HTML Forum

This 44 message thread spans 2 pages.
ZDNet Calls 2004: Internet Explorer's year of shame
Long time Microsoft supporter issues strong statements about IE
Brett_Tabke




msg:573090
 1:25 pm on Jul 12, 2004 (gmt 0)

[zdnet.co.uk...]

"Small businesses should be seriously looking at alternatives because they are less likely to be able to maintain very good security around the browser with vulnerability management. Smaller businesses should seriously be looking at changing browsers," said Perry.

Since the article was written, another hole was found late last week in the latest IE Patch:
[keralanext.com...]

 

mal4mac




msg:573091
 1:44 pm on Jul 12, 2004 (gmt 0)

How can you be sure other browsers do not have similar security problems?

Although IE is likely to attract more crackers, isn't it also likely to have more people trying to spot & fix security vulnerabilities?

Anyone out there have a convincing argument for moving to another browser?

bumpaw




msg:573092
 1:51 pm on Jul 12, 2004 (gmt 0)

Kim Kommando's newsletter is now recommending people find an alternative in Opera or Firefox. She claims to have a lot of listeners to her show and subscribers to her newsletter.

danny




msg:573093
 1:52 pm on Jul 12, 2004 (gmt 0)

It's a lot harder for people to study Internet Explorer, the source code for which is not available, than it is for them to study Mozilla or one of the other free software browsers. If most technical security people are going to report security problems to the browser's maintainer (rather than releasing malware), this will have a positive rather than a negative effect on security.

This logic doesn't hold for free software products which don't see widespread use, but I think it clearly works for products such as Apache, Mozilla, Linux, etc.

Gibble




msg:573094
 1:59 pm on Jul 12, 2004 (gmt 0)

I switched to Firefox at work and at home, and other than very few sites, everything looks exactly the same in Firefox as it did in IE. I have tabbed browsing, and some of the plugins are great (especially the webdeveloper one!)

I had tried to switch to Opera, but for whatever reason, I just couldn't...I kept going back to IE.

Brett_Tabke




msg:573095
 2:02 pm on Jul 12, 2004 (gmt 0)

Estimated browser security faults since 1997:

Opera -v7.5 : 12
Netscape -v4 : 40
Mozilla : 25
IE : 200 known, (some estimate that it is really over 1000 effective holes)

Let's be honest: IE has been Swiss cheese, while NN/Moz/Opera have been relatively secure.

IE takes weeks -- if not months to years -- to fix problems, while the Team Mozilla, and Operasoftware often fix problems and release patches before they are even publicly reported.

[money.cnn.com...]

pageoneresults




msg:573096
 2:10 pm on Jul 12, 2004 (gmt 0)

> How can you be sure other browsers do not have similar security problems?

They will as soon as they become mainstream. All of this focus on IE at the moment is only natural as they dominate more than 90% of the browser market share. If any of the other browsers had any respectable part of that market share, they too would be under the same attacks with probably the same number of security holes to deal with.

volatilegx




msg:573097
 2:14 pm on Jul 12, 2004 (gmt 0)

Does the fact that Mozilla Firefox, et al are open source make it easier to find security holes in them? And if that is true, wouldn't that lead to the conclusion that more of the possible holes in Mozilla Firefox have already been found and patched?

korkus2000




msg:573098
 2:15 pm on Jul 12, 2004 (gmt 0)

>>Let's be honest: IE has been Swiss cheese, while NN/Moz/Opera have been relatively secure.

Have to agree with page1. No need to really crack Opera right now. They are only secure until MS is knocked down. If you don't like IE go use another application. Don't think that it is more secure though because no one is hacking it.

[edited by: korkus2000 at 2:16 pm (utc) on July 12, 2004]

lorax




msg:573099
 2:15 pm on Jul 12, 2004 (gmt 0)

Brett, where did you get your data from? Might add a bit more weight to know the source.

encyclo




msg:573100
 2:32 pm on Jul 12, 2004 (gmt 0)

Mozilla and Opera are currently under intense scrutiny by the bug-hunting community precisely because their use is increasing - Opera has gone through several security-related bug-fix versions recently (7.51 and 7.52 and several of the 7.1 and 7.2 series), and Mozilla was patched only this week.

However, IE's special status comes from its complexity and its integration with the operating system. That means that a bug in IE has consequences with the whole system - if you crash IE, you crash Windows (remember <input type crash>?). If you crack IE, you crack Windows too.

There are undoubtedly bugs still remaining in Opera and Mozilla, but due to their stand-alone and cross-platform nature the bugs are less serious and less damaging. The latest Mozilla bug is a case in point - platform-specific (Windows XP only) and easy to fix (changing parameters in Mozilla has no consequence on the underlying OS as the code is not used elsewhere).

It is right to say that security by obscurity is a bad idea, but Mozilla and Opera are inherently more secure by design.

sidyadav




msg:573101
 2:32 pm on Jul 12, 2004 (gmt 0)

I think the reason for IE being "slow" at recovering vulnerabilities and holes is simple: they have no reason to be dedicated.

Because if you look at Opera, it gets money with the people who want those ads to be removed -- so it indeed is a dedicated browser-only company and must have a team who work on discovering/fixing bugs, vulnerabilities, whatever.

If you look at Mozilla, being open source is an advantage for them -- they have their own community where they actually discuss in public, their own bugs and eventually someone comes with a fix for it.

But IE?
1) It's not open-source
2) It's not shareware

So which indeed gives them a valid reason for not being "at-it" as fast as the others.

Sid

[edited by: sidyadav at 2:37 pm (utc) on July 12, 2004]

pageoneresults




msg:573102
 2:33 pm on Jul 12, 2004 (gmt 0)

Okay, here is the scenario...

"A secret society of hackers has been commissioned to detect and exploit security holes in the IE browser. No one knows who these hackers are or what their agenda is."

"It has been rumored that a group of anti-MS personnel have been funding this secret society of hackers for the main purpose of bringing down the manufacturer of the browser."

Now, what happens when the "next browser" fills that slot? Maybe the MS team will bring together its own secret society of hackers and do the same thing that was done to them. It's only natural to do unto others as they have done unto you.

Nothing is secure. History has proven time and time again that anything can be compromised if enough talent and attention is given to it. As soon as one of those "other browsers" starts to gain public momentum, the security holes will surface. Mark my words! ;)

py9jmas




msg:573103
 2:35 pm on Jul 12, 2004 (gmt 0)

> They will as soon as they become mainstream. All of this focus on IE at the moment is only natural as they dominate more than 90% of the browser market share. If any of the other browsers had any respectable part of that market share, they too would be under the same attacks with probably the same number of security holes to deal with.

Let's have a look. Mozilla's latest security flaw (which was more like a work-around for a MS Windows flaw) was fixed in what, 36 hours? Microsoft still haven't properly fixed IE's latest Active X problems.
[theregister.co.uk...]

Even if the rate of security holes were the same between Mozilla and IE, Mozilla have a far better record of fixing them promptly. That is what is important.

stuntdubl




msg:573104
 2:35 pm on Jul 12, 2004 (gmt 0)

>but due to their stand-alone and cross-platform nature the bugs are less serious and less damaging.

I think this is a huge part of why people SHOULD change. While I don't like the idea of a hacker having control of my browser...I like that idea better than them having access to my whole PC.

I wonder if these escalating issues are making MS think about heavily integrating a browser into Longhorn.

encyclo




msg:573105
 2:48 pm on Jul 12, 2004 (gmt 0)

> As soon as one of those "other browsers" starts to gain public momentum, the security holes will surface.

Absolutely right - but they forcibly will be more limited and the fixes will come quicker. Microsoft has to test IE patches intensively on over 400 test installations, and even then they can't be sure things aren't going to break outside of IE because there is no separation of roles or code between the browser and the OS.

Dudermont




msg:573106
 3:29 pm on Jul 12, 2004 (gmt 0)

MySQL: Six Times Less Bugs than Proprietary Code

If you searched for something like :open source reasoning
you might find the paper on the study.

I think some of the people here might be on to something. I bet as soon as the open source Apache webserver gets any market share, people will realize that it is filled with holes just like the proprietary web servers.

So I guess that the "organized attack" on IIS was because it has the largest market share in web servers not because it is easier to hack.

But wait IIS doesn't have the biggest market share. Well maybe they targeted IIS because it was easier to hack into then. Oh, but that would mean they took the easy route, now that does NOT sound like a criminal to me. They would never try to get ahead the easy way.

korkus2000




msg:573107
 3:32 pm on Jul 12, 2004 (gmt 0)

>>But wait IIS doesn't have the biggest market share

It is not market share of IIS. People hate MS because of the client OS market share. Anything MS is going to be attacked because of MS's enemies. When another software gets enough enemies by being mainstream then you will see the attacks on their products.

Brett_Tabke




msg:573108
 3:51 pm on Jul 12, 2004 (gmt 0)

> They will as soon as they become mainstream

This is where the nonsense flies. That's Microsoft water you are carrying.

If Mozilla or Opera had 95% of the browser market, I think we could go a thousand years, and never find more than a handful of errors.

When we talk Moz or Opera security problems, we are talking about a few coding or logical mistakes.

When we talk about IE's hundreds -- if not thousands -- of security problems, we are talking about fundamental design flaws. e.g.: the product is defective and should be recalled.

Dudermont




msg:573109
 3:56 pm on Jul 12, 2004 (gmt 0)

People in this thread said that as soon as someone else had "any respectable part of that market share" they would soon be in the same situation as IE.

And also many people think this was "organized crime groups", and we all know that organized crime hates Microsoft...or likes money, one of the two.

Kirby




msg:573110
 4:03 pm on Jul 12, 2004 (gmt 0)

>They will as soon as they become mainstream

It won't matter. With Moz or Opera, your whole system isn't exposed.

You can shut a company down for hours with IE. What's the worst damage one can do to you if you're using Moz or Opera?

pageoneresults




msg:573111
 4:11 pm on Jul 12, 2004 (gmt 0)

> What's the worst damage one can do to you if you're using Moz or Opera?

I'm far from being a security expert but, what would stop a hacker from utilizing exploits where they can gain control of your system through your browser?

Kirby




msg:573112
 4:33 pm on Jul 12, 2004 (gmt 0)

>what would stop a hacker from utilizing exploits where they can gain control of your system through your browser?

That's the question, POR. How much control of the OS can one gain through Moz or Opera? If you can bring down an OS like one can with IE, then I agree, it's just an issue of time and market saturation. So how much damage can one do with Moz or Opera?

korkus2000




msg:573113
 4:57 pm on Jul 12, 2004 (gmt 0)

Brett I am not carrying propaganda. I have just worked for some really large companies in many fields and have seen how the smaller competitors thrive off the subset of users who are frustrated with a product.

Water is wet the sky is blue and a lot of people hate MS. I used to absolutely hate MS when I was an Apple only person. What I had to realize was that just because I felt Macs were far superior to Windows, that didn't mean people were going to change. I ended up insulting the people I wanted to convert by acting like they were not as intelligent using Windows.

I agree that integrating IE with windows is not the best idea architecturally speaking, but I will not agree that MS is full of crappy programmers and only their products have problems. To agree with that is just anti-microsoft propaganda.

We all know that when a company, and I mean any company, that gets big starts to look more at the bottom line than their user base. If you are accusing MS of this, then I don't think anyone will disagree.

So let's go back to the original topic and quote:

> Small businesses should be seriously looking at alternatives because they are less likely to be able to maintain very good security around the browser with vulnerability management.

I think this says it all. Many of the exploits for Windows and IE get updates, just users don't update them.

I could care less what browser people use as long as it is not crazy with code from where we have been and present standards. Making blue = red or making a strong tag really mean italic. I also hope I don't have to pay for the darn thing.

bignet




msg:573114
 8:55 pm on Jul 12, 2004 (gmt 0)

Title should read:

2004: Internet Explorer's year of Extinction
[webmasterworld.com]

Survival of the fittest implies that, but another popular thread

Teknorat




msg:573115
 11:58 pm on Jul 12, 2004 (gmt 0)

We forced the entire company to go to Firefox this month. They're not happy but we are.

tedster




msg:573116
 12:11 am on Jul 13, 2004 (gmt 0)

The thing that hasn't been emphasized in this thread is that IE has major taproots right into the Windows operating system. That's the fatal design flaw, IMO. It was more of a marketing decision to do that than a well considered technical decision. IE Mac does not expose Macintosh users.

You don't get that OS integration problem with other browsers. So, yes, the "monoculture" argument (going after the biggest target) has "some" truth to it, but just a little bit.
Browsers that are not integrated into the Windows OS naturally expose many fewer opportunities for exploits.

bedlam




msg:573117
 1:05 am on Jul 13, 2004 (gmt 0)

Yep,

If you designed a building the same way, you'd just have one huge front door that opened directly onto every single room in the building. Even if you put a great big shiny lock on the front door and locks on all the doors between the rooms, all someone would need to do to get into any particular room is get past the lock on the main door.

If, instead, you design your building so that the front door just goes into the lobby and all the doors off the lobby and between the rooms are locked, your intruder will still have a lot of work to do once he gets through the front door.

-B

Ack! What if Mr Gates had gotten into the contracting business instead: "We think it would be good if you could access the toilet from every room in the house without even having to get up..."

Kirby




msg:573118
 1:08 am on Jul 13, 2004 (gmt 0)

lol. lost my beer on that one, bedlam.

vkaryl




msg:573119
 2:23 am on Jul 13, 2004 (gmt 0)

> Does the fact that Mozilla Firefox, et al are open source make it easier to find security holes in them? And if that is true, wouldn't that lead to the conclusion that more of the possible holes in Mozilla Firefox have already been found and patched?

While I have nothing definitive to add to the quoted post or to this thread, I DO have a statement (not that anyone needs to give a rat's ass....)

The one thing that's always bothered me about "open source" stuff is that you generally have NO CLUE who's providing "fixes", "extensions", "upgrades", etc. This is one of the reasons I gave up on *nix a few years back (aside from the fact that "user-friendly" was decidedly NOT EVER in its vocabulary!) - the salient fact that no matter which *nix platform you implement, eventually you will wind up with an "upgrade" which trashes everything you already have in place.... and when you address this fact with the provider of said upgrade, you will receive a polite (or not!) disclaimer that since all open source software is "use at own risk", they're very sorry you lost 100 mb of priceless information, but didn't you have backups?

Been there done exactly that. I DID have backups. But that's NOT THE POINT. The point is that in most cases MS has MORE COMPUNCTION as regards idiot users (myself included which is why I take leave to use that terminology!) than does anything "open source", nearly 100% of which is pointed toward and promulgated by programmers and their near kin.

I still say that open source OSs have some major potential.... BUT.... ONLY A PROGRAMMER COULD LOVE THEM at this point in time.

I have an EXTREMELY large correspondence on the web - approximately a thousand people worldwide on a weekly basis. Only ONE of those people uses a *nix platform - AND HE'S A PROGRAMMER! I LIKE the idea of "free to the people". But it's probably DECADES from reality.

So in the meantime, instead of everyone (naming no names, but we all know who you are, don't we?) trolling for nastiness in re MS etc, how about if we all try to figure out how to minimize the damage for the REAL world?
