Interview with IE Lead Program Manager
crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."
Christopher Vaughan ... (Score:5, Funny)
Need a /. interview with this guy (Score:5, Insightful)
Re:Need a /. interview with this guy (Score:5, Insightful)
Do tell, I personally thought the interview wasn't too bad, although it could have pressed on a few issues rather than swiftly moving onto a new question.
Re:Need a /. interview with this guy (Score:5, Interesting)
Re:Need a /. interview with this guy (Score:2, Insightful)
4) Who would win? (Score:5, Funny) - by Call Me Black Cloud
In a fight between you and William Gibson, who would win?
Re:Need a /. interview with this guy (Score:3, Funny)
GoogleFight [googlefight.com]. Question answered.
Re:Need a /. interview with this guy (Score:3, Funny)
Well, yeah, but that's because a Slashdot interview would focus primarily on a software engineering decision made a decade ago and whether or not IE7 will support PNG transparency...
Re:Need a /. interview with this guy (Score:4, Interesting)
How about asking him what they are going to do about standards support in the future? Will they use open standards (if they exist) rather than defining their own? Will they open up any new standards they define?
They should also ask him about extensibility for the browser and what they are doing to encourage developers to write extensions for the browser. The single best feature of Firefox is that there are so many good extensions.
Re:Need a /. interview with this guy (Score:5, Interesting)
Re:Need a /. interview with this guy (Score:2, Informative)
Also, it's possible to change the default click action. In that case, having open in the list makes more sense.
default action is Open (Score:5, Informative)
You can change the default action to something else instead of open.
Left-click is just a shorthand way of right-clicking and selecting the default.
The reason it's done this way is that it's a much better (a more OO) way of associating commands with a file type. You can add a new command, change the default to that, and then left-clicking the file performs the new command! I do this for
If you want to know more, read about Shell Extensions in MSDN.
Re:Need a /. interview with this guy (Score:3, Interesting)
I suspect that may have something to do with the way asp.net handles (or did handle) state. Possibly another "innovation" to make their browser work better with THEIR software.
-Eric
Re:Need a /. interview with this guy (Score:4, Insightful)
Re:Need a /. interview with this guy (Score:5, Funny)
Oh oh oh oh. I know this! To go to msn.com!
Re:Need a /. interview with this guy (Score:4, Insightful)
These days? Probably to search (from your homepage or the search bar) or use a bookmark.
Re:Need a /. interview with this guy (Score:3, Funny)
Probably the same as everybody that opens up a new IE browser window.
Stare at the ads on the MSN and get mentally prepared to buy everything in sight.
Re:Need a /. interview with this guy (Score:5, Funny)
Porn?
Re:Need a /. interview with this guy (Score:3, Insightful)
When I open a browser, it's pretty unlikely the first thing I'm going to do is type in an address. Sometimes I'm going to pick a bookmark, but most of the time, I'm going to type into the first input on my home page (a Google Search), which is where IE lands my cursor.
Do you really type in entire addresses from memory most of the time? Not that there is anything wrong with that, but it seems odd to then be concerned about one additional keystroke on top of the 10-20 you're making already.
Re:Need a /. interview with this guy (Score:3, Interesting)
I use autocomplete. I mostly have to enter one or two letters before the site I want
Well IE sorts web addresses in some useless order. It's alphabetical, which would be useful if I was a computer and could binary search it or something.
Firefox (and opera I believe) sorts the autocomp
Re:Need a /. interview with this guy (Score:3, Informative)
Re:Need a /. interview with this guy (Score:3, Insightful)
No no, for a SAFER IE experience, hit Alt+F4.
Seriously, this interview was an example of "title inflation". The guy's not the "Lead Project Manager" - (how can you even have more than one lead) he's :
In other words, he's not
Re:Need a /. interview with this guy (Score:3, Funny)
So what you do is you take the specifications from the customers and you bring them down to the software engineers?
I deal with the goddamn customers so the engineers don'
Strangely enough.. (Score:5, Funny)
Re:Strangely enough.. (Score:5, Funny)
You forgot one question... (Score:5, Insightful)
Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... your workload would have been really small ;)
http://psychicfreaks.com/ [psychicfreaks.com]
Re:You forgot one question... (Score:5, Funny)
Not using .net? (Score:5, Interesting)
Re:Not using .net? (Score:5, Insightful)
Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere
Re:You forgot one question... (Score:2, Insightful)
Lack of motivation. They waited for some competition.
If only I could take Ballmer's job... (Score:5, Interesting)
I would...
Better question for the interview... (Score:5, Insightful)
Re:Better question for the interview... (Score:5, Insightful)
Apparently they think they have a better way of doing CSS than the people who set the CSS standards. That's unfortunate, because it seems like a simple thing to comply with some web standards and then, if you think you can do better, create your own standard to compete with it and get all the other browsers to support it, too.
Better yet, get involved in the development of the standard and put your ideas on the table along with everyone else's.
The business argument (Score:5, Insightful)
As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.
If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.
Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.
Re:The business argument (Score:5, Insightful)
It doesn't matter what the browser market share is in terms of installed base. That's entirely irrelevant to this discussion.
The real market share is the number of pages on the net that are coded to some IE standard rather than the open standard. That's the real market share here.
Developers have adopted the open standards and valid code at a fast rate lately. It's extremely rare to find a page that only works in IE these days. Most of those pages are holdovers from 1997 or something.
And more and more pages are W3C valid. Even slashdot is valid now!
So really IE can hang themselves if they want, it's not up to their idiot users, it's up to the web developers. And the web developers are telling MS to fuck off.
Re:The business argument (Score:3, Insightful)
Do you honestly believe that there is no connection between those two ideas?
Actually, for the most part on
Re:The business argument (Score:4, Insightful)
It's faster than developing for IE, because Firefox has better web developer tools, and the standards are better documented than IE's behavior.
Re:The business argument (Score:3, Funny)
Open a web page with Explorer. There's your answer...
Re:The business argument (Score:4, Informative)
It's an amalgamated mess of about half of CSS 2.1, some proprietary stuff, and a sprinkling of JavaScript expressions. It doesn't have a name, but Microsoft tend to refer to it as "CSS", despite being clearly different to CSS. cf. Embrace, extend & extinguish.
Re:The business argument (Score:3, Informative)
It's a shame that web developers have LET IE define the standard.
Re:The business argument (Score:4, Insightful)
It's all well and good to be smug and practical about this kind of thing. "Well Microsoft dominates so just live with it." But some of us are, you know, interested in making things better than how they are, not waiting for our Benevolent Microsoft Gods to give us their blessings.
Re:Better question for the interview... (Score:5, Interesting)
Try again. Microsoft had employees on the CSS working group at the W3C, while at the same time they were busy coding the proprietary stuff instead. All the finished CSS specifications, right from the first one published in 1996, have an acknowledgements section listing, among others, Microsoft employees.
The fact is, if they thought they had a better way of doing things, they could easily have brought it up when CSS was being designed, because they are some of the people who made CSS in the first place.
responsible for handling...security requests. (Score:5, Funny)
> responsible for handling all of the incoming customer & security requests.
Q: Can you make it secure please?
A: Sadly, no - as I've been asleep for the last 5 years! Why else do you think nothing's happened on the IE project since 2001?
Twice Daily Status Meetings? (Score:5, Funny)
"We met while working on Windows Server 2003 at the twice daily status meeting."
Morning meeting: "I'm planning on writing some code today"
Afternoon meeting: "I had planned on writing some code, but I was busy preparing my presentation for this meeting"
This explains a lot...
Re:Twice Daily Status Meetings? (Score:5, Interesting)
Re:Twice Daily Status Meetings? (Score:3, Funny)
Re:Twice Daily Status Meetings? (Score:3, Funny)
Re:Twice Daily Status Meetings? (Score:4, Interesting)
Sadly, though, the guy who is on every committee and is constantly in meetings is probably most likely to get a promotion (since he's doing such a great job of making it LOOK like he's working hard). He's also the guy on every committee who is mysteriously absent when any actual committee WORK assignments are being handed out.
-Eric
That long eh? (Score:5, Funny)
And he's kept his job?!?
Re:That long eh? (Score:3, Insightful)
If the product you were responsible for had a 97% market share (apparently "only" in the high 90's now though) your job would probably be somewhat safe too.
Re:That long eh? (Score:4, Informative)
I don't believe 97 percent was ever achieved by IE, but I could be wrong.
Re:That long eh? (Score:3, Informative)
It's pretty close, from what I've read.
Just googled this:
http://en.wikipedia.org/wiki/Usage_share_of_web_b
it's in that ball park (frequently around 90-95%).
My point remains - it could only be 50% and it's doing well (on paper!)
Re:That long eh? (Score:3, Insightful)
Re:That long eh? (Score:3, Informative)
Re:That long eh? (Score:2)
Re:That long eh? (Score:5, Insightful)
I can imagine the IT discussions there:
CFO: "Hey, let's get online banking done. What do your guys need from us?"
CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."
(weeks/months later)
CFO: "Hey it doesn't work in Netscape 4.0"
IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
CIO: "Yeah, all we need to do is check for something called the user agent."
(a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)
CFO: "Hey Chuck, I just got a call from the chairman of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
CFO: "By the way one board member remarked his mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
CIO: "Sounds great to me."
Re:That long eh? (Score:3, Funny)
Hmmm, since your url is: http://nerds.palmdrive.net/ [palmdrive.net], I'm not surprised you have fewer IE users.
Re:That long eh? (Score:5, Insightful)
Re:That long eh? (Score:2, Insightful)
That wouldn't be correct, as most people DON'T use WordPad for their word processing. So actually your example proves that just because something is included in Windows doesn't automatically make it popular.
'Trending'? (Score:5, Funny)
Did he mean 'tending', or is this some horrible fusion of trend and tend that I was previously unaware of?
A brief search [google.co.uk] reveals that I am out of touch. But everyone else is wrong, I should add.
Re:'Trending'? (Score:4, Insightful)
Re:'Trending'? (Score:5, Funny)
Re:'Trending'? (Score:2)
Two quotes: (Score:4, Insightful)
Glad he's paying attention
The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.
Oh, really? Let's hear it for forward thinking...
Re:Two quotes: (Score:5, Insightful)
Oh, but not for Microsoft. That's hardly the users' fault.
Comment removed (Score:5, Interesting)
Re:Why not start a "marklar project?" (Score:5, Informative)
Re:Why not start a "marklar project?" (Score:5, Informative)
Stop making up stuff. The full list of .NET 2.0 breaking changes is available here [microsoft.com]; at least cite examples from those if you're going to make claims that .NET 2.0 is completely incompatible with 1.0/1.1.
C# 2.0 maintains full source compatibility regarding keywords. The new keywords (where, yield, partial) work only under certain contexts, and can still be used as variable names. For example, where and partial work only in class definitions, i.e. public partial class Blah<T> where T : class, and yield can only exist as yield return 4. There is no legal 1.0/1.1 code like that.
Types you define in your assembly take precedence over those in other assemblies, so there's no compilation issue. If you want to use new classes that clash with yours, you can add a using SubstituteClassName = ClashingClassName and use the new substitute name.
Look at the breaking changes page and tell me which one of those impacts you severely. All the changes I see are to fix bugs or security issues, or remove extraneous functionality. New signatures are simply added as overloads and the old signature made obsolete where necessary. See next for why obsolete doesn't mean a breaking change.
You can find a list of obsolete APIs here [microsoft.com]. And before you respond with "see!!! all those obsolete APIs break my code!!!", they're all either obscure or unsafe parts of the API, or have been updated to take advantage of new .NET 2.0 constructs. Furthermore, they're merely marked obsolete and will only generate a warning; you can still use them if you choose.
That is likely a failing on your part. Visual Studio 2002/2003/2005 all generate solutions that reference projects with relative paths. None of that is stored in the registry; hell, I've been uploading my projects to a Subversion repository and working on them from a variety of locations for years without any path problems.
All the wizards/tools generate .NET code; you can code everything manually if you'd like, including Winforms and ASP.NET. Even the project files are XML, and in .NET 2.0, you can compile everything without even the IDE installed. What examples do you have of stuff that requires a wizard to work?
Re:Why not start a "marklar project?" (Score:3, Informative)
Microsoft shouldn't have any problems starting a second Internet Explorer project to rewrite the entire codebase in C#.
The "Javagator" project - a parallel project at Netscape to completely rewrite Netscape Navigator in Java - is one commonly cited reason why Netscape failed.
There's some notes about that on this page [jwz.org].
Rich.
Re:Why not start a "marklar project?" (Score:4, Informative)
Ok, a lot of people keep saying this, and I think there is some big misconception here.
IE taps into the HTML rendering DLLs of Windows. However EVERY application that runs on Windows taps into the FONT rendering DLLs or the BITMAP rendering DLLs, but no one makes this claim about them. Nor other applications that use features from the HTML rendering functions of Windows.
So to keep asserting that IE is somehow 'hooked' into Windows on a level above a NORMAL application is not entirely correct. It would be like saying FireFox also has deep hooks into Windows because it uses the Windows DLLs for FONTS and IMAGES...
What is this... (Score:2, Interesting)
Active code (Score:5, Insightful)
I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)
I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.
Re:Active code (Score:4, Funny)
"This website wants to take advantage of an unpatched buffer overflow in the browser itself, an Active-X component, or an underlying DLL. Is that OK?"
About CSS2... (Score:5, Interesting)
In light of yesterday's request for interview questions for the creator of CSS [slashdot.org], I was disappointed that interviewers aren't grilling Microsoft for standards compatibility. For that matter, why aren't we (as a community) grilling Firefox for their lack of standards compatibility? What would it take for them to 'get the picture' [webstandards.org]?
How about a Firefox plugin that e-mails the Firefox foundation every time you start Firefox? Or an ActiveX control in IE that does the same? I think it would send a clear message that these things are important to consumers and ought to be a priority for updates.
Re:About CSS2... (Score:5, Interesting)
I think this answers your question: http://flickr.com/photos/dbaron/126886608/ [flickr.com]
Re:About CSS2... (Score:3, Informative)
CSS3 is still a working draft; there is no point in implementing everything, as changes might come or the behaviors of properties might change. Currently Gecko supports several CSS3 properties; in particular, they have implemented support for several css3 selectors [l-c-n.com].
As CSS3 is still under development, mozilla use vendor-specific extensions [w3.org] to those properties. This is not a bad thing, it is also the correct way to implement things according to w3. You can see it is a reminder that you use those properties of your
Re:About CSS2... (Score:2)
And *I* think it would very quickly get filtered to
Seriously, there are ways to get your point across; email bombing people isn't one of them.
Re:About CSS2... (Score:3, Insightful)
Or how about being grateful for the free use of the software they are giving you? Or how about getting involved in the solution rather than coming up with newer ways to spam the programmers who volunteer their time to make you a better browser?
I get your frustration. I'm a web developer, and deviation from standards causes me a great deal of pain and trouble, but when it's all said and done, I haven't contributed o
Spyware (Score:3, Interesting)
From TFA
Well in one respect, I don't really care where spyware & malware is going - I just want it eliminated. Whether it's key loggers or rootkits or adware, our job is simple: keep unauthorized software off of the users' machines. We've attacked this problem at multiple levels
And this from the company that won't let you install security fixes unless you install their spyware, sorry WMA. Or is it that their spyware is OK, others is not because 'they're the good guys'
Re:Spyware (Score:3, Insightful)
This epitomizes MS culture and why they constantly fail. By making themselves the gatekeepers of "authorized" software, MS realizes a new way to take money away from developers. It completely ignores what users want. Users don't want to be restricted to a subset of software that is "authorized." They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.
I've said it before... new s
Re:Spyware (Score:4, Interesting)
These two goals are fundamentally in conflict, since "malicious" cannot be objectively and programmatically defined.
I've said it before... new software on Windows should be running in a jail or sandbox or VM or something and by default should not be allowed to touch anything without the user being informed in real English and given the option to granularly deny the software, without stopping that software from running in most cases. This would solve the vast majority of Windows' and IE's security problems.
No, it wouldn't. You have proposed the standard "dialog box storm" solution to security, and it doesn't work. Primarily because users are lazy, but also because they're ignorant and simply uninterested in acquiring sufficient knowledge to make educated decisions.
Asking the user "are you sure" three times is not more secure than asking them "are you sure" twice.
As long as lazy, ignorant and downright stupid end users are able to execute arbitrary code on their computers, the malware problem will not - and can not - be solved.
Re:Spyware (Score:3, Insightful)
Microsoft are just being
If Windows was perfect, they would never be able to sell a new version. But Microsoft have to sell new versions of Windows; it's the basis of their business. Therefore, Windows has to be defective in order for there to be something to put into a "better" version in future.
There's a similar line of reasoning which explains why governments haven't solved the major social problems of the day. There's good work for a government in a fuc
It's sad - but... (Score:3, Insightful)
.NET not good enough for MS? (Score:3, Insightful)
Credit where credit's due (Score:5, Funny)
Microsoft gets a bad rap here on Slashdot, but for the record I'd like to publicly thank them for one of the best, most altruistic decisions in tech history.
I'm talking about the decision to discontinue Internet Explorer for Mac. As a web developer this has made my life far easier. God knows how many man-decades of work this has saved the world's html coders.
The cloud to this silver lining is that I still spend a good proportion of my working life abusing my code so that it'll work on IE without breaking on real browsers. Multiply that up by the number of web designers / developers in the world and that's got to cost a few lives.
So, Microsoft dude, when, oh when, can the world's developers expect a joyous, fully IE-free existence?
Re:Credit where credit's due (Score:3, Insightful)
That's a bit of an odd thing to say. Microsoft essentially pulled the rug out from under the Mac Internet Explorer developers. What would have been the rendering engine for v6.0 was instead used for Mac MSN, and it turned out to be a great engine with great standards support. Killing Mac Internet Explorer just meant that the people who stayed with Mac Internet Explorer stayed with the old and buggy version you despise instead of having up to date support for the standards.
IE Free Existence? (Score:3, Interesting)
I'll answer for him. Somewhere around, oh, 2020. Unless Firefox stops being an annoying, memory-leaking POS that hangs on me every half hour, or Opera actually gains some momentum, or Linux captures more than 50% of the market.... none of which I'm anticipating.
I say 2020 only because I think the browser concept will probably last about that long.
Managed Code (Score:2, Interesting)
Not a good sign (Score:3, Interesting)
Spyglass (Score:2, Informative)
IE7 = Vista, therefore IE7=good? (Score:3, Interesting)
So that's a good thing, right?
Some folks may think otherwise [theinquirer.net]
Microsoft Has Improved (Score:3, Interesting)
At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.
Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.
What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/ [secunia.com]) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, you have to conclude that Microsoft improved. A great deal in fact.
I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.
IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit any holes in IE.
Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market.
Re:Security! Don't make me laugh (Score:5, Insightful)
IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.
Just don't make me laugh (Score:5, Insightful)
Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.
Re:Just don't make me laugh (Score:5, Interesting)
I won't argue there. MS picked convenience over security, and it's plagued them (and us) ever since.
Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7.
Firefox has had a few problems, and they were quickly and effectively patched. FF has the advantage of being OSS, which means that the less malicious hackers will find the bug and report it rather than abuse it, simply because they are sympathetic to OSS projects.
Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
Bear in mind that there are a lot of anti-MS types out there just waiting for a new version of IE so they can bang out the first exploit for it to show that MS is weak. And, of course, there's the fact that IE7 is going to be the dominant browser in a few years, whoever gets a head start on cracking it now will have the advantage later when they're making grabs for zombie PCs or burying adware on your system.
I'm not saying any of that makes up for all the difference, but it's definitely something we need to consider. Firefox simply doesn't attract the vitriol that anything made by MS does.
And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.
OpenBSD has gone through some pretty serious revisions over the years. IE6 has been patched, but it's still IE6.
Re: (Score:2)
Re:Security! Don't make me laugh (Score:2)
Sure it does. Have you heard of any exploits for the SoObscureItDoesntExist Browser?
Re:Security! Don't make me laugh (Score:5, Interesting)
Some, yes. Some of the hooks existed already as part of Microsoft's great failure: placing "user-friendly" over security. That is ultimately what has made their software so vulnerable: in the interest of maintaining their hold on the market, they made their OS as easy to use as possible. That means minimizing security challenges and that sort of thing...which means opening it up to exploitation. Add in the fact that their two biggest products besides Windows--IE and Office--both hook deep into the OS and provide the same sort of vulnerabilities, and you get a recipe for disaster.
Re:Security! Don't make me laugh (Score:2)
It's only a great failure if you consider completely dominating your market for several years a failure.
Microsoft are a business, and for whatever reason, they have decided to compete for the web browser market. Whatever we may think of the ethics of their decisions, it is undeniable that they deliver what the market wants better than anyone else, even if that means a technologically inferior
Re:Security! Don't make me laugh (Score:2)
Re:How Many? (Score:2, Informative)