[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

Drew Copley wrote:

Conclusion: Mozilla may be better. I think there is some strong
chance of that. But only marginally. It has had bugs. It has a lot
of features, which means a lot of potential for security issues. They
have kept their browser more conservative then Microsoft has kept
Internet Explorer. Traditionally, Mozilla developers have been
far more "RFC compliant" - as the saying goes then Microsoft.






Hello Drew,

I'll start with my own disclaimer. I have been a Free Software developer in the past and my bias is hereby established.

However, while I agree with the general point that any piece of software will have bugs and switching simply because a bug has been found is a bad idea, to say that is not to say that all bugs are equal. (I know that that's not what you were saying, but I know that someone will read into what was said that way.) I'm sure that MS Calc has bugs. I know, though, that MS Calc's bugs are, most likely, not going to allow black hats to compromise systems and steal people's data.

I've had experiences in the past that have shown me one thing and one thing alone: the argument about marketshare being the primary motivation of all cracking is played up far too heavily. Many black hats and script kiddies focus their bugfinding on the most-installed target, this is true. But, there is a sufficient body of people out there still attempting to target other applications -- some of them are very bright. I always wince whenever I see someone bring up the marketshare argument because my prior experience dictates that it is simply not so simple.

In my opinion, Microsoft's biggest flaw with Internet Explorer is that it is a program that can take untrusted content and process it in a trusted manner. Yes, I know about zoning and yes I acknowledge that as long as people have the write to access/modify something, there's always some way that they can shoot themselves in the foot. However, there's a far difference between people executing programs off of websites/emails and people simply viewing a website and being "infected" by a trojan/adware/spyware.

We both know that this scenario is not new. We also both know that Microsoft is not the only one who's been caught mixing trusted processing methods and untrusted processing methods in the same piece of software. However, it's my decided opinion that a web browser's sole design priority is to process input that is, by definition, unsafe in a safe way. A program, like Internet Explorer, that mixes OS function with (in my opinion, very poor) sandboxing will always have backdoors that allow people to execute code in a trusted fashion. Programs that do not include this code will never have those types of flaws.

I would like someone to prove that Mozilla can be tricked to run software in the background without the user's knowledge. I don't just mean running an XPI on a system with software installation enabled. I also mean without using a plugin to carry out the attack. I also don't mean javascript-based XSS attacks - those are a different animal.

I mean a full-on attack using a plain vanilla install of Mozilla to silently attack a system and compromise it.

The next stage, once that's been proven, is to not just put a bandaid on Mozilla, but to fix the architecture so that that type of attack cannot be carried out.

That is the solution to this type of problem. That is where Internet Explorer (and conversely, Microsoft and many other companies) has failed. I don't think that it's one bug that's changing anyone's mind - rather, it's the history of bugs and lack of attention that's plagued people.

I don't mean any disrespect saying this - it's just my perspective. I agree with the majority of what you've said, in generalization -- but, in specificity, I tend to disagree, err - if that makes sense. :)

-Barry






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html