April 25, 2006
IE 7b vs Plug-in Detection
Ever since the first IE7 beta came out, I've been mystified by a security dialog that came up on my site, prompting me to approve or deny the running of the Windows Media 6.4 Shim control [screengrab, 32K PNG].
Today I finally figured out the trigger, and it affects all sites using AWStats' optional awstats_misc_tracker.js (for adding screen res, color-depth and plug-in reporting to AWStat's excellent open source stats package) and scripts that detect the Windows Media control like Webmonkey Nadav Savio's Plug-in Bot. It does this because both scripts rely on testing the presence of Windows Media by attempting to instantiate the WM ActiveX control, thus activating the new security model in IE7. You'll get this issue even if you have the latest version of Media Player.
I've reported the problem to AWStats, but an immediate fix would be to disable WMP reporting by commenting out the following line from awstats_misc_tracker.js:
var TRKwma = awstats_detectIE("MediaPlayer.MediaPlayer.1")
As for Windows Media plug-in detection/degradation strategies, we could always assume the presence of WMP on Win IE and special-case straight delivery to that platform. Not such a loss as the majority of today's Win users will already have a version of WMP, but it would negate the opportunity to provide graceful degradation for those in the minority.
However, it may be that this is simply a remaining bug in IE7b, as the new security model reportedly contains a list of "allowed" ActiveX controls that do not trigger the security alert bar such as Flash Player; presumably Microsoft would want its own Media Player to be treated equally. You can track this report, vote for its resolution and leave comments on Microsoft Connect (free registration and MS Passport required).
In any event, and unless you get complaints, this shouldn't be much of an issue till the official IE7 release towards the end of the year.
April 14, 2006
EOLAS Arrived + Latest Shockwave Behavior
As expected, this week Microsoft pushed out several security updates, one of which included the EOLAS patch. Unlike the initial, optional update, Cumulative Security Update for Internet Explorer (912812) is classified as a High Priority fix; you can expect your clients and customers to begin experiencing the effects of the EOLAS patch on rich media enhanced sites that have not yet been made compliant.
The good news for Shockwave developers is that the latest version of the Shockwave Player (10.1.1r16), released in the middle of last month, now enjoys the same inobtrusive behavior under EOLAS patched IE as does the Flash Player. Previous versions of the Shockwave Player trigger an alert box upon page instantiation. Besides providing better EOLAS compatibility, 10.1.1r16 offers the ability to present Flash 8 content and, among other bug fixes, addresses issues with QuickTime 7 QTVR content. More details available in Bug fixes for Director and Shockwave versions 10.x.x.
April 2, 2006
Reputation Management: SiteAdvisor
SiteAdvisor is a service that tracks and rates sites for their propensity to spam or infest your system with spyware and other malware, started by a group of MIT engineers spurred to action after too many holidays spent cleaning up their families' computers. Plug-ins are available for Win IE and Firefox users which will, upon installation, alert you to questionable sites as you surf, and overlay ratings in search results from Google and Yahoo with Google Maps-type balloon notes [screengrab, 72K png]. Automated and manual analysis, community and site-owner feedback collate security and reputation information, rock'n it Web 2.0 style; in short, It's a Beautiful Thing™.
General users or reputation managers can manually check SiteAdvisor's growing database, and every time you query an unrated site it becomes queued for future testing. SiteAdvisor reports on spam potential, downloads, online affiliations and "annoyances". Reports show the number of messages per week you can expect to get if you sign up at a given site, with an example inbox demonstrating received email subject lines. Downloads are examined for the presence of malware, a neat diagram shows color-coded affiliated sites to reflect their rating (more on this below), and annoyances like excessive pop-ups and tracking cookies are listed. All reports offer detailed drill-down analysis.
I ran the test on a few of Threespot's current clients and was happy to find none raising red flags. I did find one linking to an affiliate site that hoisted a yellow flag, reporting "somewhat spammy" email. Here's where reputation and/or brand management questions come into play for agencies either tasked with this role or for whom have taken it on as part of a general client advocacy -- should we alert our client that one of their affiliates has been marked by this service as a potential spammer?
Because bookmarklets are cool, I've created another to make it easy for users to query SiteAdvisor's data. To use, simply drag the SiteAdvisor: Check Site link to your Bookmarks bar, navigate to a site to test and click on the bookmarklet to try it out.
April 1, 2006
According to eWeek, Microsoft's EOLAS fix for IE 6 is scheduled for widespread release in a cumulative security update on April 11th. All new PCs shipped with Windows will include this new version of IE 6.
If you need to catch up, I've covered the EOLAS patch and its impact on web development here and here, but the short and sweet is if you haven't dynamically written out your embedded content, your IE 6 users will no longer enjoy the seamless rich media integration with web pages for which they've been accustomed. For some content, like Shockwave, QuickTime, Real and Java applets, the above will be quite the understatement; be prepared to explain to your clients what the problem is and how it can be worked around.
And here's hoping that if you have tons of affected content, you've had the foresight to use plug-in detection and degradation strategies that are EOLAS-complaint.