Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Web browsers - a mini-farce
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Wed, 20 Oct 2004 10:35:08 +0200 (CEST)

On Wed, 20 Oct 2004, Martin wrote:

Here, may I make your collection more complete?
PS: No, it's not been discovered by your tool. And I reported
    it already several years ago.

No you can't, for that very reason. But you are very much advised to
report it to them and to FD or other lists.


I reported on a very basic, objective observation. HTML parsers /
renderers in popular alternative browsers are considerably more fragile
than in MSIE. Some of them just annoy, and some seem to be exploitable
under right conditions. That's that. I did not use a dodged tool, I did
not made up results, it's all open source, and rather well documented. You
are free to reproduce it.

I am not a Microsoft-loving, Linux-bashing zealot; if you bother to visit
by homepage or google around, it will become apparent that I use and enjoy
Linux, and usually do not touch Windows with a ten foot pole; not because
of religious beliefs, but simply because I find it not suited well for
what I do on a daily basis. I did poke fun at Microsoft in the past, too:


For this particular issue, I got numerous confirmations, including new
submissions from people using Safari, w3m, elvis, Konqueror and so forth,
so this is not really a localized problem, but rather a sign that
Microsoft did something others couldn't be bothered to.

I specifically stated that this does *NOT* prove that MSIE is safer to
use; there are numerous other factors beside code parsing that count. But
it indeed casts doubt on the claims of higher security of the alternative
browsers, suggesting that much of it may turn to be just a result of the
current status quo.

A number of people assumes that I say MSIE is better than open source
browsers; I did not say this, and I do not have any agenda to push. It's
really disappointing to get so much hate mail when objective results
suggest one thing, and be well received when they point the other way (at
Microsoft, Sendmail, etc).

------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-20 10:24 --


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]