Slashdot Mirror
IE Developer Responds to Mozilla Accusations
sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'
No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.
And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's is the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things exlpodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.
I Want To Believe
I can't figure it out. Is Dave playing dumb, or is he really dumb?
The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone that works on IE from trying to claim it is not part of the OS? Oh, we're going to get down to nit picking. Yes, yes, yes IE is not part of the kernel.
However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.
And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.
Ironically, the word ironically is often used incorrectly.
Eh no, this is an issue will allowing scripts run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter
Er...isn't that sorta the point?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present."
So why not just have an html rendering library and make IE an optional add-on? Plenty of other OS's seem to get by with this approach; I guess that none of them are so hellbent on pushing out a particular product...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
They are operating system APIs used by IE, he says so - just none that are 'not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows', i.e. no secret undocumented APIs. So you can rest easy in the knowledge that if someone finds a bug letting them use a malformed website and IE to read files off your local hard drive, IE is only using a documented API to do it.
:-)
And he also says that IE is indeed part of the operating system 'so that parts of the OS and other applications can rely on the functionality and APIs being present'. Which presumably would mean a bug in IE could affect those parts of the OS and other applications. Which seems to be to go right along with what I thought the Mozilla guy was saying.
As responses go, it's not the best is it?
That should never be supported by a browser because that is not an internet standard and a big security risk. A browser should only work with valid URL's.
As part of the testing phase when I design a new web site I have to point out that the majority of my time is spent "tweaking" the site to display correctly in IE. While on the other hand I can take the same site and test it in Mozilla, Firefox, Konqueror, Safari, Netscape, etc. on various platforms (Linux, Mac, and Windows). I don't see why all browser developers can not or will not just design browsers to be equally compliant. With all the market share MS already has in my opinion they should, as atleast an act of good faith, build IE to conform with standards. I can not see any reason not to, I mean come on how difficult is it.
Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
I would have loved to be at the party they must have had when ActiveX went through it's security reviews.
Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.
\\servername does NOT work for me, FF 1.0.2
\\servername\dir DOES work
\\servername\c$ DOES work
So the only thing that FF can't do that IE/Explorer can is browse to the server root, \\servername.
Internet Explorer is not part of the Windows OS (kernel). It does not have a privileged status, and makes use of no extra functionality that is not available to other applications. Internet Explorer is part of the Windows OE. Other applications depend on the libraries provided by it (most commonly the HTML layout engine). The most obvious example of this is the Windows help program, which most applications use. As such, it is not possible to remove Internet Explorer without replacing it with something functionally equivalent (i.e. exposing the same API), unless you expect things to break.
Being part of the Windows OE does not inherently make Internet Explorer insecure, this is just FUD spread by idiots. It does, however, mean that flaws in Internet Explorer are more likely to be important (it is tied into other applications, providing multiple attack vectors for an exploit). Internet Explorer has a large number of flaws (a fair number in design, as well as implementation), and I would not wish to be in the position of having to defend it, but claiming that `it is tied to the OS and therefore bad' is just stupid and undermines any rational arguments that may be proposed at the same time.
I am TheRaven on Soylent News
What, Mozilla does security through lack of features?
If the "features" are insecure, would you want them?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The fact that this tool hasn't been released to other developers is proof that they unfairly compete.
What? How is that unfair? They must document and release all APIs, sure, but all their in-house development tools too? That's quite a standard, and I bet not one you'd put on any other company in any other industry. Assuming those tools use some clever coding and those same public APIs, what's to stop anyone else from making their own super-DLL-optimizer?
I agree with the basic subject of this post ("Microsoft Unfairly Competes"), but this seems ridiculous.
"Science is a tribute to what we can know although we are fallible" -Jacob Bronowski
I worked with a guy last year who came from the IE6 team at MS. He wasn't a programmer, but he agreed that it was common knowledge on the team that IE used secret APIs for better performance/quality, which competitors like Mozilla couldn't. He also said that this was also true about MS SQLServer, though he didn't have direct knowledge. And that these secrett APIs weren't controversial, or just gossip - they were assumed by everyone talking about development strategies for those products.
This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through. They would routinely lie to me about internal code paths that were triggering bugs, especially in printing. When I would analyze them into a deductive corner, they would tell me a little truth. Their big mistake was their managers' greed to get into the industry, which put me in direct, unmediated contact with the programmers, combined with their technical inadeqacy to keep up with the discussions enough to mediate them.
I suspect that the MS claims of "national security" interest in keeping their code secret is based partly on the political havoc that would ensue (pun intended) if we could see just how much MS code is written to protect their anticompetitive abuses. The Department of Justice would have a lot to answer for, and it certainly wouldn't stop there. Especially if the ripples could prove how many Congressmembers were bribed to keep their monopoly "remedy" decisions untouched by human hands.
--
make install -not war
But you *can't* fix them! Those bits use proprietry MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubish.
But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.
I'd venture that MS can't _un-integrate_ them from IE because and bunch of other code (from MS office to Encarta) depends on this functionality.
And I'd further venture that the "..get them fixed.." idea has occured to MS but that this isn't easy to do due to poor design.
And hasn't that been the argument all along?!
User: I want to be able to log in without a user name or a password! Remotely!
Tech: That's horribly insecure
User: I don't care! Its easier that way!
Tech: * finds rusty knife and commits seppuku *
And that, boys and girls, is one of the reasons why Microsoft is the 800 lb gorilla. It understands that users are more than willing to sacrifice security on the altar of 'its easier that way'.
Hello? Wasn't this an issue of the monopoly law suit? That it CAN'T be removed from the operating system?
I must be wrong, so somebody please clear this up for me. Can somebody explain this to me in lamen's terms?
Also, he says that the IE development process prevents them from introducing bugs into the software? Then how does stuff like viewing .jpgs become a security flaw? Is it that there development process is just not up to snuff? Or is it the APIs that the use from the operating system that are flawed? So it's not the browser, that's flawed, it's the operating system? That makes me feel better. Also regarding a user experience the difference between the operating system is null?
I confused.
Treat me like a marketing stat, and I'll treat your movie like a series of ones and zeros
the blog was obviously microsoft-centric, considering it was written by an employee. however, the comments were pretty interesting and thought-provoking until you got to the ones posted today after this was posted to slashdot. why must all the people on slashdot be out to get microsoft? as a company they are not evil. a lot of the comments to the blog just make open source advocates out to be a bunch of complete idiots. one comment in particular... "move away from closed source, that's always been microsoft's downfall". microsoft doesn't seem to be collapsing or losing money to me... apparently closed source works for them. come on now people, get real...
please me, have no regrets.
Really Dave? Great, so i can use Firefox for Windows updates?
SEO Firefox Extension
The specificness here is that the ActiveX control that comes with windows media isnt smart enough about handling running in an untrusted container.
there are win32 api calls that manage this (you have to implement some other interface in your COM object to get told about security zones), but nobody ever does.
ActiveX is the underlying problem here. They took something that worked in a constrained role -OCX controls for adding functionality to VB apps, and made them -as you note- scriptable by web pages.
the worst part: they dont give up. Even IE6SP2 leaves activeX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches. I despair.
He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we cant go and check the source to ensure he isnt lying, BUT HE IS LYING.
. html
http://www.desktoplinux.com/articles/AT7614463206
Jeremy White (CEO of CodeWeavers) who actually got IE to work under wine says so:
Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?
White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!
Everyone keeps whining about not being able to remove IE from Windows. But did you ever stop to think about just how many applications actually use IE's API, and integrate html and web pages into their programs? So even if it were possible to rip IE out of Windows, which so many people seem inclined to do for whatever reasons, those programs just wouldn't work anymore.
And you know why? Because nobody else has developed such an API for Windows. It's not impossible for one to replace IE's API if they really tried. I know that many of the open source software developers are a clever breed, and can work around any obstacle presented to them. It's just that nobody's done it, or even tried to do it that I know of.
So don't whine about not being able to remove IE if you don't have an adequate replacement to prevent many other pieces of software from breaking. It would become a tech nightmare if IE WAS removable, because then every dummy would be trying to uninstall it to hate on Microsoft like all the "cool" people, then be crying for someone to come fix their machine when all their instant messengers stopped working.
I mean seriously, if you hate IE that much, why are you even still using Windows?
Features are not insecure, users are insecure.
There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.
We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.
Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.
So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.
Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.
Microsoft cheerleader, blue flag waving, you got a problem with that?
I have yet to see a valid comment about how Microsoft his hiding secret apis from developers. Instead I see this post-apocolyptic wasteland created from your comments and the moderators that are falsely promoting your FUD.
Youre confusing me. You keep going on about the hidden APIs issue and I dont think that was what was being implied... Im assuming you mean this quote
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..
You also start the parent post with
Hold on hold on, let me get this straight. You originally said that IE is allowing secret hidden APIs (at least that is what is interpreted from your quote) because there was a security hole that allowed VBscript to load arbitrary ActiveX controls. Yet you failed to give any example of how Microsoft has kept developers from integrating VBscript into their own applications (for sake of argument, we will say Mozilla).
I didnt interpret his post this way and I dont think others did either(I could be wrong of course). I thought that the grand daddy post was making the point was that it was actually a good thing that Firefox et al dont have access to these APIs or else the browser can start accessing things it has no right to access.
Sorry if Im wrong... but I dont think its a issue of hidden APIs that Mozilla cant implmement is the issue. The issue is these APIs are documented fine, but we shouldnt implement them.
As to how this relates directly to the article being discusssed... specifically the original quote. He is arguing(I think) that the idea of intergrating something as netward facing as a HTTP client with core functionality is "stupid".