funsec mailing list archives
Re: Microsoft issues IE update to get around the Eolas patent
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 01 Mar 2006 03:24:10 -0600
Nick FitzGerald wrote:
Dude VanWinkle to Richard M. Smith:

I wonder how many Web sites this Microsoft patch will break.......

Well, they don't outright break -- unless I misunderstood something, the user simply has to click the control an extra time before they can _directly interact_ (including via script embedded in the page) with the control, but (initial) dynamic content played or displayed by the control will still activate.
Script embedded with the web page still works. The only combination of things that breaks is:

1. A control that requires explicit *USER* action (i.e. keyboard/mouse input).
2. Said control is instantiated directly from page content (APPLET, EMBED, OBJECT, etc.)
After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. To enable an ActiveX control, manually click the control.

I wonder how much spyware this will prevent from being installed?

It will have the _opposite_ effect.
I agree, but for a different reason.
To get around the user having to manually "activate" the control by clicking it, web authors can ensure that the control is "dynamically instantiated" (my term), and thus immediately activated, via script, rather than being "passively" instantiated the old (aka "infringing") way (i.e. via APPLET, EMBED or OBJECT tags in the main page -- this is effectively what the patent rules out), thus requiring "activation".

What all that means is that web authors will, and rather quickly I suspect, move to this new construction to get their ActiveX controls enabled and so the pressure on browser users to move back to having MORE script-enabled sites or even more script-enabled security domains in IE will increase, so we will see MORE script-based silliness, including compromises and the like.
Not really true. Most users who have active script disabled also disable or severely cripple ActiveX. Also, many uses of ActiveX/Java/plug-ins/etc. require script to function in the first place. A world without script is a world without (much) ActiveX. This will only further cement that. The only thing I see happening is that this becomes yet another reason why IE users have to click through something and becomes one more desensitization to security-related prompting.
This move is even more reason to abandon IE totally.
I wholly disagree. You won't hear me support Microsoft very often, but I think it has every right to develop the technology and that Eolas has no claim to it, whatsoever. I think this case illustrates why software patents are a horrible concept and should be done away with.
MS should have taken its loss in the Eolas patent case, combined it with Billy Boy's previous, well-publicized insistence that security is now really more important than functionality, and used that as the raison d'etre for finally killing its shitty pile of security holes that passes with some as a miserable excuse for a web browser.
I'm sorry... but that's ridiculous. *Every major browser on the planet* infringes upon this patent. Firefox, Mozilla, Netscape, Opera, IE, Safari... all infringe on this patent. Why? Because they use the same plug-in loading technology in some form or another. Java applets are an example of that which is fairly portable across browsers and other examples include media handling plug-ins for Quicktime, Windows Media, etc. The only reason Microsoft is dodging this patent is because the patent holder has a personal grudge against the *big bad monopoly* at Microsoft and decided to only sue Microsoft. According to other reports, Eolas lawyers are also harassing other browser developers about licensing after the Microsoft verdict. For the survivability of the web, this patent NEEDS to be shot down as the invalid claim that it is.
It didn't, so we have yet more evidence that, despite Billy Boy's publicly released memo, security is really only more important at MS now if it's _wholly convenient_ for it to be more important. In other words, despite all the grandstanding in the media, actually very little has changed at MS viz security...
I agree with your assessment of security at MS (it's still on a convenience only basis) but I don't see how this example illustrates that. More security is only meaningful if people will use it. Voluntarily wiping out plug-in functionality would be a suicidal effort and a total failure that would not accomplish anything on the security front.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.