Re: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

From: st3ng4h (
Date: 07/02/04

  • Next message: Raj Mathur: "Re: [Full-Disclosure] Web sites compromised by IIS attack"
    To: Drew Copley <>
    Date: Thu, 1 Jul 2004 20:03:43 -0500

    On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
    > There has been a great deal of talk about people
    > switching to Mozilla because of this recent Internet
    > Explorer issue.
    > This is a serious misunderstanding about security
    > that comes about because of people's ignorance and
    > because they "believe the hype" but do not look at
    > the details.

    You made some great points that deserved attention (and echo some
    of my own thoughts).

    I have told many people to switch to something, *anything* other
    than IE. I often recommend Mozilla. I know full well when I tell
    them this that it's probably not going to make their browsing
    experience any more secure. It is merely going to add them to the
    6% of people that are not vulnerable to what can be done to their
    machines via IE.

    The "I'm switching to _whatever_ because what I'm using now has a
    bug" and "Program X hasn't suffered from the same problem as
    program Y, therefore Y must be better" standpoints/assumptions are
    wrongheaded and dangerous, IMO, and only work in practice due to
    factors other than a true assessment of security of the software
    in question.

    One of these, as you mentioned, is Microsoft's poor track record
    in fixing these issues. I do agree with people who are choosing
    other browsers because of this reason, and with regards to Mozilla
    specifically there are reasons to believe that the Moz project will
    be faster and more diligent in handling these things. OTOH, they are
    just that- reasons to believe, not hard evidence proven in the real

    Another is that the 94% of IE users, mostly home users, are
    uneducatable, would not want a 'secure' browser if you gave it to
    them, and would remove it if you did. They are too used to the
    plethora of nifty features and being able to do anything and
    everything under the sun within their web browser. What's worse,
    most of the sites they visit require that they use IE or some other
    browser that lets them use the same features, and are nearly useless
    without. How many popular sites are completely unusable without
    Javascript enabled?

    Mozilla is not much better in this regard. Sure, there is no
    ActiveX, less integration with the operating systems- so what? Most
    of these people are still running it with administrator privileges
    on their Windows boxen, and now they have a false sense of security
    to go along with it. If a 'switch to Mozilla' campaign is wildly
    successful and convinces perhaps 50% of them to switch, it will not
    be long before bugs are found and exploited, malicious plugins
    developed, and so forth, that put users at the same risk they were

    So why bother? What we really need to do is wean these people off
    the ridiculous things they "need" in their browser and use it for.
    We need to make corporations understand that continuing to
    spoonfeed users these things on their sites and cater to the people
    who want it in order to hawk their products is irresponsible and bad
    for security as a whole. We need to make developers understand that
    this ain't what web browsers are for and encourage development of
    simple and standards-compliant browsers, which you touched on, that
    someday could possibly be widely used and considered secure in the
    true sense.

    So... who wants to get started on that? ;-)

    In lieu of being able to solve these problems immediately *and*
    keep users happy, I think telling them to switch to Mozilla is a
    step in the right direction. But it is just that, a step, not the
    end-all be-all solution, and there are many more steps that need to
    be taken.


    Full-Disclosure - We believe in it.