Full Disclosure mailing list archives
RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 30 Jun 2004 16:31:45 -0700
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Barry Fitzgerald Sent: Wednesday, June 30, 2004 3:07 PM To: Drew Copley Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley wrote:Conclusion: Mozilla may be better. I think there is some strong chance of that. But only marginally. It has had bugs. It has a lot of features, which means a lot of potential for security issues. They have kept their browser more conservative then Microsoft has kept Internet Explorer. Traditionally, Mozilla developers have been far more "RFC compliant" - as the saying goes then Microsoft.Hello Drew, I'll start with my own disclaimer. I have been a Free Software developer in the past and my bias is hereby established. However, while I agree with the general point that any piece of software will have bugs and switching simply because a bug has been found is a bad idea, to say that is not to say that all bugs are equal. (I know that that's not what you were saying, but I know that someone will read into what was said that way.) I'm sure that MS Calc has bugs. I know, though, that MS Calc's bugs are, most likely, not going to allow black hats to compromise systems and steal people's data.
You are right, that is not what I am saying but some could read it that way, actually. Sorry, should have noted that in my first reply.
I've had experiences in the past that have shown me one thing and one thing alone: the argument about marketshare being the primary motivation of all cracking is played up far too heavily. Many black hats and script kiddies focus their bugfinding on the most-installed target, this is true. But, there is a sufficient body of people out there still attempting to target other applications -- some of them are very bright. I always wince whenever I see someone bring up the marketshare argument because my prior experience dictates that it is simply not so simple. In my opinion, Microsoft's biggest flaw with Internet Explorer is that it is a program that can take untrusted content and process it in a trusted manner. Yes, I know about zoning and yes I acknowledge that as long as people have the write to access/modify something, there's always some way that they can shoot themselves in the foot. However, there's a far difference between people executing programs off of websites/emails and people simply viewing a website and being "infected" by a trojan/adware/spyware. We both know that this scenario is not new. We also both know that Microsoft is not the only one who's been caught mixing trusted processing methods and untrusted processing methods in the same piece of software. However, it's my decided opinion that a web browser's sole design priority is to process input that is, by definition, unsafe in a safe way. A program, like Internet Explorer, that mixes OS function with (in my opinion, very poor) sandboxing will always have backdoors that allow people to execute code in a trusted fashion. Programs that do not include this code will never have those types of flaws. I would like someone to prove that Mozilla can be tricked to run software in the background without the user's knowledge. I don't just mean running an XPI on a system with software installation enabled. I also mean without using a plugin to carry out the attack. I also don't mean javascript-based XSS attacks - those are a different animal. I mean a full-on attack using a plain vanilla install of Mozilla to silently attack a system and compromise it. The next stage, once that's been proven, is to not just put a bandaid on Mozilla, but to fix the architecture so that that type of attack cannot be carried out. That is the solution to this type of problem. That is where Internet Explorer (and conversely, Microsoft and many other companies) has failed. I don't think that it's one bug that's changing anyone's mind - rather, it's the history of bugs and lack of attention that's plagued people. I don't mean any disrespect saying this - it's just my perspective. I agree with the majority of what you've said, in generalization -- but, in specificity, I tend to disagree, err - if that makes sense. :) -Barry _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jun 30)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Barry Fitzgerald (Jun 30)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Ron DuFresne (Jun 30)
- <Possible follow-ups>
- RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jun 30)
- RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jun 30)
- RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jun 30)