For years, Microsoft user interface designers labored under the notion that Windows users wanted a friendly assistant to help them perform ordinary tasks. Clippy, the chirpy, googly-eyed paper clip that debuted in Office 97, became the stuff of endless parodies: “It looks like you’re writing a ransom note. Would you like some help with that?”
Windows XP had its own set of cringingly cute cartoon characters in the form of Search Assistants: Rover the dog, Merlin the Wizard, and a pair of other forgettable characters.
The worst part of the XP search experience was the set of tricks and corny punch lines each character would deliver as it made you go through extra steps to find files.
Eventually, someone in Redmond came to their senses and canned the characters in favor of a simple, fast search add-on. Not coincidentally, that happened after Google delivered a simple, fast search add-on for Windows.
Thank goodness for competition!
At the dawn of the commercial Internet, in the mid-1990s, Netscape represented an existential threat to Microsoft. Microsoft, which had not yet been reined in by the U.S. Department of Justice, responded aggressively to the dominance of Netscape Navigator, introducing Internet Explorer 1.0 at the same time as Windows 95 and revising it at a breakneck clip for the next six years.
Netscape could not compete, eventually selling itself to AOL in 1998. By the time XP launched in 2001, IE's market share was in monopoly territory, hovering around 90%.
Windows XP shipped with Internet Explorer 6, which was full of then-revolutionary ideas. This press release from 2001 almost sounds like a parody in retrospect. Seriously, "unparalleled support for industry standards"?
"Internet Explorer 6 features a new visual design as well as innovative browser capabilities, including enhanced Explorer Bars, integrated instant messaging, media playback and automatic picture resizing, as well as improved privacy for personal information on the Web and unparalleled support for Internet industry standards. In addition to being easier to customize and deploy, Internet Explorer 6 is a feature-rich platform for building Web-based applications and developing compelling content for users."
And then, with victory assured, Microsoft decided to stop shipping new revisions of Internet Explorer. Part of the blame goes to the all-hands-on-deck focus on security, which stopped development of many Microsoft products as coders were sent for mandatory security training. But whatever the reason, it opened the door for a competitor.
Ironically, that competitor turned out to be built on the old Netscape code base, which had been open-sourced by AOL in 1998. It was originally called Phoenix (risen from the ashes of Netscape, get it?) and by the end of 2004 it had been renamed Firefox and had nearly a 4% share of all browser usage. As Microsoft continued to ignore IE and security issues with the browser got worse, Firefox became increasingly popular.
Microsoft belatedly resumed development of Internet Explorer, shipping IE7 with Windows Vista in late 2006. A vastly improved IE8 shipped in 2009 with Windows 7. But those releases did little to slow the precipitous decline in market share for IE. Even worse, much of the web developer community had developed a visceral loathing for Microsoft’s browser.
Today, Microsoft has rededicated itself to web standards—this time for real. And its efforts with IE9 have earned grudging respect from some web professionals. But it will never be able to make up the momentum it lost with five years of neglect in the middle of the last decade.
Credit: chart data from Net Applications
Microsoft's ActiveX technology seemed like a very bright idea in 1996, when the World Wide Web was still shiny and new. ActiveX controls were helper programs that could be called by a local app or a Web browser for a specific function. But the architects who dreamed up ActiveX didn't think of its consequences on PC security. The results over the next 10 years or so were disastrous. Today, if you ask a computer security professional or an IT pro about ActiveX, they'll probably just roll their eyes and groan.
The subject came up last year when I criticized Adobe's record on security. Several readers pointed out, quite reasonably, that the same Symantec report I referenced in that post said that "ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities [in 2009], with 134." And indeed, for years after XP's introduction Microsoft was continuing to deal with the fallout of ActiveX insecurity.
Initially, ActiveX provided a convenient way for crooks to sneak malware onto Windows PCs. These were classic social engineering attacks, with malware disguised as a required update to play media files, for example.
Microsoft dealt with those But then, in June 2009, the mother of all ActiveX vulnerabilities was discovered. This is the infamous MSCOMM32.OCX ATL Loader Remote Code Execution Vulnerability (CVE-2008-0024). The problem was found in a template file that was included with Microsoft Visual Basic. In its security advisory, IBM Internet Security Systems rated its exploitability as "high" and described what made the problem so acute:
"Although this ActiveX control is not installed by default, most PCs have it. Nearly all Visual Basic applications include this DLL during the installation process, and, since it's considered a shared component of these applications, it is typically left on the system even after an uninstall. So, if a Visual Basic program has ever been installed on a computer, it probably has this ActiveX control installed, too, which makes this component highly prevalent, and, therefore, a lucrative target for attackers."
There's no telling how many ActiveX programs were affected by this vulnerability, but the number is probably in the hundreds. The problem was worst for anyone using Windows XP with Internet Explorer 6.
Over time, Microsoft has tightened security around ActiveX controls dramatically. IE7 introduced a feature called ActiveX opt-in, which made it impossible for an attacker to use an installed ActiveX control without permission. In Windows Vista and Windows 7, Internet Explorer uses Protected Mode, which sandboxes ActiveX controls so they're unable to do any serious damage. And cumulative updates to Internet Explorer routinely set ActiveX "killbits" for vulnerable controls to block them from running at all.
In modern Windows versions, you're unlikely to find more than a handful of ActiveX controls. (Adobe's Flash plugin for Internet Explorer is the most common one.) But it's taken years to shake off the security headaches that came with ActiveX, and Internet Explorer's image remains tarnished today.