Sunday, February 01, 2009

Internet Explorer 8 RC released: What to expect and a whole lot more…

Yep. Almost (but not quite) forgotten amid the celebration of Microsoft’s Windows 7 Beta release has been the announcement that Internet Explorer 8 Release Candidate is now available.

What’s New

The team will post more about all changes between Beta 2 and RC. In brief:

  • Platform Complete. The technical community should expect the final IE8 release to behave as the Release Candidate does. The IE8 product is effectively complete and done. We’ll post separately about the thousands of additional test cases we’re contributing to the W3C. We've listened very carefully to feedback from the betas. With the Release Candidate, we’re listening carefully for critical issues.
  • Reliability, Performance, and Compatibility improvements. We’ve studied the telemetry feedback about the browser's underlying quality and addressed many issues.
  • Security. We’ve worked closely with people in the security community to enable consumer-ready clickjacking protection. Sites can now protect themselves and their users from clickjacking attacks “out of the box,” without impacting compatibility or requiring browser add-ons.  We also made some changes to InPrivate based on feedback from customers and partners.

We also made some changes to the user experience based on feedback. For example, based on data about how people actually use it, we made fitting more items on the Favorites bar easier. (Note that the IE8 Release Candidate is for Windows Vista, XP, and Server only; Windows 7 users will get an updated IE8 with the next update of Windows 7. Also, the Release Candidate of the Internet Explorer Administration Kit is available for download now.)

I’ve been using the Beta release for a while in a virtual system and it has performed well.  Next I will need to bump it up to the RC version.

Preliminaries

It doesn’t appear to be as big a deal but you better still read the fine print before embarking.

This post has a bunch of goodies for the intrepid installers.

Let’s rip out the critical bits from that post.

  • If you are on Vista and already have an IE8 Beta version, then this will upgrade in place. No uninstall of the previous version will be needed.
  • There is a new pre-requisite for IE8 RC1 (KB957388). Be on the lookout for it.
  • Windows 7 Beta users are already running a special build of IE8. Don’t try to install it on that platform.
  • Release notes for RC1 outline a few scenarios you should watch out for when installing IE8 RC1.
  • Technet Edge interview [the post author] did covers many install topics

XP users (most)

Download the installer file. (Unless you already have an IE8 pre-RC version installed, in which case you might be offered it via Automatic Updates or Windows Update.)

Be prepared that the IE8 RC installer will first uninstall (if previously installed) IE8 pre-RC versions from your system.  Then it will reboot, complete the IE8 RC install, then reboot again.

Check the version by going to Help –> About Internet Explorer dialog to see the version number 8.0.6001.18372.

Go and hit your Windows Updates to find the particular update required when running IE8 RC1 on multi-core XP-SP2 x86 computers: KB932823 or KB946501

XP SP3 users (a chosen few): Red pill or Blue pill?

If you happened to first install IE8 pre-RC versions before upgrading to XP-SP3 you’ve got some hard choices to make.  If your option to uninstall the IE8 pre-RC version is “grayed” out, then you can continue to install IE8 RC (and future release versions including the final version) but you will no longer be able to uninstall either IE8 or XP SP3 from here on out.  You will get a nice warning dialog before you proceed. Do so and both your IE8 and XP SP3 tattoos stick permanently.

If this concerns you, then you need to uninstall the XP SP3 service pack, then uninstall your IE8 Beta version, reinstall XP SP3, then go forward to installing IE8 RC.

It’s up to you. Choose wisely.

Vista Users have it Easiest

IE designers, based on user feedback, built the IE8 installer to automatically replace IE8 pre-RC builds as part of the RC installation process.  This makes things very simple.

Run the installer (or via the Windows Update process if a previous IE8 Beta version is present), let it do its thing, reboot, done.  You do need to first get KB937287 and KB957388.

After IE8 RC1 installation is wrapped up the final screen of the Install Wizard should tell you that IE8 finished cleanly.

To verify, launch IE, open Help –> About Internet Explorer and find the version number 8.0.6001.18372.

Dwight Silverman has an illustrated guide to the process for Vista at TechBlog: Installing Internet Explorer 8 RC1: A visual tour

Other IE8 Bits

Here is some more IE8 reading on features

IEBlog : IE8 Security Part VII: ClickJacking Defenses – It’s a bit dense with web-code architecture and how it relates to browser design but this seems to be the point IE designers want us to know:

As we designed Internet Explorer 8, we had to be very careful not to increase the browser’s attack surface for CSRF attacks. IE8’s new XDomainRequest object, for instance, allows cross-domain communication upon explicit permission of the server, but contains specific restrictions to ensure that new types of CSRF attacks are not made possible. End-users can mitigate the impact of CSRF attacks by logging out of sensitive websites when not in use, and by browsing in independent InPrivate Browsing sessions. (InPrivate sessions start with an empty cookie jar, so cached cookies cannot be replayed in CSRF attacks.)

Security’s Crux: Real Problems vs Point Solutions – On the Digital Soapbox blog, Rafal Los provides a very interesting counterpoint to this approach.  He steps back and takes a wider view of the clickjacking threat.

I keep reading Giorgio's posts on the Internet Explorer 8 BETA1 release and "ClickJacking" protections offered therein (here and here), yes he's the guy who does NoScript, and it's all of the sudden become clear to me. Once again, Microsoft has solved an industry-wide problem by perpetuating their own proprietary technologies and then marketing them as ground-breaking. NoScript addresses the UI Redress attack (more commonly known as ClickJacking), but since IE is so proprietary and closed... they have to re-invent the wheel to self-serve. This perpetuates the need for Microsoft to "save the masses"... since most people that don't know better are hooked on Microsoft's IE technology like crack.

I quickly got lost on Giorgio’s own blog site following those links.  Again, unless you are a security wonk or web-design guru you might get lost, but I still found them very fascinating to read. Especially as they touch on an important topic for browser security.

My advice for all this? Just run the latest version of Firefox and install the awesomely protective NoScript add-on.  What’s that you say?  NoScript protects against JavaScript threats and stuff like that, it doesn’t protect against clickjacking that is code-based?  Let NoScript’s developer clear things up:

Talking about rectifications, Security Watch’s apology of Microsoft’s take on Clickjacking protection, while defending X-FRAME-OPTIONS against the general skepticism from security experts, emphatically warned twice that “NoScript won’t protect you”. Larry Seltzer’s premise, “JavaScript is not required for the attack” was obviously correct, but unfortunately for him (and fortunately for Firefox users), NoScript doesn’t rely on script blocking to defeat the attack. He had apparently never heard about ClearClick, the specific anti-Clickjacking protection provided by NoScript, which is extremely effective even if JavaScript is enabled (or the attack is scriptless). Ironically, ClearClick is also the only available implementation of Michal Zalewski’s “favorite solution”, which his article even tries to explain.
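
The X-FRAME-OPTIONS header named in the quote above is a response header a site sends to opt out of being framed. As an added example (not code from this post, IEBlog or NoScript), here is a small audit of what a response's header actually declares. It assumes only the DENY and SAMEORIGIN values, compares against the top-level page only, and uses made-up hostnames and sample headers.

```javascript
// Added example: simplified model of an X-Frame-Options check (assumption:
// only DENY and SAMEORIGIN are recognized; real browsers differ in edge cases).

// Collect every X-Frame-Options value from [name, value] header pairs.
function frameOptionValues(headers) {
  return headers
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, value]) => value.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v !== '');
}

// Classify the declared policy so an audit can flag responses that look
// protected but are not (a misspelled value gives no protection).
function classifyPolicy(headers) {
  const values = [...new Set(frameOptionValues(headers))];
  if (values.length === 0) return 'missing';
  if (values.length > 1) return 'conflicting';
  if (values[0] === 'DENY') return 'deny';
  if (values[0] === 'SAMEORIGIN') return 'sameorigin';
  return 'invalid';
}

// Would the response at frameUrl render inside a frame on the page at topUrl?
function mayRenderInFrame(headers, frameUrl, topUrl) {
  switch (classifyPolicy(headers)) {
    case 'deny':
      return false;
    case 'sameorigin':
      return new URL(frameUrl).origin === new URL(topUrl).origin;
    case 'conflicting':
      return false; // this model's choice: contradictory values block framing
    default:
      return true; // missing or invalid: the page stays framable
  }
}

// Constructed sample responses, framed by a page on a different site.
const SAMPLES = [
  ['login page', [['X-Frame-Options', 'DENY']]],
  ['checkout', [['x-frame-options', 'sameorigin']]],
  ['misspelled', [['X-Frame-Options', 'SAME-ORIGIN']]],
  ['no header', [['Content-Type', 'text/html']]],
];
for (const [label, headers] of SAMPLES) {
  console.log(label, classifyPolicy(headers), mayRenderInFrame(headers, 'https://shop.example/pay', 'https://other.example/'));
}
```

The "misspelled" and "no header" rows are the ones to look for in an audit: both leave the page framable by any site.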

User Experience Changes since Beta 2 - IEBlog

  • Search box can display images for instant “visual search results”
  • Smart Address Bar now displays feed results optionally, autocomplete suggestion does not show entire sections, and more results are displayed in the list.
  • The Favorites Bar now allows you to customize the width of item titles so you can cram more on there without having to manually rename (or remove them). This is nice.
  • InPrivate Browsing and InPrivate Blocking have been tweaked so that they may be used separately.

Overview of Platform Improvements in IE8 RC1 – IEBlog – Light post that highlights some page design and standards handling improvements with IE8 along with performance and aspects for developers.

Enjoy.

--Claus V. 
