Re: Wait for it?? Or switch.

From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 06/29/04


Date: Tue, 29 Jun 2004 20:39:17 +0200

On Mon, 28 Jun 2004 19:11:08 -0700, "Kent W. England [MVP]"
>henry baker wrote:

>I'm sure that Mozilla has vulnerabilities worth exploiting, but since
>the scope of the Mozilla browsers is much smaller than the scope of IE,
>I am sure those browsers are less complex and will avoid many of the
>most nagging vulnerabilities that continue to plague IE in the area of
>cross-zone scripting and browser controls.

The obverse: Knowing your huge market share makes you a #1 target
would require a stronger focus on not screwing up (code defects) or
playing with fire (overly risky designs). MS hasn't risen to this
challenge... which may be impossible where defects are concerned, but
that's all the more reason for prudent design, and that IS possible.

>That said, in addition to the Three Points of Windows Security, I
>recommend at least one more protection specifically for IE -- Qwik-Fix
>from www.pivx.com.

Beta. Not sure if the release would be free; looks like the site's
keeping its options open there, at least :-)

Looking at the White Paper at...

http://www.pivx.com/qwikfix/whitepapers/Qwik-Fix_Pro_WhitePaper.pdf

...it looks like risk management, which is an old friend...

http://cquirke.mvps.org/9x/riskfix.htm

...and the blurb talks the same language as the documentation for XP
SP2, i.e. "hey, let's find a way to turn this broken junk off while we
wait for a fix!". They are (perhaps understandably) coy about what
these fixes actually *are*; I suspect they are an automation of manual
changes we do already, such as renaming away files or locking down
settings to amputate risky "services" we DON'T WANT.

As this now requires fending off SFP, which strives to protect
malware's constitutional right to be auto-run on the system by
defending stuff like WScript.exe, SHSCrap.dll or MSHTA.exe from being
renamed away, there's some ease-of-use value to be added :-)

What I *don't* like about the system is that it's automated
dribbleware, and I can see a "too many cooks" crisis looming in the
crossfire between these parallel dribbleware systems (i.e. patches
from MS, fixes from these guys).

If such a crisis happens, it will happen at the same time on the
entire infosphere that is using both systems. That's too small a
segment for MS to go into top gear to fix, and the vendor's own
capacity to manage this is open to question.

MS is like a child that runs crying to mommy after it cuts itself on a
kitchen knife, but learns only the lesson that that particular knife
should be avoided, and carries on playing with other knives.

So you will ALWAYS need risk management to fix MS *design* screwups,
because MS will almost never see these as the problem.

Take the article on scripts within cookies, for example; did MS
realize that these were a bad idea? Nope; all they saw as the problem
was that these scripts were being run in "My Computer" zone, not
"Internet" zone. They were quite happy to run scripts in "don't
worry, they are only harmless text" cookies BY DESIGN.

Take MS's response to Kak; did they realize that running scripts in
unsolicited email messages was a Bad Idea? Nope; WinME shipped with
this nonsense still going on. All they did was patch the particular
ActiveX control (EyeDog) that was used that particular time.

Patching is simply not enough, but duelling patch / fix systems may be
too much while *still* being not enough ;-/

>-------------------- ----- ---- --- -- - - - -
   No, perfection is not an entrance requirement.
   We'll settle for integrity and humility
>-------------------- ----- ---- --- -- - - - -


