lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200411151925.iAFJPjd11204@pop-5.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: IE is just as safe as FireFox

> Everytime a Firefox exploit comes out..there is already a fix...
> is that magic? No..it is good coding...

What? 

Having a quick fix out is due to low complexity of issue and assisted by a
lack of dependencies so you have reduced time for patching and testing. It
has nothing to do with code quality. I have seen some extremely good code
that hit an issue that took long periods of time to correct due to the
complexity of the issue with all of the requirements that had to be stacked
up to cause an issue. I have also seen crappy code that could be pretty
quickly patched up for various things and often contributed to how crappy it
was. Again, code quality and time to patch has nothing to do with each other
except if you had great code you wouldn't even have to worry about exploits
and patching. Great code, IMO, requires 100% assertions of all incoming data
and NO ONE does that. Programmers assume that incoming data will fit in a
specific range and go with it. At some point we as developers (some earlier
than others) learned that we should at least be checking for data length
though that still isn't the full assertion that should be done on the
quality and state of the data. One reason for not doing a full assertion is
for future flexibility, don't check the data too close so you don't have to
recompile for a new use. Mostly it is done because coders just don't think
someone will do something so off the wall or are too lazy or too pressed for
time to care.


Saying that, I agree, as I have stated many times on this list, that IE
needs to be backed down. If there has to be some piece of it that absolutely
has to be in the OS it should be a very basic very small very simple hello
world basic HTML only rendering capability - you get fonts and anchors and
not much more - it isn't even possible to execute anything even if the user
agrees with a signature in blood. The code being tiny and truly a part of
the OS in that it isn't possible to upgrade it to IE version x. It is
updated with OS updates. Code so small and tight and well controlled and
understood and practically memorized by the developers that MS could put a
monetary guarantee behind the ability to exploit it. Say HTTP-EQUIV gets $10
million if he finds a way to crack it and run remote exploit code with a
realistic POC.  

If someone wants a full function IE, they load that separately an dit runs
in a sandbox as guest. Personally I never agreed that IE was truly part of
the OS. There are some artificial dependencies built in for some of the
display stuff like help, etc but NTFS and threading and all of that works
just fine without IE. 

If pulling IE out of the Explorer shell is too difficult. Then I for one
would be fully behind a new secure type shell replacement for the Explorer
Shell. We had ProgMan Shell for several years then we got the Explorer
Shell. Maybe it is time to get a new shell, at least for servers. 

I was recently in Redmond and the message I kept feeding back over and over
again was that we needed a way to not have to load IE onto machines. I am
looking to moving forward ideas. If they give me the ability, I am not going
to whine why I can't do the same on Win9x or 2K or even XP. So many people
bitch on this list about MS supporting legacy stuff and then they or someone
else starts bitching that MS isn't back porting the changes. Pick one or the
other but keep in mind if things have to keep getting back ported, resources
for that aren't moving us forward. I myself, would rather move forward. 

  joe



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Todd Towles
Sent: Friday, November 12, 2004 10:10 AM
To: Rafel Ivgi, The-Insider; full-disclosure@...ts.netsys.com;
Colin.Scott@...lc.com
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

<SNIP>
 Everytime a Firefox exploit comes out..there is already a fix...is that
magic? No..it is good coding... 
<SNIP>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ