IEAK 10 for Windows 8 now available

Internet Explorer Administration Kit 10 (IEAK 10) for Windows 8 is now available for download at http://ieak.microsoft.com. IEAK 10 simplifies the creation, deployment, and management of customized Internet Explorer 10 packages. IT Professionals can use IEAK 10 to configure the out-of-box Internet Explorer 10 experience for their users and to manage user settings after deploying Internet Explorer 10.

• Kevin Luu, Program Manager, Internet Explorer

IE 9.0.11 Available via Windows Update

Microsoft Security Bulletin MS12-071 - Critical

This security update resolves three privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 9 on Windows servers. For more information, see the full bulletin.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, seeMicrosoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

• Tyson Storey, Program Manager, Internet Explorer

BUILD 2012: 50 Performance Tricks to make your HTML5 Applications and Sites faster

Creating high performance Web applications is crucial for every Web developer, be it a Web site that runs on a standards based Web browser or a Windows Store App. Microsoft recently hosted the BUILD 2012 conference at the Microsoft campus in Redmond, WA. At this conference, I had the opportunity to share the Internet Explorer team’s favorite 50 performance tips to make HTML5 apps and sites faster. If you weren’t able to attend the conference, I recommend you check out the video.

These performance tips and tricks apply equally to Web sites that run on standards based Web browsers, and Windows Store Apps, which are also just the Web. There are six principals detailed in the talk that will help you improve the performance of your apps and sites today:

• Quickly respond to network requests
• Minimize bytes downloaded
• Efficiently structure markup
• Optimize media usage
• Write fast JavaScript
• Know what your application is doing

I hope you enjoy the talk.

— Jatinder Mann, Internet Explorer, Program Manager

W3C Web Performance: Continuing Performance Investments

The W3C Web Performance working group recently held the W3C Workshop on Performance on Thursday, November 8, 2012. The goal was to hear current challenges and proposals for new performance ideas for the working group to consider. There were 45 attendees from 21 organizations, including most browser manufactures (Microsoft, Google, and Mozilla), hardware organizations (Intel, Qualcomm, Nokia, Motorola), network organizations (Cisco, Akamai, F5), and top Web properties (GMail, Google Search, Bing, NetFlix, LinkedIn, Zynga, and more). Details on the presentations and discussions from the workshop can be found in this report.

Providing the ability to accurately measure the performance characteristics of Web applications and create power- and CPU-efficient applications is critical to Web performance. The W3C Web Performance working group worked on achieving those goals in its recently completed second chartered period. In under two years, the working group rapidly standardized and modern HTML5-enabled Web browsers implemented these eight interfaces: Navigation Timing, Resource Timing, User Timing,Performance Timeline, Page Visibility, Timing control for script-based animations, High Resolution Time and Efficient Script Yielding. Internet Explorer 10 is the first browser to support all eight of these new APIs.

The working group has since been focused on gathering data to understand which areas to focus on in its third chartered period. In addition to the Workshop on Performance, the working group has invited performance experts to its weekly conference calls and has broadly surveyed the performance community on ideas.

Based on all the data gathered these past few months, the Web Performance working group has decided to focus on the following areas in the third chartered period:

• Timing Metrics The working group will continue to improve the Timing interfaces, Navigation Timing, Resource Timing,User Timing and Performance Timeline. For example, we will consider providing Web workers support in the Timing interfaces and including information on video byte ranges in Resource Timing.
• Efficient Script Yielding The working group will continue to improve on power- and CPU-efficient APIs, like the setImmediate API defined in the Efficient Script Yielding specification.
• Prerender The working group will standardized the prerender feature which allows navigations to appear almost “instantly” in cases where the browser has high confidence that a user will visit an URL.  The way this feature would work is that the browser will proactively navigate to a Web page in a hidden tab, when it sees the “prerender” link type or has high confidence that user will visit that link. When the user does visit that link, the browser will make the hidden tab visible, giving the perception of instant navigation.
• Resource Priorities Today, browsers download resources in the priority order that they believe are most efficient in helping the page load occur quickly. However, developers may want to prioritize some resources over others. For example, downloading images above the fold may be of higher priority than those below the fold. Though, developers can give some hints to the browser on download priority, like using the “defer” and “async” attributes in markup, these concepts do not include most resources. To help the browser prioritize downloading resources, the working group is expanding the charter to include interoperable means for developers to give the browser hints on the download priority of resources.
• Diagnostics Interfaces Developers are interested in learning how to make their Web applications faster and less error prone. The working group is expanding the charter to include interoperable means for developers to get browser diagnostics information on their Web applications. For example, using these interfaces a developer could understand where memory is leaking or what errors users are encountering on their Web applications.
• Beacon Today, analytics scripts will block the current page from unloading by running in a loop in order to confirm that analytics data has been sent to a Web server. This behavior will delay the navigation to the next page, resulting in user perception of poor performance. To help developers avoid that pattern, the working group is expanding the charter to include an interoperable means for developers to asynchronously transfer data from the browser to a Web server, with a guarantee from the browser that the data will eventually be sent.
• Display Performance Developers are interested in understanding the performance of their games and animations.
  The working group is expanding the charter to include interoperable means for developers to get frame rate and throughput of the display type of information.

This working group is a great example of how quickly new ideas can become interoperable standards that developers can depend on in modern HTML5-enabled browsers. Together with industry and community leaders who participate in the working group, we hope to continue to make rapid progress on interoperable standards that will benefit developers and everyone who uses the Web.

Jatinder Mann, Internet Explorer, Program Manager

Microsoft Security Bulletin MS12-077 – Critical

This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 9 and Internet Explorer 10 on Windows clients including the Internet Explorer 10 Release Preview for Windows 7 and Windows Server 2008 R2, and Moderate for Internet Explorer 9 and Internet Explorer 10 on Windows servers. This security update has no severity rating for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update. For more information please see the full bulletin.

Microsoft Security Advisory (2755801) Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Microsoft is also releasing an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. For more information please see the full advisory.

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer

Update to Alleged Information and Security Issue with Mouse Position Behavior

Over the last few days we’ve seen reports alleging abuse of a browser behavior regarding mouse position. Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.

We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.

Online advertisers started a shift (link) “from a ‘served’ to a ‘viewable’ impression[s].” Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits (link). One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, “There are two ways to measure ad viewability. There is only one right way,” makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices.

The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry. We take these risks very seriously. Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.  

—Dean Hachamovitch, Corporate Vice President, Internet Explorer

Update:
Since the time of our post – these additional security blogs provide a good and balanced overview with respect to this topic:Actionable Intelligence: The Mouse That Squeaked and Spider.io Warns of Massive IE Security Flaw; But is it Legit?

HTML 5.0 and Canvas 2D Reach Candidate Recommendation Status

Today marks an important milestone for Web development, as the W3C announced the publication of the Candidate Recommendation (CR) version of the HTML 5.0 and Canvas 2D specifications. The specifications are on track for finalization by 2014. We want to congratulate the W3C on this achievement and bringing these specifications forward.

Internet Explorer 10 already offers hardware-accelerated HTML 5.0 and Canvas 2D support allowing developers to build compelling, cross-browser Web applications with good performance. We look forward to working with the Web community to finalize interoperable specifications in a timely manner. At the same time, we are actively involved in defining the scope for HTML 5.1, which includes exciting multimedia and other features that will continue to advance Web experiences.

You can read more about the progress to-date with HTML 5.0 and Canvas 2.0 specification, the next steps toward reaching Final Recommendation status, and progress toward defining HTML 5.1.

-- Sandeep Singhal, Group Program Manager, Internet Explorer

Penguin Mark: Blazing Fast Holiday Fun

We don’t want the holiday season to pass without sharing another new HTML5 experience that makes the most of your PC hardware and the new touch capabilities in Windows 8.

Check out Penguin Mark and enjoy some GPU-powered holiday fun. This experience brings together hardware-accelerated HTML5 capabilities like canvas, CSS3 animations and transitions, audio, WOFF, power and performance APIs, and more. Be sure to turn your volume up for maximum entertainment. The faster your browser, the higher your Penguin Mark score goes.

Click to test your browser’s holiday spirit with Penguin Mark

With Windows 8, we delivered a whole new browserthat’s fast and fluid, and built for touch browsing. IE10 adds support for a broad range of developer capabilities, including new touch APIs, performance, HTML5, CSS3, JavaScript, and more. We continue to be amazed and delighted by what developers are building on HTML5 and excited to be part of it.

Thank you!

Your participation and feedback is an important part of how we build IE. Today we want to say thank you to everyone who browses the Web with Windows 8, is using IE9 or IE10 preview on Windows 7, runs the test drives, and shares your feedback with the IE team. We also want to thank the people and groups who make the standards process work, the broad community of Web developers, and enthusiastic consumers who work to move the Web forward.

From the entire IE team, we wish you a Happy Hardware-accelerated Holiday Season, and we look forward to another exciting year and more progress on the Web in 2013.

—Rob Mauceri, Group Program Manager, Internet Explorer

Microsoft Security Bulletin MS13-008 - Critical

Today, we are releasing an out-of-band security update to fully address the issue described in Security Advisory 2794220. While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future.

This security update resolves one publicly disclosed vulnerability in Internet Explorer versions 6, 7, and 8. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 and Internet Explorer 10 are not affected. For more information, see the full bulletin.

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer