Full Disclosure mailing list archives
Re: Web browsers - a mini-farce
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Wed, 20 Oct 2004 10:35:08 +0200 (CEST)
On Wed, 20 Oct 2004, Martin wrote:
> Here, may I make your collection more complete?
/.../
> PS: No, it's not been discovered by your tool. And I reported it already several years ago.
No you can't, for that very reason. But you are very much advised to report it to them and to FD or other lists.

Gee... I reported on a very basic, objective observation. HTML parsers / renderers in popular alternative browsers are considerably more fragile than in MSIE. Some of them just annoy, and some seem to be exploitable under the right conditions. That's that. I did not use a dodged tool, I did not make up results, it's all open source, and rather well documented. You are free to reproduce it.

I am not a Microsoft-loving, Linux-bashing zealot; if you bother to visit my homepage or google around, it will become apparent that I use and enjoy Linux, and usually do not touch Windows with a ten foot pole; not because of religious beliefs, but simply because I find it not suited well for what I do on a daily basis. I did poke fun at Microsoft in the past, too:

http://lcamtuf.coredump.cx/strikeout/

For this particular issue, I got numerous confirmations, including new submissions from people using Safari, w3m, elvis, Konqueror and so forth, so this is not really a localized problem, but rather a sign that Microsoft did something others couldn't be bothered to.

I specifically stated that this does *NOT* prove that MSIE is safer to use; there are numerous other factors beside code parsing that count. But it indeed casts doubt on the claims of higher security of the alternative browsers, suggesting that much of it may turn out to be just a result of the current status quo.

A number of people assume that I say MSIE is better than open source browsers; I did not say this, and I do not have any agenda to push.

It's really disappointing to get so much hate mail when objective results suggest one thing, and be well received when they point the other way (at Microsoft, Sendmail, etc).

--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-10-20 10:24 --
http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html