lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041020102432.R52578@dekadens.coredump.cx> From: lcamtuf at ghettot.org (Michal Zalewski) Subject: Web browsers - a mini-farce On Wed, 20 Oct 2004, Martin wrote: > Here, may I make your collection more complete? > /.../ > PS: No, it's not been discovered by your tool. And I reported > it already several years ago. No you can't, for that very reason. But you are very much advised to report it to them and to FD or other lists. Gee... I reported on a very basic, objective observation. HTML parsers / renderers in popular alternative browsers are considerably more fragile than in MSIE. Some of them just annoy, and some seem to be exploitable under right conditions. That's that. I did not use a dodged tool, I did not made up results, it's all open source, and rather well documented. You are free to reproduce it. I am not a Microsoft-loving, Linux-bashing zealot; if you bother to visit by homepage or google around, it will become apparent that I use and enjoy Linux, and usually do not touch Windows with a ten foot pole; not because of religious beliefs, but simply because I find it not suited well for what I do on a daily basis. I did poke fun at Microsoft in the past, too: http://lcamtuf.coredump.cx/strikeout/ For this particular issue, I got numerous confirmations, including new submissions from people using Safari, w3m, elvis, Konqueror and so forth, so this is not really a localized problem, but rather a sign that Microsoft did something others couldn't be bothered to. I specifically stated that this does *NOT* prove that MSIE is safer to use; there are numerous other factors beside code parsing that count. But it indeed casts doubt on the claims of higher security of the alternative browsers, suggesting that much of it may turn to be just a result of the current status quo. A number of people assumes that I say MSIE is better than open source browsers; I did not say this, and I do not have any agenda to push. It's really disappointing to get so much hate mail when objective results suggest one thing, and be well received when they point the other way (at Microsoft, Sendmail, etc). -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2004-10-20 10:24 -- http://lcamtuf.coredump.cx/photo/current/
Powered by blists - more mailing lists