::scr Internet Explorer - Danger in numbers?
Ash Argent-Katwala
scr@thegestalt.org
Fri, 22 Feb 2002 11:49:48 +0000 (GMT)
Another day, another exploit[0]
Are any of you using Internet Explorer in anything like a safe manner? This
goes beyond making yourself more of a target by using something quite so
popular. They've even introduced new buffer overflows lately[1]. This is
about the style of development as much as anything else. Will it get better
with their new focus on trustworthy computing? Schneier is fairly
interesting on the topic in the last CRYPTO-GRAM[2].
Looking at it from the other end - in terms of what you should serve to
users. If people pretty much need to turn off Javascript and the rest of the
client-side code in IE to offer anything close to a safe browsing experience
in that browser, is all dynamic HTML just a waste of time - even if you
succumb to the (somewhat perforated) argument that practically everyone is
using IE? I'm religious enough about it that I want everything to degrade
to work reasonably well in noddy-HTML, but what's the point of anyone
spending the effort if people really ought to be turning the features off
anyway at the moment?
[0] http://www.theregister.co.uk/content/4/24168.html
[1] The roll-up patch two weeks ago.
http://www.theregister.co.uk/content/4/24027.html
Note that the buffer overrun wasn't in 5.01 but was in 5.5 and 6.0.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
[2] http://www.counterpane.com/crypto-gram-0202.html
--
ash
a-k
... it is because giants were standing on my shoulders