
HTML Forum

This 40 message thread spans 2 pages.
Patches Coming for 9 Fresh IE Holes
Brace yourself:
Brett_Tabke




msg:619323
 4:25 pm on Jul 13, 2004 (gmt 0)

[slashdot.org...]

At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.


 

Brett_Tabke




msg:619353
 3:46 pm on Jul 14, 2004 (gmt 0)

> Am I starting to sound like a MS representative?

No, I just don't think you are coming to terms with the scale and scope of the problem.

Elephant vs Mouse.
The Empire State Building vs a trailer house.
All the beaches in the world vs a grain of sand.
The sun vs a match.
Microsoft IE security record vs Netscape/Mozilla security record.

webdevsf




msg:619354
 4:02 pm on Jul 14, 2004 (gmt 0)

However, because IE is tightly integrated into the Operating System, not only are more exploits possible, more devastating and intrusive exploits are possible.

Because IE is tightly integrated into the Operating System I can use a rich Windows interface on my intranet applications, without having to deploy to thousands of users.

Because IE is tightly integrated into the Operating System I can print in any format I want, not just what the browser says I can.

Because IE is tightly integrated into the Operating System I can save documents to my filesystem, instead of having to run everything from the server and worrying about hitting the back button all the time and losing my data.

Because IE is tightly integrated into the Operating System I can leverage my existing investment in IT infrastructure without having to recreate everything from a file system to a message board to a messaging server, without having to hire new IT professionals to learn an entirely new set of software.

Software is not made for IT professionals. It is made for users who are trying to do something. Users who don't switch to Mozilla and open source are not idiots, they just have a day job that doesn't involve IT.

Hanu




msg:619355
 4:07 pm on Jul 14, 2004 (gmt 0)

>Elephant vs Mouse

Now, that is propaganda ...

bedlam




msg:619356
 4:26 pm on Jul 14, 2004 (gmt 0)

> Software is not made for IT professionals. It is made for users who are trying to do something. Users who don't switch to Mozilla and open source are not idiots, they just have a day job that doesn't involve IT.

You've missed the point; the number and kinds of vulnerabilities in IE are beginning to require ordinary users to become security professionals just in order to get those perks you mentioned...

-B

tedster




msg:619357
 4:36 pm on Jul 14, 2004 (gmt 0)

webdevsf, you're right. Those are all the good reasons for the browser/OS integration. And the security problems we've got are the unforeseen price.

I think what happened is that the extent of malicious hacking was not given nearly enough weight - in the enthusiasm to give end users all the grand possibilities. And that decision had at least as much to do with extending market dominance as it did with serving the end users.

I have friends who are making thousands cleaning up what office workers have imported into their systems via IE. The day jobs those workers hold down may not be in IT, but they do involve a bit of recreational surfing in some pretty dicey neighborhoods - on coffee break, I assume ;)

webdevsf




msg:619358
 4:49 pm on Jul 14, 2004 (gmt 0)

> You've missed the point; the number and kinds of vulnerabilities in IE are beginning to require ordinary users to become security professionals just in order to get those perks you mentioned...

So what? If you work in a corp, you hire IT pros to do this. If you have a small biz, you hire consultants. It's one of the costs of doing business.

If you are an individual, you buy anti-virus software, you buy a firewall, and you buy hardware from a vendor who provides service for you in case of problems.

Ultimately, like all software, it catches up and gets commoditized and does the work for you. It may take a few years, but it does.

If Moz can offer both security and rich features, they would win. But offering security without OS rich features is going to lose. MS knows that and focuses rightly on what the customer demands first.

Eventually, all these issues will get resolved within a few years, and MS will have both a secure and feature-rich, OS integrated browser, whereas Moz will just have a secure one.

grelmar




msg:619359
 5:17 pm on Jul 14, 2004 (gmt 0)

As often as I rant against MS, I'm going to have to partially agree with WebDev.

A lot of the features made possible through coupling IE with the OS have become a major part of everyday life in modern offices. We're not going to get rid of that anytime soon, nor should we want to. Overall, it increases productivity.

However...

That doesn't mean we have to stick with IE as a browser. And this is an argument I rarely see. Keep the IE functionality for all the benefits it gives us with our intranets, and surfing our own file systems. It's very useful for that. But take away its access to the net.

From a programming point of view, it would be an easy thing to do. You'd still have all the wicky-whacks that OS touts (rightly) as a major feature. But you would eliminate a huge mass of security issues. You simply divide the digital world into two parts: The internal framework of your own computer and intranet, and the outside "dangerous" world of the internet. Have one set of rules (IE) for the safe inner world, and a different set of rules (a stand-alone, uncoupled browser) for the big bad dangerous world "out there".

How hard would that be? Really? All the MicroSofties would get the "Rich Computing Experience" (*cough*) that they so adore, but they'd be able to surf much more securely.

And from a business point, MS could actually benefit from this approach. Think of all the time and money they spend now working on security issues for a product that generates no income. Think of all the bad press it generates. Think of how much of that baggage they would be able to shed if they simply cut the strings between IE and the outside world?

Then all the microsofties could live in their nice, secure little mega-corp controlled world without having to worry about the big bad bullies of the open source community...

errr... dang, I was gonna try and be nice to the microsofties for a change. I veered away somewhere along the line.

webdevsf




msg:619360
 5:25 pm on Jul 14, 2004 (gmt 0)

> From a programming point of view, it would be an easy thing to do. You'd still have all the wicky-whacks that OS touts (rightly) as a major feature. But you would eliminate a huge mass of security issues. You simply divide the digital world into two parts: The internal framework of your own computer and intranet, and the outside "dangerous" world of the internet. Have one set of rules (IE) for the safe inner world, and a different set of rules (a stand-alone, uncoupled browser) for the big bad dangerous world "out there".

Tools->Internet Options->Security->Local Intranet Zone

IE has bugs in this code right now that allow code from one zone to act like it's from another more privileged zone. Once all the "security zone" bugs get fixed, these kinds of problems will be reduced or eliminated.

Brett_Tabke




msg:619361
 9:05 pm on Jul 14, 2004 (gmt 0)

> Elephant vs Mouse
>Now, that is propaganda ...

Some estimate there have been over 1000 holes in IE patched. There have been less than 15 (4 critical) in Mozilla.

15 vs 1000?

That's a Mouse vs Elephant.

(But the Sun vs a Match, was a bit of a reach ;-)

grelmar




msg:619362
 9:21 pm on Jul 14, 2004 (gmt 0)

> Tools->Internet Options->Security->Local Intranet Zone

> IE has bugs in this code right now that allow code from one zone to act like it's from another more privileged zone. Once all the "security zone" bugs get fixed, these kinds of problems will be reduced or eliminated.

Sorry, I wasn't clear.

What I meant was completely banning IE from accessing the internet, period.

Not really a "zone" issue, but an access one. As long as IE has access to both the internet and intranet, then you're going to get zone crossover security issues.

Eliminate the internet as a zone altogether, as far as IE is concerned, and let the stand alone browsers duke it out for access to the net.

And it would be very easy to do. Heck, any one of us can do it already just fiddling with your firewall settings.

If I can do it by flipping a virtual button on my firewall, how hard would it be for the Redmond Brigade to do it in a few lines of code?
