RE: [Full-Disclosure] IE is just as safe as FireFox

From: joe (mvp_at_joeware.net)
Date: 11/15/04

    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 15 Nov 2004 14:25:45 -0500


    > Every time a Firefox exploit comes out..there is already a fix...
    > is that magic? No..it is good coding...

    What?

    Having a quick fix out is due to low complexity of issue and assisted by a
    lack of dependencies so you have reduced time for patching and testing. It
    has nothing to do with code quality. I have seen some extremely good code
    that hit an issue that took long periods of time to correct due to the
    complexity of the issue with all of the requirements that had to be stacked
    up to cause an issue. I have also seen crappy code that could be pretty
    quickly patched up for various things and often contributed to how crappy it
    was. Again, code quality and time to patch have nothing to do with each other
    except if you had great code you wouldn't even have to worry about exploits
    and patching. Great code, IMO, requires 100% assertions of all incoming data
    and NO ONE does that. Programmers assume that incoming data will fit in a
    specific range and go with it. At some point we as developers (some earlier
    than others) learned that we should at least be checking for data length
    though that still isn't the full assertion that should be done on the
    quality and state of the data. One reason for not doing a full assertion is
    for future flexibility, don't check the data too close so you don't have to
    recompile for a new use. Mostly it is done because coders just don't think
    someone will do something so off the wall or are too lazy or too pressed for
    time to care.

    Having said that, I agree, as I have stated many times on this list, that IE
    needs to be backed down. If there has to be some piece of it that absolutely
    has to be in the OS it should be a very basic very small very simple hello
    world basic HTML only rendering capability - you get fonts and anchors and
    not much more - it isn't even possible to execute anything even if the user
    agrees with a signature in blood. The code being tiny and truly a part of
    the OS in that it isn't possible to upgrade it to IE version x. It is
    updated with OS updates. Code so small and tight and well controlled and
    understood and practically memorized by the developers that MS could put a
    monetary guarantee behind the ability to exploit it. Say HTTP-EQUIV gets $10
    million if he finds a way to crack it and run remote exploit code with a
    realistic POC.

    If someone wants a full function IE, they load that separately and it runs
    in a sandbox as guest. Personally I never agreed that IE was truly part of
    the OS. There are some artificial dependencies built in for some of the
    display stuff like help, etc but NTFS and threading and all of that works
    just fine without IE.

    If pulling IE out of the Explorer shell is too difficult, then I for one
    would be fully behind a new secure type shell replacement for the Explorer
    Shell. We had ProgMan Shell for several years then we got the Explorer
    Shell. Maybe it is time to get a new shell, at least for servers.

    I was recently in Redmond and the message I kept feeding back over and over
    again was that we needed a way to not have to load IE onto machines. I am
    looking to move ideas forward. If they give me the ability, I am not going
    to whine why I can't do the same on Win9x or 2K or even XP. So many people
    bitch on this list about MS supporting legacy stuff and then they or someone
    else starts bitching that MS isn't back porting the changes. Pick one or the
    other but keep in mind if things have to keep getting back ported, resources
    for that aren't moving us forward. I myself, would rather move forward.

      joe

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Todd Towles
    Sent: Friday, November 12, 2004 10:10 AM
    To: Rafel Ivgi, The-Insider; full-disclosure@lists.netsys.com;
    Colin.Scott@csplc.com
    Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

    <SNIP>
     Every time a Firefox exploit comes out..there is already a fix...is that
    magic? No..it is good coding...
    <SNIP>

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
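The distinction joe draws above between checking only the length of incoming data and asserting everything the consumer relies on is easy to see side by side in code. The following is an added example, not code from this thread or from any product discussed in it; the wire format (one length byte followed by a decimal TCP port string), the function names and the sample messages are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format (an assumption of this example): one length byte
 * followed by that many bytes that are supposed to spell a decimal TCP port
 * in the range 1..65535, with no sign, no leading zeros and nothing after it. */
#define MAX_FIELD 5

enum verdict { OK = 0, ERR_TRUNC, ERR_LEN, ERR_FORMAT, ERR_RANGE };

/* "At least check the length": stops the buffer overflow, then trusts the
 * bytes completely. atoi() silently accepts "80abc", "-5", "99999" and "". */
enum verdict parse_port_length_only(const uint8_t *msg, size_t msg_len, int *port)
{
    char buf[MAX_FIELD + 1];
    if (msg_len < 1) return ERR_TRUNC;
    size_t n = msg[0];
    if (n > MAX_FIELD) return ERR_LEN;          /* the only property checked */
    if (msg_len < 1 + n) return ERR_TRUNC;
    memcpy(buf, msg + 1, n);
    buf[n] = '\0';
    *port = atoi(buf);
    return OK;
}

/* Full assertion: every property the rest of the program will rely on is
 * checked here, and nothing is inferred from data that was not checked. */
enum verdict parse_port_full(const uint8_t *msg, size_t msg_len, int *port)
{
    if (msg_len < 1) return ERR_TRUNC;
    size_t n = msg[0];
    if (n < 1 || n > MAX_FIELD) return ERR_LEN; /* declared length is plausible */
    if (msg_len < 1 + n) return ERR_TRUNC;      /* payload is actually present */
    if (msg_len != 1 + n) return ERR_LEN;       /* no trailing bytes (format assumption) */
    const uint8_t *p = msg + 1;
    if (p[0] == '0') return ERR_FORMAT;         /* canonical form only: no leading zero, no "0" */
    long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9') return ERR_FORMAT; /* digits only: no '-', no letters */
        v = v * 10 + (p[i] - '0');              /* at most 5 digits, so no overflow */
    }
    if (v < 1 || v > 65535) return ERR_RANGE;   /* semantic range of a port */
    *port = (int)v;
    return OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_GOOD[]  = {2, '8', '0'};
static const uint8_t MSG_JUNK[]  = {5, '8', '0', 'a', 'b', 'c'};
static const uint8_t MSG_NEG[]   = {2, '-', '5'};
static const uint8_t MSG_BIG[]   = {5, '9', '9', '9', '9', '9'};
static const uint8_t MSG_TRAIL[] = {2, '8', '0', 'X'};
static const uint8_t MSG_SHORT[] = {3, '8', '0'};
static const uint8_t MSG_LONG[]  = {6, '1', '2', '3', '4', '5', '6'};

static const char *name(enum verdict v)
{
    static const char *names[] = {"OK", "ERR_TRUNC", "ERR_LEN", "ERR_FORMAT", "ERR_RANGE"};
    return names[v];
}

static void show(const char *label, const uint8_t *msg, size_t len)
{
    int p1 = 0, p2 = 0;
    enum verdict v1 = parse_port_length_only(msg, len, &p1);
    enum verdict v2 = parse_port_full(msg, len, &p2);
    printf("%-9s length-only: %-10s port=%-6d full: %-10s port=%d\n",
           label, name(v1), p1, name(v2), p2);
}

int main(void)
{
    show("good",  MSG_GOOD,  sizeof MSG_GOOD);
    show("junk",  MSG_JUNK,  sizeof MSG_JUNK);
    show("neg",   MSG_NEG,   sizeof MSG_NEG);
    show("big",   MSG_BIG,   sizeof MSG_BIG);
    show("trail", MSG_TRAIL, sizeof MSG_TRAIL);
    show("short", MSG_SHORT, sizeof MSG_SHORT);
    show("long",  MSG_LONG,  sizeof MSG_LONG);
    return 0;
}
```

Both parsers are immune to the overflow, which is the check most code eventually gets. Only the second one refuses the inputs that are merely outside the range the programmer had in mind: the length-only version hands "80abc" back as port 80, "-5" as a negative port and "99999" as a value no socket call can use, and every one of those is a bug waiting for whatever consumes the result.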

