by John Boline
Internet Explorer 8:
Is Malware a Big Deal when Browsing?
In information gathered from testers during the beta process, Microsoft said they found malware to be a common occurrence. Certainly this comes as no surprise to anyone who has ever had to clean up the aftereffects of infection on PCs at work or at home. In the release touting the benefits of Internet Explorer 8, Microsoft cited one IE8 user who had forty (40) malware infections from web pages blocked by SmartScreen. An additional million users every month of the beta test were prevented from browsing to phishing sites. This alone makes this release something that IT departments will be looking at very carefully.
InPrivate Browsing, Script Attacks and More
While it was known by many names during the beta process, Internet Explorer 8 includes an InPrivate Browsing mode that keeps no trail of browsing history. Many see this as a victory for privacy advocates, who said that previous browsers tracked too much information on browsing activities and that this, combined with the security holes the browsers had, allowed attackers to extract all kinds of information. In addition to InPrivate Browsing, there are other new features that prevent certain types of cross-site scripting attacks, click-jacking, and the installation of malicious ActiveX controls.
Is This The Perfect Browser?
No, it isn’t, but there is no such animal, as proven by the results of the PWN2OWN contest. The day before the official release, a hacker successfully hijacked a machine running the IE8 release candidate and Windows 7 beta at the tenth annual CanSecWest conference held March 16-20 2009, at the Sheraton Wall Centre hotel in downtown Vancouver, British Columbia. Identified only as a security researcher named "Nils" (he declined to provide his full name), he was able to perform a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7. Details of the flaw are being kept under wraps and it was acknowledged that several members of Microsoft’s security response team were on hand to witness the successful exploit. So IE 8 is not the way to go, choose one of the other browsers, right? No, not so fast! "Nils" also compromised Apple’s Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the security hole trifecta. The first to hack Safari was Charlie Miller. For the second consecutive year, he hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser. Charlie said after doing this, "It took a couple of seconds. They clicked on the link and I took control of the machine."
What Are The New Features
IE8 has an overhauled user interface. It includes new features like color-coded browser tabs to group recently opened tabs together, the ability to recommend sites, a new visual search feature that allows users to see pictures of things such as eBay and Amazon results, auto-completion of searches and URLs, and a toolbar like Mozilla Firefox's for searching within a page. Whew! The new tabs also provide the user with a view of commonly visited Web sites as links, and tabs work in isolation so that if one tab crashes, the entire browser doesn't. Microsoft claims that IE8 is as fast as or even faster than its main competitors. Microsoft released a high-speed video that showed high-traffic Web sites loading side-by-side in multiple browsers, with IE8 loading ahead of other browsers more often than not, but even Microsoft isn't overplaying the speed card. Dean Hachamovitch, Microsoft's general manager of Internet Explorer, said in an interview about the product, "These differences come down to milliseconds."
Controversy
There is one more new feature in IE8 that is both significant and controversial. With IE8, Microsoft has adopted standards support. Developers and standards advocates have complained for a long time that Microsoft’s browser didn't support Web standards well enough. IE8 does, but that support of standards comes at a cost, namely compatibility. In IE8, Microsoft includes both a legacy browsing mode and a standards browsing mode so that non-standard sites still load. While developers can add a tag to their sites letting IE know if the site should be opened in standards mode or compatibility mode, Microsoft also maintains a blacklist of standards-mode incompatible sites.
Is it for Everyone?
IE8 is available as of launch time in 25 languages, for Windows XP, Windows Vista and Windows Server in both 32-bit and 64-bit editions. However, IE8 won't be available for the Mac. As with all topics discussed here, we try to stay up to date and provide you with the latest information available on technical subjects that are gaining momentum. As always, feel free to contact me with questions or comments, and make sure you know if IE8 is compatible with your underlying applications before you deploy it at large!
All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE, USE, a member of the Network Professional Association and the Microsoft Partner Research Panel. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Hagerman & Company, Inc. assumes no obligation to update the forward-looking statements made in this newsletter to reflect any change in circumstances, after the date of publication. Entire contents © 2009 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.