Thread: US-CERT Vulnerability Note VU#713878: IE Specific Security Hole
View Single Post
Old 12-17-2004, 05:18 PM   #21
LennonCook
Jack Burton
 

Join Date: November 10, 2001
Location: Bathurst & Orange, in constant flux
Age: 37
Posts: 5,452
Quote:
Originally posted by Thoran:
I've said it before but IMO if other OS's and Apps were the subject of as concerted and intense an attack as M$ faces from it's many opponents... they'd fare no better. Open Source, by virtue of its inherent openness (it's greatest strength imo)... would be PARTICULARLY susceptable.
No, no, and no
This article uses Apache and IIS to disprove both points. Apache is open source, and more popular than IIS (70% market share and rising, I believe), and yet it is historically the more secure of the two. The number of attacks is a factor, yes, but hardly the only one.

Quote:
The risk I see here for M$ opponenets is if M$ can actually put together a secure system... its competitors won't have an adequate response. It's like drug immunity... the more and harder a bug is attacked by a drug, the quicker it builds up immunity and if it survives it emerges stronger than the competition. It's survival of the fittest, and the community is currently assisting M$ in debugging their goliath, seems like fun but possibly not so smart in the long run.
Security isn't the only benifit. Try making a web page sometime that will work across all browsers... you can't. You basically have two choices: have it work in IE, and have it work in everything else. And do not say "you should design specifically for the one with the greatest user base": the number of websites designed specifically for it is one of the only reasons IE still has a high market share (in the tech-savvy crowd at the very least).

Quote:
I think more people should be working to uncover the weaknesses of the apps they're loyal to (Linux, Firefox, whatever) in order to prevent M$ from getting an insurmountable lead. I'm sure you've all seen the previews of longhorn (and NGSCB)... it's a significant change in security model, and if effective (and it looks like it may be) it will be something that will need to be addressed by the competition.
Longhorn, from what I've seen, will if anything be worse. Microsoft do not plan to uncouple IE from the Windows core, infact they want to integrate it further, so that there is no difference between IE and Windows. This also applies for other programs that are nested deeply into Windows in a completely unremovable way, not just IE. In other words, yes it will be a "significant change in the security model", but I'm sure you will find it will be a change for the worse.


EDIT: The patch I mentioned before for the Tabbrowsing Vulnerabilities has been granted review+ . It is now only waiting for superreview and approval-1.7.6 , and it will be checked in to the mozilla.org CVS .

[ 12-17-2004, 08:24 PM: Message edited by: LennonCook ]
LennonCook is offline