Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!

From: BeamGuy (nobody_at_SPAM.com)
Date: 07/06/04

Date: Tue, 6 Jul 2004 09:19:31 -0400

"cquirke (MVP Win9x)" <cquirkenews@nospam.mvps.org> wrote in message news:a1bie01u7dcnnmdcc8sp181rf8e7rucvdk@4ax.com...
> On Sat, 3 Jul 2004 16:25:35 -0400, "BeamGuy" <nobody@spam.com> wrote:
> >Here is what the US government has to say about MSIE
> >http://networks.org/?src=cert:713878
>
> The seeds of these problems date from IE4 and earlier, when it was
> decided by the industry that arbitrary web sites should be granted
> "limited" programming rights to your PC. JavaScript and Java from
> other vendors and ActiveX from MS.
>
> Each of these had flimsy "limits" on what these allowed the site to
> do. Web developers who used this stuff were continually chomping at
> the bit to be able to create files, call the system API, etc. and so
> envelopes were pushed, what we now see as vulnerabilities were seized
> upon as undocumented power tricks, extensions were added, etc.
>
> Once you go from the non-existent risk surface of "no, FOAD, you can't
> program the PC" to the large and leaky risk surface of "we'll let you
> do this but not that", you're already sinking. Suddenly at every
> point *within* the system, it's: what zone is this from? What should
> it be allowed to do? It's doomed, pure and simple.
>
> The other really bad decision was to leverage HTML (no longer a safe
> data medium as it has programming capabilities) as tomorrow's "text".
> Everywhere that used to be text - readme files, email "messages",
> cookies, as well as the ex-proprietary Help system - is now
> HTML-capable; hell, even your own directories will autorun HTML when
> viewed in Windows Explorer. XP doesn't call it "View As Web Page"
> anymore and it's not as easy (possible?) to turn off.
>
> By now, developers are using this stuff. Some application vendors
> have followed MS advice to use IE as the entire presentation layer for
> the program, so you can't kill active content in Local Computer Zone.
> Most web sites use scripting, sometimes to navigate, again in response
> to "try it, it's fun!" hype from the industry, so you can't kill
> active content in the Internet Zone either.
>
> And several related technologies, such as .HTA, .CHM and the
> Desktop.ini -> .HTT stuff, are so pervasive it's impossible to rip it
> all out when it goes gangrenous.
>
> Things really get bad when the OS itself starts to use technologies
> that are indivisible from the "edge", as is the case with XP's RPC and
> other sops to the "we need remote admin!" requirements of corporate IT
> (who are supposed to be using XP Pro anyway).
>
> Combine that with a file system that can only be read by the infected
> OS, and you have everything lined up nicely, just waiting for a
> well-dropped match.
>
> Until XP SP2, MS's focus was always on the trees; why this particular
> ActiveX control was marked safe when it shouldn't have been, why
> cookies allowed to contain scripts (by design!) were being run in the
> wrong zone, etc. But these are just holes in the colander, or
> barnacles on volcanoes of bad design - and unfortunately, we find
> ourselves living in costly buildings built on those volcanoes.
>

cquirke,
Thank you very much for explaining all this. I had been aware that my
office documents contain executable code - the only purpose for which I
am aware of is to spread viruses. It was also starting to dawn on me that
webpages contained executable code - I guess to do all those cute little
things. I was not aware however how widespread HTML & Java had
become. I guess that is a nice idea if the world had no bad guys out there
trying to break into my bank account.
Maybe this all follows from the "irrational exuberance" that led to
the internet stock bubble. Tonight I will check the label on my underwear
to make sure there is no HTML in them. I would not want to have any
security leaks down there!