Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 07/05/04
- Next message: Tony: "virus and popups"
- Previous message: phen: "Re: lsass patch"
- In reply to: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Next in thread: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Reply: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 05 Jul 2004 13:12:43 +0200
On Sat, 3 Jul 2004 16:25:35 -0400, "BeamGuy" <nobody@spam.com> wrote:
>Here is what the US government has to say about MSIE
>http://networks.org/?src=cert:713878
The seeds of these problems date from IE4 and earlier, when it was
decided by the industry that arbitrary web sites should be granted
"limited" programming rights to your PC. JavaScript and Java from
other vendors and ActiveX from MS.
Each of these had flimsy "limits" on what these allowed the site to
do. Web developers who used this stuff were continually chomping at
the bit to be able to create files, call the system API, etc. and so
envelopes were pushed, what we now see as vulnerabilities were siezed
upon as undocumented power tricks, extensions were added, etc.
Once you go from the non-existant risk surface of "no, FOAD, you can't
program the PC" to the large and leaky risk surface of "we'll let you
do this but not that", you're already sinking. Suddenly at every
point *within* the system, it's; what zone is this from? What should
it be allowed to do? It's doomed, pure and simple.
The other really bad decision was to leverage HTML (no longer a safe
data medium as it has programming capabilities) as tomorrow's "text".
Everywhere that used to be text - readme files, email "messages",
cookies, as well as the ex-proprietary Help system - is now
HTML-capable; hell, even your own directories wil autorun HTML when
viewed in Windows Explorer. XP doesn't call it "View As Web Page"
anymore and it's not as easy (possible?) to turn off.
By now, developers are using this stuff. Some application vendors
have followed MS advice to use IE as the entire presentation layer for
the program, so you can't kill active content in Local Computer Zone.
Most web sites use scripting, sometimes to navigate, again in response
to "try it, it's fun!" hype from the industry, so you can't kill
active content in the Internet Zone either.
And several related technologies, such as .HTA, .CHM and the
Desktop.ini -> .HTT stuff, are so pervasive it's impossible to rip it
all out when it goes gangrenous.
Things really get bad when the OS itself starts to use technologies
that are indivisible from the "edge", as is the case with XP's RPC and
other sops to the "we need remote admin!" requirements of corporate IT
(who are supposed to be using XP Pro anyway).
Combine that with a file system that can only be read by the infected
OS, and you have everything lined up nicely, just waiting for a
well-dropped match.
Until XP SP2, MS's focus was always on the trees; why this particular
ActiveX control was marked safe when it shouldn't have been, why
cookies allowed to contain scripts (by design!) were being run in the
wrong zone, etc. But these are just holes in the collander, or
barnacles on volcanoes of bad design - and unfortunately, we find
ourselves living in costly buildings built on those volcanoes.
>-------------------- ----- ---- --- -- - - - -
No, perfection is not an entrance requirement.
We'll settle for integrity and humility
>-------------------- ----- ---- --- -- - - - -
- Next message: Tony: "virus and popups"
- Previous message: phen: "Re: lsass patch"
- In reply to: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Next in thread: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Reply: BeamGuy: "Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
