lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20041020102432.R52578@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Web browsers - a mini-farce

On Wed, 20 Oct 2004, Martin wrote:

> Here, may I make your collection more complete?
> /.../
> PS: No, it's not been discovered by your tool. And I reported
>     it already several years ago.

No you can't, for that very reason. But you are very much advised to
report it to them and to FD or other lists.

Gee...

I reported on a very basic, objective observation. HTML parsers /
renderers in popular alternative browsers are considerably more fragile
than in MSIE. Some of them just annoy, and some seem to be exploitable
under right conditions. That's that. I did not use a dodged tool, I did
not made up results, it's all open source, and rather well documented. You
are free to reproduce it.

I am not a Microsoft-loving, Linux-bashing zealot; if you bother to visit
by homepage or google around, it will become apparent that I use and enjoy
Linux, and usually do not touch Windows with a ten foot pole; not because
of religious beliefs, but simply because I find it not suited well for
what I do on a daily basis. I did poke fun at Microsoft in the past, too:

  http://lcamtuf.coredump.cx/strikeout/

For this particular issue, I got numerous confirmations, including new
submissions from people using Safari, w3m, elvis, Konqueror and so forth,
so this is not really a localized problem, but rather a sign that
Microsoft did something others couldn't be bothered to.

I specifically stated that this does *NOT* prove that MSIE is safer to
use; there are numerous other factors beside code parsing that count. But
it indeed casts doubt on the claims of higher security of the alternative
browsers, suggesting that much of it may turn to be just a result of the
current status quo.

A number of people assumes that I say MSIE is better than open source
browsers; I did not say this, and I do not have any agenda to push. It's
really disappointing to get so much hate mail when objective results
suggest one thing, and be well received when they point the other way (at
Microsoft, Sendmail, etc).

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-20 10:24 --

   http://lcamtuf.coredump.cx/photo/current/

Powered by blists - more mailing lists