IE Developer Responds to Mozilla Accusations
sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team, has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows...'"
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter. That does not make use of any unknown undocumented APIs. Try this, paste this code into a text file (hint: it came straight from your website):
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
If colCDROMs.Count >= 1 Then
    For i = 0 To colCDROMs.Count - 1
        colCDROMs.Item(i).Eject
    Next ' cdrom
End If
WScript.Echo "Automatic Cup Holder."
Then run "cscript filename". Oh my god, Microsoft tied vbscript into a stand alone application on your system!!! Give me a break, mod the parent down please
-dk
You can do that from windows explorer, and you could before IE was "part of the os," so that's a windows core function, not an IE function. As for browsing pages from a server like that, click on the files in the browser once you navigate to them.
Not to negate your post, but have you used any modern window manager that was big on eye candy? They use just as much ram as windows xp does. Mac OS X with less than 512mb of ram is a joke (heck, even with 512mb of ram it slows down when I fire up more than one resource intensive app) and KDE is just as bad. If you go back to Windows 95 or NT 4 before all these themed desktops came into light you wouldn't need half a gig of ram to show systray icons.
-dk
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.
Guys, uh guys, that's The Problem.
http://www.eweek.com/article2/0,1759,1776387,00.asp
To sum my thoughts in that story up, you have a gateway, IE, to the Internet that has deep, Inadequately Protected, connections to the core operating system.
IE, in specific, and Windows, in general, cannot be secured.
Microsoft's one seamless whole is really one giant security hole.
Steven
Hmm, it works for me in firefox, I can browse other machines just fine.
An article from 2003:
Microsoft allegedly opened up Windows APIs last year... Now, Devos claims that Microsoft's disclosures remain sufficiently inaccurate and incomplete for developers to continue using his own documentation.
Devos claims that Whirling Dervishes has discovered hidden Windows interfaces that are crucial for the development of such applications, but whose existence is denied by Microsoft. Not much change there then, post-lawsuit. These and other interfaces which Devos says should have been part of the API disclosures are used in NSELib, and he proposes to make public full documentation on how to use them.
Developers: We can use your help.
I would never use I.E. again if Firefox could do one thing (more), to be able to navigate to other (windows) boxes using my browser (like i can in I.E.)
by typing \\servername or \\ip address
You can! Just use "\servername" instead of "\\servername". Works for IP addresses too: "\192.168.0.1" instead of "\\192.168.0.1".
"Firefox" - not just secure, it also saves you typing an extra backslash!"
This is where the serious fun begins.
Granted his machine is a bloody mess, riddled with SpyWare but, prior to the uninstall, at least he could connect to a network - which would make my thankless task of resurrecting this poor abused box much easier.
Lesson: Sure, IE isn't part of the operating system, provided you don't count a working TCP/IP stack as a necessary part of the OS.
(Actually, this might not work on IE 6.0+. Can you believe they actually fixed the problem.)
Still not fixed, at least it's not fixed as of IE version 6.0.2800.1106
"To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..."
Several points to this:
One, the MSDN documentation is horrific. There are few examples and fewer cross references. So you get into a game of "find the API" call you want.
Second, many of the API's are horribly quirky and have known bugs. The bugs tend to stay because programs become dependent upon them. But the MSDN documentation NEVER DOCUMENTS these "quirks". I'm sure IE has plenty of workarounds for these... but still use the "documented API's"
Thirdly, Microsoft will change the OS calls to suit their whim. Then bury it in the documentation with maybe a one-line blurb buried with about a dozen under changes in the latest MSDN release. (EG The new list control grouping features for XP or when they implemented "coolbars" for IE) And then there were few examples of usage. So general acceptance doesn't occur until some kind soul has trudged through the pixel mines and figured out how the new control API's work.
Lastly, IE functionality may only use ONE OS API call (CreateWindow) and have all custom code written for the rest of the app...er..kernel module...
kind of offtopic, i know but anyway. i was bored in college once, so i wrote a VB app in about 30 seconds with a textbox, a go button and an IE OCX. the code was this (might not be perfect, i've not done any VB for a long time now):
Sub Command1_Click()
    iecontrol.Navigate2 text1
End Sub
And it was surprising how the security of IE is tied to the address bar and the rendering portion of the browser allowed me into c:, which i wasn't allowed to do in windows explorer. i can't remember if i was able to add/edit/delete files or not though.
Nice. I read that in mud help files in 1994, only substitute all the modern technologies with mainframe jargon. I don't mind the update, but don't hijack it, paste a new face over the top of it, and try pass it off as your original work. That's very Microsoft of you.
They don't contradict each other. What it is saying is that IE is implemented using publicly available OS API calls only, not secret ones as people have surmised, and that it is PART of the OS in order to provide some DIFFERENT API calls to third party applications.
The two statements bear no relation to each other, other than that they both relate to IE and APIs.
Simple answer. Turn off the eye-candy. It's pointless. I use WinXP with classic theme (and theme service turned off), and along with turning off other unneeded services, WinXP runs with a memory profile of about 70MB when idle with no apps loaded.
Now as you do want to run multiple apps, even 128MB isn't enough leeway - but I do get by fine with 256MB.
-- *~()____) This message will self-destruct in 5 seconds...
There have been many holes in assorted portable C libraries. You don't hear about it like you do about IE problems because IE is used by thousands and thousands of people every day and it is on the front lines, where the rubber meets the road as it were. C library problems can be found when a hole manifests itself in any program using it (which is any C program) and when it is fixed for any of them it is fixed for all of them. IE is used by a lot of programs, but not as many as the C library.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Nope, that didn't work either.
Oh, yeah?
Windows 2000 Pro dropped my system two weeks ago because the piece of shit couldn't handle a 160GB (>137G) hard drive while dual-booting with Windows XP.
The piece of shit would actually format a partition to FAT32, tell me it's "healthy", then Bart's PE XP kernel would tell me it was STILL NTFS!
And it would then proceed to store data written to that partition to some other partition - including the Windows XP partition - crashing both systems.
Oh, you say, that was fixed in Service Pack 3?
Oh, yeah (again)?
Look up the Microsoft Knowledge Base article that says Windows 2000 SP3 can't read the partition table correctly on "some hard drives". Supposedly corrected in SP4 - which however, I applied separately after installing Windows w/SP3 - where the damage was already done.
WHICH hard drives? WHY? WHEN? Oh, perish forbid that MS would tell anybody this.
I'm now limited to Windows XP (and RH 7.3) on this machine because I CANNOT TRUST Windows 2000 at all on something this basic.
Of course, I've had Linux do the same thing on my old Compaq, so MS is not the only one that STILL can't get the goddamn partition table right after TWENTY YEARS.
ONE GODDAMN SECTOR and NOBODY can get it right YET.
This is completely illustrative of what is WRONG with the IT industry - commercial AND open-source.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
It's nearly two years ago that Whirling Dervishes said they'd found these secret functions and promised to release documentation on them. But I can't find any documentation or specific info on their web site.
Consider OpenSSL. OpenSSL is a Linux operating system; however it is a fairly independent library implemented using only public APIs. Many parts of "the operating system" depend on OpenSSL and would break upon its removal.
Ditto MSIE.
IE uses public APIs from the OS. Other parts of the OS use public APIs of IE. Thus IE cannot be removed from the OS without removing or altering the components that depend on it - such as, AFAIK, Windows Explorer (the file manager).
We can question the decision to make other parts of the OS depend so deeply on IE, and we can question the decision to make that dependency on IE rather than an abstract "web browser API" that could be implemented by other tools. That doesn't change the fact that it's still a part of the OS.
The api had at least 6 memory pointers for device read/write and depending on what you were doing or the cycle of the moon, had to know which one to use.
Contrast that with all the other OSes I had to write device drivers for, they only required two. One was a virtual memory pointer the other was a physical memory address. And they even gave kernel calls to translate from one to the other.
I'd say based on the glimpse of the internals, that the NT kernel by the time it got to NT 4 got hacked so bad, quite well designed is not the description I'd use.
Uhh.. No. The MSDN program started in 1993. In particular, the IE API's have been available on MSDN since IE3, which was before MS had "integrated" it in the OS.
If you need web hosting, you could do worse than here
Someone please mod this post up. It's the only one that addresses the real issue. When people talk about IE's integration with the OS they are referring almost entirely to ActiveX and Browser helper objects. These are the real root of IE's security and malware holes.
With price of RAM these days, it does not take that much to run 1 gig or more, I have less than $100 in RAM and currently run 1 gig.
I like to see windows pull this trick.
I have / (root of the drive) mounted in RAM! All my apps pop up instantly, (including firefox) Here is how to do it.
http://forums.gentoo.org/viewtopic-t-296892.htm
Sig
Can somebody - Dave? - point me to the API that let IE4 add a "Favourites" item to the start menu in Windows 95? I don't mean something that was documented last year, I mean something that was documented ... in 1995. I don't think there is such an API. I don't think there ever was.
Can somebody - Dave? - tell me why the IE installer calls the undocumented Extract cabinet.dll function?
As far as I'm concerned this is all very simple. Could Netscape have done to Windows 95 what Microsoft did with IE4? Obviously the answer is no: IE did things that weren't just *adding* APIs, they were replacing core parts of the OS like Explorer in order to add the Favourites menu, Active Desktop etc etc. Dave is full of shit and the sad thing is, he probably believes his own story.
It's not magic, Raymond Chen debunks some of those assumptions in his article. He specifically notes many people view this as undocumented APIs.
If you say "here goes my karma" I will bite you!!!
Here's a link to a copy of the original.
Doesn't work for me.
Looks like I jumped the gun - it works for "\server", but not "\server\share". Apologies for the confusion I've caused :-(
This is where the serious fun begins.
How come you're not thanking IamTheRealMike for his post (also in reply to my post) which points to examples of hundreds of undocumented MS API calls? Because your commitment to believing MS lies is stronger than your self-interest in getting the equal access to their OS that they promise?
--
make install -not war
Geoff Chappell has news for you. It doesn't make Chen look too good.
--
make install -not war
The only thing preventing Firefox from being used for Windows Update is the Mozilla Foundation's refusal to support ActiveX, which is patently stupid because Mozilla extensions are exactly the same thing.
Microsoft could, if they wanted to, write a Firefox/Mozilla extension for Windows Update, but there's nothing compelling them to do so right now.
If you need web hosting, you could do worse than here
Eh, true to an extent. What NeXT did was really remarkable when you think about it. Mach was really cutting-edge in the mid and late 80s. The BSD layer (single server in user-space in the case of NeXTstep), was added for unix-compatibility, a robust filesystem (FFS), and networking capabilities. The Unix compatibility was important in NeXT's target market -- research.
None of that was remarkable; MS did the same thing when it lifted the BSD network stack for Windows NT. What *was* remarkable...the framework, and completely new programming and display model they built atop mach to use mach's neat features.
If you think the NeXTstep/OPENSTEP libraries were lifted, you're sorely mistaken. Take a look at how long it's taken GNUstep to replicate a fully-published API last updated around 1995.
Microsoft's API is similarly complex, but the underlying OS is about the same vintage (late 80s). MS's difficulties come from programming to a different model....that of a single-user machine, or an insecure LAN. Microsoft's dogmatic dedication to backwards compatibility also hurts matters. I can't honestly expect a 1993 NeXTstep application to run on OSX (please discount the 68k versus PPC difference....), but a 1993 win32 application probably will run just fine on Windows XP.
If they abandoned some of their backwards compatibility, it'd probably be better for everyone involved.
Actually I blame that on the browser; it shouldn't allow access to objects just because a web developer says they want to.
But as I stated before, MS seems to have 'fixed' this, as I get a permissions denied error in IE when i open the link.
Getting firefox WILL make you more secure, because one of the larger avenues of attack is simply gone. You can't create ActiveX controls using script in FF. True there may be other exploits, but one of the larger ones is not there by design.
Given that they purposefully left out ActiveX scripting tells me they are at least learning from MS' mistakes, which creates some trust for them in me.
Mac has come down in price, but they're still much more expensive. At least $500 more for the bottom of the line G5. Their options are pretty poor too as you go up the G5 model line...a $2500 machine with a Geforce FX 5200 video card? Are there any games for mac yet? :)
I don't think that Macs are necessarily "overpriced" though. The quality of the product overall is certainly worlds above any big box PC.
As another poster noted, it is trivial to do this in Windows with a ramdisk and a batch file to copy the files from disk to ram.
Such ignorance.
Yes, IE uses DLLs used by the rest of Windows so most of IE's code is generally always in memory.
No, there is no IE code in the kernel.
the prices have been on par with Intel machines
... including wireless support, larger hard drive etc.
that is a lie.
from apple's website: 15", 1.5GHz, 512MB, 80GB powerbook is $1999. from dell's website, a 15", 1.5GHz, 512MB, 80GB inspiron 6000 is $1127. i customized the dell to meet the major characteristic of the powerbook
if anyone doesn't believe me, go and look on apple and dell's website. it took me 3 minutes.
the dell is nearly half as much. and please don't argue all of the little crap, like that the powerbook has a backlit keyboard. my guess is that to most people, things like that aren't worth $1000. but if you absolutely positively have to have bright colors and backlit keyboards, by all means, apple is for you.
A couple of points, IE is not just bundled with windows, it has been made part of the OS, thus when a hole is found in IE, it is a hole in the OS. Secondly if your main problem with Firefox is that you are getting popups, as opposed to the routine discovery of root access exploits with IE then you're laughing.
Go into Control Panel -> Administrative Tools -> Services. From there, disable the Themes service. While you are in there, it's not a bad idea to disable other completely-stupid-to-have-running-by-default services like Remote Registry and Messenger.
"When did you ever hear of an exploit caused by the Microsoft help system?
Using mshtml in the help system or as the desktop is NOT a security problem and never has been. You are spouting more idiotic FUD."
When? I believe the last time was January 11, 2005.
"This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system."
I rarely criticize things I don't care about.
Depending on which components you consider as part of "IE", there ARE undocumented APIs used by those components.
Some of them have since been documented by microsoft as part of the DOJ decree.
But not all of them.