Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: IE is just as safe as FireFox
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 19 Nov 2004 13:29:32 -0500

Vincent Archer wrote:

Other apps flatly refuse to work with anything but IE. None of these
are strictly "web applications" anymore - they are applications that use
an UI processor, which happens to be the HTML processor as well.

You see, this is precisely the problem.

HTML processors in web browsers should be designed to take in untrusted data and treat it, exclusively, in an untrusted fashion. The problem with latching "trust zones" onto this is that you provide a backdoor that allows any person who can exploit the complex internal trust relationships (or otherwise bypass it) to do whatever the HTML processor allows it to do, which in the case of IE is almost anything.

The web browser was never meant to be a trusted application engine. It was meant to display data, not interact with the software on your computer. If done carefully and responsibly, add-ons that allow for code launching are fine - as long as they can be removed at will and without difficulty and do NOTHING transparently. What we have here is misuse of a technology. That's where the root of these problems exist. And any company that relies on the misuse of technology, frankly, needs to address their IT strategy immediately and think very clearly about what the ultimate end result of that is.

p.s. There will always be buffer overflows and ways to exploit programs using input, but following my line of thinking above, it becomes MUCH easier to secure the browser so that those issues can be effectively mitigated.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]