Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: IE is just as safe as FireFox
From: "Todd Towles" <toddtowles () brookshires com>
Date: Tue, 16 Nov 2004 08:19:06 -0600

I agree with you, maybe good coding was the wrong word. But you got the
idea.

IE isn't part of the OS in Microsoft mind...but it is in the customers.
You get a new computer and you hear on the TV, not to use IE...because
it has holes. A good customer does the right thing and gets another
browser and uses that.  Not knowing that Outlook and IE problem can hurt
them anyways. Microsoft doesn't show separate to the customer - why?
Because they people believe want stuff all connected together, which is
true. Most of the customers don't see what is happening and it takes
professional like us to get the ball rolling...to protect them and us.

Microsoft made a bold step by changing security in SP2. It was going to
break stuff...and it was stupid to see people yell about that. They told
us it would, we knew it would. I am glad to see they are starting to
take steps toward a better systems, but Microsoft has room for
improvement to say the least.

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of joe
Sent: Monday, November 15, 2004 1:26 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] IE is just as safe as FireFox

Everytime a Firefox exploit comes out..there is already a fix...
is that magic? No..it is good coding...

What? 

Having a quick fix out is due to low complexity of issue and 
assisted by a lack of dependencies so you have reduced time 
for patching and testing. It has nothing to do with code 
quality. I have seen some extremely good code that hit an 
issue that took long periods of time to correct due to the 
complexity of the issue with all of the requirements that had 
to be stacked up to cause an issue. I have also seen crappy 
code that could be pretty quickly patched up for various 
things and often contributed to how crappy it was. Again, 
code quality and time to patch has nothing to do with each 
other except if you had great code you wouldn't even have to 
worry about exploits and patching. Great code, IMO, requires 
100% assertions of all incoming data and NO ONE does that. 
Programmers assume that incoming data will fit in a specific 
range and go with it. At some point we as developers (some 
earlier than others) learned that we should at least be 
checking for data length though that still isn't the full 
assertion that should be done on the quality and state of the 
data. One reason for not doing a full assertion is for future 
flexibility, don't check the data too close so you don't have 
to recompile for a new use. Mostly it is done because coders 
just don't think someone will do something so off the wall or 
are too lazy or too pressed for time to care.


Saying that, I agree, as I have stated many times on this 
list, that IE needs to be backed down. If there has to be 
some piece of it that absolutely has to be in the OS it 
should be a very basic very small very simple hello world 
basic HTML only rendering capability - you get fonts and 
anchors and not much more - it isn't even possible to execute 
anything even if the user agrees with a signature in blood. 
The code being tiny and truly a part of the OS in that it 
isn't possible to upgrade it to IE version x. It is updated 
with OS updates. Code so small and tight and well controlled 
and understood and practically memorized by the developers 
that MS could put a monetary guarantee behind the ability to 
exploit it. Say HTTP-EQUIV gets $10 million if he finds a way 
to crack it and run remote exploit code with a realistic POC.  

If someone wants a full function IE, they load that 
separately an dit runs in a sandbox as guest. Personally I 
never agreed that IE was truly part of the OS. There are some 
artificial dependencies built in for some of the display 
stuff like help, etc but NTFS and threading and all of that 
works just fine without IE. 

If pulling IE out of the Explorer shell is too difficult. 
Then I for one would be fully behind a new secure type shell 
replacement for the Explorer Shell. We had ProgMan Shell for 
several years then we got the Explorer Shell. Maybe it is 
time to get a new shell, at least for servers. 

I was recently in Redmond and the message I kept feeding back 
over and over again was that we needed a way to not have to 
load IE onto machines. I am looking to moving forward ideas. 
If they give me the ability, I am not going to whine why I 
can't do the same on Win9x or 2K or even XP. So many people 
bitch on this list about MS supporting legacy stuff and then 
they or someone else starts bitching that MS isn't back 
porting the changes. Pick one or the other but keep in mind 
if things have to keep getting back ported, resources for 
that aren't moving us forward. I myself, would rather move forward. 

  joe



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Todd Towles
Sent: Friday, November 12, 2004 10:10 AM
To: Rafel Ivgi, The-Insider; 
full-disclosure () lists netsys com; Colin.Scott () csplc com
Subject: RE: [Full-disclosure] IE is just as safe as FireFox

<SNIP>
 Everytime a Firefox exploit comes out..there is already a 
fix...is that magic? No..it is good coding... 
<SNIP>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]