Let's face it, web developers. Even if you're the most devoted fan of Firefox, Opera, or Safari, the 800-pound gorilla in the room is still Internet Explorer. Like IE or hate it, your pages had better work properly with it. Unfortunately, you can only have one version of IE running on a test PC at a time...or can you?

Add Virtual PC 2007 SP1 to your Windows XP, Windows Vista or Windows Server 2003 or 2008 box, and install your choice  of Windows XP SP3+IE6, Windows XP SP3+IE7, Windows XP+IE8 Beta 2, or Windows Vista+IE7 in VHD format. Now, it's easy to find out which pages make a particular flavor of IE gag, and you can switch between IE versions running in different VMs with the click of a mouse. For more Virtual PC downloads, including release notes, click here.

These disk images work until April 2009, so you have plenty of time to work out page glitches. Not developing websites? No problem! Try them anyway. 

As we told you last week, Microsoft rolled out two new security programs, Microsoft Active Protections Program and Microsoft Exploitability Index, during the Black Hat USA 2008 Conference. Unfortunately for Microsoft, the same conference saw a presentation by security experts Mark Dowd and Alexander Sotirov that renders these and other protections for Windows Vista, including its much-touted Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP) features, effectively null and void.

Dowd and Sotirov's presentation, How To Impress Girls With Browser Memory Protection Bypasses, made their point by beginning their presentation with a live exploit against IE7 on Windows Vista. And, as the photo at the top of this article suggests (from page 40 of the presentation), it does seem to impress the girls!

How did they do it? The full presentation (available here in PDF format) is quite technical, but here's the short version. according to SC Magazine:

In explaining the problem, the researchers said that most memory protection mechanisms are based on two things: detecting corruption and stopping common exploit patterns, and attempts to reinforce these are integral to Vista. But in many cases, some of the built-in protection mechanisms in Vista are not enabled by default for compatibility reasons.

“At the desktop level, compromises had to be made because of compatibility issues. Exploiters have a lot more control over browsers,” Sotirov said.

And in many cases, third-party applications are not compiled to use the Vista memory protections. For example, Java and Flash are not compiled using the critical protection called ASLR.

What can be done? My take: Microsoft needs to rethink the balance of compatibility versus protection, do a better job of informing users of what's protected and what's not, and get third-party application vendors to take advantage of the protection features in Vista. What about ordinary users like us? Watch out for compromised legitimate websites, and, as always, as our own Will Smith says, think before you click.

What's your take on Vista and other browser security issues? See us after the jump for your chance to sound off.
 

You can now give the future of Microsoft web browsing, Internet Explorer 8, a try. Discover how to try it safely.

Microsoft's MS07-069 Security Update's been breaking browsers everywhere. Until Redmond gets its act together, here's a solution and a workaround that enable you to keep browsing and Windows Updating.