All web browsers have bugs, but when simply viewing a web page can infect your computer with malicious software, the speed with which bugs are found and fixed is critical. It may be the most important yardstick by which to measure any web browser.
For Windows users, the choice between Firefox and Internet Explorer isn't a contest at all. Microsoft is slow in fixing IE bugs, being locked into a once a month cycle. Not Firefox.
Mozilla released version 3.02 of Firefox on Tuesday. It had a bug. Happens all the time. What doesn't happen all the time is that the bug was fixed quickly and version 3.03 of Firefox was released on Friday.
Anyone interested in Defensive Computing doesn't want their bug fixes idling at the gate waiting for the one day a month when they are set free.
See a summary of all my Defensive Computing postings.
What are they thinking at Mozilla? How could they devote time and effort to eye candy like new icons and drastically reworking the address bar when Firefox so often fails at printing.
How did printing get pushed to the bottom of the priority list?
I read lots of Web pages in hard copy and from the get-go (version 0.8 or so) Firefox has underperformed when it comes to printing Web pages. That issue and the slow start-up time are two constant annoyances endured by devoted Firefox users. It's been quite awhile now, and I think it's time that Mozilla get around to making Firefox the equal of Internet Explorer in terms of printing Web pages.
This page deserves special mention: SSLVPN Vulnerabilities - Client Certificates offer a superior defense over OTP devices.
In Firefox 2, not one word of the article prints. Not a single word. Print preview shows one mostly blank page.
In Firefox 3, the first page is the same as Firefox 2, page 2 has the article and page 3 has some links from the page footer. But, the article is about 7 or so pages and page 2 has only the first page. In other words, Firefox 3 can't print the vast majority of the article.
Firefox is Lucy Ricardo. For those of you who recall I Love Lucy, I'm Ricky. I love my wife, Lucy, but sometimes she just does the craziest things.
Maybe it's time for Ricky to go to the Opera. Version 9.5 of the Opera browser, running on Windows XP, prints the entire article, although it also feels the need to start with an appetizer of an empty first page. Internet Explorer 7 prints the entire article perfectly, no blank first page.
Update August 20, 2008: A commenter below noted that Safari can print the article in question, I haven't tried this. The person didn't say however if it was Safari on the Mac or on Windows. I only tried Firefox on Windows XP, another commenter below said that Firefox 3 on a Mac printed this page fine. Firefox version 2 had an optional toolbar button to report web sites that didn't display well in the browser (the button looked like a spider web). Version 3 of Firefox eliminated this button, so problems like this can no longer be reported to Mozilla.
See a summary of all my Defensive Computing postings.
In his Open Road blog, Matt Asay was skeptical about some browser market share data because the sample audience was heavy on techies. The July 2008 stats for the site in question, W3Schools.com, were:
| W3Schools.com | |
| BROWSER | USAGE |
| Internet Explorer | 52% |
| Firefox | 43% |
| Safari | 2% |
| Opera | 2% |
Into this discussion, I'd like to add my own numbers.
My JavaTester.org website also leans a bit towards a technical audience. To seek out the site, you have to know what Java is and that there are different versions of it. In July 2008 the site averaged 8,050 page views a day, according to awstats. Interestingly, the July usage stats also showed Internet Explorer at 52 percent, the same as W3Schools.
| javatester.org | |
| BROWSER | USAGE |
| Internet Explorer | 52% |
| Firefox | 32% |
| Netscape | 4% |
| Mozilla | 4% |
| Safari | 2% |
| Opera | 2% |
The most popular site that I manage belongs to a client whose audience has no interest in technology. The site averaged 12,477 page views per day in July, also according to awstats. The market share there shows Internet Explorer did better, as did Safari.
| Non-techies | |
| BROWSER | USAGE |
| Internet Explorer | 62% |
| Firefox | 26% |
| Safari | 6% |
| Mozilla | 2% |
In short, among techies, IE was used 52 percent of the time and Firefox either 32 percent or 43 percent. The higher percentage was at W3Schools.com and chances are that their users are more technically inclined than those at Javatester.org. Among a more general audience of web users, IE scored 62 percent and Firefox 26 percent.
It seems that as the technical awareness of the the audience decreases, the use of Internet Explorer increases.
Does this remind you of Windows? Businesses, with techies making the decisions, are, for the most part, sticking with XP while consumers find nothing but Vista on retail shelves.
See a summary of all my Defensive Computing postings.
A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.
On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.
The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.
Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).
Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?
Old Versions of Software
Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.
A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.
Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.
Firefox does an excellent job of updating itself, Internet Explorer does not. The survey found many IE users running old versions of the browser, moreso than other browsers. For example, Firefox defaults to opening up a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.
Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is udpated as part of Windows Update and Microsoft Update and thus lives in a bigger more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, it's Defender anti-malware software and who knows what else.
One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.
Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.
Which do you prefer?
Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:
"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"
Update. July 7, 2008: Yet another IE related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?
Update. July 7, 2008: A commenter made a good point, Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.
See a summary of all my Defensive Computing postings.
Are one or more web sites not doing what they're supposed to be doing?
My knee-jerk reaction would be try another web browser. Internet Explorer users should install Firefox if for no other reason than this. Rather than debug a problem, it's easier to work around it when possible. If you've never used Firefox before, I suggest starting with the portable version. It's less intrusive.
Windows XP users with a mis-behaving instance of Internet Explorer, should read Microsoft's Knowledge Base article How to reinstall or repair Internet Explorer in Windows XP.
One of the suggestions for dealing with a broken copy of Internet Explorer version 6, is to upgrade to version 7. I agree with this. For a long time I avoided IE7 (not that I use IE much anyway) but at this point IE7 is mature enough to have had the most obvious bugs and design mistakes fixed.
If IE7 is problematic, the article suggests starting it (perhaps a big assumption), then navigating as such: Tools -> Internet Options -> Advanced tab -> Reset button. This opens a new "Reset Internet Explorer Settings" window, shown below. Click the Reset button.
IE6 diehards can re-install the browser with: Start button -> Run -> "%systemroot%\inf" (without the quotes). This will most likely take you to the C:\WINDOWS\inf folder. Right click on the Ie.inf file in this folder, select "Install" and restart Windows after the re-install has finished.
No matter what browser you use, Windows XP users should run it under the control of DropMyRights, a program I devoted three postings to back in August. To get started see Every Windows XP user should drop their rights.
Update. April 5, 2008: Today I tried using this on a broken copy of IE7 which crashed trying to display the default home page, every time it started up. I got IE7 running by changing the default home page to a blank page using the Internet Options in the Windows XP Control Panel. Then I ran the "reset" as described above. The next time IE7 started, it tried to display a "runonce" page at msn.com and crashed. Since the runonce page never finishes, it gets invoked every time IE7 starts, and crashes. Thus I took a copy of IE7 that could at least start up and broke it so that it no longer even does that.
See a summary of all my Defensive Computing postings.
Yet again, a bug fix created a new problem. This time it occurred with Internet Explorer 6 and 7 on Windows XP and Vista.
The problem is that Internet Explorer crashes after viewing a web page. Not all web pages though, I was able to successfully view about half of those I tested with IE6. One site that crashes it pretty quickly is Microsoft's own msn.com (they offered it as an example).
It wasn't hard to find information online about this problem which was introduced in the December 11th round of bug fixes to Windows.
According to Computerworld, reports came in immediately after the release of the December 11th patches, about problems with Internet Explorer. I was just hit with this because I always wait a bit before installing new bug fixes. This wasn't the first time that a poorly tested fix created a new problem.
To document the problem Microsoft created Knowledge Base article 946627.
On December 18th, Microsoft offered a work-around in the form of a registry zap. Not your most user-friendly undertaking.
On December 20th, however, they incorporated the registry zap into a downloadable EXE file, and updated the Knowledge Base article with a link to the file.
Uninstalling
Rather than fix the fix with a registry zap that seems to target the symptom rather than the underlying problem*, my first reaction was to un-install the buggy bug fix.
Windows XP users can do this using the "Add or Remove Programs" applet in the Control Panel (see above). At the top of the window, turn on the checkbox for Show updates and sort by date last used. Then, scroll to the bottom and look for KB942615.
When I did this however, I was scared off by the warning message shown above. Even if I was willing to risk breaking two other bug fixes, I want no more to do with the Adobe Flash player. If you try this, please leave a comment below about the patches and applications, if any, that you get warned about.
Installing
You can download the automated registry zap here . The file is WindowsXP-KB946627-x86-ENU.exe, and running it starts up a Wizard (below) that walks you through a simple, standard installation process.
I suggest making a restore point before installing anything. Can't hurt. In my case, the fix was immediate, there was no need to restart Windows.
According to this Microsoft Security Response Center blog posting the newly automated fix has been incorporated into windows update.
<sarcasm>
Considering how so few people use Internet Explorer and even fewer use Windows XP and Vista, combined with the limited resources of the company that produced both products, it's no surprise that quality assurance for the original bug fix might be lacking.
</sarcasm>
* According to Heise Security, "the update does not really fix the problem..."
See a summary of all my Defensive Computing postings.
Internet Explorer 7 was missing on a brand new Dell Latitude D630 running Windows XP SP2. I tried to find out why, which resulted in the saga below. Consider this a tip for anyone purchasing a new XP based computer and a heads up on how Microsoft and Dell treat their customers.
The machine arrived a few days ago, and one of the first things I dutifully did was run Windows Update from Internet Explorer (Tools -> Windows Update). I was surprised to find the machine came with Internet Explorer 6 considering that IE7 has been available for a year now.
After the usual round of updates to the Windows Update software, it found over 40 missing bug fixes and correctly installed all of them except for one. No big deal, I've seen this many times with one of the patches for .NET. Still, Windows seems pretty stale. It's hard for me to judge the age of 40 some odd bug fixes, but it could be that Windows hadn't been updated for over a year.
After rebooting, Windows Update finds the missing bug fix and installs it. Only then I notice that I'm still running Internet Explorer version 6. What gives? Hundred of times I've seen Windows Update try to install IE7.
Back to the Windows Update website. IE7 is not in the list of optional patches. A review of the update history shows only the one error I already knew about. Nowhere in the history is IE7. I try to restore the hidden updates, but there aren't any. I decide to investigate. Is it a bug in Windows Update?
Microsoft
At the home page for Internet Explorer (microsoft.com/ie) the lead story is "Internet Explorer 7 now available to all users running Windows." This, of course, is not true. IE7 does not run on Windows 2000 or any of the earlier versions of Windows.
I follow the link to "Find help get answers" which leads to the Internet Explorer 7 Support page. Here too, Microsoft makes a statement for which truth is not an appropriate attribute. The page says "Support for Internet Explorer 7 is available via the phone based on your locale."
I call the Support number and answer the phone menu questions. In the end, Microsoft says it's not their problem. Because Windows XP came pre-installed on the computer, the instructions say to contact the hardware manufacturer.
I called Microsoft again and this time chose the option for Windows Update returning an error. In response, the telephone system sent me to the Windows Update website with instructions to click on "Get help and support". Speaking to a person was not an option, even though I was calling during the hours of operation. The linked-to web page didn't provide anything useful.
In a third go-round with Microsoft's telephone system, I chose the security and virus problem option figuring that IE7 is supposed to be more secure than IE6. The telephone system told me go to onecare.live.com/scan and run a full service scan. At this point I could take the hint, so I tried Dell.
Dell
At the home page for Dell support (support.dell.com) there is a "Live Chat" link at the very top. I clicked it, opted to chat with technical support and entered my service tag. This starts a hardware chat. My problem is software, but there isn't a software chat.
After entering my name and email address, IE issues two different warnings about problems with digital certificates.
The text in the chat window at the bottom of the resulting page is small, click I click on a link in the top part of the page for large text. This changes the text size in the top, but not in the chat window. Looks like Dell hasn't put much effort into this chat thing.
Fairly quickly, someone starts chatting with me and they confirm that the chat is only for hardware problems. So I ask where the software chat is. Rather than answer the question, the person asks what the software problem is. After explaining it, I'm told "... what I can do is give you the number to Microsoft and they will be able to assist you with this issue." I'm told to call (800) MICROSOFT. Thanks Dell.
I call this new Microsoft number and end up with the same phone menu options as before. Again, when I tell Microsoft's telephone system that Windows XP came pre-installed, they tell me to call Dell (in so many words).
I soldier on to Dells' technical support web page where it correctly auto-detects that I'm running a Latitude D630. I click the Contact us link and end up here where I opt to call Technical Support on the phone.
Calling requires an Express Service Code, a different number from the Service Tag. There is a link to display your Express Service Code but it only works in Internet Explorer. Still, it wasn't hard to find.
The instructions offer different phone numbers to call depending on who or what you are. I don't' know who I am. The computer belongs to a client of mine and I don't know if it was purchased as an individual, small business or perhaps higher education. The phone number for each differs and I'm too pessimistic to call any of them.
Back to Microsoft
But I decide to spend a few more minutes searching Microsoft's site. As Jerry Pournelle often says, I do this stuff so you won't have to.
Somehow I end up at the Internet Explorer Solutions Center. There is search box for searching the tech support Knowledge Base. I enter "windows update", click the arrow and find nothing that answers my question in the search results.
At the top of the list is a link to the Windows Update Solution Center. The initial page has nothing about IE7 disappearing from Windows Update, so I try Other Issues. From the list of products, I select Windows Update, say I'm in the United States and end up at a page where I can submit a problem report. Looks like there is free technical support for Windows Update. Yippee.
But before submitting a problem you're presented with a long "Agreement for Microsoft Services". This is the end of the line for me, I resent being bound by this agreement just to get help with Windows update. Also, there is a section in the agreement on confidentiality that starts with "The terms and conditions of this agreement are confidential..." I want to write this posting so confidentiality is out of the question. It does however, beg the question of why Microsoft needs confidentiality for tech support.
Get the Memo?
Maybe I didn't get the memo. Maybe everyone but me knows IE7 is no longer available from Windows Update. I do a web search for "internet explorer 7 windows update".
IE7 has been in the news lately. Microsoft dropped the requirement for WGA validation. This means that people running illegal pirated copies of Windows can now get IE7 (see Microsoft disables Internet Explorer 7 validation process by Tom Espiner) . The article doesn't mention Windows Update.
Installing
At this point, I download and install IE7 without incident. It's available from microsoft.com/ie and microsoft.com/downloads (where it heads both the popular and new lists).
After the required reboot, I run the Secunia Software Inspector (a future blog topic) for an unrelated reason only to have it point out that I'm missing a bug fix to IE7. Windows Update confirms this, as shown below.
Thanks Microsoft, for letting me download a known buggy version of IE7 and not warning me to run Windows Update afterwards. Or was the bug left there for those running pirated versions of Windows?
P.S. You're still better off with XP as opposed to Vista.
Update: October 14, 2007. According to the Automatic Updates Distribution Process page at Microsoft's website, IE7 is being distributed by Windows Update. Either this page is wrong or there is a bug in Windows Update.
On October 4th, Steve Reynolds, Program Manager for IE at Microsoft, wrote:
"If you are not already running IE7, you can get it now from ... or, if you haven?t already received it via Automatic Updates, this version will be delivered to you as we described previously."
I confirmed on another Windows XP machine that IE7 is not offered via Windows Update.
Update: October 15, 2007. I tried a third XP computer running IE6 and this time IE7 did appear in the list of missing updates. I tried a fourth machine and it too, was offered IE7. The best guess is that it was a temporary problem with Windows Update.
Update: October 16, 2007. Rather than a bug, this was probably a temporary takedown of IE7 having something to do with the recent removal of the WGA requirement. As with so many computer gripes, it boils down to bad documentation.
Update: October 18, 2007. Finally, closure. Susan Bradley, writing for Windows Secrets, covered the disappearance of IE7 in an article today Internet Explorer 7: missing in action or not?. Susan says "We honestly don't know why IE 7 was gone for nearly a week." It re-appeared Sunday October 14th. As noted above, this is yet another case of bad documentation.
- prev
- 1
- next
