Slashdot Mirror
IE Developer Responds to Mozilla Accusations
sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'
No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.
And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's is the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things exlpodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.
I Want To Believe
IF there are no operating system API's used by the browser, then why did MSFT fight so hard not ot have to remove it from the browser. IT might not use the OS API's, but im fairly sure it works the other way round. Has he ever tried to remove IE cleanly from a windows install?
I can't figure it out. Is Dave playing dumb, or is he really dumb?
The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone that works on IE from trying to claim it is not part of the OS? Oh, we're going to get down to nit picking. Yes, yes, yes IE is not part of the kernel.
However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.
And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.
Ironically, the word ironically is often used incorrectly.
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter. That does not make use of any unknown undocumented APIs. Try this, paste this code into a text file (hint: it came straight from your website):
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
wscript.echo "Automatic Cup Holder."
Then run "cscript filename". Oh my god, Microsoft tied vbscript into a stand alone application on your system!!! Give me a break, mod the parent down please
-dk
Eh no, this is an issue will allowing scripts run with unfettered access to the system. Made IE great for intranet applications but a security disaster on the web.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
I would never use I.E. again if Firefox could do one thing (more), to be able to navigate to other (windows) boxes using my browser (like i can in I.E.)
by typing \\servername or \\ip address
my understanding was that this functionality was part of the API that is not available? this is the only thing keeping I.E. on my windows desktop.
This is not meant to be read by geeks, it's for PHBs. Either that or I'll have some of what he's smoking.
Justin.
You're only jealous cos the little penguins are talking to me.
"But Mr Dent, the plans have been available in the local planning office for the
..."
last nine month."
"Oh yes, well as soon as I heard I went straight round to see them,
yesterday afternoon. You hadn't exactly gone out of your way to call attention
to them had you? I mean like actually telling anybody or anything."
"But the plans were on display
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked
filing cabinet stuck in a disused lavatory with a sign on the door saying
Beware of the Leopard."
That's the sound lusers make as they get their so-called browsers hijacked and spywared to death.
If a packet hits a pocket on a socket on a port,
And IE is interrupted as a very last resort,
And the address of the memory makes your FireFox abort,
Then the socket packet pocket has an error to report.
If your cursor finds a IE link followed by a dash,
And the VBScript code puts your windows in the trash,
And your data is corrupted because IE and Firefox clash,
Then your situation's hopeless and your system's gonna crash!
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter
Er...isn't that sorta the point?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present."
So why not just have an html rendering library and make IE an optional add-on? Plenty of other OS's seem to get by with this approach; I guess that none of them are so hellbent on pushing out a particular product...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Thats the point though the IE gives websites access to the APIs of other programs like WMP without asking the user.
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.
Guys, uh guys, that's The Problem.
http://www.eweek.com/article2/0,1759,1776387,00. asp
To sum my thoughts in that story up, you have a gateway, IE, to the Internet that has deep, Inadequately Protected, connections to the core operating system.
IE, in specific, and Windows, in general, cannot be secured.
Microsoft's one seamless whole is really one giant security hole.
Steven
It is part of the OS. That's the part of the post he made.
IE is part of the OS primarily because it is an API that is relied on by other parts of the OS, and other 3rd party apps.
It is rightly described as "middle-ware". Clearly, it's not a driver, or the kernel, or whatnot.
But also clearly, it is not a single executable strapped on top.
It's integrated, but using only methods that and API that are available to anyone to use.
As part of the testing phase when I design a new web site I have to point out that the majority of my time is spent "tweaking" the site to display correctly in IE. While on the other hand I can take the same site and test it in Mozilla, Firefox, Konqueror, Safari, Netscape, etc. on various platforms (Linux, Mac, and Windows). I don't see why all browser developers can not or will not just design browsers to be equally compliant. With all the market share MS already has in my opinion they should, as atleast an act of good faith, build IE to conform with standards. I can not see any reason not to, I mean come on how difficult is it.
Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
An article from 2003:
Microsoft allegedly opened up Windows APIs last year... Now, Devos claims that Microsoft's disclosures remain sufficiently inaccurate and incomplete for developers to continue using his own documentation.
Devos claims that Whirling Dervishes has discovered hidden Windows interfaces that are crucial for the development of such applications, but whose existence is denied by Microsoft. Not much change there then, post-lawsuit. These and other interfaces which Devos says should have been part of the API disclosures are used in NSELib, and he proposes to make public full documentation on how to use them.
Developers: We can use your help.
To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.
This is always the standard Microsoft defense. Our products are written with the same API's as are available to everyone else. Everything's fair.
Except that Microsoft developers get access to the people who wrote the specifications. They can influence the specifications to change. In fact, according to a friend of mine who works at Microsoft, they have a tool which highly optimizes their code after compilation, by, among other things, moving the infrequently used code like error handling routines to the back of their DLL's, etc.
The fact that this tool hasn't been released to other developers is proof that they unfairly compete.
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
I would have loved to be at the party they must have had when ActiveX went through it's security reviews.
Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.
(Actually, this might not work on IE 6.0+. Can you believe they actually fixed the problem.)
Still not fixed, at least its not fixed as of IE version 6.0.2800.1106
I see you're trying to counter the open source movement... Let's get started! Would you like to:
-Spell check
-Grammar check
-Print this document
-Connect to Microsoft Office Online
[/CLIPPY]
"If you think you have things under control, you're not going fast enough." --Mario Andretti
What, Mozilla does security through lack of features?
If the "features" are insecure, would you want them?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
You might want to check your spelling when you're making a very public argument about how your software is not more prone to vulnerabilities than another.
Who proofreads blog entries? That's like clicking the Preview button on Slashdot.
I'm the guy who posted the story to Slashdot. One thing I noticed and which got edited out was that - nowhere in the post, does Dave Massy criticize Firefox itself. Though it is his own personal blog (it is not the IE team blog), he never mentions anything about Firefox. On the other hand, we have various people associated with Firefox badmouthing IE every chance they get.
I'm sure Dave could have pointed out with glee Firefox recent security problems (IDN, GIF handling ) or update-rollout problems. Can you imagine a Firefox dev not jumping on similar problems with IE and making fun of them?
I worked with a guy last year who came from the IE6 team at MS. He wasn't a programmer, but he agreed that it was common knowledge on the team that IE used secret APIs for better performance/quality, which competitors like Mozilla couldn't. He also said that this was also true about MS SQLServer, though he didn't have direct knowledge. And that these secrett APIs weren't controversial, or just gossip - they were assumed by everyone talking about development strategies for those products.
This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through. They would routinely lie to me about internal code paths that were triggering bugs, especially in printing. When I would analyze them into a deductive corner, they would tell me a little truth. Their big mistake was their managers' greed to get into the industry, which put me in direct, unmediated contact with the programmers, combined with their technical inadeqacy to keep up with the discussions enough to mediate them.
I suspect that the MS claims of "national security" interest in keeping their code secret is based partly on the political havoc that would ensue (pun intended) if we could see just how much MS code is written to protect their anticompetitive abuses. The Department of Justice would have a lot to answer for, and it certainly wouldn't stop there. Especially if the ripples could prove how many Congressmembers were bribed to keep their monopoly "remedy" decisions untouched by human hands.
--
make install -not war
But you *can't* fix them! Those bits use proprietry MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubish.
But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.
I'd venture that MS can't _un-integrate_ them from IE because and bunch of other code (from MS office to Encarta) depends on this functionality.
And I'd further venture that the "..get them fixed.." idea has occured to MS but that this isn't easy to do due to poor design.
And hasn't that been the argument all along?!
User: I want to be able to log in without a user name or a password! Remotely!
Tech: That's horribly insecure
User: I don't care! Its easier that way!
Tech: * finds rusty knife and commits seppuku *
And that, boys and girls, is one of the reasons why Microsoft is the 800 lb gorilla. It understands that users are more than willing to sacrifice security on the altar of 'its easier that way'.
Hello? Wasn't this an issue of the monopoly law suit? That it CAN'T be removed from the operating system?
I must be wrong, so somebody please clear this up for me. Can somebody explain this to me in lamen's terms?
Also, he says that the IE development process prevents them from introducing bugs into the software? Then how does stuff like viewing .jpgs become a security flaw? Is it that there development process is just not up to snuff? Or is it the APIs that the use from the operating system that are flawed? So it's not the browser, that's flawed, it's the operating system? That makes me feel better. Also regarding a user experience the difference between the operating system is null?
I confused.
Treat me like a marketing stat, and I'll treat your movie like a series of ones and zeros
the blog was obviously microsoft-centric, considering it was written by an employee. however, the comments were pretty interesting and thought-provoking until you got to the ones posted today after this was posted to slashdot. why must all the people on slashdot be out to get microsoft? as a company they are not evil. a lot of the comments to the blog just make open source advocates out to be a bunch of complete idiots. one comment in particular... "move away from closed source, that's always been microsoft's downfall". microsoft doesn't seem to be collapsing or losing money to me... apparently closed source works for them. come on now people, get real...
please me, have no regrets.
Really Dave? Great, so i can use Firefox for Windows updates?
SEO Firefox Extension
The specificness here is that the ActiveX control that comes with windows media isnt smart enough about handling running in an untrusted container.
there are win32 api calls that manage this (you have to implement some other interface in your COM object to get told about security zones), but nobody ever does.
ActiveX is the underlying problem here. They took something that worked in a constrained role -OCX controls for adding functionality to VB apps, and made them -as you note- scriptable by web pages.
the worst part: they dont give up. Even IE6SP2 leaves activeX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches. I despair.
It's nearly two years ago that Whirling Dervishes said they'd found these secret functions and promised to release documentation on them. But I can't find any documentation or specific info on their web site.
I'm not sure what to blame, but I just compared IE and FireFox side by side on a PC isolated to my local network. FireFox loaded many pages many times faster. Then I uninstalled all the virus protection (Norton) software on this newly aquired PC (as it will always be isolated to my local network for in-house testing) and IE performance improved dramatically.
He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we cant go and check the source to ensure he isnt lying, BUT HE IS LYING.
. html
http://www.desktoplinux.com/articles/AT7614463206
Jeremy White (CEO of CodeWeavers) who actually got IE to work under wine says so:
Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?
White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!
Everyone keeps whining about not being able to remove IE from Windows. But did you ever stop to think about just how many applications actually use IE's API, and integrate html and web pages into their programs? So even if it were possible to rip IE out of Windows, which so many people seem inclined to do for whatever reasons, those programs just wouldn't work anymore.
And you know why? Because nobody else has developed such an API for Windows. It's not impossible for one to replace IE's API if they really tried. I know that many of the open source software developers are a clever breed, and can work around any obstacle presented to them. It's just that nobody's done it, or even tried to do it that I know of.
So don't whine about not being able to remove IE if you don't have an adequate replacement to prevent many other pieces of software from breaking. It would become a tech nightmare if IE WAS removable, because then every dummy would be trying to uninstall it to hate on Microsoft like all the "cool" people, then be crying for someone to come fix their machine when all their instant messengers stopped working.
I mean seriously, if you hate IE that much, why are you even still using Windows?
Consider OpenSSL. OpenSSL is a Linux operating system; however it is a fairly independent library implemented using only public APIs. Many parts of "the operating system" depend on OpenSSL and would break upon its removal.
Ditto MSIE.
IE uses public APIs from the OS. Other parts of the OS use public APIs of IE. Thus IE cannot be removed from the OS without removing or altering the components that depent on it - such as, AFAIK, Windows Explorer (the file manager).
We can question the decision to make other parts o f the OS depend so deeply on IE, and we can question the decision to make that dependency on IE rather than an abstract "web browser API" that could be implemented by other tools. That doesn't change the fact that it's still a part of the OS.
They bought Macs and are too busy actually getting things done to post here about the latest response from an IE developer.
The fact is, there are more uninformed people out there than there are informed people (just read the crap in the original article).
Another fact is that there are more Microsoft fans than there are Open Source fans (right now).
So, the intersection of those two groups means that there are more uninformed Microsofties than there are informed Open Source fans.
And those Microsofties, for whatever reason, have decided to hang out on
Get used to it. That's the same way it will be throughout most of your life, unless you restrict yourself to very exclusive groups with very high entrance requirements (/. is not one of them).You can't argue them down. They don't know enough of the material to know how ignorant they are.
I've argued here with people who swore that SMTP did NOT have authentication. Even after I posted links to the RFC's.
I'm not your typical Slashdot-fanatic, M$-hating, L1nux d00d. I love most of the latest MS products and think they're solid (as long as you're clued).
However, I literally laughed out loud when I read the following comment by the blogger:
As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack.
Which version of IE is this?! Nearly every released version of IE has had laughable (keep in mind, I'm not a Linux bigot) security flaws. I'm sorry, but you can't feed the sheep their own shit. They know, they KNOW.
He goes on to say:
The security of any browser is irrelevant to if it is part of the operating system.
That seems to be Microsoft's mantra. However, any security engineer or person with common sense would disagree.
If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the web.
Are you fucking joking? There is documented exploit after exploit demonstrating this. People aren't pulling it out of their asses. It's backed by fact, something you appear to be ignoring.
I'm a somewhat-loyal MS customer, but I've got to say I don't like reading tripe like this. What I do like reading is "we're going to fix IE's security model and this is how we're going to do it, what does the community think?".
Perhaps the IE team needs to review their security procedures, because they fuckin' suck hard.
Features are not insecure, users are insecure.
There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.
We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.
Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.
So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.
Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.
Microsoft cheerleader, blue flag waving, you got a problem with that?
I have yet to see a valid comment about how Microsoft his hiding secret apis from developers. Instead I see this post-apocolyptic wasteland created from your comments and the moderators that are falsely promoting your FUD.
Youre confusing me. You keep going on about the hidden APIs issue and I dont think that was what was being implied... Im assuming you mean this quote
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..
You also start the parent post with
Hold on hold on, let me get this straight. You originally said that IE is allowing secret hidden APIs (at least that is what is interpreted from your quote) because there was a security hole that allowed VBscript to load arbitrary ActiveX controls. Yet you failed to give any example of how Microsoft has kept developers from integrating VBscript into their own applications (for sake of argument, we will say Mozilla).
I didnt interpret his post this way and I dont think others did either(I could be wrong of course). I thought that the grand daddy post was making the point was that it was actually a good thing that Firefox et al dont have access to these APIs or else the browser can start accessing things it has no right to access.
Sorry if Im wrong... but I dont think its a issue of hidden APIs that Mozilla cant implmement is the issue. The issue is these APIs are documented fine, but we shouldnt implement them.
As to how this relates directly to the article being discusssed... specifically the original quote. He is arguing(I think) that the idea of intergrating something as netward facing as a HTTP client with core functionality is "stupid".
Is The Browser Part of the Operating System?
An exercise in misdirection