February 28, 2006

EOLAS is (sorta) Now

Today Microsoft released their long-awaited and originally much feared update to the way ActiveX controls render in Internet Explorer. ActiveX is the technology IE employs to embed interactive content such as Flash, Shockwave, Java and video, and the change is instigated by a long-running feud with Eolas Technologies who claim their patent covers such applications.

In order to get around this patent dispute, updated IE 6 browsers will require user interaction before running embedded content, unless that embedded content is dynamically written-in using VBScript or JScript, Microsoft's implementation of Javascript. Macromedia/Adobe has information and an online presentation that will run you through the user experience [direct link to Flash presentation].

Where the original patch threatened by Microsoft presented quite an obtrusive experience, the final approach described in Adobe's presentation shows there's much less to be concerned about, at least for Flash content, and if you've followed the practice of plug-in detection and degradation via an external .js script, nothing at all.

However, if your sites haven't followed this practice, then you should take a look at Microsoft's known issues technote, which describes issues with transparent Flash content, popular with superstitial advertising, issues with overlapping DHTML menus, controls that prompt before loading and CSS techniques to hide controls. Issues with 64-bit machines and Google's Toolbar are also documented.

Interestingly and importantly, Microsoft appears to have categorized the update as an optional install. Users who select Express Install will not get the update -- you have to intentionally install the update using the Custom management method. It remains to be seen if OEM installs will ship with the update enabled, or if future "critical" security updates will include the Eolas fix.

Posted by Lewis Francis at February 28, 2006 7:14 PM

Another web dev hack? Oh, the humanity!

Posted by: Allan Evans at March 3, 2006 9:46 AM

For some types of content like Flash and apparently Windows Media (imagine that), the effect will is quite negligible. For others, like Shockwave for Director, QuickTime, RealPlayer and Java applets, your user will need to dismiss an alert box before the content will load -- the original "much feared" implementation of the EOLAS hack.

Further, if you are depending upon ActiveX's auto-install functionality, then add these EOLAS alert box dismissal clicks to the IE6 SP2 clicks + the normal validation dialogs on top of whatever interaction is required by the control itself -- a formidable new challenge and barrier to future plug-in penetration.

Posted by: Lewis Francis at April 1, 2006 10:07 PM

UPDATE: the EOLAS patch reportedly will be released in a cummulative security update on April 11.

Posted by: Lewis Francis at April 1, 2006 10:10 PM

fuck you EOLAS! fuck you!

Posted by: Sebhelyesfarku at April 21, 2006 4:39 AM

Its a joke?
Eolas is a bad choice...If you want an "real" safe system switch it of :D

Posted by: Flug Kuba at November 6, 2008 8:51 AM
TrackBack URL for this entry:

Listed below are links to weblogs that reference 'EOLAS is (sorta) Now' from Information Gift.

EOLAS Imminent
Excerpt: According to eWeek, Microsoft's EOLAS fix for IE 6 is scheduled for widespread release in a cumulative security update on April 11th. All new PCs shipped with Windows will include the new version of IE 6. If you need to...
Weblog: Information Gift
Tracked: April 1, 2006 10:17 PM

Post a comment

Remember personal info?

Voigt-Kampf verification (needed to reduce spam):