April 16, 2006

Warning: New Microsoft Patch Breaks Web Pages -- On Purpose!

Greetings. OK, let's be fair about this: the underlying purpose of the Microsoft patch isn't to break Web pages, though this result was understood and expected.

Some venues are calling the issue a "mini-Y2K" -- which is a bit overdramatic -- but it is important and could have significant effects around the world.

As of a few days ago, vast numbers of Internet Explorer (IE) users are experiencing Web pages all over the Net which simply don't work as expected any more.

Simplified backstory first. A couple of years ago, Microsoft lost a patent fight over commonly used techniques to embed "active" content into Web pages. While "ActiveX" operations are usually cited in this regard, in reality all manner of embedded active player objects are apparently involved, including Flash, QuickTime, RealPlayer, Java, etc.

We can argue about whether or not such techniques should be patentable in the first place. A lot of us believe that such patents have gone way overboard and that the USPTO is far out of its depth.

In any case, MS decided that they didn't want to pay the associated license fees for the patented techniques (so far, the holders of the patent have seemingly not gone after open source browsers in non-commercial contexts -- such as Firefox -- which is why Firefox is not currently affected by this issue).

Several months ago, MS issued a patch to change IE behavior to what they believe is a non-infringing operation. This requires that users explicitly click embedded objects first (theoretically guided by a small hint message that appears if they happen to mouse over the objects, which will supposedly be visually boxed as a cue), before the objects will become active. In the case of active objects that already require a click to start, this means that two clicks will now be needed.

There are variations on this theme. For example, in some cases, playback of video may commence automatically, but the video control buttons reportedly won't be active unless the user clicks them first. Confusing? Yep.

There are ways to redesign Web pages to restore the original behaviors, more or less. But these typically require the use of embedded JavaScript, which introduces its own complexity and security issues, especially on large sites.

If MS originally issued the patch that changed IE behavior months ago, why is this a big deal today? Because only now is Microsoft pushing out that patch as part of the standard automatic "Windows Update" mechanisms. Previously, you would have had to manually download the patch yourself. Millions of people are currently receiving the patch, and seeing the associated effects.

Now for an even more bizarre twist. Microsoft, realizing the sudden negative impact that this patch could have on many users, has just issued yet another patch (which as far as I know must be downloaded manually) that specifically disables the "offending" patch until the next planned IE update in a couple of months or so, restoring the original IE behavior until then on a temporary basis. Got that? You can't make this stuff up.

Perhaps the biggest problem with this situation is that many Web sites don't realize that they can be affected even if they don't use ActiveX. In fact, I wasn't aware of this until a few days ago, when I started having problems with a relatively simple embedded Flash video. You can see the effects and side-effects, plus the explanations I've now placed on the related page, at this blog entry.

Since the embedded video area is itself black, the new IE behavior of "boxing" the object as a cue to an additional click turned out to be essentially invisible. Surprise!

Note that the underlying display code is unchanged. I have not at this time added the JavaScript "container" code that would be necessary to "fully" work around this silly situation.
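The script-based redesign and "container" code mentioned above, sketched as an added example (not the author's code and not Microsoft's). It assumes the workaround of the time, in which the object markup is written into the page by an external script file instead of appearing in the HTML, and it shows the input checking that the extra script surface calls for. The file name, function names and markup shape are assumptions.

```javascript
// embed-loader.js (hypothetical name): served as a separate file and pulled in
// with <script src="embed-loader.js">, so the object markup is not in the HTML.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow only relative paths and http(s) URLs, so a value taken from the page
// or query string cannot carry a javascript: or data: URL into the markup.
function isSafeMovieUrl(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  if (/[\u0000-\u0020]/.test(url)) return false; // control characters, spaces
  var scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return scheme === null || /^https?$/i.test(scheme[1]);
}

// Width and height must be plain positive integers, never raw strings.
function toDimension(n) {
  var v = Number(n);
  if (!Number.isInteger(v) || v <= 0 || v > 4096) {
    throw new Error('bad dimension: ' + n);
  }
  return v;
}

// Build the markup for one Flash movie (markup shape is an assumption).
function buildFlashMarkup(opts) {
  if (!isSafeMovieUrl(opts.src)) throw new Error('rejected movie URL');
  var src = escapeAttr(opts.src);
  return '<object type="application/x-shockwave-flash" data="' + src + '"' +
    ' width="' + toDimension(opts.width) + '"' +
    ' height="' + toDimension(opts.height) + '">' +
    '<param name="movie" value="' + src + '">' +
    '</object>';
}

// Browser entry point: the page holds only an empty placeholder element.
function activateEmbed(container, opts) {
  container.innerHTML = buildFlashMarkup(opts);
}
```

On the page, the script would be called with a placeholder element, for instance `activateEmbed(document.getElementById('player'), {src: 'media/clip.swf', width: 320, height: 240})`, where the element id and movie path are constructed values.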

Are we all bozos on this bus, or what?


Posted by Lauren at April 16, 2006 05:40 PM