March 26th, 2009

Is IE8 really fat and slow?

Posted by Ed Bott @ 5:14 pm

Categories: Internet Explorer

Tags: Mozilla Firefox, Performance, Web Browser, Google Chrome, RAM, Tab, IE8, Tabs, Web Browsers, Internet

Since IE8 shipped last week, I’ve been following reviews and user feedback closely. A lot of the reactions to Microsoft’s new browser come down to personal preference: Some people like the usability-oriented tweaks Microsoft made, others think the browser is too busy or cluttered. It’s hard to argue with opinions.

But two criticisms have come up repeatedly that can be measured empirically, so I thought I would do that here. One is the burning question of whether IE8 is faster or slower than its competitors; the other is whether it makes reasonable use of system resources. In this post, I explain why some people are seeing performance issues (and share an obscure system tweak that might just cure IE8 performance and stability problems). I also take a closer look at why some browsers use more memory than others.

When it comes to browser speed tests, I have yet to find an objective consensus from the published data. Microsoft’s tests, not surprisingly, show that page load times are competitive with (and in many cases, faster than) its rivals on most popular pages.

That conclusion was borne out by a series of independent tests performed by PC World, which concluded that IE8 really is faster than Firefox:

By and large, we found that Internet Explorer 8 performed well, and beat out Firefox 3.0.7 in the majority of our time trials. However, IE 8’s performance advantage is relatively negligible. In most of our testing, IE 8’s advantage was half a second or less.

On the other hand, the Wall Street Journal’s Walt Mossberg reached the opposite conclusion in his review:

in my tests, IE8 wasn’t as fast as Firefox, or two other notable browsers — the Windows version of Apple’s new Safari 4 and Google’s Chrome. IE8 loaded a variety of pages I tested more slowly than any of the other browsers, and it grew sluggish when juggling a large number of Web pages opened simultaneously in tabs

I was baffled by Mossberg’s results. When I tried the same tests on several PCs here with IE8, Firefox 3.0.7, and Google Chrome, I got the same results as PC World. In general, all pages loaded so quickly in all three browsers that detecting any difference with a stopwatch was nearly impossible. If I tried to graph the results, it would look like a picket fence.

Then, I heard from a colleague (let’s call her Mary Jo), who was having problems nearly identical to those that Mossberg reported. Using IE8 on Windows XP, she reported:

It’s running horribly. I am having a ton of performance problems with multiple tabs open. After opening four or five tabs, things slow down and the tab progress indicator spins endlessly if I try to open a new tab.

Sounds familiar, doesn’t it? In fact, the problem was so bad that simply closing IE wasn’t enough, as multiple processes of Iexplore.exe continued running and had to be killed manually.

We did the basic troubleshooting, checking for the current version of popular add-ons like Flash (up to date) and confirming that system resources weren’t a problem (1GB of RAM on XP should be plenty).

So I checked with a few colleagues on some back channels and discovered a tweak that had worked for other people.  From a Command Prompt window, I had her run the following command:

regsvr32 actxprxy.dll

That re-registers the ActiveX Interface Marshaling Library, an obscure DLL that most people (even Microsoft experts) had never heard about. (Update: 27-Mar: Note that if you try this using Windows Vista, you must do this from an elevated Command Prompt window; type cmd in the Start menu Search box, right-click the Cmd.exe shortcut, and then choose Run As Administrator. For detailed instructions with screen shots, see this post.) After restarting her computer, she tried using IE8 again. The results were stunning:

WOW. That really made a difference. It made my performance faster and more stable. Tabs are opening faster and more consistently instead of spinning endlessly.

After several hours, my colleague reported that she was ready to give IE8 a second chance instead of “chucking it and going to Chrome out of frustration.”

Next page: Is IE8 bloated? –>

December 21st, 2008

Which sites will make the IE8 Compatibility Hall of Shame?

Posted by Ed Bott @ 3:01 pm

Categories: Internet Explorer

Tags: Web, Page, Microsoft Internet Explorer, Web Site, Site, Web Site Development, Channel Management, Web Browsers, Web Technology, Internet

According to Microsoft, a release candidate of Internet Explorer 8 is just around the corner, and with it comes an urgent call to web designers to get their act together and tweak their sites so they’ll render properly under the new browser.

Back in August, I began using IE8 Beta 2 full time on the Windows PCs I use for everyday work. Over the last few months, I noticed a shocking number of web sites that displayed incorrectly in IE8. The only way to view those pages as the web designer intended is to click the Compatibility View button (described in great detail here).

Apparently, I wasn’t alone in having to click that button. According to IE8 Program Manager Scott Dickens, that Compatibility View button has been getting a workout this fall:

Despite all the outreach to sites, we saw from the telemetry data that IE8 Beta 2 users still have to use Compatibility View a lot. Looking at our instrumentation, there were high-volume sites like facebook.com, myspace.com, bbc.co.uk, and cnn.com with pages that weren’t working for end-users with IE’s new standards compliant default.  We could also see from our instrumentation that not all IE8 visitors to those sites were clicking the Compatibility View button.  So, large groups of people were having a less than great experience because they weren’t aware of the manual steps required to make certain sites work.

I’ve been running a near-final build of the IE8 release candidate on Windows Vista for the last week or so, and it seems like I’m clicking the Compatibility View button less often since installing the upgrade. But I’m still seeing pages that have cosmetic glitches like overlapping text and graphics or scrambled layouts. In extreme cases, these tweaked pages are practically unreadable. The reason? The designers expect legacy behavior out of any version of Internet Explorer, so CSS style sheets are tweaked accordingly. Ironically, those IE-specific design tweaks actually break layouts on the much more standards-compliant IE8.

It doesn’t have to be this way.

Read the rest of this entry »

December 19th, 2008

That Windows 7 bootleg is a ticking time bomb

Posted by Ed Bott @ 5:17 am

Categories: Internet Explorer, Security, Windows 7

Tags: Beta Release, BitTorrent, Microsoft Windows 7, Microsoft Corp., Microsoft Windows, Security Administration, Patches, Operating Systems, Web Browsers, Security

Bootleggers, beware.

Judging by my inbox, lots of you downloaded a bootleg copy of Windows 7 build 6956 from BitTorrent, and now you have it running. But no matter how hard you try, you can’t update its built-in copy of Internet Explorer 8 with this week’s extremely critical out-of-band security update, which Microsoft turned around in record time.

That’s the downside of running software from unauthorized channels. You see, the build zipping around the BitTorrent tubes right now is a random “daily build,” one of many that was produced during the run-up to the upcoming beta release of Windows 7. Anyone who would have had authorized access to that build (Microsoft employees, OEM partners, a tiny corps of trusted beta testers) already has authorized access to more recent builds (including, rumors say, the final beta release itself) that can be updated with a supported version of this crucial IE8 patch. So, logically enough, Microsoft’s security team doesn’t release an update for that leaked version, just as it didn’t release an update for build 6952 or build 6961. As a result, you’re vulnerable if you visit a compromised website using the unpatched version of IE8.

Do you feel lucky? Maybe you might want to use a different browser (or even a different operating system) for the next few weeks…

August 28th, 2008

An IE8 Beta 2 Q&A

Posted by Ed Bott @ 11:40 am

Categories: Internet Explorer

Tags: Microsoft Windows Server, Microsoft Windows XP, Beta, IE Beta Newsgroup, Microsoft Windows, Operating Systems, Software, Ed Bott

Yesterday I published my first look at the just-released Beta 2 of Internet Explorer 8. I got some great comments in the Talkback thread and via e-mail and thought it would be worth answering them here. If you have any additional questions, post them in the Talkback section and I’ll try get to them in a follow-up.

Is there an official (or unofficial) feature list?

This Microsoft fact sheet seems fairly complete. There are some good descriptions with screen shots here and here and here. And, of course, you can always go look at my screenshot gallery, which has some additional text descriptions for each of a dozen features.

Should I install IE8 Beta 2?

If you have to ask, the answer is probably no. This is beta software. I think it’s pretty well tested, and Microsoft wants lots of people to try it out, but it is not finished, it has known incompatibilities with some software programs and websites, and you run it at your own risk.

Having said that, if you’re comfortable with running beta software and are also comfortable with your ability to deal with problems, then yes, I do recommend it. I especially recommend it for two groups:

• Website developers, who will want to test using it and who will love the developer tools, and
• Firefox users, who already have a working default browser and might be interested in the comparison.

Do I need to do anything special before installing IE8 Beta 2?

Probably. The official caveats and install/uninstall instructions are on this fact sheet. I strongly recommend you read them before blithely beginning the installation. Pay special attention to the required updates. If you’re running Windows XP SP3, read these additional notes. [Update: in the comments, rseiler points out that the official release notes are well worth reading as well. Thanks for the pointer!]

Does IE8 Beta 2 run on my operating system?

According to Microsoft’s announcement, IE8 Beta 2 runs on “32- and 64-bit editions of Windows Vista, Windows XP, Windows Server 2003, and Windows Server 2008.” All versions are currently supported in English, Japanese, Chinese (Simplified), and German. According to Microsoft, support for additional languages “will be available soon.”

There are no versions for non-Microsoft operating systems, nor for any Windows versions prior to Windows XP.

Will it be offered via Windows Update?

The Beta 2 release will be pushed out via Windows Update only to systems that already have IE8 Beta 1 installed. If you are not using that beta, you’ll need to download and install it manually. And even after the final release, it will likely not be available as an Automatic Update for several months, and corporate customers will have a blocking tool.

Does IE8 Beta 2 run alongside IE7?

No, it replaces your current version of IE. You can use the Developer tools and compatibility settings to make IE8 behave very much like IE7, however.

Can I uninstall IE8?

Yes. Go to the Programs option in Control Panel. Remember that IE8 is considered a Windows Update, so you’ll need to select the “Show Updates” check box (in Windows XP) or click View Installed Updates (in the Windows Vista Tasks list, along the left of the Programs window) to see the correct listing.

Where can I download the code?

Here are the official download links.

Windows XP (x86)

Windows Server 2003 SP2 (x86)

Windows Server 2003 SP2 (x64) or Windows XP Professional (x64)

Windows Vista and Windows Server 2008 (x86)

Windows Vista and Windows Server 2008 (x64)

Where can I get technical support?

The IE Beta Newsgroup contains a list of known issues. If your issue isn’t on that list and you get stuck, that’s the proper place to post a request for help. Several Microsoft MVPs and employees are monitoring this newsgroup.

Will my plugins work?

I have successfully used the latest versions of Flash, Silverlight, and RoboForm and several third-party toolbars and browser helper objects. I haven’t heard any widespread complaints about plug-in incompatibilities, but you might want to check out the IE Beta Newsgroup if you’re concerned about a particular add-in.

August 27th, 2008

Internet Explorer 8 gets a massive makeover

Posted by Ed Bott @ 1:07 pm

Categories: Internet Explorer

Tags: Web, Page, Microsoft Internet Explorer 7, Microsoft Internet Explorer, Web Browser, Feature, Internet Explorer 8, IE8, Manage Add-ons Dialog Box, Web Browsers

More than two years ago, when Microsoft was in the final stages of testing Internet Explorer 7, Bill Gates promised more frequent browser updates, as often as every 9 to 12 months. And yet today, nearly two years after IE7’s release, the long-awaited Internet Explorer 8 has just reached the Beta 2 milestone.

I’ve been using a nearly final version of the Beta 2 release for the last 10 days on several test systems here, and after putting the new browser through its paces, I understand why it’s taken so long. This is a top-to-bottom makeover, packed with usability improvements, security enhancements, and a platform for new add-ins that third-party developers are already taking advantage of. My sources at Microsoft tell me this build is feature-complete. Although it’s possible that some dialog boxes and menus will get tweaked between now and its final release date, nothing is scheduled to be added or subtracted.

To show off what’s new, I’ve put together a screen-shot gallery illustrating the most important new changes. In its broad outlines, IE8 is arranged much like IE7. But many features have been tuned, tweaked, and tightened. Even after just a few days with this browser, I can already appreciate the usability improvements in particular, which really concentrate on the activities you’re likely to perform. Here’s a summary of what you can expect.

Read the rest of this entry »

August 22nd, 2008

Is 64-bit Flash support just around the corner?

Posted by Ed Bott @ 1:40 pm

Categories: Firefox, Internet Explorer

Tags: Adobe Systems Inc., Macromedia Flash Player, 64-Bit, Network Technology, Microsoft Windows, Processors, Semiconductors, Hardware, Components, Networking

A few weeks ago, I noted the explosive growth in sales of 64-bit Windows in recent months and wondered aloud when Adobe plans to release a 64-bit Flash player.

A commenter on that post suggested that Adobe was planning to unveil 64-bit support in its upcoming Flash 10 release, but I wasn’t able to confirm that. This morning, a reader pointed me to an eyewitness report that Adobe has publicly demonstrated the Linux and FreeBSD versions of its new 64-bit player at a recent event for Flash developers. Alex Bustin, Senior Engineer of Flash Development for Sony in San Francisco, says, “I just watched Tinic from the Flash Player team demo two 64bit versions of Flash Player 10 here at FlashForward. One on [Ubuntu] Linux and the other running on FreeBSD.” He’s apparently referring to Tinic Uro, whose bio confirms that he works as an engineer on the Flash Player team.

I’ve been keeping tabs on Adobe’s site recently, and there’s still no word on when they plan to release a Windows-compatible 64-bit Flash Player. The current beta downloads of Flash 10 are all 32-bit only. Given the size of the Windows market (and the hockey-stick growth curve for its 64-bit segment), I suspect this is a top priority at Adobe.

Microsoft plans to release Beta 2 of Internet Explorer 8 before the end of this month. It sure would be nice to use that new software in a native version on 64-bit Windows with full support for Flash and Silverlight. If anyone at Adobe or Microsoft wants to add to the discussion, on or off the record, I’d love to hear from you.

August 11th, 2008

Alarmed about Vista security? Black Hat researcher Alexander Sotirov speaks out

Posted by Ed Bott @ 5:57 pm

Categories: Internet Explorer, Security, Windows Vista, Windows XP

Tags: Black Hat, Paper, Microsoft Windows XP, Vulnerability, Microsoft Windows Vista, Microsoft Corp., Web Browser, Exploitation, Microsoft Windows, Microsoft Windows Vista (Longhorn)

Earlier today I published a lengthy blog post questioning some of the sensationalist conclusions raised in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas. (See Windows security rendered useless? Uh, not exactly…) As I noted in that post:

It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.

This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:

Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.

Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won’t take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.

I just got off the phone with Alex, who took time out of his busy schedule to answer a few follow-up questions:

What was the atmosphere like at Black Hat? How was your paper received by people in the audience?

Positive. A lot of people in the audience seemed to really like the paper. A lot of them came up and asked more questions afterward. Everybody who talked to me said it was pretty impressive.

Did you get any reaction from Microsoft?

Microsoft had contacted us before Black Hat. We had some conference calls and sent them an early draft a few weeks ago. In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. It was a very positive experience working with Microsoft. Our research is helping them learn where they need to focus their resources and where they need to improve. We did not take any of the vendors by surprise. Also through Microsoft, both Adobe and Sun were notified about the paper. We haven’t spoken to them directly, but the Microsoft people have, I believe.

Is there any exploit code or proof of concept code available yet for the techniques you describe?

Well, we only gave the paper last week, so I doubt that anyone is using any of these techniques right now. What we presented is weaknesses in the protection mechanism. It still requires the attacker to have a vulnerability. Without the presence of a vulnerability these techniques don’t really [accomplish] anything. We used the ANI cursor vulnerability that had been patched. We chose this example because it worked on XP and Vista, but the example we used would not work [in the real world] because this issue was patched already.

Do you have any advice for Windows users today? Should they be alarmed?

As long as they follow standard security practices — use antivirus products and other typical things that are good standard policy — they shouldn’t have anything to worry about. Our research is to some extent academic. The articles that describe Vista security as “broken” or “done for,” with “unfixable vulnerabilities” are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we’re bypassing don’t even exist. XP is even less secure than Vista in this respect. [What we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.

Your research focuses on weaknesses in browsers. Does the movement to doing more in the browser mean the danger is increasing?

Browsers are used more widely than they were five years ago. A lot more businesses rely on browsers now to do [everyday work]. Businesses could have blocked access to the web five years ago, but with widespread use of the web as an interface, the importance of the browser has increased. It’s a lot harder to tell people they cannot use a browser. The possibility of a vulnerability in the browser affects their security.

One last question. Your paper was entitled “How to Impress Girls with Browser Memory Protection Bypasses.” In a blog post, your partner Mark Dowd said you were going to be conducting “ongoing research” on this subject in Las Vegas. Did you really flood your hot tub at Caesars Palace?

Uh… [pause] Yeah.

Thanks for your time.

You’re welcome.

August 11th, 2008

Windows security rendered useless? Uh, not exactly

Posted by Ed Bott @ 7:03 am

Categories: Internet Explorer, Security, Windows Vista, Windows XP

Tags: black hat, attacker, windows security, vulnerability, microsoft windows vista, defense, memory protection, microsoft windows, microsoft windows vista (longhorn), operating systems

Update 11-August, 6:00PM: Don’t miss my exclusive follow-up interview with researcher Alexander Sotirov, who says “The sky is not falling and the flaws are not unfixable.”

Oh dear. The Chicken Little contingent is out in full force. Break out your Kevlar helmets, everyone, because the sky is falling on Windows! At last week’s Black Hat conference in Las Vegas, researchers Alexander Sotirov and Mark Dowd presented a paper that outlined some new attack vectors they had discovered targeting some security features introduced in different versions of Windows XP and Windows Vista. It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code.

Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries, most notably the one provided by SearchSecurity, which was picked up by Slashdot and our own Adrian Kingsley-Hughes. Alas, those stories are wildly inaccurate and hopelessly sensationalized.

Read the rest of this entry »

July 30th, 2008

Dear Adobe, can we please have a 64-bit Flash player?

Posted by Ed Bott @ 9:21 am

Categories: Internet Explorer, Windows Vista

Tags: Adobe Systems Inc., 32-bit, Macromedia Flash Player, Microsoft Internet Explorer, 64-Bit, Network Technology, Processors, Semiconductors, Hardware, Components

In the TalkBack section of my earlier post on the sudden popularity of x64 Vista, a commenter makes a good point:

Flash is not yet 64 bit (at least not the last time I looked). We got a new PC last summer running Vista 64 bit and when you use IE and go to a site that uses Flash it will not work.

That’s true, and it’s the source of one of the minor annoyances in using 64-bit Vista. As I note in my reply, 32-bit IE is the default in Vista x64, presumably for this very reason:

Although there’s a 64-bit IE, you have to go through some special steps to enable it as a default. Virtually everything opens in the 32-bit IE, which you can tell if you look in Task Manager.

You can find the shortcut for IE x64 on the All Programs menu:

But if you use the IE shortcuts on the Start menu or the Quick Launch bar, or if you double-click a link or a URL shortcut, you get the 32-bit version of IE (or Firefox, which doesn’t even offer a 64-bit version for Windows as far as I can tell). All those *32 entries in this snippet from Task Manager provide the proof:

The single biggest blocker to using a 64-bit browser is the absence of a compatible Flash player. If you open the 64-bit version of IE and click Adobe’s Get Flash Player link, you get redirected to this TechNote:

Flash Player support on 64-bit operating systems

Issue: Adobe Flash Player is not supported for playback in a 64-bit browser. However, you can run Flash Player in a 32-bit browser running on a 64-bit operating system.

Reason: Adobe is working on Flash Player support for 64-bit platforms as part of our ongoing commitment to the cross-platform compatibility of Flash Player. We have not yet announced timing or release dates.

Solution: To use Flash Player to view Flash content on a 64-bit operating system, you must run a 32-bit browser.

That article was last updated on February 8, 2008, nearly six months ago. Not even a “we’re still working on it.” With the increased popularity of 64-bit Windows, someone needs to light a fire under the Flash development team.

Update 23-July 1:30PM: A commenter suggests that Flash 10 will eventually offer 64-bit support. Maybe, but that support is certainly not there today. I just downloaded and installed the latest (July 2008) Beta 2 build of Flash 10. It doesn’t work with either IE7 x64 or a compiled 64-bit experimental build of Firefox 3.

July 2nd, 2008

Microsoft to ratchet IE8 security another notch in Beta 2

Posted by Ed Bott @ 10:05 am

Categories: Internet Explorer, Security

Tags: Microsoft Internet Explorer 7, ActiveX Control, Microsoft Corp., Beta, Site, IE8, Microsoft Windows, ActiveX/COM/COM+/DCOM, Phishing, Web Browsers

Sometime in August, Microsoft plans to release Beta 2 of Internet Explorer 8. Yesterday, I spoke with Austin Wilson, Director of Windows Client Product Management at Microsoft, about some of the security-related changes due in this milestone, and got a preview of the changes announced today.

The most noticeable change is the SmartScreen Filter, which replaces the Phishing Filter found in IE7. It uses the same reputation-based filter as its predecessor, but adds a few tweaks to make it easier to spot social engineering attempts. IE8 adds domain highlighting (as shown below) to frustrate phishing attempts that use long, complex URLs to make a link appear to go to a legitimate domain.

Part of the work involves simplifying the interface for displaying potentially dangerous websites. In IE7, for example, the address bar turns yellow when you encounter a suspicious site and red when you attempt to visit a site that is reported as unsafe. In IE8 the yellow bar is gone, replaced by a dialog box. The green address bar for sites that use Extended Validation certificates remains.

When you try to visit a site that is listed in the database of known unsafe sites, the background of the browser window turns blood red and this stern warning appears:

The SmartScreen filter in IE8 also extends protection to download attempts, blocking access to servers that are known to be serving up malware

The concepts behind that work should be familiar to anyone who’s used a competing browser, such as the just-released Firefox 3. Corporate customers and security professionals should be more interested in architectural changes designed to block access to vulnerabilities in ActiveX controls and take advantage of Data Execution Prevention features.

The ActiveX changes (some of which were announced in May) allow controls to be locked to a specific site and to be offered on a per-user basis. The former prevents a hostile website from being able to call an existing ActiveX control (such as one installed by the system builder or with another program, or one downloaded from a different, presumably safe web page). The user (or a system administrator, using group policy) has to opt-in to those controls and can lock them for use only on a specific site.

ActiveX controls can also be offered on a per-user basis, bypassing the need for UAC prompts and lessening the possibility that one user can install a control that compromises the entire system or other user accounts.

In IE7, Data Execution Protection is disabled for the browser process by default, primarily for compatibility reasons. IE8 enables DEP on Windows Vista SP1, Windows XP SP3, and Windows Server 2008. As a result, any page or add-in that tries to use a buffer overflow or other exploit to write executable code to an area of memory that is reserved for data will crash that browser tab (but shouldn’t take down other tabs).

Finally, IE8 is designed to protect from some forms of server-based attacks as well. The most noteworthy change is code that blocks common forms of cross-site scripting exploits. According to Wilson, IE8 will detect Type-1 (reflection) attacks and block script from being injected to web a server via URL.

I’ll have a more detailed look at these changes when the beta code is available next month.