RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

["Drew Copley" <dcopley () eEye com>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Barry Fitzgerald
> Sent: Wednesday, June 30, 2004 3:07 PM
> To: Drew Copley
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] (IE/SCOB) Switching Software 
> Because of Bugs: Some Facts About Software and Security bugs
>
> Drew Copley wrote:
>
> > Conclusion: Mozilla may be better. I think there is some strong
> > chance of that. But only marginally. It has had bugs. It has a lot
> > of features, which means a lot of potential for security issues. They
> > have kept their browser more conservative then Microsoft has kept
> > Internet Explorer. Traditionally, Mozilla developers have been
> > far more "RFC compliant" - as the saying goes then Microsoft. 
> >
> >
> >
> >  
>
> Hello Drew,
>
>        I'll start with my own disclaimer.  I have been a Free 
> Software 
> developer in the past and my bias is hereby established. 
>
>        However, while I agree with the general point that any 
> piece of 
> software will have bugs and switching simply because a bug has been 
> found is a bad idea, to say that is not to say that all bugs 
> are equal.  
> (I know that that's not what you were saying, but I know that someone 
> will read into what was said that way.)  I'm sure that MS Calc has 
> bugs.  I know, though, that MS Calc's bugs are, most likely, 
> not going 
> to allow black hats to compromise systems and steal people's data. 

You are right, that is not what I am saying but some could read
it that way, actually. Sorry, should have noted that in my first
reply.

>        I've had experiences in the past that have shown me 
> one thing and 
> one thing alone: the argument about marketshare being the primary 
> motivation of all cracking is played up far too heavily.  Many black 
> hats and script kiddies focus their bugfinding on the most-installed 
> target, this is true.  But, there is a sufficient body of people out 
> there still attempting to target other applications -- some 
> of them are 
> very bright.  I always wince whenever I see someone bring up the 
> marketshare argument because my prior experience dictates that it is 
> simply not so simple.
>
>        In my opinion, Microsoft's biggest flaw with Internet 
> Explorer is 
> that it is a program that can take untrusted content and 
> process it in a 
> trusted manner.  Yes, I know about zoning and yes I 
> acknowledge that as 
> long as people have the write to access/modify something, 
> there's always 
> some way that they can shoot themselves in the foot.  
> However, there's a 
> far difference between people executing programs off of 
> websites/emails 
> and people simply viewing a website and being "infected" by a 
> trojan/adware/spyware.
>
>        We both know that this scenario is not new.  We also both know 
> that Microsoft is not the only one who's been caught mixing trusted 
> processing methods and untrusted processing methods in the 
> same piece of 
> software.  However, it's my decided opinion that a web browser's sole 
> design priority is to process input that is, by definition, 
> unsafe in a 
> safe way.  A program, like Internet Explorer, that mixes OS function 
> with (in my opinion, very poor) sandboxing will always have backdoors 
> that allow people to execute code in a trusted fashion.  
> Programs that 
> do not include this code will never have those types of flaws.
>
>        I would like someone to prove that Mozilla can be 
> tricked to run 
> software in the background without the user's knowledge.  I 
> don't just 
> mean running an XPI on a system with software installation 
> enabled.  I 
> also mean without using a plugin to carry out the attack.  I 
> also don't 
> mean javascript-based XSS attacks - those are a different animal.
>
>        I mean a full-on attack using a plain vanilla install 
> of Mozilla 
> to silently attack a system and compromise it. 
>
>        The next stage, once that's been proven, is to not just put a 
> bandaid on Mozilla, but to fix the architecture so that that type of 
> attack cannot be carried out.
>
>         That is the solution to this type of problem.  That is where 
> Internet Explorer (and conversely, Microsoft and many other 
> companies) 
> has failed.  I don't think that it's one bug that's changing anyone's 
> mind - rather, it's the history of bugs and lack of attention that's 
> plagued people.
>
>         I don't mean any disrespect saying this - it's just my 
> perspective.  I agree with the majority of what you've said, in 
> generalization -- but, in specificity, I tend to disagree, 
> err - if that 
> makes sense. :)
>
>                     -Barry
>
>      
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html