Jon Udell: Microsoft Wants Back In

In his recent Strategic Developer column, GreaseMonkey in Crisis, Jon Udell argues that Microsoft should be let back into the web community on questions of security and standards.

“Open source software and the collaborative culture that surrounds it, have surely enhanced Firefoxs security. But also necessary is a disciplined approach to to reducing the attack surface area. And one of the most vocal and visible proponents of that discipline today is … Microsoft. …If the long-delayed refresh of Internet Explorer has been rethought along similar lines, it could be prove to be an excellent platform on which to safely tap into the power of AJAX … The Open Source and Microsoft cultures can complement one another. I hope they will”

Commendable sentiments based on three assumptions:
1)that Microsoft is committed to Web development and standards consistently for the long haul. Very recent evidence, “the long delayed refresh of Internet Explorer” and Microsofts own Smart Client strategy that emphasize Windows desktop clients over Web browser based would suggest the contrary. As soon as the immediate problems are solved – lingering security problems in not just IE but still a broad base of Microsoft applications plus a continuing loss of IE market share to other browsers – when these problems are solved – will Microsoft continue “to complement” Open Source Web development ?
2)that Microsofts approaches to reducing the attack surface areas go beyond tightening default settings on installation that have opened up vulnerabilities in IE, IIS, and so many Redmond apps. Microsoft has delivered App, OS, and OS kernel privileged states to end users most notably in ActiveX which the programming and security community tried to warn them off – in the late 199os and early 2000s. So they should know a lot about “reducing attack surfaces” for internal processing privileges. But see what they are doing about this in IE7, .NET Compact Framework, and other cutting edge apps.
3)that Microsoft has redressed the balance on long overdue promises to implement Web Standards in IE7 and other Web applications. As we have pointed out in our article here on IE7, given 10 web compliance issues, IE7 barely scores 1/2 on redressing them. Even now Redmond is arguing a)that its has only surfaced 25% of the features and fixes in IE7 but b) that it will not be able to pass the ACID2 set of browser compliance tests and will be hard pressed to make the CSS2 grade. Redmond is utterly mum about the other 9 1/2 standards and component fixes.

So this all comes back to an issue of trust. And time and again, Microsoft and its very top officers have found that their commitments to 80-90% market dominance means they have to be zero-sum players. In order for Microsoft to win nearly everybody else has to lose. And of course this has meant crossing both trust and ethical lines. Among other things, this has meant promising to meet standards now and then renegging in the future.

For example, in the Web development arena by stopping all development on IE after it won 85%++ market share in 1999-2000, that meant Microsoft could not only leave a whole slew of promises to come to W3C standards in HTML, CSS, DOM, JavaScript undone; but also it could thwart the development of a whole range of new Web browser standards – XFORMS, SVG, JPEG2000, CSS, Mouse Gestures, JavaScript E4X and 2.0 implementation, DOM rationalizations, etc, etc. Many of these ignored fixes and thwarted standards could enhance Web reliability and security. So why not have Microsoft deliver on these standards in IE7 and their other Web Applications first and use that as their welcome-back ticket into the Web community ?

Another measures of Microsofts good intentions would be the availability of a stick to standards switch in Visual Studio and its other development and code generation tools. Such a switch when turned off would allow all the Microsoft proprietary extensions to not be flaaged in the Visual Studio development editor. But when turned on, it would red squiggle underline all proprietary code and using code completion would suggest an alternate construct to replace the offending extension. Macromedias new Dreamweaver 8 carries this type of standards guard to a new level with a whole slew of validators and other support. Why cant Redmond do the same?

So lets us demand a lot more of Microsoft on adhering to Web and other standards. Redmond has to prove in actions and deeds over years that they are not like Lucy – willing to pull the standards football out from under us heretofore Charlie Brown developers whenever it suited their purposes. Fool me once, shame on you; fool me twice (or closer to n-times), shame on me.

(c)JBSurveyer 2005