WebmasterWorld
Today, another security hole was mentioned on German online news magazines. So this is probably the 10th security issue in two months. I don't use Windows much, so virtually every time I boot into Windows and want to run "WindowsUpdate", I will have to install yet another security fix.
If Internet Explorer were anything but software (and it is installed by default and almost impossible to remove), everyone would file lawsuits and demand a safer product. Why/how can Microsoft deliver such a piece of cr*p?
Here are some of the headlines (from German online news magazines) from the last two months. And this is without the Messenger, Outlook, Office and general Windows security holes:
Golem Network News -- 05.04.2002, 09:55
Security hole in Internet Explorer's CSS interpreter
heise online -- 29.03.2002, 14:58
Security patch for Internet Explorer
Golem Network News -- 11.03.2002, 10:24
Security hole in Windows Explorer
Golem Network News -- 05.03.2002, 10:17
Security vulnerability in Microsoft's Java machine
heise online -- 04.03.2002, 16:26
Internet Explorer executes local files
heise online -- 22.02.2002, 13:03
New security patches from Microsoft
Golem Network News -- 22.02.2002, 11:11
Three new security vulnerabilities discovered in Microsoft products
heise online -- 12.02.2002, 15:49
Internet Explorer: new patches, new holes
And don't tell me you are using some "personal firewall". It's nothing but an illusion of security and will provide hardly any real security if you allow your browser to pass traffic through it.
How could Microsoft allow this to happen?
We are not talking about the little programming shop on the corner. This is a multinational, established brand leader in its industry. How could Microsoft put out such apparently shoddy programming?
I think in order to understand it, we have to look at the Microsoft culture. For two-plus decades, Microsoft has been writing for microcomputers. 95% of that time, Microsoft programmers have had to concern themselves with one man - one machine.
There were no considerations needed for logins, security, or multi-user environments. It wasn't even until the late 80's that MS put out a solid networking system. Even that networking was for a closed loop environment where the biggest concern was file sharing - not security.
During MS's massive growth during the 80's, who did they hire? They hired greenhorn, fresh-off-the-farm college boys in Bill Gates' image. Most of whom grew up on one user - one machine computing. They were the high school kids that toyed with the first Commodores, Apple IIs and Ataris.
That culture instilled itself as much as cement in the cornerstones of the building. Many of those programmers' entire life experience with computers could be spelled with two letters: PC. Not only did they hire guys fresh out of college that had done nothing but PC programming, they were the same guys that taught the new guys.
Desktop security in that environment was defined by the latest screen saver or keyboard lock utility - all hail SideKick!. They didn't have the training in multiuser, networked environments. It wasn't their game.
Suddenly, in the mid-90's, after years of single user programming, Microsoft found themselves a day late to the internet party without an invitation. When MS did sit down to begin work on internet software, they went to the same guys who'd been programming for one user - one machine for two decades.
That scramble turned to panic when Gates called all hands to battle stations in '97. As they went to work in earnest on internet software, they did so in the rushed, hurried, gotta-have-it-yesterday environment. "We'll fix it in the upgrade" became the battle cry.
That code that was produced out of the one user - one machine Microsoftie culture of the 80's, still lives on in many of MS's products today. We see error after error, virus after virus today because the work never went into the core in the first place.
That's no consolation for those of us that would like to use their products, but it does put a backdrop on all the problems we continue to see with MS internet software. I just hope they get the worst of them found and fixed before something worse happens net-wide.
I still think the OS itself is sound (98se is the best OS I've ever used), but until there is a track record of security, I am going to continue to use all the alternatives to Microsoft products available.
Home users also use it a lot because they will buy a PC with Windows and as such they will have IE installed. Most home users will surf with what they've got rather than going to the trouble of downloading and installing new software.
I'd like to stress at this point I use MS even though I'm not keen on it.
Do these people shout and holler about Netscape? How could Netscape release Netscrap 4.x, a browser that simply didn't work? Why did it take them so long to release 6.x? Why did they release 6.0, another browser that simply didn't work properly, was a pain to install, repeatedly crashed and still didn't display sites properly? How could such a large corporation neglect loyal users for so long?
The bottom line is that no browser is perfect, but they are all free. At least IE works, which is a lot more than can be said for the alleged competitor browsers.
So, is anyone actually using IE? Yes, about 95% of my site visitors use IE.
I expect that if Netscrap and other browsers were as popular as IE, hackers would find just as many security holes in them as they manage to find in IE. The thing is, there is no point hunting for security holes in Netscrap or Opera because usage is so low.
Everything works first time (unless I have fouled up); I can use CSS, DHTML and Java without having sleepless nights.
Still doesn't excuse the holes and seeming lack of attention to detail, but even so...
In time I think quality will win, and since AOL is said to be switching from IE to Netscape and the Gecko engine (it was bound to happen after they bought NS a few years back), we are all going to have to take NS 6 very seriously very soon.
Also, standards are becoming more important with portable devices hitting us bigtime in the future, so I should think that designing for IE (meaning non-standard) will soon take a back seat.
1) It is probably written in C++, a language that encourages security flaws through buffer overruns. Some other languages don't have that problem.
"We'll fix it in the upgrade" became the battle cry.
That could be said of Netscape as well.
As for the browser wars, right now it's not a war. All the MS bashing isn't surprising. Reminds me of Monty Python's bit in Life Of Brian. What have the Romans ever done for us? Apart from the aqueduct, sewer system, roads, law enforcement...
Netscape has plenty of bugs, NS users are hesitant to mention them. As for the proliferation of malware targeted at MS browsers, why would anyone bother writing code targeted at NS users? Malware writers want recognition so they target the largest market.
As for AOL, adopting the Gecko engine may or may not occur, but if AOL changes the way their browser looks too much they risk confusing the user and that is a well documented no-no. Does anyone consider AOL FORCING Netscape on its users a success for NS? Seems like Micro$oft took quite a bit of heat for "forcing" their browser on us poor unsuspecting surfers.
Competition is a good thing though, the end user benefits. Until Microsoft is dethroned, they will remain the target of choice, however misguided the attackers are. :)
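The point raised earlier in the thread about C and C++ "encouraging security flaws through buffer overruns", shown as an added example that is not code from the original thread or from any Microsoft or Netscape product. A hypothetical session record (constructed here) keeps a fixed-size name buffer next to a privilege flag; a strcpy-style copy with no bound spills the attacker's input into the flag, while a strlcpy-style bounded copy refuses to write past the buffer and tells the caller the input did not fit. The struct, the field names and the 19-byte input string are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Hypothetical session record (constructed for this example): a fixed-size
 * name immediately followed by a privilege flag, so an overrun of name[]
 * lands in is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable: behaves like strcpy(), copying until the NUL with no idea how
 * large dst is. NOINLINE keeps the compiler from reasoning the overrun away. */
static NOINLINE void copy_unbounded(char *dst, const char *src)
{
    while (*src != '\0')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened: behaves like strlcpy(). Writes at most dst_size bytes, always
 * NUL-terminates, and returns 1 when src did not fit (caller should reject). */
static NOINLINE int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return 1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed attacker input: 19 bytes, three more than name[] can hold
 * (19 rather than 20 so the terminating NUL still lands inside the struct). */
static const char attacker_name[] = "AAAAAAAAAAAAAAAAAAA";

/* Unbounded copy: returns is_admin afterwards; nonzero means the overflow
 * overwrote the flag with 'A' bytes. */
int demo_unbounded_is_admin(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    copy_unbounded(s.name, attacker_name);
    return s.is_admin;
}

/* Bounded copy: returns is_admin afterwards, which stays 0. */
int demo_bounded_is_admin(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    (void)copy_bounded(s.name, sizeof s.name, attacker_name);
    return s.is_admin;
}

/* Bounded copy: returns the truncation flag, so the caller can refuse the
 * request instead of silently continuing with a clipped name. */
int demo_bounded_truncated(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    return copy_bounded(s.name, sizeof s.name, attacker_name);
}

int main(void)
{
    printf("unbounded copy: is_admin = 0x%x\n", (unsigned)demo_unbounded_is_admin());
    printf("bounded copy:   is_admin = 0x%x, truncated = %d\n",
           (unsigned)demo_bounded_is_admin(), demo_bounded_truncated());
    return 0;
}
```

The unbounded version is what the thread is complaining about: nothing in the language stops the write, and the flag that decides privilege is simply whatever bytes the attacker chose to send. The bounded version fixes the write but is only half the fix; the caller must treat the truncation return as an error, since silently accepting a clipped name is its own class of bug.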
Netscape 6.0 was a major problem for me because it was so buggy and so obviously not ready for release. It was horrible and I was soured on their product for a long time after it. I've started using it again now and then because I like having alternatives, and I've found the newer release has fixed most of the problems.
Opera is a nice browser and I actually paid for the PRO version (don't like adware). I've started using it more and more, just because I don't like MS's decision to dump Java.
I do hope that AOL goes ahead with its plans to replace IE, simply because I would like to see more competition in this area.
(edited by: rcjordan at 3:09 pm (utc) on April 5, 2002)
I think you hit the nail on the head there Richard. The release of Netscape 6 has left people with lots of negative feeling/experiences - a bit of a blunder really.
In defence of the Mozilla browser project the version I'm using now - 0.9.9 - nearly a year on from when Netscape 6 was released - is very stable, is not buggy and IMO conforms to the standards better than IE6.
I've not kept track of the security incidents with Mozilla - maybe I'll start to ... I can't help but feel that open source code where people have the chance to inspect and fix security problems for something that has become as integral to computer use as a web browser cannot help but be a good thing. Sure, holes may be found more easily by being open source - but the patches will be released 1000 times quicker than with closed source software.
I expect that if Netscrap and other browsers were as popular as IE, hackers would find just as many security holes in them as they manage to find in IE. The thing is, there is no point hunting for security holes in Netscrap or Opera because usage is so low.
Exactly my thoughts. It would be theoretically impossible to test a product for everything that it is capable of doing, especially an internet product. Look at how rapidly people/spammers/hackers adapt and refine their tactics.
It's basically a result of the culture - build something as fast as you can and release a patch to fix the problems that are going to show up a month later. Instead of having tests, just release it and you'll have a testing ground for free. If people stopped paying for the latest release, and made a ruckus about companies not putting out quality product, there might be some changes. As it is now, there is no downside to releasing a buggy product. Look at all the Microsoft bugs, and has their market share fallen? No, in fact it has risen...
That being said, I'm not a MS basher. In fact, pretty much all my software (minus web development) is MS. IE 6 works perfectly for me, and is as standards compliant as it gets (to my knowledge). The only standards issue in previous (5.x) versions was the CSS box model, and who wouldn't get that wrong? Let's see, I specify my box to be 300px, then I add 25px margin on the inside of the box, suddenly the box is 350px wide? The W3C were the ones who screwed that up!
Software companies are rewarded for sloppiness. Look at SimGolf (addicting!) - already has two patches out which fix two pages worth of items. CivIII had at least two patches, fixing probably 10 pages worth of items. Apache has patches, and even Linux has security holes.
I used Win for years and after toying with Mac and finally settling on Linux I count myself lucky to be aware of the choice.
And that, in a nutshell, explains IE popularity: just because Win users can choose doesn't mean they do. Check the logs, how many IE 5.0s are there? Loads, right... Most of the masses neither know nor care that they might even upgrade, let alone change!
I don't hate Microsoft. I applaud their beautiful, blatant and downright crafty and clever approach.
I just wish that the general public weren't so embarrassingly stupid.
Their opinion has to be, "so what if the webmasters, users and competition look down on us for creating a bad product. They're not paying for it." And as was mentioned above, "Why should we pay for testing. Let the hackers test it; we'll fix it in the update."
We performed testing on Linux, Unix and the Mac OS (I think the Mac was OS 7.5 at the time). Windows NT 4.0 and later 2000 were by far preferred by the users, were by far more stable, and had by far more products available. That actually was the main problem with the other operating systems - much less software was available.
As far as security and such are concerned, we use automated tools to keep the software up-to-date on all of the desktops.
Our systems are stable partially because they are totally locked down. We found that users who install their own products have many orders of magnitude more problems with the OS than those who don't. So when we rolled out new systems at Y2K we locked them down and the problems almost went away. The statistics changed by the same order of magnitude regardless of the OS.
I hear lots of complaining about Windows, but in my experience, when competently managed, 2000 and XP are very good indeed. And that's the result of hard experience.
Did you ever wonder if some of the hackers are Netscape or other browser programmers just out to give MS a bad name.
Marshall, I think you've touched on a good point; after all, the king of the hill is the one to attack, and that is the attraction. It has (often) been argued that if other OSes or browsers enjoyed MS's popularity, they too would be subjected to similar attacks.
Never underestimate the resourcefulness of someone determined to wreak havoc with the sole motivation of trying to "beat the devil." In this case, the devil is whoever's on top....
:) Come on, who cares if Hotmail is down for a few minutes - they got a full page advertisement on news.com; maybe some new people will sign up for the Passport/Hotmail service now.
I think eventually someone will make a simpler 'restricted' Linux distribution that, with the right backing, could floor MS Win in 10 yrs, but until then they reign supreme....
I'd say the principle is a bit more malevolent than that. For those bent on destruction, any place of concentrated resources is the spot to attack.
This is why genetic diversity is important to species survival, why terrorists look to transportation hubs for their mayhem, and why the Internet itself was created.
Microsoft is not a physical concentration of assets, but their near-monopolies in browsers and other business related software means their success has created a cyber-vulnerability of great magnitude. No matter how poor or good Microsoft's products may be, diversity is essential for our cyber-health in a world where not everyone has good intentions.