use Internet Explorer 6, as it does not support the IDN standard. Other browsers, such as Firefox, have implemented security procedures to ensure the user is aware of IDN site names, but older versions do not have these measures in place and are vulnerable. More recently, researchers have found another IDN exploit in Mozilla/Firefox, and it seems like the best thing to do for now is to simply disable IDN.
For those unwilling or unable to make the switch, you can now have the advantages of Firefox while still using Internet Explorer. (Tabbed browsing has become an essential part of my web experience—I’ll never go without it again—but adblock and flashblock are a close second.)
Link: http://www.getfoxie.com/
