So that leaves what, 5 Opera users?

In everyday English, they're going to guess.

Sadly, they'll probably guess wrong, early and often; Microsoft has an unenviable track record in such matters.

Stay tuned for the chorus of complaints.

if they weren't they would be algorithms.

5 Opera users???, PLEASE, no gross over-exaggerations!!!!

Paris, cos she screams like an Opera singer when I give it to her (in my dreams :-( ).

"Having the capability to identify and neuter the replayed markup/script allows the filter to avoid overbearing mitigations such as querying the user, modifying outgoing requests, or blocking entire pages."

Since when did Microsoft consider "querying the user" to be an "overbearing mitigation"? I had thought that was their newest "security feature", but apparently it's not good enough for their web browser. Looks like ol' Bill has truly left the building ...

And it would be good of them to provide a "Run it Anyway" option until they get the filter absolutely perfect ... y'know ... just in case ...

STD

mine's the one that's ribbed for her pleasure...

Well if microsoft says it's so, it must be true

</sarcasm>

As with an other product microsoft releases, it's stability and security will be measured in minutes. After that...well no one here needs a history lesson on Microsoft and their track record

NoScript blocks iFrames. IE is still vulnerable to those. IE sucks...

Sounds like an oncoming flop to me.

If you're lumbered with IE, as alas I so often am, there's the option to turn JavaScript off for everything except links in the Security options. That should prevent the effects of JavaScript injection. Trust no-one. Who wants JavaScript when CSS is more often used for layout stuff nowadays anyway? Can't think of (m)any legitimate uses for it that aren't better served by less lazy webmasters.

Cheers,

Sabahattin

Didn't bother reading the article as I know what the conclusion is. The articles starts with

"Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites."

Surely the conclusion is they are going to get rid of Internet Explorer, assign it to the dustbin. Am I wrong? The malicious code is MS-HTML and the pathetic broken rendering of CSS.

/Mine's the coat with the big Open Source security hole in the back patched within hours.

I am a web developer with 10 years experience and I use IE as my primary browser.

Shock horror!!!

"Heuristics are inherently flawed if they weren't they would be algorithms."

Actually many algorithms work by applying a heuristic. For instance, gradient following algorithms apply a heuristic (always move in the direction of maximum gradient) to solve a problem (find a local maximum). These algorithms provably work. There is nothing "inherently flawed" about this.

The heuristics Microsoft are using in this case undoubtedly *are* inherently flawed, but that's because they are almost certainly badly designed, not because there is something inherently wrong with the idea of using a heuristic to solve a problem.

Wooo Im still on IE 6.

Why? Because I do a lot of FTP based work and IE7's handling of FTP sucks. Plus I have decent spyware and anti virus protection so im happy with IE6. I use Firefox when I want funky features and tabbed browsing. IE8 can go blow Opera, I wont be downloading it.

So far IE6 doesnt mis handle this Web 2.0 B.S.

> "popular" - i.e the most populous. i.e. the most used.

Not necessarily... 'popular' has a number of (very similar) meanings - including one of which corresponds to 'widespread' (as you're trying to portray) and one which infers approval (which you seem to be trying to deny is intended).

When it comes down to it, only the author would know what the inference was meant to be (if he thought about it much at all) - the rest is guesswork on your, and others, part.

Also to be *really* f picky, popular does not mean 'the most populous'.

Google define: popular

- regarded with great favor, approval, or affection especially by the general public; "a popular tourist attraction"; "a popular girl"; "cabbage ...

Yes, I know, Google, shock horror.

Every comment thus far has been slagging off IE, you fanboi's are persistent aren't you :)

Whilst i will agree that more than likely this won't stop all XSS attacks at least it provides some protection and that at least should be encouraged not discouraged for any piece of software no matter the OS or in this case browser.

Whilst I am not a major advocate for any single software product from any company, (I actually feel that each product has it good points and bad, how in the world can some people get so vehement about code does escape me a little), I do respect MS for fighting a battle on so many fronts in the software arena. They have in the last 10 years released products that have shaped IT* and that is something to respect.

*Whether that shaping has been beneficial or negative is not an argument that i would be eager to debate but you can't escape the truth they have shaped it..

...you're talking about the same 'engineers' (allegedly engineers) that came up with the amazing built in IE popup blocker, which, wait a minute, lets popups through all the time.

Also the wonderful phishing filter, which didn't actually reduce phishing attacks.

M'kay.

.

Just so long as IE8 brings back the semi-decent favorites/history UI from IE6 I think it was, I'll be happy. We can all dream.

I guess that only leaves 4 others to identify!

If I use it for testing does that count?

Another Web Dev here, fav browser = Firefox, though I will admit Opera is pleasant enough, the Web Dev tools in Firefox make it much more useful for the first 90% of the development! Quick check in Opera to ensure standards compliance, then the horrible task of checking in IE6 & 7 to see how naffed it decides to render margins/paddings and a lot of fiddling later it looks virtually the same in all of them. Last check in Safari to check I don't upset the fanboys an away we go!

Yes, you've been using it for years, along with 4 other people!

As a web developer i use Firefox 2, 3, Opera, Safari & M$ IE. For once could IE concentrate on becoming W3C standards compliant. IE's CSS handling is pathetic, breaks. My work renders perfectly in FF, Opera and Safari but IE and there attempt of there own standards is pathetic. Peeps you gotta remember how Bill got his piece of Rubbish Explorer onto our computers. But still a billion Euros fine still doesn't change the fact that IE is an integrated part of the windows system (GASH). For those who use IE Good luck and don't forget your anti virus, anti malware, active x bull droppings. Roll on the day (not too far away) when m$ get out of the software industry, shouldn't be too long now, early look at windoze 7 is laughable.

The penguin coz he knows how to produce good working software.

There are valid reasons for using scripts that aren't on the same host as the page being browsed. For example, OpenLayers is an excellent Javascript map browser providing compatibility with all the relevant standards (note that GoogleMaps doesn't!). However, OpenLayers is a) a large library and b) actively being developed. So, I have two choices: I can copy the whole lot to my web page repository and check frequently for updates, or I can link directly to the scripts on the OpenLayers web site. I'll do either depending on the exact circumstances; both have advantages and disadvantages.

"The filter also gives a green light to code that's found to originate from the site the user is visiting."

"Elegantly defeating the purpose then - XSS is effective largely because the scripts, from the browser's point of view, do originate at the site the user is visiting. ..."

From the browsers point of view, the XSS DON'T appear on the same site, its the humans point of view that is the problem.

Obviously by definition the XSS must be external (which is not actually true with an in-line script in the URL), and the browsers are fully away of this! The problem currently is that it is OK to use scripts elsewhere, now combine that with piss poor input validation and you have XSS.

Basically XSS is fine, I personally don't see a problem. However, its the unintended XSS thats the problem, which boils down to poor validation - a very basic computer skill.

Like hulllo, the VALIDATION is most basic *anything* you should always do as a computer programmer with input data - anybody who has ever been formally trained knows this is like lesson one, the problem is that most webmuppets (very similar to webmasters) are not trained except by uncle Bert from the Dummies guides and alike - thus another webmuppet is born.

My feeling is that this M$ suggestion is needed for most users of Browsers (the non techies), purely because so many website designers don't have a clue what they are doing. Or we execute the web designers?

But does JIM THE BOSS work for MS? It would explain why he's prone to "Ballmerisms" if I may be allowed to abuse the language somewhat.

From AC @ 21:56

"no-one who uses another browser ever goes back by choice."

I prefer using IE7 under XP to Firefox under Ubuntu. <shrug>

Tux because I spend most of my time in Ubuntu.

Pure PR, no real info. This sucks.

http://www.microsoft.com/windows/products/winfamily/ie/features.mspx

Cross-domain barriers:

Internet Explorer 7 helps to prevent the script on webpages from interacting with content from other domains or windows. This enhanced safeguard gives you additional protection against malware by helping to prevent malicious websites from manipulating flaws in other websites or causing you to download undesired content or software.

Why would anyone be needing to worry about finding your 50 favorite plug-ins, IE's sad design choices, XSS vulnerabilities, and other annoyances?

http://www.secunia.com/product/10615/?

If you aren't using Opera, try it. It's super-fast, the most secure, and very innovative.

Excellent use of misspellings and screaming, but a tad excessive. I give it 3/10 because of obviousness.

Does the Opera UI still look like something that came out of a cat's ass, or have the developers hired a design team?

which I might very well be. I'm a Firefox user primarily, but Firefox does none of this. It is the use of extensions in Firefox that provides with the ability to safeguard against these attacks. While Firefox's more open development allows for this as opposed to Microsoft's it is still not built-in. I think in Microsoft's eyes and in mine as well the average home user does not want to take the time to try and configure a tool like Noscripts. At least they are trying, which is a start. Make it easy and automated so the average user doesn't have to worry about it. We all know how the UAC played out in Vista.

Mine's the one with "kick me" on the back

I noticed your very clever writing:

"... IE, which remains far and away the most popular browser. That all will change with IE 8..."

This means to me that IE8 is the version that will kill IE's popularity, and it doesn't matter what meaning 'popular' has.