Full Disclosure mailing list archives
RE: IE is just as safe as FireFox
From: "joe" <mvp () joeware net>
Date: Mon, 15 Nov 2004 14:25:45 -0500
> Every time a Firefox exploit comes out..there is already a fix... is that magic? No..it is good coding...

What? Having a quick fix out is due to the low complexity of the issue, assisted by a lack of dependencies, so you have reduced time for patching and testing. It has nothing to do with code quality. I have seen some extremely good code that hit an issue that took long periods of time to correct due to the complexity of the issue, with all of the requirements that had to be stacked up to cause an issue. I have also seen crappy code that could be pretty quickly patched up for various things, and that often contributed to how crappy it was. Again, code quality and time to patch have nothing to do with each other, except that if you had great code you wouldn't even have to worry about exploits and patching.

Great code, IMO, requires 100% assertions of all incoming data, and NO ONE does that. Programmers assume that incoming data will fit in a specific range and go with it. At some point we as developers (some earlier than others) learned that we should at least be checking for data length, though that still isn't the full assertion that should be done on the quality and state of the data. One reason for not doing a full assertion is future flexibility: don't check the data too closely so you don't have to recompile for a new use. Mostly it is done because coders just don't think someone will do something so off the wall, or are too lazy or too pressed for time to care.

Saying that, I agree, as I have stated many times on this list, that IE needs to be backed down. If there has to be some piece of it that absolutely has to be in the OS, it should be a very basic, very small, very simple hello-world, basic-HTML-only rendering capability - you get fonts and anchors and not much more - and it isn't even possible to execute anything, even if the user agrees with a signature in blood. The code would be tiny and truly a part of the OS in that it isn't possible to upgrade it to IE version x; it is updated with OS updates. Code so small and tight and well controlled and understood and practically memorized by the developers that MS could put a monetary guarantee behind the ability to exploit it. Say HTTP-EQUIV gets $10 million if he finds a way to crack it and run remote exploit code with a realistic POC. If someone wants a full-function IE, they load that separately and it runs in a sandbox as guest.

Personally I never agreed that IE was truly part of the OS. There are some artificial dependencies built in for some of the display stuff like help, etc., but NTFS and threading and all of that works just fine without IE. If pulling IE out of the Explorer shell is too difficult, then I for one would be fully behind a new secure-type shell replacement for the Explorer shell. We had the ProgMan shell for several years, then we got the Explorer shell. Maybe it is time to get a new shell, at least for servers.

I was recently in Redmond and the message I kept feeding back over and over again was that we needed a way to not have to load IE onto machines. I am looking at moving-forward ideas. If they give me the ability, I am not going to whine about why I can't do the same on Win9x or 2K or even XP. So many people bitch on this list about MS supporting legacy stuff, and then they or someone else starts bitching that MS isn't back-porting the changes. Pick one or the other, but keep in mind that if things have to keep getting back-ported, resources for that aren't moving us forward. I myself would rather move forward.

joe

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles
Sent: Friday, November 12, 2004 10:10 AM
To: Rafel Ivgi, The-Insider; full-disclosure () lists netsys com; Colin.Scott () csplc com
Subject: RE: [Full-disclosure] IE is just as safe as FireFox

<SNIP>
Every time a Firefox exploit comes out..there is already a fix...is that magic? No..it is good coding...
<SNIP>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
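The post's point that "checking for data length" is not the same as a full assertion of the quality and state of incoming data is easy to see in code. The following is an added example written for this archive page; it is not code from joe, from the thread, or from any product discussed in it. The field format it validates (a decimal TCP port carried as an ASCII string) is a constructed assumption chosen only to make the contrast concrete: a length-only gate beside a check that asserts every property the consumer actually relies on.

```c
/* Added example (not from the mailing list thread): contrasts a length-only
 * check with a full assertion of an incoming field's content and range.
 * The field format (a decimal TCP port as an ASCII string) is a constructed
 * assumption for illustration, not something the thread discusses. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PORT_FIELD_MAX 5   /* "65535" is the longest legal value */

/* Length-only check: the minimal gate many programmers stop at.
 * It rejects oversized input but says nothing about what the bytes are. */
int port_length_ok(const char *field)
{
    size_t n = strlen(field);
    return n > 0 && n <= PORT_FIELD_MAX;
}

/* Full assertion: length, character set, canonical form and numeric range
 * are all checked before the value is trusted. Returns 1 and stores the
 * port on success, 0 on any violation. */
int port_validate(const char *field, unsigned *port_out)
{
    size_t n = strlen(field);
    unsigned value = 0;

    if (n == 0 || n > PORT_FIELD_MAX)          /* length */
        return 0;
    if (n > 1 && field[0] == '0')              /* canonical form: no leading zeros */
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)field[i])) /* character set: digits only */
            return 0;
        value = value * 10 + (unsigned)(field[i] - '0');
    }
    if (value < 1 || value > 65535)            /* range the consumer relies on */
        return 0;
    *port_out = value;
    return 1;
}

/* Convenience wrapper: the validated port, or -1 if the field is rejected. */
int port_value_or_neg(const char *field)
{
    unsigned port;
    return port_validate(field, &port) ? (int)port : -1;
}

/* Run both checks over constructed sample fields and count how many inputs
 * the length-only check waves through that the full assertion rejects. */
int count_length_only_false_accepts(void)
{
    static const char *samples[] = {
        "8080", "65535", "65536", "12a4", "-1", "0", "00080", " 443", "", "123456"
    };
    int false_accepts = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned port;
        int loose = port_length_ok(samples[i]);
        int strict = port_validate(samples[i], &port);
        if (loose && !strict)
            false_accepts++;
    }
    return false_accepts;
}

int main(void)
{
    printf("%d fields pass the length check but fail full validation\n",
           count_length_only_false_accepts());
    return 0;
}
```

Of the ten constructed samples, six pass the length gate yet fail the full assertion ("65536", "12a4", "-1", "0", "00080", " 443"); each of those is a value downstream code would have consumed while silently assuming it was a well-formed port in range. The trade-off the post names is visible too: the strict checker must be recompiled if the field's grammar ever changes, which is exactly why the looser check is so often the one that ships.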