Subject: [ PFIR ] Warning: New Microsoft Patch Breaks Web Pages -- On Purpose!

OK, let's be fair about this, the underlying purpose of the
Microsoft patch isn't to break Web pages, though this result was
understood and expected.

Some venues are calling the issue a "mini-Y2K" -- which is a bit
overdramatic -- but it *is* important and could have significant
effects around the world.

As of a few days ago, vast numbers of Internet Explorer (IE) users
are experiencing Web pages all over the Net which simply don't work
as expected any more.

Simplified backstory first. A couple of years ago, Microsoft lost a
patent fight over commonly used techniques to embed "active" content
into Web pages. While "ActiveX" operations are usually cited in
this regard, in reality all manner of embedded active player objects
are apparently involved, including Flash, QuickTime, RealPlayer,

We can argue about whether or not such techniques should be patentable
in the first place. A lot of us believe that such patents have gone
way overboard and that the USPTO is far out of its depth.

In any case, MS decided that they didn't want to pay the associated
license fees for the patented techniques (so far, the holders of the
patent have seemingly not gone after open source browsers in
non-commercial contexts -- such as Firefox -- which is why Firefox is
not currently affected by this issue).

Several months ago, MS issued a patch to change IE behavior to what
they believe is a non-infringing operation. This requires that users
explicitly click embedded objects first (theoretically guided by a
small hint message that appears if they happen to mouse over the
objects, which will supposedly be visually boxed as a cue), before
the objects will become active. In the case of active objects that
already require a click to start, this means that *two* clicks will
now be needed.

There are variations on this theme. For example, in some cases,
playback of video may commence automatically, but the video control
buttons reportedly won't be active unless the user clicks them first.

There are ways to redesign Web pages to restore the original
behaviors, more or less. But these typically require the use of
security issues, especially on large sites.

If MS originally issued the patch that changed IE behavior months
ago, why is this a big deal today? Because only now is Microsoft
pushing out that patch as part of the standard automatic "Windows
Update" mechanisms. Previously, you would have had to manually
download the patch yourself. Millions of people are currently
receiving the patch, and seeing the associated effects.

Now for an even more bizarre twist. Microsoft, realizing the sudden
negative impact that this patch could have on many users, has just
issued yet *another* patch (which as far as I know must be downloaded
manually) that specifically *disables* the "offending" patch until
the next planned IE update in a couple of months or so, restoring
the original IE behavior until then on a temporary basis. Got that?
You can't make this stuff up.

Perhaps the biggest problem with this situation is that many Web
sites don't realize that they can be affected even if they don't use
ActiveX. In fact, I wasn't aware of this until a few days ago, when
I started having problems with a relatively simple embedded Flash
video on one of my sites. You can see the effects and side-effects,
plus the explanations I've now placed on the page, at:

Since the embedded video area is itself black, the new IE behavior of
"boxing" the object as a cue to an additional click turned out to be
essentially invisible. Surprise!

Note that the underlying display code is unchanged. I have not at
necessary to "fully" work around this silly situation.

Are we all bozos on this bus, or what?

Tel: +1 (818) 225-2800
- People For Internet Responsibility - http://www.pfir.org
- International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com