Robert McMillan, IDG News Service
Web surfers may start noticing some unusual behavior from their
Internet Explorer browser after installing Microsoft's next round of
security patches, expected April 11. That's because the software giant
is planning to make changes to the way its browser handles dynamic
content like Flash or QuickTime--changes that were made necessary
following Microsoft's highly publicized patent dispute with Eolas
Technologies.
Microsoft has already made these changes available as an optional IE
patch, but now they are being rolled into IE's next security update,
which will make them effectively mandatory for most users.
"Currently that update is in the testing phase and could be released
as early as April," said Stephen Toulouse, security program manager
with Microsoft's security response center. "But of course, that isn't
final," he added.
There has been some confusion over the date of this next
release. Earlier this week, Microsoft's Customer Support Services
group published a note saying that the changes were expected on April
11, but that announcement was pulled, because that date is "not
finalized," Toulouse said.
In August 2003, an Illinois court awarded Eolas $521 million in
damages for Microsoft's patent violations. Though Microsoft is
appealing this ruling, and challenging the validity of the Eolas
patent with the U.S. Patent Office, the court ruling forced Microsoft
to make the changes or risk being found in contempt of court.
ActiveX Changes
The ActiveX changes will gum up the way some Web surfers interact with
dynamic content by forcing them to click on a pop-up "tool tip" dialog
box before being able to interact with things like Flash or QuickTime.
Microsoft, Apple Computer, and Adobe Systems have published
work-arounds for the changes, which means that Web sites that have
coded these work-arounds will appear as normal to IE users.
But the IE changes will probably take some by surprise, according to
Jon Galloway, a Web developer with San Francisco's VelocIT. "A lot of
Web sites are not going to update their Flash right away," he said.
The changes will certainly be an annoyance, but they will not prevent
users from running Flash or QuickTime files, he said. "It's the kind
of thing that's going to upset a marketing department that wants
everything to look perfect," Galloway said.
Most of the pain from the IE update will be felt by Web developers who
may find themselves scrambling to implement the work-arounds. "Once
this rolls out to everybody, suddenly things that used to work
automatically will have to be manually done," said Richard Smith, an
Internet security consultant based in Boston. "The bottom line is Web
sites are going to have a lot of work to do here."
Put to the Test
Developers have had a fair bit of time to test the ActiveX changes.
Microsoft released them as part of a February 28 "non-security" update
to IE.
One IE user said he'd seen "very little difference" in day-to-day
browsing behavior after installing the patch. "Making this change no
longer optional might throw some people for a loop, but I think
overall it won't be too disruptive," said Todd Towles, a security
consultant based in Austin, Texas.
Adobe has published a Web page explaining how Flash developers can
work around the problem. The page includes a video demonstration of
what the pop-up tool tips will look like.
Microsoft's work-around can be found online.
Apple's QuickTime developer instructions also can be found online.
Copyright 2006 PC World Communications, Inc.
robert McMillan (idg@telecom-digest.org)