Today, another security hole was mentioned on German online news magazines. So this is probably the 10th security issue in two months. I don't use Windows much so virtually every time I boot into Windows and want to run "WindowsUpdate", I will have to install yet another security fix.
If the Internet Explorer was anything but software (and installed by default and being almost impossible to remove) everyone would file lawsuits and demand a safer product. Why/How can Microsoft deliver such a piece of cr*p?
Here are some of the headlines (from German online news magazines) from the last two months. And this is without the Messenger, Outlook, Office and general Windows security holes:
Golem Network News -- 05.04.2002, 09:55
Security hole in Internet Explorer's CSS interpreter
heise online -- 29.03.2002, 14:58
Security patch for Internet Explorer
Golem Network News -- 11.03.2002, 10:24
Security hole in Windows Explorer
Golem Network News -- 05.03.2002, 10:17
Security vulnerability in Microsoft's Java machine
heise online -- 04.03.2002, 16:26
Internet Explorer executes local files
heise online -- 22.02.2002, 13:03
New security patches from Microsoft
Golem Network News -- 22.02.2002, 11:11
Three new security vulnerabilities discovered in Microsoft products
heise online -- 12.02.2002, 15:49
Internet Explorer: new patches, new holes
And don't tell me you are using some "personal firewall". It's nothing but an illusion of security and will provide hardly any real security if you allow your browser to pass traffic through it.
Hehe... do what I did: Buy a Mac, move to B.F.E. Alaska, use Opera as your browser & Eudora for your email. I'm INVINCIBLE!!!! ROFL...
(Well, except that my website & email are hosted in New Jersey...)
However, look at servers... Win servers most certainly are not the most popular and they get knobbled every time someone can be arsed to try....
someone quoted figures for netscape, the figures are higher for edu sites, a lot of the schools seem to use netscape.
i totally agree with MS software being exploited purely because of its wide usage
all things aside, if it's compatible, count me in ;)
So I got a buggy patch for a buggy browser!
In the past month, I got infected with a worm twice, and both times happened when I forgot to return to Opera after checking sites in IE. I do know better. I know my IE6 has security problems, so I try never to use it for general browsing. However, when I'm checking PR, what am I gonna do?
Next week I'm visiting my business partners and they have broadband. Guess I'll download a whole new IE installation then.
back to my first coffee of the day.
I think without doubt IE is easily the most standards compliant browser. MS are pushing open standards everywhere like SOAP etc.. It's also the most forgiving browser (which could well be the origin of some of their problems) - I'd personally be happy for this to go and have a totally strict protocol. Admittedly, they've added some of their own non-standard stuff too but believe me if you ever get the chance to work on an IE only web-native application you will fall in love with this extra stuff.
>> In the past month, I got infected with a worm twice
That amazes me. I know there are holes in IE but I'm yet to meet someone who's fallen victim to a hole in IE. A recent review of IE builds in our organisation showed we had a handful of people who just hadn't patched since the first release; yet nobody had any problems (obviously) we've patched them up now.
By joshie76. I think without doubt IE is easily the most standards compliant browser... It's also the most forgiving browser... Admittedly, they've added some of their own non-standard stuff too...
A fully standards compliant browser should not be able to forgive sloppy code as it immediately throws the standards out of the window and becomes non compliant, also the fact that they have thrown in non standard stuff removes the compliance.
IE is also not free. You buy a bare bones box or build one yourself, you then have to pay for the Windows CD (legally), you are paying for all that is on the CD not just the OS, when you buy with bundled software or the OS installed you're still paying for it.
Personally I could not care less which is and isn't compliant, I write for IE and fix the bits that don't work on NS, it annoys the h*ll out of me that I have to do that but it's easier than writing 100% compliant code. At the end of the day at least 88% of browsers in use are IE so if I can't fix my code to work on non IE browsers I'm only losing a maximum of 12%, but most things are fixable anyway.
BTW when you preview your post and then use the back button as suggested you lose your post. You all probably know that, but this is the first post I've made on this forum so please forgive me for preaching to the converted.
There is only one reason I don't like NS and that is because of all the extra work I have to do because it is so compliant
I was a staunch NS 4.7 user, and wouldn't change to MSIE for a very simple reason: MSIE doesn't do enough to tell me what's going on. For downloads, it's got a little blue progress bar that slowly fills up at an arbitrary rate. I won't know whether my connection has stalled or not as the blue bar is still filling up slowly. And what's with the MSIE 404 error pages? If the server throws up an error code, I want to see it for myself, not my software's interpretation of it. Regardless of its other merits, information blockout makes MSIE frustrating to use.
The earlier releases of Mozilla had an excellent download display and a readout of the total load time. Not sure why Netscape 6 ditched it. Opera's readout is also good; you get a readout of kb/s download speed and number of images remaining. Its only problem is when the connection stalls (instead of reading 0kb/s, the previous speed simply decays).
I would go so far as to say that I'd like to see a mini Go!zilla style download graph telling me exactly what's going on with the connections. A one-click instant traceroute for troublesome servers would also be nice. :)
I was wondering what you were up to! Thought it best not to ask ;)
Re: The 404 error messages. I thought you only got the MSN screen (which I find quite handy if I'm guessing URIs) if the server response was just a simple 404 - any custom error message would override it.
Welcome to the forum, Jeepers.
I agree with you very much. In fact, I've never liked IE, and I usually avoid it. I agree with EX_S on this one - IE hides too much important information. It's almost as bad as teaching my Mom how to use her AOL account.
That's one thing I love about Opera. You want to see what's happening under the hood? No problem?
I use Windows at home...before that I used MS DOS...at work we have a system that by my choice will be entirely Windows 2000 from next week
so you can't call me an MS knocker...I use the operating system because it is the best available option
but I have every right to criticise MS for their utterly ludicrous default settings, their complete inability to get to grips with multi-user systems, and their misunderstanding of the web and the Internet
if I didn't want to use their software I simply wouldn't care...I just want them to get it right...to understand that we are all working in different ways, and would like the chance to have a little more control
...and to stop selling Front Page, of course :)
Somewhat unrelated thought - Does anyone actually agree with the train of thought that it should be illegal for MS to bundle IE with Windows? If so, how would any new computer surf the web? It would make no sense for browser makers to pay computer companies to bundle their browser since the browsers are free, and no one could go download Netscape (or IE for that matter) since they don't have a browser. Basically, we would see either a proliferation of AOL users due to their aggressive cd-marketing strategy, or an increase of cds in the mail as every browser manufacturer starts sending them to every address...
I like the current options. Besides, if anyone has a right to sue MS for using their "monopoly", it's Hoyle. Freecell and Solitaire are definitely not an important OS function, and think of all the people who don't buy Hoyle products as a result of a bundled solitaire? ;)
Who pushes the use of one browser over another? Uninformed users will stick with IE or start using AOL the second it hits the mailbox. But a great majority of users are from work, schools, libraries, etc. Those PCs are set up by IT personnel that make informed decisions. (Schools are always behind in technology, thus the high use of netscape.)
Those decisions are based on ease of use and support, as well as compatibility with the OS and other software (ie MS Office, etc)
This doesn't address Macs or other machines, but I am speaking on the majorities
My praise goes to Microsoft for helping to standardize the world of PCs. I also applaud those that truly compete with Microsoft and help push the envelope and improve competition.
I use Opera for the features and speed (amazing!), but I do respect IE6's rendering capabilities, and I still just may type an url into the address bar of any open windows folder simply because it's there... and I can.
I feel strongly however, about "forgiving browsers" and place much of the blame of the preponderance of sloppy coding on their existence.
A little "tough love" would have brought us all to some form of standards much earlier... and with much less squawking!
Now it's like taking a pacifier away from a spoiled toddler. Bwaaaaaaaah! I don't want to write valid code!!! I never had to before...! Bwaaaahaaahaaahhh! ;)
The problem is a bit bigger than just IE. The OS is designed to pass objects to libraries that can open them. If the lib is not secure, it makes little difference what the front end is. Everybody has their own idea about the best support programs to use to open files. I would compare it to p2p file sharing, the potential for security errors is very big; increase the programs for p2p and you increase the potential.
Papabear, while it would be nice to have everyone contributing to the web with standard code, to do so is to censor the web.
The Internet is a massive communication tool, anyone can post anything from anywhere in the world.
Should we punish friends and family because the photos they uploaded of their new baby don't comply with the W3C? Perhaps we should clamp down on Charities trying to use the web but doing it themselves? Or what about those nasty Sandra Bullock fan sites?
Let's ban them all from the web!
Let's turn a free mass communication tool into an elitist club where only those with the right handshake can get in.
Yes, those who call themselves "web designers" should be coding correctly but let's not forget the reason why browsers were invented in the first place - to access the web!
Much like attempting to learn the English language, the exceptions, not the rules, are by far, the most difficult - ain't they?
Clear structure and formal rules are just that, and as such are far easier to learn than the hacks, the work-arounds and the general "jump-through-the-hoop" nonsense we have come to accept as the necessary evils of Web Authoring.
It has been the "forgive-this-sloppy-code" but "don't-render-that-sloppy-code" inconsistencies that have made Web Authoring so foreboding for many newbies.
Forgiving browsers and "devil-may-care" attitudes have done more to make the web a confusing, and less welcoming place, than anything else.
Rules bring order.
Take the four basic rules of XHTML as an example:
These four simple rules alone clear up much of the confusion of writing valid code, but if an attribute is left "unquoted" will the page still display? Yes... and to this I say, "A pity: another learning opportunity lost!"
I would rather see the page fail because of the oversight, not forgiven and rendered regardless. This is what I mean by "tough love."
How long do you think it would take before anyone coding their first webpage would "learn" to quote all attributes, close all tags, and properly nest elements? Far from being elitist, quite the contrary in fact, I see this as absolute fairness for all.
In a perfect world, budding Web Developers would be concentrating on learning advanced techniques, not advanced "hacks" and work-arounds.
Web Standards is an attempt to bring order out of chaos, reason out of insanity and thereby making it less intimidating and far more welcoming to those who wish to write their "great web novels" or post family photos.
From my years of working as a "trouble shooter" I can tell you, I was always much happier knowing conclusively "why something did not work" as opposed to "wondering why it did."
Forgiving browsers are anything but in the long run. Allowing, even encouraging, bad coding habits is not in anyone's best interest.
Tough love gets a lot easier after the first few lessons....
Let's not even get into using HTML as a layout tool for all these years... Just try to explain to a newbie why they need a dozen transparent.gifs to make that table display properly so the picture of the "new baby" lines up with the photo of "Dad" and not opposite the photo of "Uncle Tim." I never did trust that lecherous son-of-a-don't-cha-know! ;) Don't cha?
Therein lies your mistake....assuming that people want to learn ;)
People are lazy, nothing new there. I have friends who like to publish stuff once or twice a year. They want to open front page insert a couple pictures, maybe some text and links to other sites.
They could not care less about proper syntax or nesting tags properly, they just want it to work. If they had to learn anything then it's too much like hard work and they probably wouldn't bother.
I hate Front Page and I hate sloppy code but for those people who are not "budding web designers".
I see no reason why they should not be "forgiven" for the lack of knowledge or understanding about a field in which they have no interest.
I see no reason why they should not be "forgiven" for the lack of knowledge or understanding about a field in which they have no interest.
Personally I think anyone using FP should be whipped senseless with a knotted rope. :)
Is it universal or unique to Denmark that almost every small business site is built with that monstrosity?
I reckon it must be government issue over here!
(hey, I seem to have become a full member, wahoo!)
Now it's been almost a week, and guess what:
heise online -- 10.04.2002, 18:11
Zehn neue Sicherheitslücken im Internet Information Server
That translates to "ten (10!) new security holes in IIS".
And yes Microsoft claims them to be critical. They range from
buffer overflows and possible DoS attacks to executing
arbitrary code on the server. Nothing unusual.
Let me add a quote from Bruce Schneier (CRYPTO-GRAM January 15, 2002)
Honestly, security experts don't pick on Microsoft because we
have some fundamental dislike for the company. Indeed, Microsoft's
poor products are one of the reasons we're in business. We pick on
them because they've done more to harm Internet security than anyone
else, because they repeatedly lie to the public about their products'
security, and because they do everything they can to convince people
that the problems lie anywhere but inside Microsoft. Microsoft treats
security vulnerabilities as public relations problems. Until that
changes, expect more of this kind of nonsense from Microsoft
and its products.
So I agree with Brett. Microsoft Windows should have stayed a single
user/single machine OS. They should put up a warning sign, telling
people that Windows can and will not protect their data from anyone
that can access the PC in person or via network. Microsoft Windows
is and will always be a single user/single machine OS. Face it.
Crazy_Fool: i expect that if netscrap and other browsers were
as popular as IE, hackers would find just as many security holes in
them as they manage to find in IE.
markd: I wish everyone in the entire world would use Internet
I wish everyone in the entire world would drive
Marshall: Did you ever wonder if some of the hackers are Netscape or other browser programmers just out to give MS a bad
Or any twelve year old kid in the neighborhood.
JeremyL: I use IE and why wouldn't I. Big deal if there are security issues. I hit windows update and in a minute or two they
That will make you a big exception. Check your
joshie76: I know there are holes in IE but I'm yet to meet someone who's fallen victim to a hole in IE.
They will eventually:
heise online -- 10.04.2002, 17:22
Security study: hybrid attacks on the rise
This article (sorry in German) ends with (free translation): more and
more home users fall victim to black hats: hybrid attacks (DoS, active
worms via security holes, email worms) increase as an ever growing
number of Windows PCs is being connected to the Internet. These
standard PC systems often haven't had a security update for months.
Trust me, we will see some HUGE attacks in the near future. All
these cable/flat users with their Windows boxes, MSIE, OE, and file
sharing (gnutella, morpheus, winmx, KaZaA, ...) activated are just
begging to be attacked.
Of course, neither Microsoft nor the users that haven't installed
security patches in years will be held responsible. It's either
gonna be some "terrorists that declared war on CyberSpace"
(meaning $$$ for lots of 3-letter-agencies) or some script kiddie.
joshie76: MS are pushing open standards everywhere like SOAP
As long as they have to. They can stop tomorrow. I am