Re: Are Java and JavaScript really so malicious for Windows system



"fluidly unsure" <dripping@xxxxxxxxxxxxxx> wrote in message news: pgCjf.28474$Zv5.6124@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I guess I misunderstood your statement. I thought you were saying that
> some of IE was used by other applications/applets/CPLs. That sounds like
> an "integrated" component to me and not a "completely normal application".

I'll try to expand on Mark Randall's answer.

Programs are usually built piecewise, by splitting the functionality into small, reusable parts. This is good, since complexity and multiple implementations of the same function increase the probability of bugs slipping in.

Consider the HTTP client part (used to request files from a server using the HTTP protocol). Of course, it's a part of IE (since it needs to process HTTP URLs). It's also a part of many other programs. The fact that this piece is shared by IE and other programs doesn't give IE any special privilege; they are simply reading the same file.

What happened is that so many pieces of IE are useful in other areas (the HTTP protocol API for programs that need to support this protocol, the HTML renderer part for the UI, the script engines for system administration), that only a lightweight wrapper remains as "IE", and the rest is "basic stuff available to Windows programs" a.k.a. the OS.

This is only a matter of good programming practices.

> Bottom line, it affects the OS as a whole when it's not working
> properly.

This is true in one sense: if several applications share their settings (e.g. for proxy servers), and you put wrong values there, none of these apps will work. On the other hand, it's still better than having to enter these settings in a different way for every single app.


If you mean that a code execution exploit in IE will magically give you more access to the system than a code execution exploit in Firefox or Opera, that's wrong. What you get in all cases is the ability to execute arbitrary commands as the current user.

> Therefore its security is more of a problem than in more
> compartmentalized applications like Firefox. (I'm not saying FF doesn't
> have its own problems)

I don't see in which way Firefox is more compartmentalized.

> Isn't the DOM vulnerability an example of the OS being contaminated by
> an IE hole?

No more than with any remote code execution exploit in any other program.
