Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.
After launching IE 8 in March, Micosoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.
This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.
(Credit: Screenshot by Stephen Shankland/CNET)It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.
"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.
According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.
Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.
"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.
Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.
"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."
Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications.
(Credit: Net Applications)Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.
The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.
The change should improve security, too, added another Mozilla programmer, Vladimir Vukecevic, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5, too.
"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukecevic said.
Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so picky about the order the scripts run. This can improve the speed that Web pages load, Mozilla said.
The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.
Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.
Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta
Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.
One Mozilla programmer, Alexander Limi, revealed a speedup technology called Resource Package for Mozilla, too, on Tuesday. His proposal calls for bundling many Web page elements up into a single compressed file that can be retrieved in a single Web-page request action. Browsers are limited in the number of such actions they can take in parallel, so consolidating the interactions can make pages load faster. The approach is backwards compatible with existing browsers that don't support the feature, he added.
"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.
Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.
Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."
This warning sign greeted Firefox users after Mozilla blocked use of a Microsoft add-on.
(Credit: Screenshot by Stephen Shankland/CNET)The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the sides of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or giving an option. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit their Windows Registry--a technically onerous task for most people.
Firefox checks a Mozilla server periodically for a list of add-ons to avoid. Although Mozilla's blocking move was intended to protect users, it caused other problems. Shaver indicated that Firefox's changed behavior irked some system administrators.
That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."
One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.
"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"
Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"
Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.
"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.
Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.
Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.
Google Wave is one site that suggests IE users install Google Chrome Frame.
(Credit: Google)Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.
"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.
Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.
"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.
Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.
"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."
Mozilla on Wednesday released two new versions of its browser, Firefox 3.5.3 and 3.0.14, that patch three critical security holes and fix assorted other bugs.
The updates can be fetched through the Help menu's Check for Updates option, or can be downloaded directly.
Although Mozilla still supports the 3.0 version, it's pushing people to the 3.5 version, and support for the 3.0 series will end in a few months. Version 3.5, released in June, supports a variety of new Web page technologies and includes a faster JavaScript engine for running Web-based programs.
Interested folks can read the release notes.
Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.
With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.
Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.
Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.
Mozilla on Monday released two new versions of Firefox, 3.5.2 and 3.0.13, to patch two critical security holes. You can download the Windows and Mac versions of 3.5.2 from CNET Download.com, or go to Mozilla for the Linux build and Firefox 3.0.13.
"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting about the security issue.
The first vulnerability could let an attacker run arbitrary code on a person's computer by sending specially crafted authentication information called certificate.
The second vulnerability, disclosed last week, involves a flaw in certificate authentication technology that could potentially let an attacker gain access to encrypted information or issue a bogus update to Firefox.
(Credit:
Google)
The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company's plan to make the software the centerpiece of a Netbook operating system.
Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend most of their time on the Web. The Google Chrome operating system is a "natural extension" of the Chrome browser, Sundar Pichai, vice president of product management, and Linus Upson, engineering director, said in a blog post, with the browser running atop a Linux foundation.
Like the Chrome browser, the Chrome operating system will be built from the ground up with development focused on three key areas: speed, stability, and security. "We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware, and security updates," the post said.
Google representatives declined to elaborate on plans for the operating system, but it's highly likely it will align closely with what they have done with the browser, particularly given the fact that attacks on the browser now outnumber those targeting the underlying operating system. The number of new browser vulnerabilities has increased rapidly every year since 2003, and the number discovered in Web browser plug-ins has more than quadrupled, according to the National Vulnerability Database.
It's also notable that Google put features in its browser that are typically associated with operating systems.
"Google Chrome from day 1 had its own task manager, just like Windows did, showing memory consumption and CPU utilization. I said that's what an operating system has. It's a fairly clean translation," said Billy Hoffman, manager of Web Security Research Group at HP Software and Solutions.
Chrome OS, whose source code is due to be released publicly later this year as Google tries to enlist open-source programming allies, is likely to change the operating system landscape just like Chrome the browser did, prompting rivals to try to match or beat its features.
"The innovation (coming out) of the browser wars is bringing more and better security," Hoffman said. "The Chrome browser itself is fairly hardened, and we hope they move into more user protections like IE 8 and Firefox."
Chrome has several design features that optimize security: sandboxing, which restricts privileges of key parts of the browser so it's harder to coopt them for mounting an attack, and multiprocess architecture, which stores Web sites and Web applications in separate areas of browser memory areas and isolates them from the rest of the computer.
Overall, security experts say Chrome shows that Google takes security seriously and its developers are willing to try new approaches to achieve it.
"Google has done a lot of innovation in terms of security in Chrome," said Matt Wood, a senior researcher in Hoffman's department at Hewlett-Packard.
Google added a Task Manager to its Chrome browser, spotlighting a design decision that parallels operating systems.
(Credit: Screenshot by Stephen Shankland/CNET)
Starting from scratch
Being new to the browser game helped.
"By starting fresh, we had the option to do very innovative things we wouldn't have been able to do otherwise," said Ian Fette, the Chrome product manager specializing in security features.
What set Chrome apart when it launched in beta last September was that it splits the browser up into multiple parts. The browser kernel interacts with the operating system and handles only trusted code, storing things like bookmarks and cookies on the computer. Other main components, the rendering and JavaScript engines that figure out how to display Web pages and execute Web-based JavaScript programs, run with restricted privileges in a sandbox that limits access to the underlying system.
Chrome's initial line of defense is to check a site being visited against several anti-malware and anti-phishing blacklists that comprise Google's Safe Browsing service.
If some malware evades the safe browsing screen it's likely to be blocked by Chrome's sandboxing technology. The sandbox runs an application in a restricted environment, isolating HTML rendering and JavaScript execution to prevent them from writing to the hard drive or registry or accessing files.
"The goal is to make it impossible for malware to install itself and access your data on your local computer," Fette said.
Chrome also restricts each the browser tab to its own computing process. That further prevents malware from being downloaded or interacting with other Web pages that are open in other tabs.
Automatic updates
Another aspect of Chrome that security experts praise is the so-called "silent" auto update feature. New versions of the browser are automatically updated on computers in the background without the user taking any action.
Chrome checks for updates every five hours using the open-sourced Google Update software code-named Omaha that polls for updates even when the browser is not running. When a new update is available on the Google server, the client automatically downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.
Given that more than 45 percent of Internet users don't use the latest Web browser version, according to Google research, it would seem that there is a huge need for this.
"Our philosophy is users shouldn't have to care," Fette said. "Everything should keep working for them."
When Chrome first launched in September it had two vulnerabilities that were exploitable. Google released patches for them within 24 hours, he said.
"End users don't know whether to refuse or accept software updates. Chrome just forces them on people," Hoffman said. "It's a good example of not letting users make poor security choices."
Nevertheless, some want the choice. For IT administrators who want to control software updates themselves, Google recently added options to let enterprises customize when and how they get Chrome updates, Fette said.
Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milmw0rm site, Wood said. However, any comparisons to the number of exploits or patches on Chrome compared to Internet Explorer or Firefox are difficult because Chrome has far fewer users and thus is less targeted by attackers, he said.
Tricking the user
Chrome does a great job of protecting against exploits of vulnerabilities in which attackers sneak code through a hole in the browser to install malware or run code on the computer, experts said. However, it's not so good when it comes to protecting them against Web-based attacks like cross-site scripting, cross-site forgery, SQL injections, and phishing, in which an attacker tricks users into doing something they didn't intend via the browser, they said.
"One thing Google needs to work on where they haven't really focused is on stuff like user security," said Wood.
Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on Web sites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that lets users choose which scripts on a site they want to run or block. But that is likely to change.
"We are in the middle of building out our own browser extension system so that something like NoScript could be done," Fette said. "For many people it's a noisy option. It asks a lot of questions and if you're not focused on security it could be hard to make it work."
Internet Explorer 8 offers a cross-site scripting defense mechanism that protects users against those type of attacks, Wood said.
Google is evaluating cross-site scripting protections, but, Fette said, "You have to make sure it's based on standards and won't break sites."
IE also lets users turn off JavaScript. Chrome doesn't, but it does sandbox JavaScript.
"If you turn off JavaScript you may turn off navigation on a bank site" or otherwise render a site unusable, Fette said. "It's not an option we feel is viable, so we don't offer it."
Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, he said. "Sandbox is not a panacea," Fette said.
The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security, suggests that people use two different browsers for the safest experience: Chrome for "promiscuous Web surfing" and Firefox with the NoScript plug-in for important activities such as checking e-mail or online banking.
Asked to comment on that suggestion, Fette said that because each Chrome tab is a separate process the system has the same protection as using two different browsers.
Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.
"There is no real security with password management. You can open it up and see all the passwords in clear text," he said. "A browser needs a good password manager. People can't remember all the passwords for all the sites on the Internet."
In response, Fette said someone with access to the computer already can do plenty of damage--for example installing a key logger to monitor what the user types.
"Chrome came out and lit a fire under Firefox and IE. It's driven a lot of innovation and a lot of that has been in security and general usability," said Wood. "We're moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the Web."
Mozilla on Tuesday released Firefox 3.0.12, an update to the open-source browser that fixes five critical security vulnerabilities and fixes a handful of other bugs.
"We strongly recommend that all Firefox 3.0.x users upgrade to this latest release," Mozilla said on its developer blog. "If you already have Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."
Version 3.0.12 fixes five critical problems and one high-level security problem, according to the Mozilla security advisory site.
Mozilla is trying to move people to the newer Firefox 3.5, which offers faster JavaScript program execution, new privacy features, and a handful of technologies geared for more powerful Web applications.
And Mozilla is pushing the new browser hard. Security and stability fixes for the 3.0.x series will end in January 2010.
Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.
Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.
The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, the Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google becomes incompatible again.
Update July 17 1 p.m. PDT: A patch to fix the Gears compatibility issue is under way.
