Earlier this week, Internet Explorer 8 started blocking access to completely harmless sites, claiming, “This website has been reported as unsafe.”
While some good sites go bad from time to time, typically infected with subverted iFrames and bad advertisements, IE8 was blocking sites that didn’t have any ads — Visa.com, for one, as well as MoneyTreeInc.com and SalesAspects.com. It also looks like many (if not all) sites that use Telerik’s RadMenu under Microsoft’s ASP.Net were blocked.
It’s still too early to tell, but as best I can discern, all of the sites I can find that triggered IE8’s alarms were running Windows Server and IIS.
I haven’t seen any reports of problems with the Internet Explorer 9 version of SmartScreen. Since IE7 doesn’t have SmartScreen, the bug appears to be isolated to IE8.
Microsoft has yet to post any official explanation, although it appears as if the problem has been fixed.
We’ve all encountered bad antivirus signature file updates; update your antivirus signatures and all of a sudden old, trusted programs get flagged as harboring viruses or other nasties. Infamously, back in April, a bad update to McAfee’s signature file marked the Windows program svchost.exe as “infected” on some machines and quarantined it. When XP users tried to reboot their systems, they were locked out because svchost wasn’t available. Thousands of good PCs turned up with blue screens.
Bad antivirus updates can break machines, but they tend to happen in small doses. A few thousand PCs get sent to never-never land, the antivirus manufacturer gets stuck with lawsuits, clever people figure out ways to get around the damage, and life in the PC world goes on.
But what happens when, as in this case, millions of people get locked out of perfectly legitimate websites? It all goes by in real time. Users have no idea why their trusted website sprung a leak — but they’ll run, and they won’t come back anytime soon. Web admins pull their hair out, thinking they’ve done something wrong, trying to mollify customers, and keeping the boss from breathing fire. Heaven only knows how much money the shunned websites lost because of a stupid mistake at Microsoft.
We’ve all agonized over the problems with cloud computing. Add this to the list.
I wonder if Microsoft will ever divulge the full details, particularly if — as appears to be the case — the bogus false positives blocked people from getting at Microsoft's own servers?