NewsBot

Everything posted by NewsBot

  1. In my latest Xbox 360 game review, I take a look at the hilarious and excellent Battlefield: Bad Company. This one's a must-have for shooter fans! More...
  2. We all know Bill Gates is no longer working full-time for Microsoft almost a week ago and for quite some time, he has been looking straight at Steve Ballmer to do the job. I believe in Steve and so has Bill. Good luck Bill. Image found via Flickr. More...
  3. InfoWorld has FedEx’d their final and probably desperation plea to Steve Ballmer on saving Windows XP in the form of a USB containing more than 210,000 users who want to extend the life of the operating system. In an excerpt of the letter: Dear Steve, On January 2, 2008, InfoWorld launched the Save Windows XP campaign. [...] More...
  4. Dell Finds a Way to Continue ... InternetNews.com - 15 minutes ago The feature, amusingly enough, is called "Genuine Windows Vista Business Bonus" or "Genuine Windows Vista Ultimate Bonus." This may well be the first time ... More...
  5. Tech Bytes: Vista haters sign petition to keep XP Winston-Salem Journal, NC - 3 hours ago By Tim Clodfelter | Journal Reporter Microsoft pulled the plug on the Windows XP operating system this week to make room for the newer Windows Vista system. ... More...
  6. Dell Finds a way to Continue XP Sales InternetNews.com - 54 minutes ago The feature, amusingly enough, is called "Genuine Windows Vista Business Bonus" or "Genuine Windows Vista Ultimate Bonus." This may well be the first time ... More...
  7. Windows XP: Only 'mostly dead'? InfoWorld, CA - 11 hours ago Vista is such a dog it qualifies for the Iditarod." Still, it seems there's a lot of revisionist history going around these days. When Windows XP came out, ... More...
  8. Dell Windows Vista Bonus is a PC with Windows XP instead iTWire, Australia - Jul 1, 2008 According to Dell, new buyers can have a Windows Vista Bonus: a copy of Windows XP instead... In what has to go down as one of the most bizarre bits of ... More...
  9. Vista failed on compatibility issues? CIO Weblog, CA - 12 hours ago That seems to be the implication in Senior VP Bill Veghte's letter to Microsoft customers announcing the ship date for Windows 7 (around about January ... More...
  10. Dell offers 'Windows Vista Bonus' to frightened customers Register, UK - Jun 30, 2008 The Dell channel blog is pointing resellers to the loophole in the Windows Vista license that enables business customers to downgrade from the unwanted ... More...
  11. Is this the end of Windows XP as we know it? Well, not quite guardian.co.uk, UK - 21 minutes ago Bill Veghte, head of Windows, posted a letter online (at microsoft.com/windows/letter.html) acknowledging that at Vista's launch "some key applications and ... More...
  12. Install Speech Macros in Vista Lifehacker Australia, Australia - 26 minutes ago Good thing, too, because his own blog has lots of geekily awesome macros available for free copying: a Windows Media Player controller that lets you say ... More...
  13. As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs, I get a lot of spam. Of the spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, and even if only a few users fall for any given phishing attack, attackers will profit by increasing the volume of phishing campaigns.

      In Internet Explorer 7, we introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites, and worked with partners to introduce Extended Validation certificates that light up the address bar when users visit sites with verified identity information. Beyond the Phishing Filter, Microsoft has also published educational materials on identifying phishing scams, and developed a strategy to attack phishing at multiple levels.

      For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways:

        • Improved user interface
        • Faster performance
        • New heuristics & enhanced telemetry
        • Anti-Malware support
        • Improved Group Policy support

      I’ll describe each of these in the sections that follow.

      Improved User Interface

      First, we’ve simplified the opt-in experience for the SmartScreen Filter, integrating the option into the IE first-run experience. After first-run, you can later change your preferences easily by using the option on the classic Tools menu. Next, the bold new SmartScreen blocking page offers clear language and guidance to help you avoid known-unsafe websites. Here’s a screenshot from a recent phishing site I encountered:

      http://ieblog.members.winisp.net/images/SSBlockingPage.png

      The “Go to my homepage” link enables you easily to navigate away from the unsafe website to start browsing from a trusted location. If you instead choose to ignore the SmartScreen warning by clicking the “Disregard and continue” link, the address bar remains red as a persistent warning as long as you are on the unsafe site.

      If you uncover a new phishing site, you can submit it for analysis using the “Report Unsafe Website” option on the Tools menu. In the unlikely event of a false-positive, you can provide feedback using the “Report that this is not an unsafe website” link on the blocking page or by clicking the “Unsafe Website” flyout in the address bar.

      Improved Performance

      As a part of our overall investment in improving performance across Internet Explorer, we’ve made several performance tweaks to the SmartScreen Filter to improve its speed and lower its impact on browser performance. Detection of unsafe sites happens in parallel with navigation, so you can confidently surf the web without being forced to make a tradeoff between speed and safety.

      New heuristics & telemetry

      As attackers have evolved their phishing sites in an attempt to avoid being recognized and blocked, the SmartScreen Filter has also evolved to catch more phish than ever before. New heuristics, developed with help from security research teams across Microsoft, are able to evaluate more aspects of web pages to detect suspicious behavior. These new heuristics, combined with enhanced telemetry, allow the URL Reputation Service to identify and block phishing sites faster than ever. In rare cases, SmartScreen will request feedback on sites of unknown reputation, as shown in this screenshot:

      http://ieblog.members.winisp.net/images/FeedbackRequest.png

      User feedback about unknown sites is collected by the SmartScreen web service and quickly evaluated to block new phish as they are discovered in the wild.

      Anti-Malware Support

      The SmartScreen Filter goes beyond anti-phishing to help block sites that are known to distribute malware, malicious software that attempts to attack your computer or steal your personal information. There are many types of malware, but most types can impact your privacy and security. The SmartScreen anti-malware feature is URL-reputation-based, which means that it evaluates the servers hosting downloads to determine if those servers are known to distribute unsafe content. SmartScreen’s reputation-based analysis works in concert with other signature-based anti-malware technologies like the Malicious Software Removal Tool, Windows Defender, and Windows Live OneCare, in order to provide comprehensive protection against malicious software.

      If you are lured to a site known to distribute malware, the SmartScreen blocking page is displayed and indicates that the server is known to distribute unsafe software:

      http://ieblog.members.winisp.net/images/KnownBadWebsite.png

      On the other hand, if you click on a direct link to a download (from an instant message, for instance) hosted by a known-malicious site, the Internet Explorer download dialog will interrupt the download to warn you of the threat:

      http://ieblog.members.winisp.net/images/UnsafeDownload.png

      SmartScreen’s anti-malware feature, complemented by the IE8 features that combat malicious repurposing or exploit of browser add-ons, helps to protect you from a full range of malicious websites.

      Group Policy Support

      Group Policy can be used to enable or disable the SmartScreen Filter for Internet Explorer users across an entire Windows domain. A new Group Policy option is available that allows domain administrators to block users from overriding SmartScreen Filter warnings. When Group Policy restrictions are enabled, the option to override the SmartScreen warning screen is removed from the blocking pages and download dialog.

      http://ieblog.members.winisp.net/images/SSWarningRemoved.png

      Privacy

      As outlined in Dean’s post last week, privacy is a core component of trustworthy browsing. As with IE7, Microsoft remains committed to helping ensure users’ privacy while providing protection from unsafe websites. URL data submitted to the SmartScreen web service for evaluation is transmitted in encrypted format over HTTPS. The data is not stored with a user's IP address or other personally identifiable information. Because user privacy is important in all Microsoft's products and technologies, Microsoft has taken steps to help ensure that no personally identifiable information is retained or used for purposes other than improving online safety; data will not be used to identify, contact, or provide advertising to users. You can read more in our privacy statement.

      Conclusion

      Web criminals are increasingly relying on social engineering attacks to engage in their criminal enterprises, but we’re working hard to deliver the tools to help keep you safe on the web. The IE8 SmartScreen Filter is designed to combat both phishing and malware sites while protecting your privacy and enabling high-performance browsing. I strongly recommend you enable the SmartScreen Filter and give it a spin in IE8 Beta 2, due in August. Please stay tuned to the IEBlog for further posts on IE8 Security improvements!

      Eric Lawrence
      Program Manager
      Internet Explorer Security
      More...
  14. Hi, I'm David Ross, Security Software Engineer on the SWI team. I’m proud to be doing this guest post on the IE blog today to show off some of the collaborative work SWI is doing with the Internet Explorer team. Today we are releasing some details on a new IE8 feature that makes reflected / “Type-1” Cross-Site Scripting (XSS) vulnerabilities much more difficult to exploit from within Internet Explorer 8.

      Type-1 XSS flaws represent a growing portion of overall reported vulnerabilities and are increasingly being exploited “for fun and profit.” The number of reported XSS flaws in popular web sites has skyrocketed recently – MITRE has reported that XSS vulnerabilities are now the most frequently reported class of vulnerability. More recently, sites such as XSSed.com have begun to collect and publish tens of thousands of Type-1 XSS vulnerabilities present in sites across the web.

      XSS vulnerabilities enable an attacker to control the relationship between a user and a web site or web application that they trust. Cross-site scripting can enable attacks such as:

        • Cookie theft, including the theft of session cookies that can lead to account hijacking
        • Monitoring keystrokes input to the victim web site / application
        • Performing actions on the victim web site on behalf of the victim user. For example, an XSS attack on Windows Live Mail might enable an attacker to read and forward e-mail messages, set new calendar appointments, etc.

      While many great tools exist for developers to mitigate XSS in their sites / applications, these tools do not satisfy the need for average users to protect themselves from XSS attacks as they browse the web.

      XSS Filter -- How it Works

      The XSS Filter operates as an IE8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing.

      With the new XSS Filter, IE8 Beta 2 users encountering a Type-1 XSS attack will see a notification like the following:

      http://ieblog.members.winisp.net/images/XSS.Notification.png

      The page has been modified and the XSS attack is blocked. In this case the XSS Filter has identified a cross-site scripting attack in the URL. It has neutered this attack as the identified script was replayed back into the response page. In this way the filter is effective without modifying an initial request to the server or blocking an entire response.

      As you may imagine, there are a number of interesting and subtle scenarios that the filter must handle appropriately. Here are some examples:

        • The filter must be effective even if the attack is adjusted to leverage artifacts of common web application frameworks. Ex: Will an attack still be detected if certain characters in a request are dropped or translated when replayed in the response?
        • In performing filtering our code must not introduce new attack scenarios that would not otherwise exist. Ex: Imagine the filter can be forced to neuter a closing SCRIPT tag. In that case, untrusted content on the page might then execute as script.

      And of course in addition to all of this we need to effectively counter all the XSS attack vectors not already addressed by other XSS-Focused Attack Surface Reduction measures.

      Compatibility is critical. This feature was developed with the understanding that if it were to “break the web,” we could not enable the feature by default. Or if we did, people would turn it off and get no benefit. We really want to provide as much value as possible to the maximum number of users. If Internet Explorer’s Application Compatibility Logging is enabled, all XSS Filter activity can be viewed using the Microsoft Application Compatibility Toolkit.

      Web developers may wish to disable the filter for their content. They can do so by setting an HTTP header:

      X-XSS-Protection: 0

      Ultimately we have taken a very pragmatic approach – we chose not to build the filter in such a way that we compromise site compatibility. Thus, the XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea. This is similar to the pragmatic approach taken by ASP.Net request validation, although the XSS Filter is able to be more aggressive than the ASP.Net feature. Assuming negligible site compatibility and performance impact, the fact that our filter effectively blocks the common “>… pattern we see most frequently in Type-1 XSS attacks is inherently a step forward. Pushing that further and blocking other common cases of reflected XSS where possible, as the XSS Filter does, is extra goodness. Caveats aside, it will be great to see the tens of thousands of publicly disclosed Type-1 XSS vulnerabilities indexed on sites like XSSed.com simply stop working in IE8. (Not to mention the IFRAME SEO Poisoning attacks we protect against as well!)

      I will go into more details on how the filter works, its history, its limitations, and some lessons learned during the development process over on my blog in the coming weeks.

      David Ross
      Security Software Engineer
      More...
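The detect-in-request, neuter-if-replayed idea from the post above, as an added example that is not the IE8 XSS Filter's own code: a simplified model that looks for script-bearing query-string values, rewrites any value replayed verbatim in the response so it no longer parses as markup, and honours the X-XSS-Protection: 0 opt-out. The heuristic list, the query parser and the sample request and response are constructed for this example; unlike the real filter it does not handle values that the server drops or translates before replaying.

```javascript
// Added example, not the IE8 XSS Filter's own code: a simplified model of the
// idea described in the post. Script-bearing query-string values from a
// cross-site request are looked for in the server's response; a value that is
// replayed verbatim is rewritten so it no longer parses as markup, and a
// response that opts out with "X-XSS-Protection: 0" is passed through untouched.

// Heuristics (constructed for this example) for request values that would
// execute script if reflected. A bare closing SCRIPT tag is deliberately NOT on
// this list: neutering the page's own </script> could extend a script block
// over untrusted content, the new-attack hazard the post warns about.
const SUSPICIOUS = [
  /<\s*script\b/i,                               // opening <script> tag
  /\bon(load|error|click|mouseover|focus)\s*=/i, // inline event handler attribute
  /javascript\s*:/i,                             // javascript: URL scheme
];

function isSuspicious(value) {
  return SUSPICIOUS.some((re) => re.test(value));
}

// Decoded query-string values of a request URL (small parser, no DOM needed).
function queryValues(url) {
  const qs = url.split('?')[1];
  if (!qs) return [];
  return qs.split('&').map((pair) => {
    const idx = pair.indexOf('=');
    const raw = idx === -1 ? '' : pair.slice(idx + 1);
    try {
      return decodeURIComponent(raw.replace(/\+/g, ' '));
    } catch (e) {
      return raw; // malformed escape: compare the raw text instead
    }
  });
}

// True when the response carries the opt-out header the post describes.
function hasOptOut(headers) {
  return Object.keys(headers).some(
    (h) => h.toLowerCase() === 'x-xss-protection' && String(headers[h]).trim() === '0'
  );
}

// Returns the (possibly rewritten) body plus the request values that were neutered.
function filterResponse(requestUrl, responseHeaders, body) {
  if (hasOptOut(responseHeaders)) {
    return { body, blocked: false, neutered: [] };
  }
  const neutered = [];
  let filtered = body;
  for (const value of queryValues(requestUrl)) {
    if (!isSuspicious(value) || !filtered.includes(value)) continue;
    // Replacing '<' breaks tag parsing; replacing '=' and ':' breaks handler
    // attributes and the javascript: scheme. Only the attacker's reflected
    // string is touched, never the page's own markup.
    const safe = value.replace(/[<=:]/g, '#');
    filtered = filtered.split(value).join(safe);
    neutered.push(value);
  }
  return { body: filtered, blocked: neutered.length > 0, neutered };
}

// Constructed sample: a search page that echoes its query parameter unescaped.
const SAMPLE_REQUEST = 'http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2';
const SAMPLE_BODY = '<p>Results for <script>alert(1)</script></p>';
```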
  15. Hi! I’m Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about our principles for delivering a trustworthy browser; today, I’m excited to share with you details on the significant investments we’ve made in Security for Internet Explorer 8. As you might guess from the length of this post, we’ve done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As web-developer, you can build upon some of these new features to help protect your users and web applications. As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits. Web Application Defense Cross-Site-Scripting Defenses Over the past few years, cross-site scripting (XSS) attacks have surpassed buffer overflows to become the most common class of software vulnerability. XSS attacks exploit vulnerabilities in web applications in order to steal cookies or other data, deface pages, steal credentials, or launch more exotic attacks. IE8 helps to mitigate the threat of XSS attacks by blocking the most common form of XSS attack (called “reflection” attacks). The IE8 XSS Filter is a heuristic-based mitigation that sanitizes injected scripts, preventing execution. 
Learn more about this defense in David’s blog post: IE8 Security Part IV - The XSS Filter. XSS Filter provides good protection against exploits, but because this feature is only available in IE8, it’s important that web developers provide additional defense-in-depth and work to eliminate XSS vulnerabilities in their sites. Preventing XSS on the server-side is much easier that catching it at the browser; simply never trust user input! Most web platform technologies offer one or more sanitization technologies-- developers using ASP.NET should consider using the Microsoft Anti-Cross Site Scripting Library. To further mitigate the threat of XSS cookie theft, sensitive cookies (especially those used for authentication) should be protected with the HttpOnly attribute. Safer Mashups While the XSS Filter helps mitigate reflected scripting attacks when navigating between two servers, in the Web 2.0 world, web applications are increasingly built using clientside mashup techniques. Many mashups are built unsafely, relying SCRIPT SRC techniques that simply merge scripting from a third-party directly into the mashup page, providing the third-party full access to the DOM and non-HttpOnly cookies. To help developers build more secure mashups, for Internet Explorer 8, we’ve introduced support for the HTML5 cross-document messaging feature that enables IFRAMEs to communicate more securely while maintaining DOM isolation. We’ve also introduced the XDomainRequest object to permit secure network retrieval of “public” data across domains. While Cross-Document-Messaging and XDomainRequest both help to secure mashups, a critical threat remains. Using either object, the string data retrieved from the third-party frame or server could contain script; if the caller blindly injects the string into its own DOM, a script injection attack will occur. 
For that reason, we’re happy to announce two new technologies that can be used in concert with these cross-domain communication mechanisms to mitigate script-injection attacks. Safer Mashups: HTML Sanitization IE8 exposes a new method on the window object named toStaticHTML. When a string of HTML is passed to this function, any potentially executable script constructs are removed before the string is returned. Internally, this function is based on the same technologies as the server-side Microsoft Anti-Cross Site Scripting Library mentioned previously. So, for example, you can use toStaticHTML to help ensure that HTML received from a postMessage call cannot execute script, but can take advantage of basic formatting: document.attachEvent('onmessage',function(e) { if (e.domain == 'weather.example.com') { spnWeather.innerHTML = window.toStaticHTML(e.data); } } Calling: window.toStaticHTML("This is some HTML with embedded script following... !"); will return: This is some HTML with embedded script following... ! Safer Mashups: JSON Sanitization JavaScript Object Notation (JSON) is a lightweight string-serialization of a JavaScript object that is often used to pass data between components of a mashup. Unfortunately, many mashups use JSON insecurely, relying on the JavaScript eval method to “revive” JSON strings back into JavaScript objects, potentially executing script functions in the process. Security-conscious developers instead use a JSON-parser to ensure that the JSON object does not contain executable script, but there’s a performance penalty for this. Internet Explorer 8 implements the ECMAScript 3.1 proposal for native JSON-handling functions (which uses Douglas Crockford’s json2.js API). The JSON.stringify method accepts a script object and returns a JSON string, while the JSON.parse method accepts a string and safely revives it into a JavaScript object. 
The new native JSON methods are based on the same code used by the script engine itself, and thus have significantly improved performance over non-native implementations. If the resulting object contains strings bound for injection into the DOM, the previously described toStaticHTML function can be used to prevent script injection. The following example uses both JSON and HTML sanitization to prevent script injection: XDR+JSON Test Page …even if the weather service returns a malicious response: HTTP/1.1 200 OK Content-Type: application/json XDomainRequestAllowed: 1 {"Weather": { "City": "Seattle", "Zip": 98052, "Forecast": { "Today": "Sunny", "Tonight": "Dark", "Tomorrow": "Sunny" } }} MIME-Handling Changes Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content (e.g. image, text, application, etc). For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource. In some cases, Internet Explorer reports a MIME type different than the type specified by the web server. For instance, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, IE determines that the content should be rendered as HTML. Because of the number of legacy servers on the web (e.g. those that serve all files as text/plain) MIME-sniffing is an important compatibility feature. Unfortunately, MIME-sniffing also can lead to security problems for servers hosting untrusted content. Consider, for instance, the case of a picture-sharing web service which hosts pictures uploaded by anonymous users. An attacker could upload a specially crafted JPEG file that contained script content, and then send a link to the file to unsuspecting victims. 
When the victims visited the server, the malicious file would be downloaded, the script would be detected, and it would run in the context of the picture-sharing site. This script could then steal the victim’s cookies, generate a phony page, etc. To combat this problem, we’ve made a number of changes to Internet Explorer 8’s MIME-type determination code. MIME-Handling: Restrict Upsniff First, IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script. This change mitigates the picture-sharing attack vector-- with no code changes on the part of the server. We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type. MIME-Handling: Sniffing Opt-Out Next, we’ve provided web-applications with the ability to opt-out of MIME-sniffing. Sending the new authoritative=true attribute on the Content-Type HTTP response header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. For example, consider the following HTTP-response: HTTP/1.1 200 OK Content-Length: 108 Date: Thu, 26 Jun 2008 22:06:28 GMT Content-Type: text/plain; authoritative=true; This page renders as HTML source code (text) in IE8. In IE7, the text is interpreted as HTML: http://ieblog.members.winisp.net/images/IE7.HTML.png In IE8, the page is rendered in plaintext: http://ieblog.members.winisp.net/images/IE8.PlainText.png Sites hosting untrusted content can use the authoritative attribute to ensure that text/plain files are not sniffed to anything else. MIME-Handling: Force Save Lastly, for web applications that need to serve untrusted HTML files, we have introduced a mechanism to help prevent the untrusted content from compromising your site’s security. 
When the new X-Download-Options header is present with the value noopen, the user is prevented from opening a file download directly; instead, they must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of your site, helping to prevent script injection. HTTP/1.1 200 OK Content-Length: 238 Content-Type: text/html X-Download-Options: noopenContent-Disposition: attachment; filename=untrustedfile.html http://ieblog.members.winisp.net/images/Savefile.png Taken together, these new Web Application Defenses enable the construction of much more secure web applications. Local Browser Defenses While Web Application attacks are becoming more common, attackers are always interested in compromising ordinary users’ local computers. In order to allow the browser to effectively enforce security policy to protect web applications, personal information, and local resources, attacks against the browser must be prevented. Internet Explorer 7 made major investments in this space, including Protected Mode, ActiveX Opt-in, and Zone Lockdowns. In response to the hardening of the browser itself, attackers are increasingly focusing on compromising vulnerable browser add-ons. For Internet Explorer 8, we’ve made a number of investments to improve add-on security, reduce attack surface, and improve developer and user experience. Add-on Security We kicked off this security blog series with discussion of DEP/NX Memory Protection, enabled by default for IE8 when running on Windows Server 2008, Windows Vista SP1 and Windows XP SP3. DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. 
You can read more about this defense in the original blog post: IE8 Security Part I: DEP/NX Memory Protection. In a follow-up post, Matt Crowley described the ActiveX improvements in IE8 and summarized the existing ActiveX-related security features carried over from earlier browser versions. The key improvement we made for IE8 is “Per-Site ActiveX,” a defense mechanism to help prevent malicious repurposing of controls. IE8 also supports non-Administrator installation of ActiveX controls, enabling domain administrators to configure most users without administrative permissions. You can get the full details about these improvements by reading: IE8 Security Part II: ActiveX Improvements. If you develop ActiveX controls, you can help protect users by following the Best Practices for ActiveX controls . Protected Mode Introduced in IE7 on Windows Vista, Protected Mode helps reduce the severity of threats to both Internet Explorer and extensions running in Internet Explorer by helping to prevent silent installation of malicious code even in the face of software vulnerabilities. For Internet Explorer 8, we’ve made a number of API improvements to Protected Mode to make it easier for add-on developers to control and interact with Protected Mode browser instances. You can read about these improvements in the Improved Protected Mode API Whitepaper. For improved performance and application compatibility, by default IE8 disables Protected Mode in the Intranet Zone. Protected Mode was originally enabled in the Intranet Zone for user-experience reasons: when entering or leaving Protected Mode, Internet Explorer 7 was forced to create a new process and hence a new window. http://ieblog.members.winisp.net/images/NewWindow.png Internet Explorer 8’s Loosely Coupled architecture enables us to host both Protected Mode and non-Protected Mode tabs within the same browser window, eliminating this user-experience annoyance. 
Of course, IE8 users and domain administrators have the option to enable Protected Mode for Intranet Zone if desired. Application Protocol Prompt Application Protocol handlers enable third-party applications (such as streaming media players and internet telephony applications) to directly launch from within the browser or other programs in Windows. Unfortunately, while this functionality is quite powerful, it presents a significant amount of attack surface, because some applications registered as protocol handlers may contain vulnerabilities that could be triggered from untrusted content from the Internet. To help ensure that the user remains in control of their browsing experience, Internet Explorer 8 will now prompt before launching application protocols. http://ieblog.members.winisp.net/images/IE8Prompt1.png To provide defense-in-depth, Application Protocol developers should ensure that they follow the Best Practices described on MSDN. File Upload Control Historically, the HTML File Upload Control () has been the source of a significant number of information disclosure vulnerabilities. To resolve these issues, two changes were made to the behavior of the control. To block attacks that rely on “stealing” keystrokes to surreptitiously trick the user into typing a local file path into the control, the File Path edit box is now read-only. The user must explicitly select a file for upload using the File Browse dialog. http://ieblog.members.winisp.net/images/filebrowsedialog.png Additionally, the “Include local directory path when uploading files” URLAction has been set to "Disable" for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet. For instance, rather than submitting the full path C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now submit only the filename image.png. 
Social Engineering Defenses As browser defenses have been improved over the last few years, web criminals are increasingly relying on social engineering attacks to victimize users. Rather than attacking the ever-stronger castle walls, attackers increasingly visit the front gate and simply request that the user trust them. For Internet Explorer 8, we’ve invested in features that help the user make safe trust decisions based on clearly-presented information gathered from the site and trustworthy authorities. Address Bar Improvements Domain Highlighting is a new feature introduced in IE8 Beta 1 to help users more easily interpret web addresses (URLs). Because the domain name is the most security-relevant identifier in a URL, it is shown in black text, while site-controlled URL text like the query string and path are shown in grey text. When coupled with other technologies like Extended Validation SSL certificates, Internet Explorer 8’s improved address bar helps users more easily ensure that they provide personal information only to sites they trust. http://ieblog.members.winisp.net/images/domainhighlight1.png http://ieblog.members.winisp.net/images/SScreen.png SmartScreen® Filter Internet Explorer 7 introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites. For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks millions of phishing attacks per week) and developed the SmartScreen® Filter. The SmartScreen Filter goes beyond anti-phishing to help block sites that are known to distribute malware, malicious software which attempts to attack your computer or steal your personal information. SmartScreen works in concert with other technologies like Windows Defender and Windows Live OneCare to provide comprehensive protection against malicious software. 
You can read more about the new SmartScreen Filter in my earlier post: IE8 Security Part III - The SmartScreen Filter.

Summary

Security is a core characteristic of trustworthy browsing, and Internet Explorer 8 includes major improvements to address the evolving web security landscape. While the bad guys are unlikely to ever just “throw in the towel,” the IE team is working tirelessly to help protect users and provide new ways to enhance web application security. Please stay tuned to the IEBlog for more information on the work we’re doing in Privacy, Reliability, and Business Practices to build a trustworthy browser.

Onward to Beta-2 in August!

Eric Lawrence
Program Manager
Internet Explorer Security

More...
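The Address Bar Improvements section above says the domain is the one part of a URL a user should read and that path and query text are site-controlled. The following added example (not IE8's code or Microsoft's) does the same classification with Python's standard URL parser, rendering the host in brackets where the address bar uses black text; the sample URLs use reserved example and .test names and are constructed.

```python
"""Domain highlighting: separate the security-relevant host from site-controlled URL text."""
from urllib.parse import urlsplit


def highlight(url: str) -> dict:
    """Classify URL pieces the way a domain-highlighting address bar would.

    Only 'host' is the identity the user should rely on. Text before '@'
    (user-info) and look-alike path segments are site- or attacker-controlled.
    """
    parts = urlsplit(url)
    site_controlled = parts.path
    if parts.query:
        site_controlled += "?" + parts.query
    if parts.fragment:
        site_controlled += "#" + parts.fragment
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,      # appears in the URL, but is not the host
        "host": parts.hostname or "",    # normalised (lower-cased) host name
        "port": parts.port,
        "site_controlled": site_controlled,
    }


def render(url: str) -> str:
    """Plain-text rendering: [brackets] stand for the black (highlighted) host text."""
    h = highlight(url)
    prefix = h["scheme"] + "://"
    if h["userinfo"]:
        prefix += h["userinfo"] + "@"
    port = f":{h['port']}" if h["port"] else ""
    return f"{prefix}[{h['host']}]{port}{h['site_controlled']}"


def same_site(url_a: str, url_b: str) -> bool:
    """True only when the highlighted hosts match, ignoring everything site-controlled."""
    return highlight(url_a)["host"] == highlight(url_b)["host"]
```

Comparing the rendered forms of two URLs that contain the same familiar name side by side shows why the grey text must not be read as identity.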
  16. Steve Johnson: Hypertext | Tribune Internet critic Chicago Tribune, United States - 18 minutes ago This raises the intriguing possibility that its successor, Windows Vista, was just a plot to make people finally find something to love about XP. ... More...
  17. With just a month to go before the Beta 2 release, Microsoft starts talking up the security features in Internet Explorer 8! More...
  18. Dell offers "Vista bonus" discs PC Pro, UK - Jul 1, 2008 Dell has issued a subtle dig at Windows Vista, describing the operating system as a "bonus" that comes with Windows XP. The PC manufacturer is urging ... More...
  19. Windows XP will be sold to some OEMs after all, says Microsoft BetaNews - 13 minutes ago Then, on June 30, Dell leveraged its channel blog to tell systems integrators and other resellers about the loophole in the Vista license that lets business ... More...
  20. Windows XP: Only 'mostly dead'? InfoWorld, CA - 41 minutes ago Vista is such a dog it qualifies for the Iditarod." Still, it seems there's a lot of revisionist history going around these days. When Windows XP came out, ... More...
  21. Windows XP: Dead or just resting? InfoWorld, CA - 2 hours ago When Windows XP came out, it was panned for being slow and incompatible, just as Vista has been (in InfoWorld, no less). It was also woefully, ... Vista failed on compatibility issues? CIO Weblog Windows 7 is coming. Will your PC be ready? InfoWorld all 5 news articles More...
  22. TechRadar.com Digital Home TechRadar.com, UK - 23 minutes ago By Ian Dixon It’s fair to say that over a year after its launch, Windows Vista has not been the giant success story that Microsoft probably hoped it would ... More...
  23. Vista failed on compatibility issues? CIO Weblog, CA - 21 minutes ago That seems to be the implication in Senior VP Bill Veghte's letter to Microsoft customers announcing the ship date for Windows 7 (around about January ... More...
  24. I am comfortable developing and architecting SharePoint solutions using my Virtual PC or connecting to a SharePoint server within our company network that I never thought of using my Vista laptop for SharePoint development. I just came across this post from BambooSolutions, webpart maker, about their “SharePoint on Vista” tool. I might try this out in [...] More...
  25. Dell Windows Vista Bonus is a PC with Windows XP instead iTWire, Australia - 20 hours ago According to Dell, new buyers can have a Windows Vista Bonus: a copy of Windows XP instead... In what has to go down as one of the most bizarre bits of ... Goodnight XP, Goodnight Vista, hello Midori TECH.BLORGE.com The end of Windows XP SmartCompany.com.au Windows Vista is built on a framework that can’t support it TECH.BLORGE.com all 4 news articles More...