Message-ID: <200407070502.i6752UU01877@pop-6.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: IE Web Browser: "Sitting Duck"

It is a core component of the current Windows UI, this is not the same as
being a core component of Windows. Explorer is simply a UI shell that sits
on the operating system known as Windows. The entire shell is replaceable
and has been for a long time, since at least Win3.1. 

Do programs written for the explorer shell use explorer shell components?
Yes. This, as you mention, is the nature of DLLs and the idea that you don't
have to write everything from scratch. It is why this stuff gets stuffed
into DLLs instead of into big EXEs. Every modern OS has the concept of
shared modules like that. This is so you don't have to write your own object
pickers and other things so they A. Look consistent B. Reduce dev time - RAD
solutions. 

People have been replacing shells for ages on Windows. It has never been
what you would consider mainstream though because most Windows users are not
deep techno weenies like is enjoyed by some of the other OSes that currently
have some small measure of favor in techno weenie world now. When Windows
was first growing up, most of us weenies were over on real Unix or on Minis
swapping RTS's around or even on full Mainframes begging for more cycles
for trek or hunt the wumpus. Once it started getting used seriously by
companies us Weenies were like, ick, Windows, no way, that VB blows... Who
uses BASIC? No one!! You should cry out. Well unless you were on the Digital
Equipment Systems that had huge chunks of the system written in BASIC-PLUS
or BP-2. Of course on DEC, BASIC-PLUS is fine, it has the PLUS in it and
after BP you pretty much had Macro Assembler as the serious language with
some crazy university people talking about that language with the stupid
name... I think it was called c. If you were actually planning on turning in
an assignment in the next 6 months, you probably didn't choose to do it in
MASM. Of course you had FORTRAN and COBOL as well but you couldn't do fun
games in those. The people really using Windows were non-weenies and didn't
care that you could change the shell, they didn't want it changed as excel
and word and most importantly solitaire worked just fine with the way it
was. So Windows never gained the popularity as a weenie OS even though one
of the biggest Weenies was responsible for it. But then, he was in it for
money and the idea he was changing the world. And he got both. 


Anyway, I wouldn't doubt it if half or better of the people ragging on
Windows on this list have any idea that you can replace the shell. They
might know you can use different shells in *nix - note I say they *might*
because the *nixs are picking up a lot of the people who were previously
clueless in Windows and they aren't learning much going to *nix. They just
think it is better and more secure because they know even less about it than
they did about Windows. They aren't true weenies, just people who think they
know enough to be weenies. Being a techno weenie is a "cool" thing now. I
don't know when that happened but it seems to have occurred. 

The people who do change shells regularly on Windows though seem to have a
blast doing it. Actually I recall when the explorer shell first came out and
people had fits over it, they had to publish this...
http://support.microsoft.com/?kbid=142255. It is why progman is STILL around
in XP (note it is gone in Windows Server 2003 - there progman maps to
explorer though I would expect you could copy progman from XP or 2K or
probably even NT4 and it would work on K3). Actually, I just tried this. I
keep a VM that uses CMD as the default shell around for testing things and I
copied progman from XP over to it and it worked fine. 

I believe there may actually be one or two open source (or possibly they
were simply free bin) projects out there still to create the perfect Windows
Shell, at least there were a couple of years back when I last went and
looked. Those shells can, if they want, leverage the DLLs that Microsoft
provided for the explorer shell or create lots of new stuff and use that.
The earliest replacements were usually to lock machines down to kiosk mode
for someone's custom P.O.S. apps. Many evil admins used to do it to jr
admins (a majority of the Windows Admins) by slapping down cmd.exe as the
shell (as mentioned above) so they get a big black screen with a blinking
cursor and that is it unless they know how to call something else up. Heck I
would expect you could make a shell if you wanted that was completely based
on firefox or thunderbird if email/news was your thing. Not sure how useful
that would be but I am pretty confident you could do it if you wanted to put
the time into it. 

Does the UI need work? You will get no argument from me.  Does IE need work?
Again you will get no argument from me. Does the fact that the UI and IE
need rework mean that Windows needs a redesign? Absolutely not. That whole
conversation was about why Windows needed a core level redesign. The UI and
IE do not come into play with that conversation. I am not saying IE doesn't
suck, I am saying in the context of that conversation, it was a moot point.
Period.   

Anyway, even if you replace the shell, you still have the SCuM crunching
away, the event log system still crunching away, the process system, etc etc
etc - the base components can't be turned off and something else used. 

As for the IE not being a simple executable statement... Come on, there
isn't much in Windows that is a simple EXE. Everything is importing from one
or another DLL or else it would be worthless. Even the simplest command line
tools I write will tend to have at least 3-5 DLLs tied in. Go get
Thunderbird and load it on an XP machine. Go get process explorer from
sysinternals or tlist from MS or tasklist from MS. Look at the DLLs and
functions being called. In Sysinternals it is really obvious, Thunderbird
calls more MS DLLs than anything else.  With TLIST it isn't quite as easy to
see but someone used to really looking at Windows can pick out the Windows
DLLs over the others.... Of course there are more because the functionality
of Thunderbird is very limited compared to the functionality of Windows
(Hint one is an OS, one is an email/news client), it pulls from several
different DLLs as it is using lots of different functionality of Windows
which is spread over more DLLs than the Thunderbird specific DLLs need to be
spread. 


                     0x00400000  thunderbird.exe
                     0x01460000  FULLSOFT.DLL
                     0x02070000  profile.dll
                     0x10000000  qfaservices.dll
                     0x60020000  jar50.dll
                     0x60090000  js3250.dll
                     0x60120000  NSLDAP32V50.dll
                     0x60150000  NSLDAPPR32V50.dll
                     0x60160000  nspr4.dll
                     0x601f0000  nssckbi.dll
                     0x60220000  plc4.dll
                     0x60230000  plds4.dll
                     0x60250000  smime3.dll
                     0x60270000  softokn3.dll
                     0x602f0000  xpcom.dll
                     0x60350000  xpcom_compat.dll
                     0x61210000  POINT32.dll
                     0x61220000  MSH_ZWF.dll
        3.2.0.0 shp  0x60190000  nss3.dll
        3.2.0.0 shp  0x602d0000  ssl3.dll
     5.1.2600.0 shp  0x71a50000  mswsock.dll
     5.1.2600.0 shp  0x71a90000  wshtcpip.dll
     5.1.2600.0 shp  0x71aa0000  WS2HELP.dll
     5.1.2600.0 shp  0x71ad0000  WSOCK32.dll
     5.1.2600.0 shp  0x76fb0000  winrnr.dll
     5.1.2600.0 shp  0x76fc0000  rasadhlp.dll
     5.1.2600.0 shp  0x77c00000  VERSION.dll
    3.50.5016.0 shp  0x77120000  OLEAUT32.dll
  5.1.2600.1106 shp  0x73000000  WINSPOOL.DRV
  5.1.2600.1106 shp  0x746f0000  msimtf.dll
  5.1.2600.1106 shp  0x74720000  MSCTF.dll
  5.1.2600.1106 shp  0x76380000  msimg32.dll
  5.1.2600.1106 shp  0x76670000  SETUPAPI.dll
  5.1.2600.1106 shp  0x76f20000  DNSAPI.dll
  5.1.2600.1106 shp  0x76f60000  WLDAP32.dll
  5.1.2600.1106 shp  0x77dd0000  ADVAPI32.dll
  5.1.2600.1106 shp  0x77e60000  kernel32.dll
  5.1.2600.1217 shp  0x77f50000  ntdll.dll
  5.1.2600.1240 shp  0x71ab0000  WS2_32.dll
  5.1.2600.1255 shp  0x77d40000  USER32.dll
  5.1.2600.1346 shp  0x7e090000  GDI32.dll
  5.1.2600.1361 shp  0x78000000  RPCRT4.dll
  5.1.2600.1362 shp  0x771b0000  ole32.dll
  6.0.2800.1106 shp  0x5ad70000  uxtheme.dll
  6.0.2800.1106 shp  0x763b0000  comdlg32.dll
  6.0.2800.1233 shp  0x773d0000  SHELL32.dll
  6.0.2800.1400 shp  0x1a400000  urlmon.dll
  6.0.2800.1400 shp  0x70a70000  SHLWAPI.dll
  7.0.2600.1106 shp  0x77c10000  msvcrt.dll
 2001.12.4414.42 sh  0x77050000  COMRes.dll
 2001.12.4414.53 sh  0x7c890000  CLBCATQ.DLL
 5.82.2800.1106 shp  0x71950000  COMCTL32.dll


To contrast, here is a simple little command line tool I recently wrote for
doing LDAP mods and such... 

       1.0.0.50 shp  0x00400000  AdMod.exe
  5.1.2600.1217 shp  0x77f50000  ntdll.dll
  5.1.2600.1106 shp  0x77e60000  kernel32.dll
  5.1.2600.1106 shp  0x76f60000  WLDAP32.DLL
  7.0.2600.1106 shp  0x77c10000  msvcrt.dll
  5.1.2600.1106 shp  0x77dd0000  ADVAPI32.dll
  5.1.2600.1361 shp  0x78000000  RPCRT4.dll
  5.1.2600.1255 shp  0x77d40000  USER32.DLL
  5.1.2600.1346 shp  0x7e090000  GDI32.dll


If the UI is designed to be heavily influenced by and using lots of internet
components and web browsing is the model you use, of course the
functionality should be stripped out of the browser EXE itself and placed
into DLLs that other processes can leverage, only makes sense, standard
coding practices for systems. This again gets you consistency and
easier/quicker development. I personally don't like the MMC idea, I don't
like the web browsing as the whole user experience idea, etc. However,
because I don't like it doesn't mean I see Windows as useless or needing a
complete redesign. Certain pieces certainly need help though. 

It would be kind of cool if that is the way it is going to be they allow
others to follow a specific set of guidelines in such a way that you could
plug a different set of DLLs in as replacements so you could say use another
browser's functionality. But then people would complain because their
favorite browser couldn't be used because the people writing the browser
didn't want to produce the proper exports and blackbox guidelines in the
DLLs and go about blaming MS for that. On the nice side though, MS does
allow you methods in which to write your own stuff to get around it. Don't
like the MMC, write your own interface, I have written many. Don't like the
browser, write or download another. Don't like the shell write or download
another. 

This is probably a bit jumpy, I wrote this over the course of the whole day
and my mind was on about 1500 different things. I apologize if it is jumpy,
but I am not rewriting it irregardless of how jumpy it is. :o)


 joe

 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Barry
Fitzgerald
Sent: Tuesday, July 06, 2004 10:28 AM
To: joe
Cc: FULL-DISCLOSURE@...ts.netsys.com
Subject: Re: [Full-Disclosure] IE Web Browser: "Sitting Duck"

joe wrote:

>Couple of things.
>
>1. The conversation you are referring to was a conversation about 
>issues with core base components that necessitated a complete redesign. 
>You kept bringing up items that were NOT core base components - they 
>were UI components. IE being one of them. The very fact that you have a 
>choice to use a different browser should help you understand that. Try 
>to use a different ACL system on Windows NT based systems and tell me how
>that goes.
>
>  
>
The choice to use a different browser doesn't imply that IE isn't a core
base component at all.

Is it a part of the kernel?  No...

Is it completely unremovable?  Of course not...

Is it a part of the standard Windows UI?  Yes...

Is it impossible to remove easily and difficult to remove cleanly?  Yes...

Will removing it make many programs operate incorrectly?  Yes...

I think you see where I'm going with this.  It's a core component in MS
Windows, though it may not be a part of the OS kernel, it is, nonetheless,
undebatably, a core component of MS Windows as a software.  
Keep in mind, IE is more than just a simple executable.  The DLLs that it
uses are built to be used  by other portions of the system and are
extensively used.  Of course, this is the nature of DLLs.

                               -Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
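
Added example, not part of the original message or of any tool it mentions: a Python sketch that parses the two module listings quoted in joe's message and reports which DLLs both processes load, compared case-insensitively. The helper names (parse_modules, shared_modules) are hypothetical and the column layout (optional version and flags, base address, module name) is inferred from the listings themselves.

```python
import re

# Excerpt of the Thunderbird listing and the full AdMod listing quoted above.
THUNDERBIRD = """
                     0x00400000  thunderbird.exe
                     0x602f0000  xpcom.dll
        3.2.0.0 shp  0x60190000  nss3.dll
  5.1.2600.1106 shp  0x76f60000  WLDAP32.dll
  5.1.2600.1106 shp  0x77dd0000  ADVAPI32.dll
  5.1.2600.1106 shp  0x77e60000  kernel32.dll
  5.1.2600.1217 shp  0x77f50000  ntdll.dll
  5.1.2600.1255 shp  0x77d40000  USER32.dll
  5.1.2600.1346 shp  0x7e090000  GDI32.dll
  5.1.2600.1361 shp  0x78000000  RPCRT4.dll
  6.0.2800.1233 shp  0x773d0000  SHELL32.dll
  7.0.2600.1106 shp  0x77c10000  msvcrt.dll
"""
ADMOD = """
       1.0.0.50 shp  0x00400000  AdMod.exe
  5.1.2600.1217 shp  0x77f50000  ntdll.dll
  5.1.2600.1106 shp  0x77e60000  kernel32.dll
  5.1.2600.1106 shp  0x76f60000  WLDAP32.DLL
  7.0.2600.1106 shp  0x77c10000  msvcrt.dll
  5.1.2600.1106 shp  0x77dd0000  ADVAPI32.dll
  5.1.2600.1361 shp  0x78000000  RPCRT4.dll
  5.1.2600.1255 shp  0x77d40000  USER32.DLL
  5.1.2600.1346 shp  0x7e090000  GDI32.dll
"""

# Assumed layout: optional "version flags" columns, then base address and name.
LINE = re.compile(
    r"^\s*(?:(?P<ver>\d+(?:\.\d+){3})\s+(?P<flags>[a-z]+)\s+)?"
    r"(?P<base>0x[0-9a-fA-F]{8})\s+(?P<name>\S+)\s*$")

def parse_modules(text):
    """Return {lowercased module name: (version or None, base address)}."""
    mods = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # blank or malformed lines are skipped
            mods[m["name"].lower()] = (m["ver"], int(m["base"], 16))
    return mods

def shared_modules(a, b):
    """Map each module present in both listings to True if version and base match."""
    ma, mb = parse_modules(a), parse_modules(b)
    return {name: ma[name] == mb[name] for name in ma.keys() & mb.keys()}
```

Every DLL in the AdMod listing also appears in the Thunderbird listing with the same version and base address; only the two executables differ.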

