Message-ID: <FCAD9F541A8E8A44881527A6792F892C293951@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Barry Fitzgerald
> Sent: Wednesday, June 30, 2004 3:07 PM
> To: Drew Copley
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] (IE/SCOB) Switching Software
> Because of Bugs: Some Facts About Software and Security bugs
>
> Drew Copley wrote:
>
> >Conclusion: Mozilla may be better. I think there is some strong
> >chance of that. But only marginally. It has had bugs. It has a lot
> >of features, which means a lot of potential for security issues. They
> >have kept their browser more conservative than Microsoft has kept
> >Internet Explorer. Traditionally, Mozilla developers have been
> >far more "RFC compliant" - as the saying goes - than Microsoft.
> >
>
> Hello Drew,
>
> I'll start with my own disclaimer. I have been a Free Software
> developer in the past and my bias is hereby established.
>
> However, while I agree with the general point that any piece of
> software will have bugs and switching simply because a bug has been
> found is a bad idea, to say that is not to say that all bugs are equal.
> (I know that that's not what you were saying, but I know that someone
> will read into what was said that way.) I'm sure that MS Calc has
> bugs. I know, though, that MS Calc's bugs are, most likely, not going
> to allow black hats to compromise systems and steal people's data.
You are right, that is not what I am saying but some could read
it that way, actually. Sorry, should have noted that in my first
reply.
>
> I've had experiences in the past that have shown me one thing and
> one thing alone: the argument about marketshare being the primary
> motivation of all cracking is played up far too heavily. Many black
> hats and script kiddies focus their bugfinding on the most-installed
> target, this is true. But, there is a sufficient body of people out
> there still attempting to target other applications -- some of them are
> very bright. I always wince whenever I see someone bring up the
> marketshare argument because my prior experience dictates that it is
> simply not so simple.
>
> In my opinion, Microsoft's biggest flaw with Internet Explorer is
> that it is a program that can take untrusted content and process it in a
> trusted manner. Yes, I know about zoning and yes I acknowledge that as
> long as people have the right to access/modify something, there's always
> some way that they can shoot themselves in the foot. However, there's a
> far difference between people executing programs off of websites/emails
> and people simply viewing a website and being "infected" by a
> trojan/adware/spyware.
>
> We both know that this scenario is not new. We also both know
> that Microsoft is not the only one who's been caught mixing trusted
> processing methods and untrusted processing methods in the same piece of
> software. However, it's my decided opinion that a web browser's sole
> design priority is to process input that is, by definition, unsafe in a
> safe way. A program, like Internet Explorer, that mixes OS function
> with (in my opinion, very poor) sandboxing will always have backdoors
> that allow people to execute code in a trusted fashion. Programs that
> do not include this code will never have those types of flaws.
>
> I would like someone to prove that Mozilla can be tricked to run
> software in the background without the user's knowledge. I don't just
> mean running an XPI on a system with software installation enabled. I
> also mean without using a plugin to carry out the attack. I also don't
> mean javascript-based XSS attacks - those are a different animal.
>
> I mean a full-on attack using a plain vanilla install of Mozilla
> to silently attack a system and compromise it.
>
> The next stage, once that's been proven, is to not just put a
> bandaid on Mozilla, but to fix the architecture so that that type of
> attack cannot be carried out.
>
> That is the solution to this type of problem. That is where
> Internet Explorer (and conversely, Microsoft and many other companies)
> has failed. I don't think that it's one bug that's changing anyone's
> mind - rather, it's the history of bugs and lack of attention that's
> plagued people.
>
> I don't mean any disrespect saying this - it's just my
> perspective. I agree with the majority of what you've said, in
> generalization -- but, in specificity, I tend to disagree, err - if that
> makes sense. :)
>
> -Barry