SANS is reporting that some of the leaked copies of IE7 beta 1 floating around may be bugged with spyware. Now, seriously, is anyone surprised by this? That’s always a risk with warez. I’m reluctant to grab any program, even one that allows free redistribution like Firefox, via P2P, unless there’s a way to verify it. (BitTorrent handles this internally—assuming you trust the torrent site.)

If you’re not getting a program directly from the supplier or a distributor that you trust, you should always check it before installing. Even if you are getting it from a trusted source, it’s worth checking, since servers do occasionally get hacked. Most open-source programs distribute either a PGP/GPG signature or a checksum using an MD5 or SHA1 hash along with their downloads. Assuming you get the checksum from a trusted source, you can verify that the package hasn’t been altered.
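As an added illustration (not from the original post), here is that check in Python: parse a distributor's sha1sum-style checksum list, hash each download, and report which files match, which were altered and which are absent. The file names, contents and digests below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a SHA1SUMS file as a distributor would publish it
# ("<hex digest>  <filename>" per line, the format sha1sum/md5sum emit).
# The digests must come from a channel you trust (the project's own site,
# a signed announcement); a sums file sitting next to the binary on a
# compromised mirror proves nothing.
PUBLISHED_SHA1SUMS = """\
a9993e364706816aba3e25717850c26c9cd0d89d  browser-installer.exe
0000000000000000000000000000000000000000  beta-installer.exe
a9993e364706816aba3e25717850c26c9cd0d89d  release-notes.txt
"""

# Constructed sample downloads (in practice, read these from disk).
DOWNLOADS = {
    "browser-installer.exe": b"abc",                 # matches its digest
    "beta-installer.exe": b"abc plus extra bytes",   # tampered copy
}


def parse_sums(text):
    """Parse sha1sum/md5sum output into {filename: lowercase hex digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha1sum prefixes binary-mode entries with '*'; drop it.
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def file_digest(data, algo="sha1", chunk=1 << 16):
    """Hash bytes in chunks so large installers need not sit in memory twice.
    Use whatever algorithm the distributor published (MD5/SHA1 here);
    prefer a GPG signature or SHA-256 where the project offers one."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_downloads(sums_text, downloads, algo="sha1"):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        if name not in downloads:
            results[name] = "missing"
            continue
        actual = file_digest(downloads[name], algo)
        # Constant-time compare: harmless here, but the right habit for digests.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results
```

Anything reported as MISMATCH should be discarded, not installed, regardless of where it came from.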

For IE7, if you have to try out beta 1, go through proper channels (MSDN or the beta program) or get it from someone you trust…who went through channels. Otherwise, you’re better off waiting for beta 2.

Well, I didn’t get around to downloading IE7 beta 1 yesterday, so I won’t be able to check it out over the weekend. But it’s become clear that, from a web developer’s point of view, all the action is slated for beta 2. Yesterday the IE team posted on Standards and CSS in IE, listing a number of CSS bugs they’ve fixed and a number of new features they’ve already implemented. It reads like a wish list:

  • HTML 4.01 ABBR tag
  • Improved (though not yet perfect) <object> fallback
  • CSS 2.1 Selector support (child, adjacent, attribute, first-child etc.)
  • CSS 2.1 Fixed positioning
  • Alpha channel in PNG images
  • Fix :hover on all elements
  • Background-attachment: fixed on all elements not just body

Fixed positioning! Child and Attribute selectors! Full PNG transparency (though we knew about that one already)!

Now if they’ll just implement min-width/max-width and fix the behavior of width, and add generated content via :before and :after, I think my wish list will be complete. (Assuming, of course, a low enough bug level.)

There’s timing. Microsoft has released the first IE7 beta, and Opera has released a security update. (The latest Firefox update was last week.)

Reaction to the IE7 beta has been… less than enthusiastic. I can’t install it at work since we’re standardized on Windows 2000 (IE7 requires Windows XP or newer), and I can’t download it at home since this version is only available through MSDN. Anne van Kesteren is not impressed. Neither is CNET. Asa Dotzler is trying to start a new round of Firefox marketing. Dean Edwards (author of the may-need-a-new-name IE7 standards compatibility script) is eagerly awaiting his copy. KuraFire has compared several reviews and summed up the response:

I guess that, yes, this was a disappointing first step for IE7, but even so, we should’ve expected no more than that. As much as we may all want IE7 to be a sign of great improvements in the Microsoft camp, reality once again points out that time and patience are necessary in dealing with this dinosaur of a browser.

With any luck the next beta will show more improvement.

Edit: More reactions from Mezzoblue, mainly on trying to install it and what’s changed in CSS, and from WaSP’s Molly Holzschlag, focused on what comes next.

I had to reboot one of the Windows servers on Thursday, at which point the GDI+ checker installed by Tuesday’s security fix popped up a message explaining that there was still some software with the JPEG vulnerability. OK, fine, I’ll run it again and see what’s missing. So I clicked on, well, OK, and it pulled up Internet Explorer.

More to the point, it pulled up Internet Explorer 2.0.

You see, that machine has some leftover files from a previous OS, and somehow the GDI+ utility picked up on that copy of iexplore.exe. Of course, it could barely handle the vulnerability info page — no ActiveX of course, and it even displayed raw JavaScript code at the top of the page because it wasn’t hidden inside a comment! (Even Lynx can handle that now!)

But once I fired up IE6 to actually run the test, I figured as long as I had the old one running, why not check a few site layouts? Or some browser sniffers, and see what it claimed and what it could handle?

Almost nothing, as it turns out. It couldn’t even find any of the sites I tried. And from the way it couldn’t find them, I realized exactly what was missing: it couldn’t handle virtual hosts.

When I worked at a computer lab in college, the main security focus was preventing lab visitors from screwing around too much with the computers. We just ran Windows NT and locked it down as hard as possible. The worst network-based threat I remember facing was WinNuke, and that was just as likely to be another lab tech. Some of the early email viruses started circulating while I was there, but since it was a public lab, we didn’t provide any email programs; people would telnet into the mail server and use Pine. (This was pre-Hotmail, too.)

In my wired-for-ethernet campus housing, however, all bets were off. I watched people remotely controlling each other’s computers as pranks, or discovering hackers had gotten onto their systems from halfway across the planet, and figured it was safer to use Linux most of the time. This actually got me in trouble with the network admin at one point, who decided I must be running a server and shut off my port. It did at least teach me to disable services that were turned on by default, though I saw no indication that anything on there was actually being abused.*

Firewalled

Then there were firewalled environments. Still back in college, we rigged up my parents’ house for a home network. My brother put together a Linux box to dial into the Internet and act as a gateway, and effectively everything inside the network was safe from direct attacks. No point in internal firewalls, and since everyone was savvy enough to avoid the really nasty stuff (which was easier at the time), virus scanners were only a precaution, rather than a necessity.

For the past few years I’ve mainly worked with