|
|
User Controls
|
New User
|
Login
|
Edit/View My Profile
|
|
|
|
ActiveMac
|
Articles
|
Forums
|
Links
|
News
|
News Search
|
Reviews
|
|
|
|
News Centers
|
Windows/Microsoft
|
DVD
|
ActiveHardware
|
Xbox
|
MaINTosh
|
News Search
|
|
|
|
ANet Chats
|
The Lobby
|
Special Events Room
|
Developer's Lounge
|
XBox Chat
|
|
|
|
FAQ's
|
Windows 98/98 SE
|
Windows 2000
|
Windows Me
|
Windows "Whistler" XP
|
Windows CE
|
Internet Explorer 6
|
Internet Explorer 5
|
Xbox
|
DirectX
|
DVD's
|
|
|
|
TopTechTips
|
Registry Tips
|
Windows 95/98
|
Windows 2000
|
Internet Explorer 4
|
Internet Explorer 5
|
Windows NT Tips
|
Program Tips
|
Easter Eggs
|
Hardware
|
DVD
|
|
|
|
Latest Reviews
|
Applications
|
Microsoft Windows XP Professional
|
Norton SystemWorks 2002
|
|
Hardware
|
Intel Personal Audio Player
3000
|
Microsoft Wireless IntelliMouse
Explorer
|
|
|
|
Site News/Info
|
About This Site
|
Affiliates
|
ANet Forums
|
Contact Us
|
Default Home Page
|
Link To Us
|
Links
|
Member Pages
|
Site Search
|
Awards
|
|
|
|
Credits
©1997/2004, Active Network. All
Rights Reserved.
Layout & Design by
Designer Dream. Content
written by the Active Network team. Please click
here for full terms of
use and restrictions or read our
Privacy Statement.
|
|
|
|
|
|
|
|
Time:
01:10 EST/06:10 GMT | News Source:
Microsoft Press Release |
Posted By: Andre Da Costa |
Today Microsoft Corp. announced the availability of Windows Internet Explorer 8, the new Web browser that offers the best solution for how people use the Web today. It can be downloaded in 25 languages at http://www.microsoft.com/ie8 starting at noon EDT on March 19. Internet Explorer 8 is easier to use, faster and offers leading-edge security features in direct response to people’s increasing concerns about online safety. A new study commissioned by Microsoft and the National Cyber Security Alliance and conducted by Harris Interactive Inc. shows that 91 percent of adults in the U.S. are concerned about online threats in the current economic climate, and 78 percent are more likely to choose a Web browser with built-in security than they were two years ago.
|
|
#1 By
25030 (12.159.165.115)
at
3/19/2009 7:55:24 AM
|
XP, Vista, Server 2003 or later....
Guess Windows 7 users will have to wait 'til the Win7 RC...
|
#2 By
2201 (82.45.132.196)
at
3/19/2009 10:24:43 AM
|
Well obviously. It comes with the OS and Microsoft generally don't give out installers for beta versions of Windows.
|
#3 By
146195 (66.245.156.190)
at
3/19/2009 1:14:17 PM
|
So is this something we need to re-download if we were using a beta version before? Any difference?
|
#4 By
23275 (24.196.4.141)
at
3/19/2009 2:24:23 PM
|
#3, Yes - and there is a tremendous difference. The release is very solid and fixes all the items on my short list from RC1.
Uninstall any previous version first.
|
#5 By
8556 (12.210.39.82)
at
3/19/2009 3:42:43 PM
|
#4: I uninstalled the betas shortly after installing them. So my previous versions are long gone. Some web pages, made with Dreamweaver, rendered horribly in the past, but now look normal. The problems I experienced, and the Favorites Bar taking toolbar real estate without asking, are now gone. I believe I'll leave it in place and start installing it on customer machines ASAP. It is a step up from IE7.
|
#6 By
23275 (24.196.4.141)
at
3/19/2009 3:56:12 PM
|
#5, Agreed - we will as well and as part of all new machine builds. They've done a nice job.
|
#7 By
15406 (99.240.65.32)
at
3/19/2009 9:30:17 PM
|
As an aside, IE8 under Windows 7 was owned at Pwn2own 2009 yesterday despite DEP, ASLR and every other acronym Ketchum can think of. Firefox and Safari were also quickly compromised. Still waiting to see what happens with Chrome.
|
#8 By
54556 (68.35.10.96)
at
3/20/2009 8:25:27 AM
|
Good job Nils! Enjoy the $15K and the SV.
|
#9 By
92283 (70.67.3.196)
at
3/20/2009 9:33:12 AM
|
"NSS, a third party security firm, has been examining IE8 and reckons it's around two to four times better at identifying and blocking malware sites than any other browser. It rated IE8's overall malware-intercept effectiveness at 69%, versus 30% for Firefox v3.07, 24% for Safari v3.0 and a seemingly shocking 4% for IE7. As well as being impressed by the stability of the browser, the NSS survey notes that "Microsoft IE8 was by far the best at protecting against socially engineered malware and adds an excellent layer of protection on top of other endpoint protection solutions."
|
#10 By
23275 (24.196.4.141)
at
3/20/2009 10:34:50 AM
|
#8 is right. Nils and the others are performing a great service and responsibly so.
Latch, as long as we're deflecting, consider what Charlie Miller had to say when asked why he went after the Mac: It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it. With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have. It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X. He added later: "With Firefox on Mac OS X, you can do whatever you want."
Deflections aside, it's great to see this cooperative and responsible work. I am sure all the companies involved will continue to do so and patch accordingly. Mr. Miller concluded: "Bugs will always be there so it’s a smart move to work on mitigations and (anti-exploit) roadblocks." This is consistent with Microsoft's layered approach and my observations regarding the many layers of security the company continues to improve.
|
#11 By
15406 (216.191.227.68)
at
3/20/2009 11:29:24 AM
|
#10: Deflection? A deflection is what you do when your point of view is being questioned and you have no valid response, so you deflect to another facet of the topic or another topic altogether. I don't see that in my post since I'm not advocating any particular position, but whatever.
Interesting how Miller could hack FF on Mac but not on Windows, whereas he had no problem hacking IE8 on Windows.
|
#12 By
23275 (24.196.4.141)
at
3/20/2009 12:34:54 PM
|
Latch, you don't know that he couldn't and most probably, he accessed an element of COM available in IE that is not supported on FF at all, and which had access to the system at a level with elevated permissions, or via a path in a third party plug-in (FLASH for example) that runs around Protected Mode. We just don't know yet. All we do know is that his attack method used a capability present in IE that is not in FF. We'll know more and can assess it once it is patched and fully disclosed.
And yes, you absolutely deflected (successfully) the topic around the availability of IE8 to matters of security - inaccurately... around the non-release version of IE on a BETA OS. You left those details out. No matter. IE8 is a solid release, and a good browser. Few people have been entirely critical of it. It's a huge step forward and it offers a great deal for end users and devs.
|
#13 By
15406 (216.191.227.68)
at
3/20/2009 12:57:46 PM
|
#12: How do you know it was the non-RTM build? Considering there were MS people there watching (IIRC), and it was the day before the official release, I would guess it was the RTM version. Granted, we're all working with limited information.
IE8 is a solid release, and a good browser.
Yes, you were saying that yesterday less than an hour after public release. I wouldn't consider that anywhere near enough time to properly evaluate a browser, but you're either very fast or very optimistic. Give it a week or two and then make your pronouncements.
Although I have no plans to install it anywhere I use a computer for real work, I did check it out on one of my test blades here. The UI is mostly unchanged and that's good. The process for selecting an alternate default search engine is still clumsy at best, no doubt designed that way on purpose to provide as much friction as possible for the user who might think about not using Live Search, and that's bad.
|
#14 By
2960 (72.196.201.130)
at
3/20/2009 1:15:05 PM
|
I installed it. It's ok. Gets the job done.
I still think the interface is way to set in stone. I want to put stuff where _I_ want to put it, not where a software engineer thinks it should go.
Like I said. It's ok, but I see nothing to pull me away from Firefox.
TL
|
#15 By
11888 (64.230.115.113)
at
3/20/2009 3:13:57 PM
|
This Pwn2own stuff makes me think I should be running Chrome on Vista instead of Safari (or Firefox) on OS X.
|
#16 By
1896 (74.166.235.69)
at
3/21/2009 5:22:18 AM
|
#15: Yes, the comments about Chrome were very interesting although here were ignored.
I briefly tried it as soon as it was released and it was fast, very fast; I will give it another try and see how it goes with W7.
|
#17 By
17996 (24.16.47.66)
at
3/21/2009 1:51:47 PM
|
#13 -- it was IE8 running on Windows 7. I don't think it's known what build of Windows 7 this was (7000 or 7057 probably). If 7000 we know that the included version of IE8 predates RC1. We don't know how and when the downlevel RTM bits of IE8 have gotten (or will get) into the Windows 7 code, but it's most likely that the build Nils used did not have the equivalent of the RTM IE8 build. 7057 has build dates of March 5, while the final IE8 bits have a build date of March 8.
All that said, it's highly unlikely that they separately just happened to have fixed the underlying bug in the timeframe between 7000/57 and downlevel RTM. And who knows, maybe the exploit is Win7 specific?
|
#18 By
3746 (72.12.161.38)
at
3/21/2009 4:03:22 PM
|
I don't get why they would make the windows machine a beta release when all the others were shipping OSes. I mean why not just have Vista with IE7 if they wanted and apples to apples comparison of what is out in normal use?
|
#19 By
15406 (99.240.65.32)
at
3/21/2009 9:08:39 PM
|
#17: You're probably right. I had forgotten that you can't install IE8 RTM on Windows 7.
#18: Because it was a pure cracking challenge, not a comparison of the relative hackability between various platforms.
|
#20 By
23275 (24.196.4.141)
at
3/24/2009 11:46:18 AM
|
for those that think that google is doing anything unique from IE7/8 on Vista, or Windows 7,
think again, http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html They're getting a bucket load of credit that should go to Microsoft.
See also items 9 and 10 of my favorite things about Vista written when it released in 06.
http://blog.libertech.net/blogs/lketchum/archive/2007/05/23/top-ten-things-i-love-about-windows-vista.aspx
Specifically,
10 - Windows Vista's Integrity Mechanism Windows Vista includes an addition to the access control security mechanism of Windows that labels processes and other securable objects with an integrity level. Internet-facing programs are at higher risk for exploits than other programs because they download untrustworthy content from unknown sources. Running these programs with fewer permissions, or at a lower integrity level, than other programs reduces the ability of an exploit to modify the system or harm user data files. Internet Explorer 7 in Windows Vista uses the Integrity Mechanism and it is what is behind IE 7's Protected Mode. But That is only the beginning - ANY developer has access to the tools that make this possible and it gets better, any single process may be executed in this space, or any grouping of them - so the parts of an application that face the Internet should use them. Think of these as objects, or securable objects in MS speak - see, http://msdn2.microsoft.com/en-us/library/aa379557.aspx also see, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
9 - User Interface Privilege Isolation (UIPI) prevents processes from sending selected window messages and other USER APIs to processes running with higher integrity. If UAC and Protected Mode are straight rights in Vista's security arsenal, the UIPI is one of Vista's stiff jabs. UIPI continually counters attempts to escalate processes and it keeps bad-guy-code off balance. At the same time, it provides developers with an easy way to check process escalation without burning the user experience. Go here to learn how to use it, http://msdn2.microsoft.com/en-us/library/ms644950.aspx
Take special note of Google's own admissions: How does the sandbox work?
The sandbox uses the security features of Windows extensively; it does not reinvent any security model.
To understand how it works, one needs a basic understanding of the Windows security model. With this model all processes have an access token. This access token is like an ID card, it contains information about the owner of the process, the list of groups that it belongs to and a list of privileges. Each process has its own token, and the system uses it to deny or grant access to resources.
These resources are called securable objects. They are securable because they are associated with an access control list, or security descriptor. It contains the security settings of the object. The list of all the users and groups having access to the resource, and what kind of access they have (read, write, execute, etc) can be found there. Files, registry keys, mutexes, pipes, events, semaphores are examples of securable objects.
|
#21 By
23275 (24.196.4.141)
at
3/24/2009 11:52:06 AM
|
google's chrome did not fall, because no one tried. They got a pass and credit for security that is not their own and it is simply sad.
|
|
|
|
|