Microsoft has officially released Internet Explorer 8 (IE8), the latest version of its web browser, adding improved compliance with web standards, greater security features and improved performance.

Available to download now, IE8 includes only minor changes over the release candidate version that was made available to testers in January.

The new browser adheres much more closely to published web standards than previous versions, and has features designed to offer greater user privacy and stronger protection against malicious web pages. It also has user interface improvements designed to make life easier, according to Microsoft.

“It really is the most complete browser currently available for whatever you want to do,” said John Curran, Windows Business Group lead at Microsoft UK.

However, Gartner analyst Ray Valdes maintained that IE8 has no compelling new features from an end-user perspective.

“But Microsoft doesn’t need to have compelling features – it just needs to be in the same ball park as rival browsers. Its advantage is a huge installed base and the supporting infrastructure in enterprise deployments,” he said.

Nevertheless, Valdes stressed that the improved security in IE8 makes it an essential upgrade, especially for businesses still using Microsoft’s browser. ” Enterprises now need to get off IE6 and move to a more modern browser,” he said.

IE8 now displays content in the most standards-compliant way, which should drive greater consistency in web sites and applications. However, some content designed for older IE versions may not display properly, which means that a Compatibility Mode is required to display any problem pages as they would look in IE7.

“The problem is that many corporate apps were designed for IE6, which had flaws, so the apps worked around those flaws. If you try to use them in a modern standards-based browser, they don’t work,” explained Valdes, adding that this is not likely to be a problem in the web at large.

“Legacy support is important,” explained Curran. “If a company standardised on IE, they’ve probably made a significant investment in applications, and we want to ensure they can continue to take advantage of those. Microsoft takes this very seriously.”

Improvements for users focus on ease of use, such as an enhanced ‘find’ bar that starts looking through the page as you type, and a built-in search bar that now shows visual results for web searches.

Also new are Accelerators, which provide shortcuts to functions from web content, such as looking up a selected word, and Web Slices, which provide live links to web-based information such as stock market prices. Reliability has been addressed with improved crash recovery, along with isolation between tabs so that one badly behaved web page does not bring down every open tab.

IE8 also delivers greater privacy through anInPrivate Browsing mode, which retains no information such as cookies or browsing history from web sites visited; and InPrivate Filtering, which offers greater control over third-party content that might be gathering information about the user, such as tracker ads.

Julia Owen, Microsoft UK’s product manager for IE8, claimed that greater security was a “foundational aspect” of the new browser during development.

As well as IE7’s phishing filter technology, IE8 can now identify and block cross-site scripting attacks used to steal information such as passwords from compromised web sites.

“It blocks cross-site scripts without the need to disable JavaScript, which is immensely helpful because you don’t have to think about it,” said Owen.

Valdes agreed that all these features are worth having. “Users need all the security help they can get, and Microsoft is now trying to fill this need,” he said.

IE8 is easier to deploy and manage for enterprise customers, according to Curran, with new Group Policy settings that allow administrators to control browser settings through Active Directory.

Settings that can be managed include whether specific sites are viewed in standards mode or compatibility mode, enabling or disabling security filters, policies for security zones, and whether users can change key settings.

IE8 is available for Windows XP, and the 32-bit and 64-bit versions of Windows Vista and Windows Server 2003.

Users testing the beta release of Windows 7 should not install IE8 over the version that is included with that platform, Microsoft warned, as there are some differences in the code. (Source:Vnunet.com)

Engineers in Microsoft’s Internet Explorer group continue to refine a new security feature designed to block malicious scripts that can be injected into trusted websites to steal email and account credentials. Judging from the magnitude of the problem, their task may never be completed.

Among the multitude of revisions introduced in last week’s release of Internet Explorer 8 were tweaks intended to make the browser’s cross-site scripting (XSS) filter better withstand tricks for concealing malicious characters in web addresses. Some of the world’s foremost web application security experts helped, an indication of the difficulty of containing the threat.

One fix enables input to be treated as a stream of individual bytes rather than characters, a change that prevents attackers from evading the filter using Chinese characters in web addresses. Because of the way certain characters, including “<” are rendered in Chinese, bad guys were able to sneak them into malicious URLs that weren’t detected by versions of the Microsoft beta browser.

A similar technique that uses a PHP function known as “stripslashes,” which removes backslashes from strings, had also been used to bypass the IE XSS filter. The protection now generates additional signatures that offer alternate interpretations of the input.

Other fixes involve scenarios that use extremely long UTF-8 sequences or injections of FORM and ISINDEX elements. Nulls in HTTP responses and Object tags using the CODETYPE attribute have also received attention.

Over the past few years, XSS vulnerabilities have emerged as an Achilles Heel for some of the biggest and most sensitive websites. In December, researchers found several XSS flaws on the site of American Express that potentially could have allowed attackers to steal users’ authentication cookies. Other sites that have been bitten by the bugs include Google Mail, Yahoo, MySpace, and Facebook.

XSS attacks allow attackers to inject hostile code into a targeted domain by taking advantage of a common practice among web developers who allow one website to link to images and scripts hosted from a second site. When Microsoft’s XSS filter encounters code that’s hosted on a different site, a heuristics engine inspects the URL and POST data and uses regular expressions to identify possible XSS vulnerabilities.

This is an extremely tall order for any browser. The ability of one site to link to code hosted on another site is a key architectural design at the heart of today’s website, so filtering carries the risk of breaking many websites if not executed carefully. And the list of techniques for evading such filters is long and only getting longer.

Several top-flight researchers helped Microsoft pinpoint the weaknesses. They include Yosuke Hasegawa, 80sec, Ronald van den Heetkamp, Amit Klein, and Gareth Heyes.

Microsoft’s goal seems to be to protect users against the most dangerous XSS threats without degrading the performance of legitimate websites. Contrast that with the NoScript extension for the competing Firefox browser, which does a great job of blocking many XSS attacks but also has the potential to confuse many less-sophisticated users.

The constantly expanding number of ways for bad guys to evade the Microsoft filter means its design is likely to remain an iterative, ongoing process with plenty of additional tweaks to come.

Microsoft has restated that its next milestone release for Windows 7 will be the Release Candidate test of the OS and not a second beta.

The software giant’s Windows development boss Steve Sinofsky said in an official blog post on Saturday that there will only be one beta of Windows 7.

Many will see that reaffirmation as a clear sign that the Vista successor may land at some time in 2009. Some have predicted that Windows 7 could arrive as early as the third quarter of this year.

However, Microsoft is sticking characteristically to its guns about when it will let the operating system loose by remaining silent on when it expects to ship Windows 7.

“The obvious question is that we know the pre-beta was October 28, 2008, and the beta was January 7th, so when is the Release Candidate and RTM? The answer is forthcoming,” said Sinofsky.

“We are currently evaluating the feedback and telemetry and working to develop a robust schedule that gets us the right level of quality in a predictable manner.

“Believe me, we know many people want to know more specifics. We’re on a good path and we’re making progress. We are taking a quality-based approach to completing the product and won’t be driven by imposed deadlines.”

Partners are continuing to receive builds from MS, said Sinofsky, who also insisted that making the operating system a successful release involved collaboration industry-wide.

Microsoft first announced its decision to only release one beta of the OS at the Professional Developers Conference in October last year, when it dished out a pre-beta version of Windows 7 to attendees at the event.

Sinofsky reiterated the firm’s delivery plan: First to provide a public beta – which arrived on 7 January – followed by a release candidate build, after which the product should RTM. But it’s unclear at this stage whether the RC build will be made available to public or private testers.

Microsoft’s bringing Silverlight to cell phones, partnering with Nokia to bring the rich Internet app browser plug-in to devices that use Nokia’s popular S60 software platform.Nokia will also make Silverlight available on its Series 40 devices and its Internet Tablet devices, the companies are expected to announce Tuesday.

The strategy to get Silverlight on mobile devices — and particularly on the Symbian OS — is part of Microsoft’s effort to make the browser plug-in a cross-platform, cross-browser product in order to get as much penetration as possible on the Web. The company is also working on a version of Silverlight for Windows Mobile, a beta version of which is due out soon.

Microsoft is coming from behind. Adobe has had a strong mobile presence for Flash for years. It has distribution agreements with 18 of the top 20 device manufacturers worldwide including Nokia, and according to Adobe, 450 million devices have been shipped so far with Flash Lite, which is a trimmed down version of Flash. That, of course, compares to zero for Microsoft. According to Adobe, Flash Lite has seen a 150% growth in the past year.

While Microsoft’s early Silverlight mobile strategy will focus on Symbian and Windows Mobile, Adobe also supports BREW and a few other proprietary operating systems.

Though most of Adobe’s strategy has thus far revolved around Flash Lite, some devices also ship with the full version of Flash, including a few from LG like the LG Chocolate and Voyager. Adobe also offers a service called Flash Cast that includes channels of content, a home screen called Flash Home, and tools that show software developers how their Flash apps would look on specific mobile devices.

Still, Nokia gives Microsoft a good footprint. Nokia’s S60 platform is the most popular smart phone software platform worldwide, with more than 53% market share in the fourth quarter of 2007, according to analyst firm Canalys.

“We can’t pretend to be a really ubiquitous play without being a partner with Nokia and Symbian,” John Case, GM of Microsoft’s developer division, said in an interview.

Nokia licenses its S60 platform, which uses the Symbian mobile operating system, to other major mobile device manufacturers, including LG Electronics and Samsung, though only Nokia uses S60 in the United States, according to Nokia’s own Web site.

Much of Microsoft’s strategy for Silverlight thus far has revolved around creating content partnerships rather than relationships with hardware manufacturers. Though Microsoft says there are around 8,000 Silverlight apps today and the company is announcing more on Wednesday at its MIX conference for Web developers, the deal with Nokia could be a sign that there’s enough Microsoft dedication to Silverlight that Nokia is convinced the content will come, as it wouldn’t make sense to include a multi-megabyte application on a hardware-limited mobile device if it isn’t going to be used.  [informationweek]

Microsoft is preparing $50 billion takeover bid for Yahoo! to counter Google’s acquisition of online advertising giant DoubleClick.

Microsoft and Yahoo! have held informal merger talks in the past, but Microsoft has intensified efforts in light of the Google-DoubleClick deal, reports the New York Post.

Analysts value Yahoo! at $50 billion and estimate the deal would give Microsoft just over a quarter of the search advertising market, with Google-DoubleClick controlling two thirds.

Acquiring Yahoo! would significantly boost Microsoft’s capabilities to tackle the growing mobile market, but integration of operations could potentially present thorny cultural and technological challenges, says Datamonitor analyst Ri Pierce-Grove.

“Both Microsoft and Yahoo are strongly motivated to find ways to dethrone Google, the current market leader, and the combined mass of the two companies’ client and consumer bases could generate a viable competitor to Google on both the desktop and the mobile device,” Pierce-Grove says.

“Microsoft, which has not historically emphasised acquisition as a growth strategy, made headlines with a recent acquisition of TellMe which made the company’s intentions clear with regard to mobile search. In this context, acquiring Yahoo would significantly build out Microsoft’s capacities, and allow it to move more aggressively into an expanding new market.”

Both Adobe and Microsoft are launching products that step right on each others’ turf today. Microsoft is launching Silverlight, a direct competitor to Adobe’s Flash. Meanwhile, Adobe is launching Adobe Media Player, a rival to Windows Media Player. This could be the hardest fought battle in the rich media space…well, ever.

Silverlight vs Flash
WINNER: Flash
Silverlight has been under development for more than two years. It’s a browser plugin for playing media files and interactive Web apps that works on Windows PCs and Macs with Firefox, IE and Safari. Partners include Brightcove, Limelight Networks, Netflix and Akamai. Silverlight provides DRM and the window can be resized thanks to the use of vectors. A pre-release version is available for download. Flash has a large installed base, and lots of traction after YouTube and other video sites made use of it. Microsoft, however, could reverse that trend by including Silverlight in automatic updates, pre-installing it on PCs and so on.
Adobe Media Player vs Windows Media Player
WINNER: Windows Media Player
The Adobe Media Player, meanwhile, is a free desktop media player designed to take on Windows Media Player. Adobe is going in the other direction to Microsoft: trying to leverage its dominance of online video and interactive apps to kickstart uptake of the desktop app. Adobe Media Player lets you subscribe to content via RSS, and it’s the only major desktop media player that will support Flash. This too is cross platform (Windows and Mac), and features Flash DRM, a feature that the independent company Widevine announced last week. Providers will also be able to attach ads to content.
It seems to me that the ultimate winner in this battle will be the one to push the greatest number of users from one platform to another: from Windows to Silverlight, and from Flash to Adobe Media Player. Both companies seem to have a good shot at doing that, meaning that the ultimate victor is just too hard to call.