Is Internet Explorer 8 Ready for You?

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Bad timing underscores vulnerability in the gold release of IE 8.

By Chris Smith

Microsoft released Internet Explorer 8 to the Web last week, prompting a rousing debate about which product is leading the pack in the browser wars.


But system administrators have questions they want answered: is it safe, and is it stable? Our considered reply: compared to what? They're all a bit soggy.


Being a bachelor has its advantages, but having good-quality, hot food available at a minimum of one refueling session a day is not one of them. I approach the refrigerator with the knowledge of too many stories written as a newspaper reporter about entire families being wiped out by food poisoning. I have been accused of relentlessly picking through my food with a fork, a habit acquired from eating at a potpourri of low-priced restaurants where finding foreign matter is not a fear; it's a duty.


I open my refrigerator door with one question in mind: is it fresh? Then the subordinate question floats up in my brain: compared to what? It's all relative. Do I discard the eggs that are two weeks out of date in favor of those only a week past their sell date? Or do I just assume they're all stale so I might as well consume the oldest ones first? It's a dicey game, and there are no winners. In fact, you could wind up a very big loser.


Having the bachelor experience surely is a prerequisite for being a sage IT administrator. Give it to Mikey; he'll eat anything. In short, go test your new browser on some poor department that is used to getting the worst products and service--like your own IT department! Microsoft drank its own Kool-Aid and has been using IE 8 internally for some time. They've survived, so go for it!


But wait...perhaps not yet. It's your job at stake, remember? I wrote about how to manage the Automatic Update release of IE 8 in "Ready or Not, Internet Explorer Is Headed Your Way" in the January 30, 2009, issue of MC Tips 'n Techniques. The question of when Microsoft will release IE 8 to AU depends on who you are. There are a series of dates for different sets of users. Microsoft's March 19 RTW was the first step in what one writer called, "a complex availability ballet for the browser that will stretch well into mid-2009." The first release wave (Wave 0) includes, in addition to English, a number of localized versions focused on Western and Eastern Europe.


During the week of April 20, Microsoft intends to release Wave 1 with localized versions for users in other Eastern European and several Far Eastern countries. For a complete listing, visit TechARP. Automatic Updates are slated for April 27, May 5, and June 24.


Currently, IE 8 is available for manual download and integration with 32-bit and 64-bit versions of Windows XP, including SP2 and SP3, Windows Vista RTM/SP1, Windows Server 2003, and Windows Server 2008.


The problem is, no sooner did Microsoft release the final version of IE 8 with its advanced security technology called Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) than someone hacked through them during a competition in Vancouver, B.C. I kid you not. The CanSecWest conference hosted its annual Pwn2Own contest where they pitted the major browsers--IE 8, Firefox, Safari, and Chrome (but not Opera)--against each other. According to Terri Forslof, manager of Security Response for TippingPoint, as reported in her blog, last year's winner, Charlie Miller, and a contestant known only as Nils knocked off three of the four browsers in a matter of minutes. Safari appeared to be the easiest to hack into, with IE 8 taking a little longer. Zero-day vulnerabilities were their Achilles heel, according to Forslof. The only browser that survived intrusion attempts all day was Google's Chrome.


As reported by Marius Oiaga in Softpedia, Microsoft later confirmed the zero-day vulnerability in IE 8. According to Forslof, a former security program manager at the company, the Microsoft Security Response Center (MSRC) had been able to reproduce and validate the vulnerability.


So far, no patch for IE 8, so I don't know if I'd want to consume that pizza quite yet. But then, who's really worried about a little dirt in their food anyway?