Full Disclosure mailing list archives
Re: Microsoft Faces Angry IE Users' Questions
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 11 Jul 2004 14:00:05 +1200
Florian Weimer <fw () deneb enyo de> wrote:
Haha. Apparently, Internet Explorer on Windows XP Service Pack 2 will break one of our internal web applications (which uses MIME content type, not extensions, to provide application information). Fortunately, we don't use Internet Explorer, but it's still quite a paradigm shift. I wonder if they break down and release a "fix" in a week's time.
Historical precedent suggests that (perhaps largely undocumented) registry settings will be available to (re-)enable the former, but now deemed "broken", functionality. You need look no further back than the kerfuffle a couple of months ago over the removal of IE's patently incorrect support for "user:pwd@" userid data in http URIs for an example, but there are many other, earlier examples.

Of course, what such cop-out "revert to insecure functionality" options tend to invite are unscrupulous third-party developers (if not also Microsoft's own application developers) to add a "check for registry setting X and tweak it appropriately" function to their installation scripts. That is a very cheap option for the developers and therefore much more desirable to them than fixing what is more often than not some inherently shoddy architectural issue (aka design flaw) in their product or service that would require major re-working to fix.

Most users rather blindly trust their application developers' code and don't check what security (or other) changes those developers' installation routines make to their machines. If such opt-out settings are generally available for XP SP2 "fixes", once SP2 is rolled out many, many users will silently and unknowingly have their overall security lowered, and many vulnerabilities re-introduced to their systems, by installing the "patches" offered by their vendors "to fix XP SP2 incompatibilities".

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html