Interesting People mailing list archives
Why IE is insecure: flawed logical thinking... [RISKS] Risks Digest 23.81
From: David Farber <dave () farber net>
Date: Mon, 28 Mar 2005 16:12:14 -0500
------ Forwarded Message
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 28 Mar 2005 12:16:58 -0800 (PST)
To: <risks-resend () csl sri com>
Subject: [RISKS] Risks Digest 23.81

Date: Thu, 24 Mar 2005 09:29:34 -0700
From: Craig DeForest <deforest () boulder swri edu>
Subject: Why IE is insecure: flawed logical thinking...

IE appears to be insecure in part because of flawed logical thinking by its development team. There is currently a debate of sorts in the news between Mitchell Baker ("chief lizard wrangler" of the Mozilla Foundation) and Dave Massy (head developer of Internet Explorer) over which web browser is more secure. In a recent ZDNET article (also covered on Slashdot; see links at end), Baker points out that, since IE is tightly coupled to the Microsoft Windows operating system, it is bound to be less secure than Mozilla, which is well separated from its host OS.

Dave Massy's reply is very interesting (link at bottom):

>The issue of not being part of the OS is an interesting one though that
>is frequently the subject of misunderstanding. IE is part of [Microsoft
>Windows] so that parts of the SO and other applicaaitons [sic] can rely on
>the functionality and APIs being present. IE in turn relies on OS
>functionality to do it's [sic] job. To be clear there are no OS APIs that
>IE uses that are not documented on MSDN as part of the platform SDK and
>available to other browsers and any other software that runs on Windows.

Dave is making a flawed argument:

Premises:
- IE uses a documented interface to the OS
- The OS interface is available to other software on the OS

Conclusion:
- The complexity of our interface is irrelevant to security

The argument is wrong for two reasons: there is a false hidden premise (that the OS is bulletproof); and the argument itself is invalid (even if the hidden premise were true, the conclusion would not follow).

One only need read back-issues of RISKS to find case after case of complex, unanticipated failure modes in complicated interfaces, each element of which is thought to be secure. That lesson is at least 30 years old -- I am thinking of the stories about hidden data channels in Multics.

This is of interest to RISKS readers because it is a stunning example of poor design by flawed logic: even if the IE coding were flawless at the subroutine level (we can bet that it isn't), Dave's stated attitude toward interface security would doom it to be susceptible to attack.

References:
http://news.zdnet.com/2100-9588_22-5630529.html
http://blogs.msdn.com/dmassy/archive/2005/03/22/400689.aspx
http://slashdot.org/article.pl?sid=05/03/24/1352211&tid=113&tid=154

------------------------------

------ End of Forwarded Message