IE Developer Responds to Mozilla Accusations
sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team, has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.'"
No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.
And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things explodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.
I Want To Believe
Read the source code if you even bother. It was ejected by WMP not IE nor the KERNEL.
appended to the end of comments you post, 120 bit floating point
Fag.
If there are no operating system API's used by the browser, then why did MSFT fight so hard not to have to remove it from the browser? It might not use the OS API's, but I'm fairly sure it works the other way round. Has he ever tried to remove IE cleanly from a windows install?
At least that's what Microsoft told the courts...
And because it is effectively an OS service, it has these "no security at all" modes that if you can escalate to in a script, you 0wn the box.
Test your net with Netalyzr
Why don't they just delete the IE shortcut from the start menu and desktop and remove any file type associations? They might also be able to delete the iexplore.exe as well?!
I can't figure it out. Is Dave playing dumb, or is he really dumb?
The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone that works on IE from trying to claim it is not part of the OS? Oh, we're going to get down to nit picking. Yes, yes, yes IE is not part of the kernel.
However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.
And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.
Ironically, the word ironically is often used incorrectly.
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter. That does not make use of any unknown undocumented APIs. Try this, paste this code into a text file (hint: it came straight from your website):
' Create the Windows Media Player control through COM
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
' Eject every CD-ROM drive the control reports
If colCDROMs.Count >= 1 Then
    For i = 0 To colCDROMs.Count - 1
        colCDROMs.Item(i).Eject
    Next ' cdrom
End If
WScript.Echo "Automatic Cup Holder."
Then run "cscript filename". Oh my god, Microsoft tied vbscript into a stand alone application on your system!!! Give me a break, mod the parent down please
-dk
Eh no, this is an issue with allowing scripts to run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
So then, they agree...
IE may only use documented APIs, but isn't it how many APIs you use before it becomes "a part of the operating system"? If Firefox uses a handful and IE uses so many it has its fingers curled around every nook and cranny of Windows, what difference does it make whether those nooks are documented or not? When you call enough OS APIs your app is as bulky as the OS itself, and we all know how well that works.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Yes, maybe so, but if it was possible to do this through Firefox running on Linux, I'm sure that the people reporting such a bug would claim that Firefox should not allow such things to occur. And I think that they'd be right to say so.
I would never use I.E. again if Firefox could do one thing (more), to be able to navigate to other (windows) boxes using my browser (like I can in I.E.)
by typing \\servername or \\ip address
My understanding was that this functionality was part of the API that is not available? This is the only thing keeping I.E. on my windows desktop.
This is not meant to be read by geeks, it's for PHBs. Either that or I'll have some of what he's smoking.
Justin.
You're only jealous cos the little penguins are talking to me.
Confirmed. Does not work on IE6 in XP Pro.
"But Mr Dent, the plans have been available in the local planning office for the last nine months."
"Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."
"But the plans were on display ..."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."
The point is that internet-hosted script shouldn't have permission to do that. And thankfully now it doesn't. Issue fixed, nothing to see here.
That's the sound lusers make as they get their so-called browsers hijacked and spywared to death.
It IS part of the OS like ls is part of many *nix OSes. The real problem is, can it be removed or substituted?
They're working on that. It's called Longhorn. Maybe you've heard of it?
Whether or not they'll achieve any or all of their goals for Longhorn is, of course, open for debate based on past events. But the goal from the beginning has been to de-cruft Windows (and "improve" the user interface by making even more of it task-based. Joy!).
But frankly, my money at this point is on Longhorn being another Windows ME. Big on promises, half-assed changes, and lots of bugs. Maybe I'll be pleasantly surprised.
it still works on IE 6 for windows 2000
I'm not usually one to point out typos, but... You might want to check your spelling when you're making a very public argument about how your software is not more prone to vulnerabilities than another.
IE is part of the Windows Operating System so that parts of the OS and other applicaitons can rely on the functionality and APIs being present. IE in turn relies on Operating System funcitonality to do it's job.
There are maybe a dozen sentences in the blog entry and two in a row have glaring typos (not to mention using "it's" when they mean "its"). I know we should judge it on the merits of what they're trying to say and not the careless way they said it, but it's hard not to have this reflect poorly on the speaker and the claims they're making.
I'm a big tall mofo.
Ironically, MS seems to be using Stallman's definition of an OS -- kernel plus libs & core apps that he uses to insist upon the GNU/Linux name. Personally, I'm more minimalist, kernel & modules & modutils.
If a packet hits a pocket on a socket on a port,
And IE is interrupted as a very last resort,
And the address of the memory makes your FireFox abort,
Then the socket packet pocket has an error to report.
If your cursor finds a IE link followed by a dash,
And the VBScript code puts your windows in the trash,
And your data is corrupted because IE and Firefox clash,
Then your situation's hopeless and your system's gonna crash!
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter
Er...isn't that sorta the point?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
People just love to make the definition of "OS" whatever is best for them to bash MS.
The MS guy is right. Microsoft was right in court. It's not rocket surgery, haters.
IE is part of the business component "Microsoft Windows". It's "part of the OS" in terms of customer expectations, developer expectations, and the business definition of what Microsoft defines as an OS. Actually, nowadays it's finally recognized as absolutely ridiculous to ship an OS without a browser.
It is _not_ a part of the OS proper in a CS/technical definition. It is not required for functionality of the kernel or core OS services.
"IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present."
So why not just have an html rendering library and make IE an optional add-on? Plenty of other OS's seem to get by with this approach; I guess that none of them are so hellbent on pushing out a particular product...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
That's the point though, the IE gives websites access to the APIs of other programs like WMP without asking the user.
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.
Guys, uh guys, that's The Problem.
http://www.eweek.com/article2/0,1759,1776387,00.asp
To sum my thoughts in that story up, you have a gateway, IE, to the Internet that has deep, Inadequately Protected, connections to the core operating system.
IE, in specific, and Windows, in general, cannot be secured.
Microsoft's one seamless whole is really one giant security hole.
Steven
(Actually, this might not work on IE 6.0+. Can you believe they actually fixed the problem.)
Are you telling me that I can no longer rely on the functionality and APIs being present because they changed it?
I get a permission denied error when I try that page. XPSP2 fully patched.
it still works on IE 6 for windows 2000
Not any more it doesn't - just tried it on a fully patched Windows 2000 box here. Perhaps you should run windowsupdate?
you can go into any windows explorer window and type in a url, wham it's really internet explorer... or do I need to see a doctor?!!
As part of the testing phase when I design a new web site I have to point out that the majority of my time is spent "tweaking" the site to display correctly in IE. While on the other hand I can take the same site and test it in Mozilla, Firefox, Konqueror, Safari, Netscape, etc. on various platforms (Linux, Mac, and Windows). I don't see why all browser developers can not or will not just design browsers to be equally compliant. With all the market share MS already has in my opinion they should, as at least an act of good faith, build IE to conform with standards. I can not see any reason not to, I mean come on how difficult is it.
Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
An article from 2003:
Microsoft allegedly opened up Windows APIs last year... Now, Devos claims that Microsoft's disclosures remain sufficiently inaccurate and incomplete for developers to continue using his own documentation.
Devos claims that Whirling Dervishes has discovered hidden Windows interfaces that are crucial for the development of such applications, but whose existence is denied by Microsoft. Not much change there then, post-lawsuit. These and other interfaces which Devos says should have been part of the API disclosures are used in NSELib, and he proposes to make public full documentation on how to use them.
Developers: We can use your help.
The employees at Microsoft are pure geniuses. I mean, look how long they have been able to pull off shit like this and still profit. Either that or the general public is stupid, which makes Microsoft look intelligent.
XeRo
Now that we have been told directly from one of the Internet Explorer developers that it's definitely NOT part of the operating system, any day now we will be able to watch Microsoft completely comply with the ruling against them and simply provide a version of Windows without IE preloaded.
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.
This is always the standard Microsoft defense. Our products are written with the same API's as are available to everyone else. Everything's fair.
Except that Microsoft developers get access to the people who wrote the specifications. They can influence the specifications to change. In fact, according to a friend of mine who works at Microsoft, they have a tool which highly optimizes their code after compilation, by, among other things, moving the infrequently used code like error handling routines to the back of their DLL's, etc.
The fact that this tool hasn't been released to other developers is proof that they unfairly compete.
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
I would have loved to be at the party they must have had when ActiveX went through its security reviews.
Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.
What he means is parts of the Windows desktop environment rely on the HTML engine which is also part of IE.
It's like saying KDE can't work without Konqueror and KHTML. Of course it can, you use Gecko.
Also they obviously mean IE is part of the Windows distribution package. Are they going to say MSN/Windows Messenger is part of the OS next?
Honestly, it is this kind of technical retardedness that stops me using Windows.
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'
The question is why would I want my browser to make OS calls? Could that be why the minute you surf the "wrong site" on IE, you get infected with loads of spyware, or worse, a virus?!
I'd rather stick to being limited on some performance issues and functionality (ActiveX sucks anyways) than being able to have a website install loads of crap onto my PC.
IGB: More fun than eating oatmeal!
I tried to rename firefox.exe to iexplore.exe and the operating system would not let me. iexplore.exe would keep coming back....
Granted his machine is a bloody mess, riddled with SpyWare but, prior to the uninstall, at least he could connect to a network - which would make my thankless task of resurrecting this poor abused box much easier.
Lesson: Sure, IE isn't part of the operating system, provided you don't count a working TCP/IP stack as a necessary part of the OS.
Er...isn't that sorta the point?
What, Mozilla does security through lack of features?
I was speaking recently to a developer working on Longhorn and he gave me the following information: IE cannot legally, since the court battles, use any undocumented system API calls. Therefore all of the calls that IE used have been made public on MSDN. They may have strange names and actually do other things than the documentation strictly says, but Microsoft has been forced to announce what "they do" to the public at large.
This just in, IE7 does not fully support CSS2, oh wait...
The HTML browser is part of the OS.
This means when you get the OS, you get the HTML browser.
Given the average user's minimal computer expertise, this leads to the provided HTML browser dominating the market.
This is the issue, not whether or not IE uses hidden APIs.
--
Toby
(Actually, this might not work on IE 6.0+. Can you believe they actually fixed the problem.)
Still not fixed, at least it's not fixed as of IE version 6.0.2800.1106
No, because you can include vbscript in any application. I will not be a personal reference to MSDN, but I have had to integrate vbscript into applications before. While it's not fun, it is possible and Microsoft tells you how to do it. Just because mozilla doesn't support vbscript doesn't mean it's a hidden API that no one knows about.
-dk
"To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..."
Several points to this:
One, the MSDN documentation is horrific. There are few examples and fewer cross references. So you get into a game of "find the API" call you want.
Second, many of the API's are horribly quirky and have known bugs. The bugs tend to stay because programs become dependent upon them. But the MSDN documentation NEVER DOCUMENTS these "quirks". I'm sure IE has plenty of workarounds for these... but still use the "documented API's"
Thirdly, Microsoft will change the OS calls to suit their whim. Then bury it in the documentation with maybe a one-line blurb buried with about a dozen under changes in the latest MSDN release. (EG The new list control grouping features for XP or when they implemented "coolbars" for IE) And then there were few examples of usage. So general acceptance doesn't occur until some kind soul has trudged through the pixel mines and figured out how the new control API's work.
Lastly, IE functionality may only use ONE OS API call (CreateWindow) and have all custom code written for the rest of the app...er..kernel module...
If it is not at all part of the OS why is it that even after setting firefox as my default and deleting all shortcuts and links to IE some programs when I click for help or to view more information on the web ignore this and somehow open IE ignoring my wishes for me to view their content? If there is no integration then I assume this would never occur.
Open up "My Computer" and in the address bar type http://www.slashdot.org
No new windows, the toolbar changes, and my web page loads in Windows Explorer, but it looks like IE.
DarkMantle I been bored, so I started a blog.
What, Mozilla does security through lack of features?
If the "features" are insecure, would you want them?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
If IE is truly not part of the OS like this developer is claiming then prove it by making a simple option to uninstall IE from the "Add/Remove Programs" area in the control panel. I'll buy that IE is not part of the OS when MS gives us that option and my Windows computers operate normally without IE installed.
Never attribute to malice that which can be adequately explained by stupidity.
kind of offtopic, I know but anyway. I was bored in college once, so I wrote a VB app in about 30 seconds with a textbox, a go button and an IE OCX. the code was this (might not be perfect, I've not done any VB for a long time now):
Private Sub Command1_Click()
    ' Navigate the embedded IE control to whatever was typed in the textbox
    iecontrol.Navigate2 Text1.Text
End Sub
And it was surprising how the security of IE is tied to the address bar and the rendering portion of the browser allowed me into c:, which I wasn't allowed to do in windows explorer. I can't remember if I was able to add/edit/delete files or not though.
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
More comments on this thread are going to pick this one up... but let me just get my two bits in.
Your "security reviews" are not stringent... or at least not as stringent as you think. We ALL know that. If they were then IE would not be released. It's the stick which the OS pokes a hole in the security dyke with.
Your IE has exposed the user to attack time and time again. Instead of letting the browser poke the hole why don't you use it to plug the holes before they appear?
Make it as independent of the OS as possible. Did you ever hear one of the "security reviewers" make that comment?
cheers
front
a client of mine had a piece of malware recently that McAfee had not spotted, the malware had destroyed the MSHTML.DLL (the core component of IE) and as a result the virus scanner wouldn't start and couldn't be updated because it relies on IE for its dialogs and GUI and as IE was disabled, so was all the security processes that McAfee was supposed to provide
clever huh
No one is saying that it's a hidden API, only that implementing its use in IE, when IE is tied to the OS so tightly, is a horrible idea and leads to many new attack vectors, which just aren't present in firefox, explicitly because it doesn't implement vbscript.
how was that flamebait?
I can confirm what the parent said.
Still not fixed, at least it's not fixed as of IE version 6.0.2800.1106
"If they have both, tell them we use Linux. And if they have that, tell them the computers are down." -Dave Chapelle
My business plan is ruined! That's Microsoft for you: wait until you depend on a documented part of their OS, and then they slide it out from under you! "IE isn't done until AC's product won't run!"
If the "features" are insecure, would you want them?
If they're worth having, then I'd get them fixed and included.
And this is now fixed.
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.. How do we know? You did not show us the code ;)
Given: An internet browser is an application interfaced to a communications port using a communications protocol to pass message transactions via a defined protocol.
I believe that if a federal judge had sentenced the chieftains of the village of Redmond to spend a single night at the neverland ranch, or fix Internet Exploder; That IE would work better now than Firefox.
why don't you just go and shove your head back up gates's arse!
First sentence:
All APIs that IE uses are documented as part of MSDN, and are part of the Platform SDK, and are available to other software.
Second part
IE is part of the OS, any application that wants to use it is free to, because the APIs are publicly available and free to use.
People get all hot and bothered over this, when it's really simple. Microsoft provides 2 primary dlls: mshtml.dll (contains COM web hosting interfaces) and SHDocVw.dll (which contains the WebBrowser control, which IE itself uses).
Because MS integrates IE into the OS, you can go Start->Run->www.google.com and it will launch using your current web browser (even if it's FF). Or I can launch a process from code, specifying only a URL, and the system will open your browser of choice and navigate to the url.
Basically, integration gives the Windows shell the ability to browse the internet.
Tech, life, family, faith: Give me a visit
'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'
But was this the case 7 years ago when Win98 came out with the integrated browser? NO. Only now that they've faced anticompetitive pressures have they been willing to document certain "secret" api's.
Most of the best software available between 98 and 2002 (when they started releasing api's to the public) was designed by former microsoft alumni or other big companies working in close collaboration with MS. What little information that was available was only available in the "Microsoft Press" books.
This is just another case of Microsoft newspeak, ie: Documentation for most of our API's is available for free, (implying) Documentation for most of our API's has ALWAYS been available for free.
Cool! Amazing Toys.
I'm the guy who posted the story to Slashdot. One thing I noticed and which got edited out was that - nowhere in the post, does Dave Massy criticize Firefox itself. Though it is his own personal blog (it is not the IE team blog), he never mentions anything about Firefox. On the other hand, we have various people associated with Firefox badmouthing IE every chance they get.
I'm sure Dave could have pointed out with glee Firefox recent security problems (IDN, GIF handling ) or update-rollout problems. Can you imagine a Firefox dev not jumping on similar problems with IE and making fun of them?
IE does not use any extra junk that anybody else would not get. In fact, they had to rewrite many of the windowed handles so that they would be windowless (select boxes, etc.)
IE stays inside of Windows because it would be readded anyway if it did not come by default. This is because many third party apps (like AOL) depend on being able to embed IE.
Now that they're being picked up on that as a bad idea, they're suddenly saying it's NOT part of the OS?
Isn't this a "have cake and eat it" situation? It's part of the OS when lawsuits are involved, but completely separate when security issues are raised.
Or did I misunderstand something somewhere?
So.. it has come to this
how was that flamebait?
Honestly, I think that slashdot has really gone to the dogs and this thread really proves that. My original post was first modded up to interesting, then down to troll and overrated and now it's up to interesting again. 3 years ago a post like that would have been modded up to +5 Interesting and there would have been many supporting comments. But you take a look at all the reply comments people made now about it not being IE's fault and that it's Visual Basic and you wonder, what are these people thinking? When did slashdot take on so many people that don't see the obviousness of this problem? When did we get so many windows supporters on this site? Where have all the great OSS zealots gone that could argue down windows folk with a brilliant point of logic?
Reading slashdot comments anymore feels like crawling through a post-apocalyptic wasteland.
I worked with a guy last year who came from the IE6 team at MS. He wasn't a programmer, but he agreed that it was common knowledge on the team that IE used secret APIs for better performance/quality, which competitors like Mozilla couldn't. He also said that this was also true about MS SQLServer, though he didn't have direct knowledge. And that these secret APIs weren't controversial, or just gossip - they were assumed by everyone talking about development strategies for those products.
This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through. They would routinely lie to me about internal code paths that were triggering bugs, especially in printing. When I would analyze them into a deductive corner, they would tell me a little truth. Their big mistake was their managers' greed to get into the industry, which put me in direct, unmediated contact with the programmers, combined with their technical inadequacy to keep up with the discussions enough to mediate them.
I suspect that the MS claims of "national security" interest in keeping their code secret is based partly on the political havoc that would ensue (pun intended) if we could see just how much MS code is written to protect their anticompetitive abuses. The Department of Justice would have a lot to answer for, and it certainly wouldn't stop there. Especially if the ripples could prove how many Congressmembers were bribed to keep their monopoly "remedy" decisions untouched by human hands.
--
make install -not war
dude they're putting the effort in IE dev from all aspects, you must be crazy to think otherwise... they have a much bigger team working on IE than Firefox will ever have, they have procedures in place covering functionality, ui, and the god damn security... lots of R&D money put into it.... which is what makes Firefox amazing that it has gotten close to IE and actually surpassed it....
but people's opinion of MS is so f*cked up... going all the way to saying that they don't care about security... geez
screwed up thinking like this makes only one positive side to that: if it wasn't would they be actually putting enough effort? the answer is an obvious NO.
they are doing all they can to get IE secure, but the fact that it is so freaking being attacked from so many sides there's no way that they will ever succeed.
finally the fact that OS's other applications are relying on IE's API is downright scary.
You can go and uninstall IE on your machine any time you like. No one, however, has made the claim that your machine will be fully functional afterward, not even Microsoft. In fact they clearly state that the OS will use parts of the IE platform when it is installed. Those same parts will not be available to you if you happen to uninstall the browser. Never said it would be pretty. You do have the option. If you choose to rely on functions that are a part of the IE package in your OS and expect those to still be there, then perhaps you should ask the US Justice department to back off their judgement that MS has to delineate the products in that fashion, by our own government's edict. You are suggesting that those features should be part of the OS. That is exactly what they were sued in court over and lost. You can't cry foul on both sides of the fence.
FTA: Update - Fixed the typo. Thanks for the feedback. I didn't have http://www.iespell.com installed on teh machine I posted from.
It looks like what they're trying to say is that IE both is and is not part of the operating system... depending on what the meaning of is...is.
Isn't that a bit of exaggeration of her statements about IE? She was only making a compare & contrast description of the two browsers. Nobody is pointing at Michael Jackson here.
error: no space left in device
Then why the 8*^094506&*% can't I remove it, without hosing my sys files. Bullshit it is part of the OS if you cannot completely uninstall it without causing a system failure!
Blame that on embed tags, not the OS.
But you *can't* fix them! Those bits use proprietary MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubbish.
But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.
I'd venture that MS can't _un-integrate_ them from IE because a bunch of other code (from MS office to Encarta) depends on this functionality.
And I'd further venture that the "..get them fixed.." idea has occurred to MS but that this isn't easy to do due to poor design.
And hasn't that been the argument all along?!
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.
In other words, all the undocumented APIs are embedded in IE?
"I'm not impatient. I just hate waiting." - My Dad
They simply don't care.
They don't want to recompile and bust the heads with things YOU might find interesting.
People want to get to their email, surf for pr0n, Attu and Fark and play games. Oh yeah,..download some music. They don't know, care or even want to be a part of a battle against microsoft.
Sort of like the way the country is run. Think about it; you go through the farce of choosing between two identical candidates and then that person gives the reins of the country to a cabinet that isn't elected but represents those whose money helped put choice A in power.
People aren't stupid, we've just programmed them not to care. It's the ones that go around with buttons and stickers and talk about 'choices' that are stupid. Those people are like microsoft zealots.
User: I want to be able to log in without a user name or a password! Remotely!
Tech: That's horribly insecure
User: I don't care! It's easier that way!
Tech: * finds rusty knife and commits seppuku *
And that, boys and girls, is one of the reasons why Microsoft is the 800 lb gorilla. It understands that users are more than willing to sacrifice security on the altar of 'it's easier that way'.
Hello? Wasn't this an issue of the monopoly law suit? That it CAN'T be removed from the operating system?
I must be wrong, so somebody please clear this up for me. Can somebody explain this to me in layman's terms?
Also, he says that the IE development process prevents them from introducing bugs into the software? Then how does stuff like viewing .jpgs become a security flaw? Is it that their development process is just not up to snuff? Or is it the APIs that they use from the operating system that are flawed? So it's not the browser, that's flawed, it's the operating system? That makes me feel better. Also regarding a user experience the difference between the operating system is null?
I confused.
Treat me like a marketing stat, and I'll treat your movie like a series of ones and zeros
bash: cscript: command not found
Oops, using FC2 today...
the blog was obviously microsoft-centric, considering it was written by an employee. however, the comments were pretty interesting and thought-provoking until you got to the ones posted today after this was posted to slashdot. why must all the people on slashdot be out to get microsoft? as a company they are not evil. a lot of the comments to the blog just make open source advocates out to be a bunch of complete idiots. one comment in particular... "move away from closed source, that's always been microsoft's downfall". microsoft doesn't seem to be collapsing or losing money to me... apparently closed source works for them. come on now people, get real...
please me, have no regrets.
In a phrase...
"That's a lie! That's an out-and-out lie!"
Nuff said.
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
I would, if only MS didn't claim EMBED tags are their OS.
No, because you can include vbscript in any application. I will not be a personal reference to MSDN, but I have had to integrate vbscript into applications before.
Fine. For applications. I have no problem with applications using whatever APIs and technology to achieve their functionality. I do have a problem with a Web Browser being able to access arbitrary systems APIs. Why on earth would a browser require access to the ability to eject the hard disk?
And if it does require this, why does it not first ask the user (or at least inform the user that it is going to mess with her hardware)? The problem with the above URL is that I go there in IE and my CD player opens automagically. Nobody asks me about it, and server side control of a client machine is something that needs to be handled *very* cautiously for the obvious reasons. The above example is quite harmless. It worries me what malicious uses could be in store for us.
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack." I almost spat my coffee at my keyboard when I read that.
What exactly is rocket surgery - sounds dangerous.
Really Dave? Great, so i can use Firefox for Windows updates?
SEO Firefox Extension
Web development will forever suck fat cock, because you will have to spend many mind-numbing man-hours tweaking your web sites. Cope. This is what web development has been, is now, and forever will be. No amount of letter writing, e-mailing, phone calls, or mobs with pitch forks and torches is going to change it.
It isn't a matter of difficulty. It's about some people exerting control where they can at the expense of everybody else.
"Play is the only way the highest intelligence of humankind can unfold." -- Joseph Chilton Pearce
The specificness here is that the ActiveX control that comes with windows media isn't smart enough about handling running in an untrusted container.
There are win32 api calls that manage this (you have to implement some other interface in your COM object to get told about security zones), but nobody ever does.
ActiveX is the underlying problem here. They took something that worked in a constrained role -OCX controls for adding functionality to VB apps, and made them -as you note- scriptable by web pages.
The worst part: they don't give up. Even IE6SP2 leaves ActiveX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches. I despair.
Windows WHATdate?
Don't Blame me if I seem bitter, I'm at work, and the TV only plays soap operas.
Or perhaps your scenario indicates the failing of the technology industry to find a solution that does not place undue burden on the user?
It's nearly two years ago that Whirling Dervishes said they'd found these secret functions and promised to release documentation on them. But I can't find any documentation or specific info on their web site.
I'm not sure what to blame, but I just compared IE and FireFox side by side on a PC isolated to my local network. FireFox loaded many pages many times faster. Then I uninstalled all the virus protection (Norton) software on this newly acquired PC (as it will always be isolated to my local network for in-house testing) and IE performance improved dramatically.
The grammar was corrected by clippy..I was an OFA, The title meant ( Occupational First Aid Attendant ). My boss's wife could not type my job title on her work sheets because the MS grammar police changed OFA to OF A. It also changed it's to its without so much as a by your leave. I had to finally show her how to shut the shit off. It drove her nuts. Too bad the grammar police have moved to ./ OH Sorry /.
A runtime Error has occurred. Do you wish to Debug?
Line: 28
Error: Permission denied
Yes No
Your favorite
He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we can't go and check the source to ensure he isn't lying, BUT HE IS LYING.
. html
http://www.desktoplinux.com/articles/AT7614463206
Jeremy White (CEO of CodeWeavers) who actually got IE to work under wine says so:
Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?
White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!
and then they produced documentation for hidden API's after the DoJ consent.
Do we believe them now?
I don't know if you omitted the close-italic tag intentionally to make a point or if you did so unintentionally, in which case that adage about 'throwing stones' probably applies.
Either way I got a chuckle. Thanks!
I want to drag this out as long as possible. Bring me my protractor.
Of course you mean ActiveX, not VBScript. JavaScript could do the same thing (actually JScript, the ActiveX-enabled version of JavaScript).
No matter how fast/RAM saturated is your system, launching a Windows app takes at least 5 seconds, not to mention vigorous hard drive noises. I suspect it's busy relocating dozens of DLLs that should have used -fPIC, loading out-of-process COM servers and doing millions of registry accesses.
Now make that app do something CPU bound. For example, run for(;;) putchar('a'); in a command prompt window. SMP or not, the system freezes.
Or go to a graphics/flash intensive page in IE. Oh boy!
To be fair, KDE under Linux does a decent job emulating Windows in these cases. Multitasking from a VT terminal works well, but keeping X server busy or doing dd if=/dev/zero of=/tmp/foo to saturate disk bandwidth does the trick.
Everyone keeps whining about not being able to remove IE from Windows. But did you ever stop to think about just how many applications actually use IE's API, and integrate html and web pages into their programs? So even if it were possible to rip IE out of Windows, which so many people seem inclined to do for whatever reasons, those programs just wouldn't work anymore.
And you know why? Because nobody else has developed such an API for Windows. It's not impossible for one to replace IE's API if they really tried. I know that many of the open source software developers are a clever breed, and can work around any obstacle presented to them. It's just that nobody's done it, or even tried to do it that I know of.
So don't whine about not being able to remove IE if you don't have an adequate replacement to prevent many other pieces of software from breaking. It would become a tech nightmare if IE WAS removable, because then every dummy would be trying to uninstall it to hate on Microsoft like all the "cool" people, then be crying for someone to come fix their machine when all their instant messengers stopped working.
I mean seriously, if you hate IE that much, why are you even still using Windows?
Consider OpenSSL. OpenSSL is a Linux operating system; however it is a fairly independent library implemented using only public APIs. Many parts of "the operating system" depend on OpenSSL and would break upon its removal.
Ditto MSIE.
IE uses public APIs from the OS. Other parts of the OS use public APIs of IE. Thus IE cannot be removed from the OS without removing or altering the components that depend on it - such as, AFAIK, Windows Explorer (the file manager).
We can question the decision to make other parts of the OS depend so deeply on IE, and we can question the decision to make that dependency on IE rather than an abstract "web browser API" that could be implemented by other tools. That doesn't change the fact that it's still a part of the OS.
A requirement for a valid URL seems reasonable. Thus:
smb://hostname/path
as used by some browsers.
More to the point, a browser needs access to the file system, and on Windows \\unc\paths are as much a part of "the file system" as D:\drive\letter\based\paths are.
[blockquote]As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack.[/blockquote] Yet somehow the security flaws still find to expose the user. DAMN SECURITY FLAWS!
I am Bennett Haselton! I am Bennett Haselton!
Eh no, this is an issue with allowing scripts to run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.
Oh, I'd say less of a security disaster and more of a security mushroom cloud. It is pretty much the source for most security problems on the internet.
-----
Check out the Uncyclopedia.org , the only wiki source for not-semi-kinda-untruth about things like Kitten Huffing and Pong! the Movie!
Please allow me to hate the creator of the 120-character limit: *HATES*. Thank you.
Why so much alarm about their statements?
It's time to move on and forget about M$ predictions and replays. They are become to look foolish even for the big corporations. It's a big sick dog.
I'm not saying your point isn't valid, I'm saying your post has nothing to do with this thread. The original post is an obvious troll and you guys are falsely agreeing with him by saying that IE has no right to allow vbscript in IE. Okay fine, BUT IT HAS NOTHING TO DO WITH HIDDEN APIs. please, stay on topic
-dk
Okay, first of all they are SCRIPT tags, not EMBED tags. Read the friggin source for Christ's sake. If you don't want to do that scroll down just a few lines and read my follow up post. Microsoft integrated vbscript into IE. Probably a bad idea, however please tell me how integrating vbscript into IE is using secret hidden APIs that no one knows about? THAT is what the original post was about, suddenly this thread has shifted direction to MS bashing because they royally fucked up and didn't secure vbscript. Am I missing something here? We're glorifying an obvious troll post, but no it's slashdot and we must shift everything to Microsoft-is-bad posts somehow.
-dk
You can! just use "\servername" instead of "\\servername". Works for IP addresses too: "\192.168.0.1" instead of "\\192.168.0.1".
"Firefox" - not just secure, it also saves you typing an extra backslash!"
But if we don't spend useless hours typing double backslashes, how will we ever become insane enough to buy MSFT products?
Oops, I let the cat out of the bag
[caveat: I own MSFT shares directly]
-- Tigger warning: This post may contain tiggers! --
I don't have dual processor or dual core or hyperthreading, just plain P4 2GHz with 1GB RAM, dunno whether 2000Pro utilizes HT or dual cores and such.
You can test XP's mem usage easily with VMware... run 2000Pro and XP Home/Pro with say 384M virtual machine... 2kPro is faster with 256M than XP with 384M.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Or, in the case of automatically installing malware, any burden on the user!
If corporations are people, aren't stockholders guilty of slavery?
Someone please mod this post up. It's the only one that addresses the real issue. When people talk about IE's integration with the OS they are referring almost entirely to ActiveX and Browser helper objects. These are the real root of IE's security and malware holes.
No.
-dk
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
No, I mean VBscript. It just so happens that this VBScript loads an ActiveX control.
-dk
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.
Prove it.
And, I think you know how.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The fact is, there are more uninformed people out there than there are informed people (just read the crap in the original article).
Another fact is that there are more Microsoft fans than there are Open Source fans (right now).
So, the intersection of those two groups means that there are more uninformed Microsofties than there are informed Open Source fans.
And those Microsofties, for whatever reason, have decided to hang out on
Get used to it. That's the same way it will be throughout most of your life, unless you restrict yourself to very exclusive groups with very high entrance requirements (/. is not one of them). You can't argue them down. They don't know enough of the material to know how ignorant they are.
I've argued here with people who swore that SMTP did NOT have authentication. Even after I posted links to the RFC's.
And what's processing the embed tags? mshtml.dll. And isn't that part of the OS? Internet Explorer is just a desktop application using mshtml.dll as the rendering engine, as some other apps do (help for example). An HTML rendering engine shouldn't have access to hardware like that.
Follow me
Seriously, it's a good point.
Thank you so much for providing a link to some actual reasoned discussion by people who know what they're talking about. Maybe someone will follow it.
The comments in this article have been enough to make me lose faith in humanity entirely. Or at least in that section of it that knows little about MS apis but feels compelled to get a big ol' anger session going anyway
Whence? Hence. Whither? Thither.
"To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'"
If Microsoft would merely provide the source, then we could determine this for ourselves. =)
-- Rob
So anyone surprised that the idiot can't even spell check his stuff:
"Update - Fixed the typo. Thanks for the feedback. I didn't have http://www.iespell.com installed on teh machine I posted from."
Doh!
The key point is that you do NOT want tons of extra CRAP (like a web browser and such) welded to the OS.
The *nix approach (as shown by libc) is far easier to maintain and is a better approach from a security standpoint. Again, it is easier to find the problems and fix them in a SMALL component (such as libc) than it is to find them and fix them in a complete web browser (with scripting and ActiveX and so forth).
Microsoft's approach was to hide portions of the browser functionality in other, system,
The better, cleaner, more securable approach would be the *nix way where the browser components are separate and distinct modules.
I tried this experiment with a fresh installation
of Win2Kpro (plus Service Packs), and it did not
work. "Add/Remove Programs" allowed me to roll
back IE to a pre-SP version, but not to completely
remove IE. IE may not be part of the kernel, but
MS has made it part of the core OS. This is also
(IMNSHO) why any MSFT OS cannot truly be secure
(except as a stand-alone computer) -- no network
and definitely no internet access.
MSFT doesn't have to roll out Longhorn to make a
more secure OS. All they really need to do is
make their OS more modular, operationally and
during installation. And it is not as if MSFT
has not had a bit of practice doing exactly this;
MSFT sells WinCE, as well as a RT NT core. MSFT
will not make such capabilities available in their
OS, because their monopoly position regarding the
OS that they are leveraging for IE and WMP (and
whatever comes next).
The US DoJ basically gave MSFT a "free pass" in
the monopoly lawsuit, and the EU does not want
to follow that same path. I say "Good for them",
and "Screw MSFT".
IE has developers? What a bunch of lazy bitches. Where is tabbed browsing, popup blocker, css2, a javascript console, extensions ala Firefox? Seems like they haven't been developing crap for the last 4 years.
A browser should not give you this much access to the OS. That site works just fine in the latest version of IE on Windows XP. Scary!
I'm so glad I only have to use Windows at work (and here at least I can use Firefox) and can use Mac OS X at home.
And use something like: file:///d:/
But what about API's provided by IE that the *operating system* relies on...?
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Amen brotha. I have been using all the flavors of W2k since before it came out, and I have never had a problem. I ran a web server with it for 4 years straight, with about 99% uptime and zero infections or successful intrusions. Keep it patched (once a week, whether it needs it or not!) and it ran like a dream.
MS SQL 2k is also a rare gem. Most of the stuff they make is crusty with silly features and annoying eyecandy, but they have a few really solid apps if you know where to look...
HA! I just wasted some of your bandwidth with a frivolous sig!
I'm not your typical Slashdot-fanatic, M$-hating, L1nux d00d. I love most of the latest MS products and think they're solid (as long as you're clued).
However, I literally laughed out loud when I read the following comment by the blogger:
As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack.
Which version of IE is this?! Nearly every released version of IE has had laughable (keep in mind, I'm not a Linux bigot) security flaws. I'm sorry, but you can't feed the sheep their own shit. They know, they KNOW.
He goes on to say:
The security of any browser is irrelevant to if it is part of the operating system.
That seems to be Microsoft's mantra. However, any security engineer or person with common sense would disagree.
If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the web.
Are you fucking joking? There is documented exploit after exploit demonstrating this. People aren't pulling it out of their asses. It's backed by fact, something you appear to be ignoring.
I'm a somewhat-loyal MS customer, but I've got to say I don't like reading tripe like this. What I do like reading is "we're going to fix IE's security model and this is how we're going to do it, what does the community think?".
Perhaps the IE team needs to review their security procedures, because they fuckin' suck hard.
I think the question isn't whether IE uses any undocumented system calls, it's whether the system uses any IE-provided functions that are a) not part of the documented IBrowser interface and other relevant APIs (Javascript, etc.) and b) are actually necessary (that is you can't do that via documented functions (eg. one doesn't need ActiveX to provide a clickable-image next-page icon in HTML, one can do that via the IMG and A tags and maybe a bit of Javascript)). An admission that it doesn't would be an admission that one should be able to remove IE and replace it with something else without affecting the rest of the system at all. Likewise, an admission that there are undocumented IE functions necessary for system function would be an admission of abusive tying.
'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.
The functionality is dangerous and the APIs make security inherently impossible to achieve.
THAT is why having IE as part of the OS is a problem. Bringing up the "hidden APIs" issue is just muddying the waters.
I could tell that Slashdotters were posting half way down the page when the comments turned into "OMGF OSS" and "But in the anti-trust case..." bullshit repeated over and over again.
WindowsXP is based on NT, which was developed by guys they got from DEC, who had developed VAX operating systems. Windows "started over" long before Apple. Apple probably learned it from them.
Vote for Pedro
>The only thing preventing Firefox from being used
>for Windows Update is the Mozilla foundation's refusal
>to support ActiveX
Google and you shall receive.
When I was a kid, we only had one Darth.
You can easily disable ActiveX in the internet zone and still get your security patches through Windows Update. All you need to do is put the 3 windows update server names in the trusted zone and allow ActiveX to run there.
Frankly, I could give a rat's ass if IE uses super-secret API calls. Other browsers seem to do just fine without them.
To me, the larger problem is the level at which other applications leverage IE's COM interfaces (IWebBrowser, etc.). These interfaces are published in the Platform SDK as part of the Windows development environment, without much mention of IE (that I could find). But using them requires IE to be on the system, since Microsoft makes it difficult (impossible?) for other browser applications to expose these interfaces and to be used instead of IE. Quickbooks is a great example, it uses these COM interfaces to include web pages in its application, requiring keeping IE on the computer in organizations that would like to purge IE. Sloppiness on Intuit's part? Perhaps. But is it really in their best interest to wedge support in for say, Gecko, when IE is pretty much guaranteed to be on the computer?
While it might be a misnomer to say "IE is part of the Operating System", it might as well be since developers are guided with a club toward it.
Features are not insecure, users are insecure.
There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.
We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.
Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.
So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.
Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.
Microsoft cheerleader, blue flag waving, you got a problem with that?
So when a true competitor to Microsoft Word becomes available, will Word become a component of the operating system as well?
Microsoft is marketing on ignorance and propaganda.
The integration into the os probably consists of:
If (!explorer_is_present)
init.failed_boot sequence.
And soon MS project will be an integral part of the "os".
When I say OS calls, I'm referring to the ability of IE to use ActiveX to run code that can possibly damage Windows XP.
Think about it, because IE uses functions built natively into Windows, it is a lot easier for hackers to use exploits to run code that shouldn't be able to execute. Remember the Windows Help and Support exploit? Yeah, you could effectively run it from IE, and use another exploit to run malicious code.
Just hang out on Windows Update and read the Security bulletins sometime, you'll be amazed to see the vast array of vulnerabilities.
Because a browser like FireFox is NOT natively integrated into Windows, it is harder for exploits to be used. Not that there isn't any, but just that it makes it more difficult, because the FireFox code prevents certain things from executing. FireFox uses its own API and everything, which makes it slower, but more secure.
IGB: More fun than eating oatmeal!
I use FF now, but I have a premonition:
IE will get fixed, people will accept it and the world will move on. FireFox will go down as a footnote in history as the browser that fixed IE.
I do not know why people continue saying that IE is unsecure because it is embedded in Windows. Embedding a rendering engine is a good idea in a modern operative system because many applications can rely on it (The help system on windows is an example). Apple is doing that with WebKit. The problem with IE is that it is not completely standard compliant AND is poorly tested at Microsoft. I do not think it is really a problem of how it has been designed or how it has been coded, with proper testing&debugging from Those Who Have The Code it could be a lot more secure. Mozilla wins in security now because any user has access to the source code AND its developers pay a lot of attention to avoid security problems. I however believe you CAN remove Internet Explorer from the OS, but that would mean reimplementing every function of the documented API of the rendering engine and replacing the original one with yours. Don't know if it could be done as a wrapper to Gecko...
It's interesting to see the insane amount of MS bashing that goes on here every time a MS related article is posted.
Just to clear the air b4 someone calls me a MS agent, I'm a HW/SW developer that works for a bioTech company and I do all my development work on *nix.
And no I'm not trolling, I'm just trying to state some facts.
I hear a lot of crying about IE being sucky etc etc. Fine, there are a lot of holes in it that are discovered routinely. But have you guys stopped to think that most of these holes are discovered because the browser is very popular. FireFox is becoming popular and it is starting to get attacked too (I've started to get pop ups in FireFox). But this concept applies to anything, if you live in a house facing a busy street, i.e. main road, your house will be more susceptible to crime, but when you move the same house to a quiet street, the house becomes less susceptible to crime.
About the whining that it comes packaged with windows, I say why not, when you buy a car, wouldn't you like it to come with free goodies instead of you having to pay extra for everything from floor mats to a CD player?
MS Windows also comes packaged with MS Media player, but why are there still so many users of WinAmp? I've been using Winamp for the past 7 yrs. The same thing applies to other pieces of software that come prePackaged with windows and yet has ppl using other solutions. The fact of the matter is if someone doesn't like a product and finds a better one they will go and get it. This even applies to cars, if ppl don't like what they have they buy stuff like CD decks, speakers etc.. The same applies to IE.
I think the argument is that IE shouldn't be able to get to WMP...that is, it shouldn't be able to get to any component installed on your system that has more permissions then the browser might have.
But as a side note when I opened that on XPSP2 it got a Permissions denied JS error...which is definitely a Good Thing.
I still don't think a web browser should be able to embed application objects into itself just because a web page says so...
You have no freaking clue what you're talking about. It isn't even worth my time writing 10 pages correcting the nonsense in your post.
Actually I blame that on the browser; it shouldn't allow access to objects just because a web developer says they want to.
But as I stated before, MS seems to have 'fixed' this, as I get a permissions denied error in IE when i open the link.
It's fixed by removing the features...or rather, by setting security so that the features are unavailable...but you could re-enable it though (and be back at square one...use of an insecure feature).
Despair not. You may not be able to run Windows Update if you disable ActiveX entirely, but by default, Windows XP SP 2 updates itself without opening Windows Update in IE, so "bye-bye security patches" is only applicable if you explicitly disable ActiveX in the Internet zone. Even then, you can set ActiveX to "Prompted" at the Trusted zone, add Windows Update to your list of trusted sites, and, voilà, hello updates! Yeah, it's great fun to bash Microsoft, but at least *try* to find a workaround before complaining about "the man".
If that is an answer from an IE developer @ MS, then I have concrete doubts instead of just suspicions.
IE uses the same OS API's as any other program, so it's not insecure, eh? How about adding some thought: IE, a network application, uses system API's and provides API's to other applications and to parts of the OS (or at least to the interface...oh wait, that's part of the OS in windows...)
AB HOC POSSUM VIDERE DOMUM TUUM
"I'm not exactly sure what, if anything, compu-global hyper-mega /. does, but rather than compete I'm going to simply buy you out.
/. has become a windows fanboy site.
"Buy 'em out, boys!"
That said, this is the first time I've heard the suggestion that
CScript Error: Windows Script Host access is disabled on this machine. Contact your administrator for details.
Heheh.
Better yet, why isn't this (parent) +5 ? I spewed coffee when I read about the code traction.
not be documented? How could 3rd Party applications use them if they are undocumented?
The second half of your post makes no sense at all.
'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..' ...and this is relevant to Baker's security claims how?
The point isn't the APIs that connect the IE to Windows - it's the APIs that connect other applications to IE. Because Windows apps can always depend on the IE APIs being present, they are more likely to tempt developers into using them instead of something more secure that they would have to build or install themselves.
I nominate: "I Am the Very Model of a Modern Tech Professional".
And humorously enough, ActiveX and BHO's have absolutely NOTHING to do with IE's integration with the OS.
Firefox can (and does) have equivalent mechanisms, and it's not a part of the operating system.
If MS really wanted to provide security for their users, they could, but it would piss off many of them since they are used to passwordless logons. If the users aren't educated, all the crypto and security systems in the world aren't worth anything.
Space for rent, inquire within
The underlying NT is quite well-designed
Slightly offtopic, but I wish I could say that about their network stack.
NDIS is like a nightmare on steroids. Accompanying userspace API (IP helper, NetCfg, CM_xxx & co.) are not much prettier and far buggier. Makes you really appreciate the simplicity of *nix networking.
3.243F6A8885A308D313
If Massy is right, IE is part of the operating system *and* every function called by IE is part of the public API and documented, then every function in IE must be public and documented. I *know* that isn't true. You can't have it both ways.
If you disable AX in the internet zone, bye-bye security patches.
Should read: If you disable AX in the internet zone, bye-bye easy security patches.
Patches are available at the Microsoft Download center as regular downloads. However, this will obviously not scan your system and tell you which patches you need to download.
Security is, by its very nature, nothing more than making certain things a pain in the ass in order to prevent them from being done. This applies to computers, to the physical world, everywhere. The stronger the security, the less the convenience, and vice versa.
Granted, the degree of inconvenience and thus security is (intentionally) disproportional from authorized users to authorized users - those who have/know the key are less inconvenienced and thus less restricted than those who don't - but there is still the inconvenience of having to keep or remember the key, and to unlock the system when you want to use it. If you use a multiple-key solution, the security gets even better but it's even more inconvenient. That's the nature of the beast.
The only perfect security is to "completely inconvenience" everyone - just kill 'em all, or destroy whatever they're trying to access. The only perfect convenience is to completely unsecure the system. These are obviously unwanted polar extremes, and the solution lies somewhere in between them - where depends entirely on context. You've just got to find some system which makes certain things inconvenient enough that most security breaches won't be likely.
This could be a combination of physical and digital systems, even - say local login requires no authentication but remote login is restricted, that way you've got to break the physical security in the building or the digital security over the net, but either way there is some security keeping unauthorized users out.
But if you've got the GP's hypothetical "I want to be able to log in from anywhere and do whatever I want without authentication!" user, then *anything* that will grant their wish will allow *anyone* to log in from anywhere and do whatever they want. There is no solution which could give them what they want and keep any semblance of security. The technology hasn't failed: the specs being demanded are flawed and impossible to match.
It's like designing a house without any locks because those damn keys are just so inconvenient - fine, but don't expect the doors to magically keep people out of the house while you're away. There is no lock that could possibly be created that will keep something secure without inconveniencing the user to provide some sort of key.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
.... that such thing is not a valid URI.
It is yet another Microsoftism that you are legitimizing.
IANAL but write like a drunk one.
Go and check what they are.
MS is breaking yet another standard and here you are, pandering to their monopolistic ego.
IANAL but write like a drunk one.
Is The Browser Part of the Operating System?
An exercise in misdirection
copy into text file, call it 'eject.js' or something, and double-click.
Be civil to all; sociable to many; familiar with few; friend to one; enemy to none. --Benjamin Franklin
"what's to say that all the Microsoft fans aren't in the informed group"
It's like claiming that guys who worship trees are really well-thought-out.
In other words, you really do mean ActiveX, the scripting language used is irrelevant.
Be civil to all; sociable to many; familiar with few; friend to one; enemy to none. --Benjamin Franklin
don't make me compile a list!
the only permanence in existence, is the impermanence of existence.
Even IE6SP2 leaves activeX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches.
So add the windows update site to your trusted zone already and leave AX disabled for the internet zone.
There are numerous HTML renderers on Linux that are not Gecko. Gecko is in no way integral to a Linux system. I'm thinking you meant X11, which isn't integral either.
Error: MS AntiSpyware requires IE 6.1 Please install IE 6.1 Before you install MS AntiSpyware... :(
Average is dumb
I don't know how accurate your source is, but my friend at Microsoft is quite adamant that people working on different products at Microsoft are hardly even allowed to talk to each other. After all the court action in the past, Microsoft's set an in-house policy that basically says that each product team is only allowed to access other teams' specifications that have also been released in public.
Having said that, it wouldn't surprise me the slightest bit if executives make decisions from time to time that completely ignore this policy, if they think they can get away with it. But in the general case, programmers at Microsoft aren't allowed to talk to each other about the internal workings of independent projects except to distribute already published material. I suspect that this would be enforced quite a lot between the Windows/IE barrier, given all the accusations in the past.
Personally I think the bigger problem is getting Windows to stop bundling, loading and using IE at every opportunity if and when it's not wanted. I haven't used Windows seriously for several years, but it can't be that easy to change the assumption that many Microsoft and Third Party applications seem to have, that IE will always be available on a Windows system.
My understanding was that this was the whole issue. If IE were to be removed, many applications would simply break. Windows would also break, since it uses IE's API (which, by the way, is published for any operating system to use) to do so many things.
Is this still a problem? I haven't used Windows seriously for several years now, although to me XP appeared that Windows Explorer and Internet Explorer were still based on the same engine, even when I'd changed my default browser.
Which is included in OSX and not in WinXP (Home, probably in your config)
This is an awesome idea! People gleefully download IE plugins all the time--why not a "make css not suck in IE" option? Rah!
I've been saying this for a few years myself. Microsoft is dying, open-source *IS* the future no matter how many MS moles try to nay-say it. Let these remarks be archived forever on Slashdot... we'll see who has the last laugh.
Meh.
You are forgetting one little thing:
The. developers. for. Firefox. Do. Not. Get. Paid. They. Are. Free. To. Say. Anything. They. Want.
It's about responsibility as a company.
Microsoft is being _paid_ by each and every person who ever got holed by IE. This equals responsibility, and makes it much much harder to get away with blaming anybody or making comparisons.
[...]And I'd further venture that the "..get them fixed.." idea has occurred to MS but that this isn't easy to do due to poor design."
Poor design, or deliberate choice? Really, life is easy in Windowsdome as long as the MS world is tightly integrated. You cannot put OpenOffice vs. Office, Mozilla vs. IE, Windows 2000 vs. Knoppix. It is a "take the whole bunch or leave it" approach.
Be advised that this is no slur to what MS has done over the years. I have been a big fan of Excel.....4. Let's face it, it would be a big problem for MS if an application of theirs worked perfectly and wasn't "tightly integrated in the operating system". Excel was a hit in Apple world. Imagine if something like this happened today with Linux, and it worked better on Linux than on Windows. There are two problems in MS world now: problem one, there is no "killer app" on the horizon for the personal computer. Problem two, there is no turning back from the integrated approach, because it would mean that they lied to the court system in the antitrust case. So, when Firefox crashes, you restart Firefox; when IE crashes.... I hope you saved that end of term paper you were working on, boy.
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
What I can't understand is why the source code for Windows hasn't been leaked yet. I mean we manage to get a hold of the Half-Life 2 code and that was just a game. You would think that the motivation to leak the code for the major product of a company as hated as Microsoft would be a trivial matter considering how long they've been around. Maybe that's where all the money in the "security" budget goes to.
If a necessary part of the OS (MMC could be an example in this case) requires an app. (IE) then the required app. is a part of the OS since the OS can't function without the app.
Next question is why can some other browser not replace IE in this functionality... the answer is in fact quite simple... this functionality is not a part of an Internet browser so no other browser implements it.
I'm getting this...
C:\WINNT\system32>cscript c:\cupholder.txt
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Input Error: There is no script engine for file extension ".txt".
So I have saved your text to c:\>cupholder.txt and then ran it as seen above and it gave me the error. Still no luck.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Depending on which components you consider as part of "IE", there ARE undocumented APIs used by those components.
Some of them have since been documented by microsoft as part of the DOJ decree.
But not all of them.
Is this the NDIS that ndiswrapper (a way to use Windows drivers for wireless card in Linux) uses?
Now if it would only edit word documents and play mp3's too...
I want a web browser to browse the web, and a different app to browse filesystems/network. Using the same app for both feels to me like trying to cook with a hammer. Not like it's hard to alt-tab between 2 windows nor will it take a lot more resources.
That, my friend, is an awesome idea!!!
Organic free-range music... yum!
It's just that nobody on Slashdot knows how.
IE is a bunch of ActiveX components, the one people mention most often is MSHTML.DLL.
It's entirely possible to replace this with the Gecko ActiveX component. When you do that, help, explorer etc should use Gecko to render their HTML.
http://www.iol.ie/~locka/mozilla/mozilla.htm
Last I checked Microsoft was ORDERED by a federal judge to stop distributing IE as a part of the OS. In order to comply with the ruling what did they do? They added the ability to remove the software only if you do so you no longer can use Windows Update. Now call me crazy but how exactly is this even legal? Oh yeah and I am sorry M$ but IE really sux and so do your developers if they can't come up with something better. How much did you say you pay them for that job?
VMS is still around and going strong. If you need a reliable system, it's still one of the best options out there. Intel runs its production lines with VMS systems, when a "quick reboot" costs you millions in trashed product VMS becomes very affordable. If you need multi site disaster tolerance (not recovery, not fail over but uninterrupted transparent service) VMS is your answer. It outlasted 2 companies (Digital and Compaq) that tried to kill it, and may be around after people remember HP as that company that made pretty good calculators and printers for a while.
Apache, Perl, Python and Samba are available for Open VMS, the VAX will boot BSD and the Alpha Linux. Pipe is there too, along with Emacs.
The Intel architecture may not generate the business, but the o/s is near platform independent. I'd like to see IBM take over VMS and port to Power. VMS quality design and IBM marketing.
You can't take an old version of someone's code and then use that as an argument as to why their current versions suck. Windows 2000 is a past version of MS's OS. Sure it is supported, but Quickbooks supports a couple of past versions too, however if you have trouble, you need to upgrade. It's the way all software works, including Linux. Perhaps we should start stating Linux's faults by using examples found in old versions of Distros. That would piss off Linux users too. Why? Because it's an unfair example based on old information.
;)
Yea I can't uninstall IE on my DR DOS 6.0 machine either. Perhaps it's because I couldn't install it to begin with. I am writing Digital Research to complain. Does anyone know who I write to now?
I completely agree with your premise that OS (as in Operating System) = kernel although a lot of the problem is that words and phrases take on new meanings. If enough people think OS = "The software stack required to implement a WIMP GUI and popular apps" (as happens when people say "The Windows Operating System") then the phrase picks up second meaning. This can lead to words and phrases being eventually redefined.
Now the bit I do take issue with is saying that x.org is an essential part of Fedora's OS. I know there are configuration tools for the kernel that require QT and GTK but there's a curses based config tool too. I think Red Hat would have a hard time of saying X11 was a part of the OE but it is "optional" (providing you don't run GUI programs) anyway. I am vaguely aware that on Windows significant parts of the GUI subsystem run in kernel space so I reckon you have a good case for saying GUI stuff is part of the "OS" there but not on Linux based distros...
The IE/X11 analogy also breaks down because it's possible to install Fedora without X11 but it's not (at least until Windows 2003?) possible to *install* Windows without IE. Nor is there anything which implements all the same functions as IE (unlike your sh example where you could use sash/ksh/csh). The fact that there COULD be something is somewhat by the by unless THERE IS something. It's like saying something could replace Quicktime (the movie player) on the Mac. The public API is documented so you could just rip out the current libraries and just slot in VLC as replacement right (even in embedded movies)?
FUCK OFF!
But remember to raise the trust levels of "trusted zone" to "medium", to stop you running unsigned controls against from any site that pretends to be in the MS domains.
I will never understand the mentality of users who allow themselves to be "driven nuts" by software quirks, yet won't spend two minutes looking through the options or reading the fucking help.
It's not like Autocorrect is hidden or anything.