Web browsers battle at festival

Microsoft is ignoring web standards and should use its position to promote competition among browsers, the chief technology officer at Opera has said.

The complaint comes as Mozilla, the makers of another rival web browser, declared the "browser wars" over at the South by Southwest festival in Texas.

Hakon Wium Lie, from Opera, said: "Microsoft has to make sure there is user choice when it comes to browsers."

Internet Explorer's newest version will be standards compliant, Microsoft says.

Mr Lie said Microsoft's platform dominance gave them an "obligation to promote competition".

His company has already complained to the EU that Microsoft is using its dominance to promote Internet Explorer over Opera and other browsers. And Google has lent its support to the complaint.

Mr Lie said he was concerned that Microsoft would use its Windows Software Update System to distribute the forthcoming new version of Internet Explorer to users.

"That system should be used for other browsers too, to ensure users have genuine choice.

"We would be happy to channel Opera into that software update system," he added.

Firefox down

Mozilla's chief technology officer, Brendan Eich, told BBC News they would support any move to incorporate Firefox into the Windows Update System.

But Chris Wilson, platform architect of the Internet Explorer platform team, said adding other browsers to the automatic updates could confuse users.

He told BBC News: "It could be jarring [for users].

"The move form one browser to another is a bigger leap because they have different UI [user interfaces], different tenets and different missions," he said.

He pointed out that all the other browsers had their own automatic update systems.

He added: "Microsoft doesn't own the ecosystem - we don't own the OEM [original equipment manufacturer] channel.

"Other people can install things on there. I have had systems with other browsers pre-installed before."

Hobson's choice

Mr Lie said: "There is a choice for people who are conscious about it - they can download and install them.

"But there is still one dominant browser, Microsoft's Internet Explorer and most people don't care or don't know how to get other browsers.

"There is still room for more competition. Why does Internet Explorer have so many users when in the past it has been such a terrible browser.

"There are so many better options there," he added.

Mr Lie said Microsoft had backtracked on a commitment to be standards compliant with Internet Explorer 8, because the browser would not use default support standards when used on intranets.

Mr Wilson said the company had done this to ensure web developers could continue to use Internet Explorer 7 on their pages while they updated them to Internet Explorer 8.

Mr Eich said the imminent release of Internet Explorer 8 would see an end to the "browser wars" with users split between the last three versions of Internet Explorer, Firefox 2, Firefox 3, Safari, Chrome and Opera.

Mr Wilson agreed the "wars" were shifting into an era of co-operation.

"It's certainly fair to say there is a lot better co-operation and focus on interoperability across all the browsers."

Microsoft has faced criticism for "going it alone" in areas such as security and when it acted to fix the problem of so-called click-jacking, which is a cross-scripting method of shifting users from one URL to others without their knowledge.

While the problem affects all browsers, Microsoft implemented a solution on its own.

Mr Wilson said: "You need to respond very quickly otherwise you are leaving users to hang out to dry. We looked at where we were in the [development] cycle and couldn't wait for another cycle to address click-jacking."

He told BBC News: "In security issues you have to get solutions deployed quickly. We are perfectly happy for other browsers to take that solution and build on it."

Holes in the machine

Malicious software may just be a property of the network, says regular contributor Bill Thompson


The Conficker worm will be active again on 1 April, according to an analysis of its most recent variant, Conficker.C, by the net security firm CA.

This malicious piece of software, also known as Downup, Downadup and Kido, spreads among computers running most variants of the Windows operating system and turns them into nodes on a multi-million member "botnet" of zombie computers that can be controlled remotely by the worm's as yet unidentified authors.

Since it first appeared in October 2008 it has apparently infected more than 15 million computers around the internet, though even that number is no more than an educated guess because the worm works very hard to disguise its presence on a PC.

The worm turns

Conficker spreads through a security vulnerability in the Windows Server Service that allows a carefully written program to persuade the attacked computer to run malicious code instead of the Microsoft-written software.

Once installed it turns off Windows Automatic Update and stops you using the Windows Security Centre. It disables a range of internal services that could be used by anti-malware programs, blocks access to a number of anti-virus websites and even resets and deletes system restore points so you can't go back to an uninfected installation of your operating system.


And at some point it connects to a remote site to download additional malware and register itself as part of the botnet. The analysis of the latest version indicates that this will next happen on April 1st, and the day maybe a bad one because the way it does this has changed in the latest version of the worm, making it significantly harder to stop.

Previous Conficker infections were controlled to some extent because security researchers were able to determine which servers the worm was going to try to contact and block access to them before it did so. But the C variant has a much larger pool of potential domains to choose from, as it selects 500 target servers from a pool of 50,000 while previous versions chose 32 from 250.

As a result the ad hoc group of security researchers who have been working to limit the botnet's use, the Conficker Cabal, will have a much harder time ensuring that infected systems do not make the connection to the remote service that may allow them to be used to send spam e-mail, log user keystrokes or launch denial of service attacks on other computers.

We will have to wait until April to see how effective efforts at controlling Conficker are, but the analysis that has been done to date shows that it is a particularly well-designed program, one that will be hard to beat.

The overall sophistication of the current generation of malicious software is rather impressive, and I occasionally find myself admiring the skill of its developers in the same way that I can appreciate the technical skill and imagination that goes into fighter planes, tanks and modern armaments.

I may not approve of the use to which the ingenuity is being put, but I can't deny that Conficker's developers are ingenious in the way they have developed and distributed their code.



Whatever happens with this particular worm, we have to hope that the security features in Windows 7 will reduce the impact of all types of malicious software in the Microsoft ecosystem, although there will probably be enough unpatched systems around for some years to sustain Conficker and other worms, especially if the growth of netbooks means that Windows XP is still being used.

But while it's easy to blame Microsoft for making its systems vulnerable we should also acknowledge that our own demands have contributed a great deal to the current situation and may make a complete solution unachievable.

We have demanded complex, sophisticated computers that are easy to use, simple to interact with and able to connect to the internet as full peers. We want what Jonathan Zittrain calls "generative" systems that can run new software to take advantage of new services and connect us to new people. And we do not want to spend hours configuring firewalls, locking down features or scanning for potential malware.

History lesson


Perhaps we should not be surprised that attempts to make these systems secure have failed.

I see a parallel between our attempts to have security and reliability in the complex computer systems we are building today and the attempts by philosophers at the turn of the 20th to reduce all of mathematics to formal logic.

The work of Frege, Russell and Whitehead was undermined by the Austrian mathematician Kurt Gödel when he published his Incompleteness Theorem in 1931. He showed that in any sufficiently complex mathematical system there will be statements that cannot be proved either true or false, and that this is not because of errors or mistakes but is a fundamental property of the system.

His work made it clear that attempts to explain all of mathematics in terms of formal logic were doomed to failure, and there are clear similarities between our attempts to free our computers and the network from malware and the world described by Gödel.

There will always be flaws and security holes in the rich, complex computing environment, and as a result there will always be space for malicious software to propagate.

That doesn't mean our attempts to limit its spread and control the potential damage are futile, but it does mean they will be never-ending.