|
|
User Controls
|
New User
|
Login
|
Edit/View My Profile
|
|
|
|
ActiveMac
|
Articles
|
Forums
|
Links
|
News
|
News Search
|
Reviews
|
|
|
|
News Centers
|
Windows/Microsoft
|
DVD
|
ActiveHardware
|
Xbox
|
MaINTosh
|
News Search
|
|
|
|
ANet Chats
|
The Lobby
|
Special Events Room
|
Developer's Lounge
|
XBox Chat
|
|
|
|
FAQ's
|
Windows 98/98 SE
|
Windows 2000
|
Windows Me
|
Windows "Whistler" XP
|
Windows CE
|
Internet Explorer 6
|
Internet Explorer 5
|
Xbox
|
DirectX
|
DVD's
|
|
|
|
TopTechTips
|
Registry Tips
|
Windows 95/98
|
Windows 2000
|
Internet Explorer 4
|
Internet Explorer 5
|
Windows NT Tips
|
Program Tips
|
Easter Eggs
|
Hardware
|
DVD
|
|
|
|
Latest Reviews
|
Applications
|
Microsoft Windows XP Professional
|
Norton SystemWorks 2002
|
|
Hardware
|
Intel Personal Audio Player
3000
|
Microsoft Wireless IntelliMouse
Explorer
|
|
|
|
Site News/Info
|
About This Site
|
Affiliates
|
ANet Forums
|
Contact Us
|
Default Home Page
|
Link To Us
|
Links
|
Member Pages
|
Site Search
|
Awards
|
|
|
|
Credits
©1997/2004, Active Network. All
Rights Reserved.
Layout & Design by
Designer Dream. Content
written by the Active Network team. Please click
here for full terms of
use and restrictions or read our
Privacy Statement.
|
|
|
|
|
|
|
|
Time:
00:08 EST/05:08 GMT | News Source:
ComputerWorld |
Posted By: Kenneth van Surksum |
Microsoft Corp. would better protect users by severing Internet Explorer's connections to Windows, then patching the browser invisibly in the background -- daily if necessary, a security expert argued today.
"The browser is the heaviest-used application that interacts with the Internet, and the most likely source of malicious content. IE vulnerabilities should be given the highest priority and patched first," said Wolfgang Kandek, CTO at security company Qualys Inc.
|
|
#1 By
15406 (216.191.227.68)
at
2/11/2009 12:24:26 PM
|
Silly security experts. Didn't they hear MS at the antitrust trial telling the judge it was impossible to remove IE from Windows?
|
#2 By
16797 (65.93.31.100)
at
2/11/2009 3:35:34 PM
|
Hey, Lloyd, where are you already? Come on, feed the troll..
|
#3 By
23275 (24.196.4.141)
at
2/11/2009 5:11:00 PM
|
werk'in Gonz
the notion that all graphical interface operating systems do not depend upon a broswer to render large parts of the interface is so laughable that a more detailed reply would be inappropriate. MS can no more remove IE than Apple can remove webkit from OS X.
|
#4 By
23275 (24.196.4.141)
at
2/11/2009 5:15:30 PM
|
The notion that (COM/DCOM e.g., ActiveX) is any less a remote methoding technique than Corba, Java RMI, or FLASH Remoting, is simply outrageous and as foolish as it is to assume that any other RMI is any more secure than ActiveX, or any less a part of competing browsers.
So security experts without an agenda, will tell computer users to use IE 7/8 on Vista/Windows 7 in their default protected modes and run as standard users.
Do that and you can enjoy a very safe, worry free browsing experience.
.... or you can kid yourself as Latch does and lie to yourself with every click.
|
#5 By
3653 (65.80.181.153)
at
2/11/2009 5:59:20 PM
|
latch would have replied more eloquently and completely, except they got in a new shipment of cocktail napkins this morning.
Does that mean TWO napkins per coffee served? Hasn't latch heard there's a recession on?
|
#6 By
20505 (216.102.144.11)
at
2/11/2009 6:58:50 PM
|
From the Qualys website.
As the CTO for Qualys, Wolfgang is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the Online Music streaming company myplay.com and at iSyndicate, an Internet media syndication company.
|
#7 By
15406 (216.191.227.68)
at
2/12/2009 8:38:38 AM
|
#3: <sigh> More strawmen. Nobody said the OS shouldn't have a browser. They said it should be possible to remove IE from Windows. I can explain the difference further if required.
#4: So security experts without an agenda, will tell computer users to use IE 7/8 on Vista/Windows 7 in their default protected modes and run as standard users.
I have yet to read any security researcher that isn't a Friend of Microsoft or MS Partner recommending IE as the browser of choice. In fact, I don't know if I can remember *anyone* recommending IE other than you. Do you know of any unbiased security researchers that publicly recommend IE? Link? I seem to recall lots of security researchers, even CERT, recommending users stay the hell away from IE.
Do that and you can enjoy a very safe, worry free browsing experience.
Until next month's exploit.
.... or you can kid yourself as Latch does and lie to yourself with every click.
You're on to me. My whole web-browsing history is a vast tapestry of lies.
|
#8 By
92283 (70.67.3.196)
at
2/12/2009 9:40:25 AM
|
#7 "I can explain the difference further if required."
Please do.
Oh. Also explain how Firefox avoids using calls to Windows APIs.
|
#9 By
16797 (65.93.150.97)
at
2/12/2009 9:54:08 AM
|
#7 Please do explain.
If IE is using some library, for example the one that contains FileOpen dialog class, should, as part of IE removal, that library be removed too? So no other application can display FileOpen dialog after that? Likewise, is library that parses HTML/XML or renders HTML allowed to be used by, for example, Windows Help or.. any other application (Steam client for example)?
What happens if both IE and another application are using same library to perform some task? Should that library be removed if IE is removed?
This post was edited by gonzo on Thursday, February 12, 2009 at 09:55.
|
#10 By
23275 (24.196.4.141)
at
2/12/2009 10:39:02 AM
|
Latch, you're going to have to be much more specific... which versions? IE 6 on XP Home with the user running as an Admin?
You continually draw on circumstances applicable eight years ago and opposite the explosive growth in blended threats between 2000 and 2004.
Clearly, you're not trying to apply nonsensical arguments to the present state of Windows and IE 7/8
I do reason that in very short order, ancient arguments like yours are going to seem utter ridiculous; you're risking greater irrelevance each time you fall back on the past.
Again, the safest online browsing experience is found in IE 7/8 on Windows Vista/Windows 7 using default Protected Mode browser settings and running as a standard user. There simply is no way any software can run without an authorized user's permission. Even remote code exploits would fail due to the Windows Integrity Mechanism - e.g., ASLR+DEP (hardware and software DEP/NX, or Zero Execute Bits). "Me to all: stay the hell away from Moz/FF, and Safari. Chrome wisely uses Protected Mode, just as Moz/FF/Safari could."
|
#11 By
143 (65.221.158.226)
at
2/12/2009 11:16:40 AM
|
Windows is not Linux and it shouldn't be!
|
#12 By
15406 (216.191.227.68)
at
2/12/2009 12:18:47 PM
|
#8: I didn't really think I would have to explain this since it's pretty self-evident. Here goes. Try to follow along:
The article talked about Microsoft making it possible to uninstall IE completely from Windows. Ketchum, as usual, misconstrued that to mean that the OS shouldn't ship with a browser. I guess this makes sense in his world where IE is the only web browser. In reality, being able to remove IE from Windows means OEMs would have the ability to bundle whichever browser they want without IE always tagging along as an active exploit target.
Oh. Also explain how Firefox avoids using calls to Windows APIs.
What does that have to do with the price of keyboard cleanser?
#9: I didn't really think I would have to explain this since it's pretty self-evident. Here goes. Try to follow along:
The article talked about Microsoft making it possible to uninstall IE completely from Windows. Ketchum, as usual, misconstrued that to mean that the OS shouldn't ship with a browser. I guess this makes sense in his world where IE is the only web browser. In reality, being able to remove IE from Windows means OEMs would have the ability to bundle whichever browser they want without IE always tagging along as an active exploit target.
If IE is using some library, for example the one that contains FileOpen dialog class, should, as part of IE removal, that library be removed too?
No. Why would you do that? That would be stupid. Smells like a strawman.
#10: It is very clear that you are trying very hard to minimize and downplay the morass of problems that is IE, but then it's widely recognized that that's your function here.
I do reason that in very short order, ancient arguments like yours are going to seem utter ridiculous; you're risking greater irrelevance each time you fall back on the past.
You reason this, do you? Based on what reasoning? That MS is going to stop stuffing IE full of bugs sometime soon? I seem to remember you and others telling me how Vista would never been hacked, how IE7 would never be hacked, etc etc. Again and again. Then they got hacked. My argument gets renewed every month with Microsoft's help while you go on endlessly about how I'm going to be wrong real soon now.
|
#13 By
23275 (24.196.4.141)
at
2/12/2009 12:27:47 PM
|
Latch, kindly show me one hack that is not mitigated, or obviated by at least two other layers in the security model protecting Windows Vista and 7 users?
Just one.
|
#14 By
28801 (65.90.202.10)
at
2/12/2009 12:32:06 PM
|
Latch wants to hang his hat on noscript. To me it just gets in the way and is even more annoying than UAC.
|
#15 By
23275 (24.196.4.141)
at
2/12/2009 1:10:45 PM
|
#14, Yeah, as if NOSCRIPT is in any way different, or easier to use and set than security zones in IE and the myriad of policies that can be affected by single users, or centrally via policy objects...
Each and every time he posts, he reveals a level of naiveté that would be charming if not laced with vented spleen. My concern is that even one young person would in any way be influenced by such drivel.
|
#16 By
15406 (216.191.227.68)
at
2/12/2009 1:11:43 PM
|
#13: Sure. Just as soon as you show me a security researcher that isn't in Microsoft's pocket publicly recommending IE as I asked for in #7.
#14: This has got nothing to do with me or Firefox or NoScript. This has to do with being able to remove IE from Windows.
|
#17 By
16797 (65.93.150.97)
at
2/12/2009 1:31:27 PM
|
Troll is hungry. We must feed him more.
#12 Stop dancing and answer the questions :)
Looks to me you don't even understand why NotParkerToo asked about FF using Win32 API. Let me try to help you..
For example, IE can execute vbscript and javascript code. If I unistall IE, should Windows still be able to run vb scripts? Mind you, IE and WSH may both be using same libraries to achieve that. Do those libraries belong to IE or WSH... or are those simply part of Windows, so that any application/component (IE, WSH, IIS, .NET..) can use them?
Simply, what does it mean to remove IE?
How do you define what is part of IE and what is part of Windows? Is there such a line between components if same libraries are used by many applications, IE being just one of them?
|
#18 By
23275 (24.196.4.141)
at
2/12/2009 1:38:35 PM
|
In your way Latch, and in your world, you select things that are absolutes when it works to support your position. Some poorly defined condition like, "a researcher not in Microsoft's pocket.." What is that nonsense.
In the real world, where the goal is do some good and actually achieve something, like secure systems, things are not absolute, they are a product of an effort involving many steps, layers and attending decisions. e.g., http://www.nsa.gov/ia/_files/os/winvista/Windows%20Vista%20FAQs.pdf Just as Vista/Win7's security is presented in layers which work together.
For all interested in Windows Vista/7 security, please see, http://blogs.technet.com/security/archive/2006/08/12/446104.aspx
|
#19 By
15406 (216.191.227.68)
at
2/12/2009 2:21:38 PM
|
#15: At least I'm not constantly blowing pro-MS smoke up everyone's ass. I don't see how that's helpful, except to Microsoft. I can tell from your post that you've never used NoScript but that's not surprising as it's not from Microsoft. It's dead-simple and effective. I'm not sure how right-click -> Allow is harder than wading through IE's options and changing zone settings. But like I said before, this isn't about NoScript. This debate would go smoother if you wouldn't repeatedly break out your Deflect-O-Matic.
#17: I already answered your question when I said your point was stupid. Only a moron would think that you must also remove any libraries that IE might use. That's not what the article proposed and that's not what I proposed so I don't know where that idea (strawman?) came from.
For example, IE can execute vbscript and javascript code. If I unistall IE, should Windows still be able to run vb scripts? Mind you, IE and WSH may both be using same libraries to achieve that. Do those libraries belong to IE or WSH... or are those simply part of Windows, so that any application/component (IE, WSH, IIS, .NET..) can use them?
No, since vbscript and handled by the Windows Scripting Host. But I already explained this concept in my last post to you.
Simply, what does it mean to remove IE?
Remove the UI and the rendering engine would be my guess. Microsoft could answer that better if they weren't busy pretending that it's impossible.
Is there such a line between components if same libraries are used by many applications, IE being just one of them?
That's the smart approach for a componentized system.
#18: Some poorly defined condition like, "a researcher not in Microsoft's pocket.." What is that nonsense.
That's me making sure you didn't pull Rob Enderle or Ed Bott out of Bill Gates' butt. I knew it would be impossible for you to find an objective security researcher to recommend IE, but there would no doubt be a Microbot posing as one not too far away.
|
#20 By
16797 (65.93.150.97)
at
2/12/2009 2:33:37 PM
|
#19 "Remove the UI and the rendering engine would be my guess."
Why the rendering engine if that same library (you do realize that "rendering engine" is just another library) is also used (and shipped by) other MS applications (WMP, Windows Help, etc) or third-party apps (Steam client for example)? You do realize that "rendering engine" is available to anyone as WebBrowser control?
(see, for example, this: http://msdn.microsoft.com/en-us/library/w290k23d.aspx)
So, let me repeat my question: why is a library that renders HTML ("rendering engine") different from library that provides FileOpen dialog? They are both used by IE. And many other apps, MS or third party? Why should one be removed when IE is removed (whatever that means) while the other one stays?
This post was edited by gonzo on Thursday, February 12, 2009 at 14:35.
|
#21 By
15406 (216.191.227.68)
at
2/12/2009 2:54:54 PM
|
#20: You do realize that "rendering engine" is available to anyone as WebBrowser control?
Yes, I'm aware of that. Nobody is saying rip out IE with a rusty saw and leave the rest alone to crash & burn. Changes would have to be made. Microsoft worked hard to embed IE into Windows for reasons both technical and political. There's nothing that says they couldn't remove IE and patch the holes. There could be a generic object model for the browser that all vendors would have to support if they wanted their browser used on Windows. Then you could make generic browser API calls and they would be serviced by whatever browser you had installed.
At the end of the day we're all babbling about nothing since this will never happen anyway.
So, let me repeat my question: why is a library that renders HTML ("rendering engine") different from library that provides FileOpen dialog? They are both used by IE.
Because in this instance the browser library is the one with all the security problems that needs regular patching. Also, I don't think there is a distinction between IE and the HTML rendering library from a practical point of view. When I say remove IE, I mean remove the IE interface, the mshtml.dll engine and whatever other libraries that are unique to IE. Perhaps it's more technically correct to say remove the mshtml.dll rendering engine as IE is likely just a container for that engine.
|
#22 By
16797 (65.93.150.97)
at
2/12/2009 3:26:53 PM
|
There could be a generic object model for the browser that all vendors would have to support if they wanted their browser used on Windows.
Well, why stop with browser? Let's force them to make the same change so that we can replace kernel, shell, NTFS, DirectX, etc, etc.
Hey, let's act as if it is our product and they have no say about it. They made successful product, but now we take over :) You know what.. is that not called communism?
Perhaps it's more technically correct to say remove the mshtml.dll rendering engine as IE is likely just a container for that engine.
Well, do you realize that if you remove mshtml.dll, that WebBrowser control won't work --- and any other application that uses it? Including any other Win component that relies on it? IE is just one consumer of mshtml.dll..
Take a look here:
http://msdn.microsoft.com/en-us/library/aa741312(VS.85).aspx
See that WebBrowser is built on top of mshtml.dll...
One thing they could do is to provide slightly different set of libraries for IE. Sure, that would mean that now they have to maintain two different things that do the same job.. not sure how effective that is, given that you can have bugs in each :)
Anyway..
|
#23 By
2960 (72.196.201.130)
at
2/13/2009 8:11:16 AM
|
2 days and no new news?
|
#24 By
17855 (205.167.180.131)
at
2/13/2009 8:45:28 AM
|
Latch without your competitive alternative views this would be a ver dull forum.
Thank You!
|
|
|
|
|