No reason to rush your upgrade to IE 8
By Mark Joseph Edwards Microsoft touts Internet Explorer 8 as a big improvement over previous versions of the browser in terms of security, speed, and compatibility.
While that’s basically true, the inevitable new-release glitches — which are already appearing — suggest you should wait at least a month before upgrading.
When you choose a browser, your first consideration should be security. There’s no doubt that Internet Explorer is the target of more malware than any other piece of software. In fact, using IE is like painting a bull’s-eye on your forehead and walking into a war zone.
Even though IE 8 adds some useful security features, its continued reliance on ActiveX makes the browser vulnerable in its very foundation. This lack of security is a primary reason many people have stopped using IE.
Security isn’t the only factor causing Web denizens to flock to alternative browsers. For years, Internet Explorer’s page rendering has caused major headaches for Web developers and users alike. Some pages that look and function as designers intended in Firefox, Opera, and other third-party browsers have their layouts broken when rendered by Internet Explorer.
IE 8 makes an effort to improve compatibility but ultimately falls short.
Performance is another area where IE has trailed the competition. Just as IE 7 runs faster than IE 6, the new version 8 is quicker than its predecessor. However, early tests indicate that IE 8 is still much slower than other browsers.
Compatibility improvements aid users and coders
IE 7 often jumbles the layout of sites that open and operate just fine in Firefox, Google Chrome, and other browsers. Web designers will be heartened to hear that IE 8 addresses many of these page-rendering deficiencies — and it’s about time!
Constructing sites that work well in all browsers is definitely going to be much easier. Likewise, people who surf the Web will be less likely to encounter sites whose layouts are broken in IE 8. Without getting into the nitty-gritty, let me just say that IE 8 passes the Web Standards Project’s Acid2 compliance test, as explained by the IEBlog.
Taking compatibility a step further, IE 8 includes a “compatibility view mode” that reverts to IE 7′s rendering engine. You can toggle this mode on or off using a button near the search bar at the top of the browser. (The button icon looks like a broken document, as shown in Figure 1.)
Figure 1. Internet Explorer 8 features a new compatibility button near the reload and close buttons.
But there’s a catch: IE 8 decides when to display the compatibility button. Obviously, if the button isn’t showing, you can’t click it. However, you can manually configure sites you want to view for compatibility by engaging the Compatibility View Settings option on the Tools menu. (See Figure 2.)
Figure 2. You can access IE 8′s compatibility settings via the Tools menu.
If your organization uses custom intranet applications designed specifically for IE, you may need to adjust those applications to support version 8.
Reader Jim Johnson reports that his intranet woes were not alleviated by using the new browser’s compatibility mode. Jim had to force IE 8 into IE 7 mode by pressing F12 to open the Developer Tools and then selecting Internet Explorer 7 as the browser mode. These steps allowed him to sign in and use his company’s intranet applications.
Microsoft provides a way for Web developers to handle browser incompatibilities on a page-by-page or site-wide basis. To force a page to render using IE 7 styles, end users can click View, Source and then change the header’s meta http-equiv= setting to read as follows (be sure to retain the open and closed angle brackets at both ends of the tag):
meta http-equiv=”X-UA-Compatible” content=”IE=EmulateIE7″ /
For site-wide rendering control, site owners can configure their servers to send the following HTTP header:
X-UA-Compatible: IE=EmulateIE7
Phishing filter upgraded to fight malware
Among the noteworthy security enhancements in IE 8 is the SmartScreen filter. This feature upgrades IE 7′s Phishing Filter by adding a malware defense. (The Phishing Filter in IE 7 protects users against accidentally landing on spoofed sites and also detects other attacks that might try to steal your personal information.)
IE 8′s new anti-malware component is a reputation-based filtering system. In this respect, it’s like McAfee’s SiteAdvisor and Symantec’s Norton Safe Web. Unlike SiteAdvisor, however, SmartScreen also works with signature-based technologies such as Microsoft’s Malicious Software Removal Tool, Windows Defender, and others.
You can enable the browser’s new InPrivate mode, which prevents IE from saving cookies, your browsing history, cache data, and other personal information.
IE 8 also offers better protections against cross-site scripting attacks and clickjacking, a hacker technique that tricks you into clicking on hidden page elements. Finally, Microsoft includes Data Execution Prevention (DEP/NX) memory protection in IE 8 to help prevent exploits that use memory tricks to launch malicious code.
However, none of these security features is foolproof. A prime example presented in early March at the CanSecWest conference is described in a Computerworld article. A researcher identified only as Nils compromised IE 8 running on Windows 7 by taking advantage of a shortcoming in the DEP/NX protection system.
More speed in IE 8, but not nearly enough
Microsoft would have us believe that speed isn’t very important when it comes to page surfing. (Considering the miserable performance of previous versions of IE, that’s understandable.) In fact, the company’s IE 8 documentation states: “Ease and speed in the real world are measured in minutes, not milliseconds.” I guess that’s Microsoft’s pre-emptive defense against browser-speed test results.
Computerworld’s JavaScript-performance tests show that Google Chrome is four times faster at JavaScript rendering than IE 8. In the same tests, Firefox 3.0.7 was 59% faster than IE 8 when rendering JavaScript on pages, Safari 47% faster, and Opera 38% faster.
So, does JavaScript rendering speed really matter? If you visit 50 such pages, and if they take an average of 2 seconds each to load, you’ll spend an extra 60 seconds waiting in IE 8 than you would in Firefox. Over the course of a year, that’s 6 hours of wasted time.
Of course, if you surf more than 50 pages a day, you could be wasting even more time with IE 8. In the business world, time is money, but time’s even more precious in your private life. A browser’s speed definitely matters — a lot!
There’s no doubt that IE 8 is a much better browser than IE 7. Nevertheless, it’s still inferior to Firefox and other alternatives. As to whether you should upgrade to IE 8 now or later, my advice is to use Firefox instead of either version.
If you must use Internet Explorer, I suggest you wait at least a month — two months would be better — before upgrading to IE 8. (If you’re still using IE 6, however, install version 7 right away, for the sake of your security as well as for the added performance.)
Why do I think you should wait? At present, only a fraction of Windows users worldwide participated in the IE 8 beta. Now that the browser has been released to the public, it will be put through the wringer even more strenuously. When that happens, problems are bound to surface. For example, we’ve already received a few reports of odd page-load behavior in IE 8 on Vista systems. And, bizarrely, some IE 8 installations revert to IE 7 after loading Windows hotfixes.
Furthermore, the bad guys are bound to start banging on the new browser even harder to unleash new exploits. Let some of that play out before you jump into IE 8 with both feet. Unless you have a compelling reason to upgrade to IE 8, just relax, wait, and watch what unfolds. (Popcorn is optional.)
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
By Dennis O’Reilly 
