Robert McMillan, IDG News Service
Web surfers may start noticing some unusual behavior from their Internet Explorer browser after installing Microsoft's next round of security patches, expected April 11. That's because the software giant is planning to make changes to the way its browser handles dynamic content like Flash or QuickTime--changes that were made necessary following Microsoft's highly publicized patent dispute with Eolas Technologies.
Microsoft has already made these changes available as an optional IE patch, but now they are being rolled into IE's next security update, which will make them effectively mandatory for most users.
"Currently that update is in the testing phase and could be released as early as April," said Stephen Toulouse, security program manager with Microsoft's security response center. "But of course, that isn't final," he added.
There has been some confusion over the date of this next release. Earlier this week, Microsoft's Customer Support Services group published a note saying that the changes were expected on April11, but that announcement was pulled, because that date is "not finalized," Toulouse said.
In August 2003, an Illinois court awarded Eolas $521 million in damages for Microsoft's patent violations. Though Microsoft is appealing this ruling, and challenging the validity of the Eolas patent with the U.S. Patent Office, the court ruling forced Microsoft to make the changes or risk being found in contempt of court.
The ActiveX changes will gum up the way some Web surfers interact with dynamic content by forcing them to click on a pop-up "tool tip" dialog box before being able to interact with things like Flash or QuickTime.
Microsoft, Apple Computer, and Adobe Systems have published work-arounds for the changes, which means that Web sites that have coded these work-arounds will appear as normal to IE users.
But the IE changes will probably take some by surprise, according to Jon Galloway, a Web developer with San Francisco's VelocIT. "A lot of Web sites are not going to update their Flash right away," he said.
The changes will certainly be an annoyance, but they will not prevent users from running Flash or QuickTime files, he said. "It's the kind of thing that's going to upset a marketing department that wants everything to look perfect," Galloway said.
Most of the pain from the IE update will be felt by Web developers who may find themselves scrambling to implement the work-arounds. "Once this rolls out to everybody, suddenly things that used to work automatically will have to be manually done," said Richard Smith, an Internet security consultant based in Boston. "The bottom line is Web sites are going to have a lot of work to do here."
Put to the Test
Developers have had a fair bit of time to test the ActiveX changes. Microsoft released them as part of a February 28 "non-security" update to IE.
One IE user said he'd seen "very little difference" in day-to-day browsing behavior after installing the patch. "Making this change no longer optional might throw some people for a loop, but I think overall it won't be too disruptive," said Todd Towles, a security consultant based in Austin, Texas.
Adobe has published a Web page explaining how Flash developers can work around the problem. The page includes a video demonstration of what the pop-up tool tips will look like.
Microsoft's work-around can be found online.
Apple's QuickTime developer instructions also can be found online.
Copyright 2006 PC World Communications, Inc.