Re: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

From: st3ng4h (st3ng4h_at_comcast.net)
Date: 07/02/04

    To: Drew Copley <dcopley@eEye.com>
    Date: Thu, 1 Jul 2004 20:03:43 -0500

    On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
    > There has been a great deal of talk about people
    > switching to Mozilla because of this recent Internet
    > Explorer issue.
    >
    > This is a serious misunderstanding about security
    > that comes about because of people's ignorance and
    > because they "believe the hype" but do not look at
    > the details.
    [snip]

    Drew,
    You made some great points that deserved attention (and echo some
    of my own thoughts).

    I have told many people to switch to something, *anything* other
    than IE. I often recommend Mozilla. I know full well when I tell
    them this that it's probably not going to make their browsing
    experience any more secure. It is merely going to add them to the
    6% of people that are not vulnerable to what can be done to their
    machines via IE.

    The "I'm switching to _whatever_ because what I'm using now has a
    bug" and "Program X hasn't suffered from the same problem as
    program Y, therefore Y must be better" standpoints/assumptions are
    wrongheaded and dangerous, IMO, and only work in practice due to
    factors other than a true assessment of security of the software
    in question.

    One of these, as you mentioned, is Microsoft's poor track record
    in fixing these issues. I do agree with people who are choosing
    other browsers because of this reason, and with regards to Mozilla
    specifically there are reasons to believe that the Moz project will
    be faster and more diligent in handling these things. OTOH, they are
    just that: reasons to believe, not hard evidence proven in the real
    world.

    Another is that the 94% of IE users, mostly home users, are
    uneducatable, would not want a 'secure' browser if you gave it to
    them, and would remove it if you did. They are too used to the
    plethora of nifty features and being able to do anything and
    everything under the sun within their web browser. What's worse,
    most of the sites they visit require that they use IE or some other
    browser that lets them use the same features, and are nearly useless
    without. How many popular sites are completely unusable without
    Javascript enabled?

    Mozilla is not much better in this regard. Sure, there is no
    ActiveX, less integration with the operating system; so what? Most
    of these people are still running it with administrator privileges
    on their Windows boxen, and now they have a false sense of security
    to go along with it. If a 'switch to Mozilla' campaign is wildly
    successful and convinces perhaps 50% of them to switch, it will not
    be long before bugs are found and exploited, malicious plugins
    developed, and so forth, that put users at the same risk they were
    before.

    So why bother? What we really need to do is wean these people off
    the ridiculous things they "need" in their browser and use it for.
    We need to make corporations understand that continuing to
    spoonfeed users these things on their sites and cater to the people
    who want it in order to hawk their products is irresponsible and bad
    for security as a whole. We need to make developers understand that
    this ain't what web browsers are for and encourage development of
    simple and standards-compliant browsers, which you touched on, that
    someday could possibly be widely used and considered secure in the
    true sense.

    So... who wants to get started on that? ;-)

    In lieu of being able to solve these problems immediately *and*
    keep users happy, I think telling them to switch to Mozilla is a
    step in the right direction. But it is just that, a step, not the
    end-all be-all solution, and there are many more steps that need to
    be taken.

    st3ng4h

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
