[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40E3399A.7000702@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: (IE/SCOB) Switching Software Because of Bugs:
Some Facts About Software and Security bugs
Drew Copley wrote:
>Conclusion: Mozilla may be better. I think there is some strong
>chance of that. But only marginally. It has had bugs. It has a lot
>of features, which means a lot of potential for security issues. They
>have kept their browser more conservative then Microsoft has kept
>Internet Explorer. Traditionally, Mozilla developers have been
>far more "RFC compliant" - as the saying goes then Microsoft.
>
>
>
>
>
Hello Drew,
I'll start with my own disclaimer. I have been a Free Software
developer in the past and my bias is hereby established.
However, while I agree with the general point that any piece of
software will have bugs and switching simply because a bug has been
found is a bad idea, to say that is not to say that all bugs are equal.
(I know that that's not what you were saying, but I know that someone
will read into what was said that way.) I'm sure that MS Calc has
bugs. I know, though, that MS Calc's bugs are, most likely, not going
to allow black hats to compromise systems and steal people's data.
I've had experiences in the past that have shown me one thing and
one thing alone: the argument about marketshare being the primary
motivation of all cracking is played up far too heavily. Many black
hats and script kiddies focus their bugfinding on the most-installed
target, this is true. But, there is a sufficient body of people out
there still attempting to target other applications -- some of them are
very bright. I always wince whenever I see someone bring up the
marketshare argument because my prior experience dictates that it is
simply not so simple.
In my opinion, Microsoft's biggest flaw with Internet Explorer is
that it is a program that can take untrusted content and process it in a
trusted manner. Yes, I know about zoning and yes I acknowledge that as
long as people have the write to access/modify something, there's always
some way that they can shoot themselves in the foot. However, there's a
far difference between people executing programs off of websites/emails
and people simply viewing a website and being "infected" by a
trojan/adware/spyware.
We both know that this scenario is not new. We also both know
that Microsoft is not the only one who's been caught mixing trusted
processing methods and untrusted processing methods in the same piece of
software. However, it's my decided opinion that a web browser's sole
design priority is to process input that is, by definition, unsafe in a
safe way. A program, like Internet Explorer, that mixes OS function
with (in my opinion, very poor) sandboxing will always have backdoors
that allow people to execute code in a trusted fashion. Programs that
do not include this code will never have those types of flaws.
I would like someone to prove that Mozilla can be tricked to run
software in the background without the user's knowledge. I don't just
mean running an XPI on a system with software installation enabled. I
also mean without using a plugin to carry out the attack. I also don't
mean javascript-based XSS attacks - those are a different animal.
I mean a full-on attack using a plain vanilla install of Mozilla
to silently attack a system and compromise it.
The next stage, once that's been proven, is to not just put a
bandaid on Mozilla, but to fix the architecture so that that type of
attack cannot be carried out.
That is the solution to this type of problem. That is where
Internet Explorer (and conversely, Microsoft and many other companies)
has failed. I don't think that it's one bug that's changing anyone's
mind - rather, it's the history of bugs and lack of attention that's
plagued people.
I don't mean any disrespect saying this - it's just my
perspective. I agree with the majority of what you've said, in
generalization -- but, in specificity, I tend to disagree, err - if that
makes sense. :)
-Barry
Powered by blists - more mailing lists