
Re: [Full-Disclosure] Web browsers - a mini-farce

Subject: Re: [Full-Disclosure] Web browsers - a mini-farce
Date: Wed, 20 Oct 2004 10:35:08 +0200 (CEST)
On Wed, 20 Oct 2004, Martin wrote:

Here, may I make your collection more complete?
/.../
PS: No, it's not been discovered by your tool. And I reported
    it already several years ago.

No you can't, for that very reason. But you are very much advised to
report it to them and to FD or other lists.

Gee...

I reported on a very basic, objective observation. HTML parsers /
renderers in popular alternative browsers are considerably more fragile
than in MSIE. Some of them just annoy, and some seem to be exploitable
under right conditions. That's that. I did not use a dodged tool, I did
not make up results, it's all open source, and rather well documented. You
are free to reproduce it.

I am not a Microsoft-loving, Linux-bashing zealot; if you bother to visit
my homepage or google around, it will become apparent that I use and enjoy
Linux, and usually do not touch Windows with a ten foot pole; not because
of religious beliefs, but simply because I find it not suited well for
what I do on a daily basis. I did poke fun at Microsoft in the past, too:

  http://lcamtuf.coredump.cx/strikeout/

For this particular issue, I got numerous confirmations, including new
submissions from people using Safari, w3m, elvis, Konqueror and so forth,
so this is not really a localized problem, but rather a sign that
Microsoft did something others couldn't be bothered to.

I specifically stated that this does *NOT* prove that MSIE is safer to
use; there are numerous other factors beside code parsing that count. But
it indeed casts doubt on the claims of higher security of the alternative
browsers, suggesting that much of it may turn out to be just a result of the
current status quo.

A number of people assume that I say MSIE is better than open source
browsers; I did not say this, and I do not have any agenda to push. It's
really disappointing to get so much hate mail when objective results
suggest one thing, and be well received when they point the other way (at
Microsoft, Sendmail, etc).

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-20 10:24 --

   http://lcamtuf.coredump.cx/photo/current/
