Slashdot Mirror
IE Developer Responds to Mozilla Accusations
sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows..'
No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.
And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's is the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things exlpodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.
I Want To Believe
IF there are no operating system API's used by the browser, then why did MSFT fight so hard not ot have to remove it from the browser. IT might not use the OS API's, but im fairly sure it works the other way round. Has he ever tried to remove IE cleanly from a windows install?
I can't figure it out. Is Dave playing dumb, or is he really dumb?
The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone that works on IE from trying to claim it is not part of the OS? Oh, we're going to get down to nit picking. Yes, yes, yes IE is not part of the kernel.
However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.
And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.
Ironically, the word ironically is often used incorrectly.
Uh, if mozilla supports vbscript then it would be allowed in mozilla or any other web browser for that matter. That does not make use of any unknown undocumented APIs. Try this, paste this code into a text file (hint: it came straight from your website):
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
wscript.echo "Automatic Cup Holder."
Then run "cscript filename". Oh my god, Microsoft tied vbscript into a stand alone application on your system!!! Give me a break, mod the parent down please
-dk
This is not meant to be read by geeks, it's for PHBs. Either that or I'll have some of what he's smoking.
Justin.
You're only jealous cos the little penguins are talking to me.
"But Mr Dent, the plans have been available in the local planning office for the
..."
last nine month."
"Oh yes, well as soon as I heard I went straight round to see them,
yesterday afternoon. You hadn't exactly gone out of your way to call attention
to them had you? I mean like actually telling anybody or anything."
"But the plans were on display
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked
filing cabinet stuck in a disused lavatory with a sign on the door saying
Beware of the Leopard."
That's the sound lusers make as they get their so-called browsers hijacked and spywared to death.
You can do that from windows explorer, and you could before IE was "part of the os," so that's a windows core function, not an IE function. As for browsing pages from a server like that, click on the files in the browser once you navigate to them.
If a packet hits a pocket on a socket on a port,
And IE is interrupted as a very last resort,
And the address of the memory makes your FireFox abort,
Then the socket packet pocket has an error to report.
If your cursor finds a IE link followed by a dash,
And the VBScript code puts your windows in the trash,
And your data is corrupted because IE and Firefox clash,
Then your situation's hopeless and your system's gonna crash!
Thats the point though the IE gives websites access to the APIs of other programs like WMP without asking the user.
IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.
Guys, uh guys, that's The Problem.
http://www.eweek.com/article2/0,1759,1776387,00. asp
To sum my thoughts in that story up, you have a gateway, IE, to the Internet that has deep, Inadequately Protected, connections to the core operating system.
IE, in specific, and Windows, in general, cannot be secured.
Microsoft's one seamless whole is really one giant security hole.
Steven
It is part of the OS. That's the part of the post he made.
IE is part of the OS primarily because it is an API that is relied on by other parts of the OS, and other 3rd party apps.
It is rightly described as "middle-ware". Clearly, it's not a driver, or the kernel, or whatnot.
But also clearly, it is not a single executable strapped on top.
It's integrated, but using only methods that and API that are available to anyone to use.
That should never be supported by a browser because that is not an internet standard and a big security risk. A browser should only work with valid URL's.
As part of the testing phase when I design a new web site I have to point out that the majority of my time is spent "tweaking" the site to display correctly in IE. While on the other hand I can take the same site and test it in Mozilla, Firefox, Konqueror, Safari, Netscape, etc. on various platforms (Linux, Mac, and Windows). I don't see why all browser developers can not or will not just design browsers to be equally compliant. With all the market share MS already has in my opinion they should, as atleast an act of good faith, build IE to conform with standards. I can not see any reason not to, I mean come on how difficult is it.
Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
An article from 2003:
Microsoft allegedly opened up Windows APIs last year... Now, Devos claims that Microsoft's disclosures remain sufficiently inaccurate and incomplete for developers to continue using his own documentation.
Devos claims that Whirling Dervishes has discovered hidden Windows interfaces that are crucial for the development of such applications, but whose existence is denied by Microsoft. Not much change there then, post-lawsuit. These and other interfaces which Devos says should have been part of the API disclosures are used in NSELib, and he proposes to make public full documentation on how to use them.
Developers: We can use your help.
"As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
I would have loved to be at the party they must have had when ActiveX went through it's security reviews.
Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.
\\servername does NOT work for me, FF 1.0.2
\\servername\dir DOES work
\\servername\c$ DOES work
So the only thing that FF can't do that IE/Explorer can is browse to the server root, \\servername.
I see you're trying to counter the open source movement... Let's get started! Would you like to:
-Spell check
-Grammar check
-Print this document
-Connect to Microsoft Office Online
[/CLIPPY]
"If you think you have things under control, you're not going fast enough." --Mario Andretti
What, Mozilla does security through lack of features?
If the "features" are insecure, would you want them?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
You might want to check your spelling when you're making a very public argument about how your software is not more prone to vulnerabilities than another.
Who proofreads blog entries? That's like clicking the Preview button on Slashdot.
The fact that this tool hasn't been released to other developers is proof that they unfairly compete.
What? How is that unfair? They must document and release all APIs, sure, but all their in-house development tools too? That's quite a standard, and I bet not one you'd put on any other company in any other industry. Assuming those tools use some clever coding and those same public APIs, what's to stop anyone else from making their own super-DLL-optimizer?
I agree with the basic subject of this post ("Microsoft Unfairly Competes"), but this seems ridiculous.
"Science is a tribute to what we can know although we are fallible" -Jacob Bronowski
I worked with a guy last year who came from the IE6 team at MS. He wasn't a programmer, but he agreed that it was common knowledge on the team that IE used secret APIs for better performance/quality, which competitors like Mozilla couldn't. He also said that this was also true about MS SQLServer, though he didn't have direct knowledge. And that these secrett APIs weren't controversial, or just gossip - they were assumed by everyone talking about development strategies for those products.
This MS developer is lying. I used to talk with people programming VB6, when I was project lead for a big NYC insurance project that MS was hot to get started in the industry through. They would routinely lie to me about internal code paths that were triggering bugs, especially in printing. When I would analyze them into a deductive corner, they would tell me a little truth. Their big mistake was their managers' greed to get into the industry, which put me in direct, unmediated contact with the programmers, combined with their technical inadeqacy to keep up with the discussions enough to mediate them.
I suspect that the MS claims of "national security" interest in keeping their code secret is based partly on the political havoc that would ensue (pun intended) if we could see just how much MS code is written to protect their anticompetitive abuses. The Department of Justice would have a lot to answer for, and it certainly wouldn't stop there. Especially if the ripples could prove how many Congressmembers were bribed to keep their monopoly "remedy" decisions untouched by human hands.
--
make install -not war
But you *can't* fix them! Those bits use proprietry MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubish.
But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.
I'd venture that MS can't _un-integrate_ them from IE because and bunch of other code (from MS office to Encarta) depends on this functionality.
And I'd further venture that the "..get them fixed.." idea has occured to MS but that this isn't easy to do due to poor design.
And hasn't that been the argument all along?!
User: I want to be able to log in without a user name or a password! Remotely!
Tech: That's horribly insecure
User: I don't care! Its easier that way!
Tech: * finds rusty knife and commits seppuku *
And that, boys and girls, is one of the reasons why Microsoft is the 800 lb gorilla. It understands that users are more than willing to sacrifice security on the altar of 'its easier that way'.
the blog was obviously microsoft-centric, considering it was written by an employee. however, the comments were pretty interesting and thought-provoking until you got to the ones posted today after this was posted to slashdot. why must all the people on slashdot be out to get microsoft? as a company they are not evil. a lot of the comments to the blog just make open source advocates out to be a bunch of complete idiots. one comment in particular... "move away from closed source, that's always been microsoft's downfall". microsoft doesn't seem to be collapsing or losing money to me... apparently closed source works for them. come on now people, get real...
please me, have no regrets.
Really Dave? Great, so i can use Firefox for Windows updates?
SEO Firefox Extension
The specificness here is that the ActiveX control that comes with windows media isnt smart enough about handling running in an untrusted container.
there are win32 api calls that manage this (you have to implement some other interface in your COM object to get told about security zones), but nobody ever does.
ActiveX is the underlying problem here. They took something that worked in a constrained role -OCX controls for adding functionality to VB apps, and made them -as you note- scriptable by web pages.
the worst part: they dont give up. Even IE6SP2 leaves activeX at "prompted" in the internet zone. Since windows update sites are in that zone, you cannot run windows update without saying yes to prompted downloads. If you disable AX in the internet zone, bye-bye security patches. I despair.
He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we cant go and check the source to ensure he isnt lying, BUT HE IS LYING.
. html
http://www.desktoplinux.com/articles/AT7614463206
Jeremy White (CEO of CodeWeavers) who actually got IE to work under wine says so:
Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?
White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!
The fact is, there are more uninformed people out there than there are informed people (just read the crap in the original article).
Another fact is that there are more Microsoft fans than there are Open Source fans (right now).
So, the intersection of those two groups means that there are more uninformed Microsofties than there are informed Open Source fans.
And those Microsofties, for whatever reason, have decided to hang out on
Get used to it. That's the same way it will be throughout most of your life, unless you restrict yourself to very exclusive groups with very high entrance requirements (/. is not one of them).You can't argue them down. They don't know enough of the material to know how ignorant they are.
I've argued here with people who swore that SMTP did NOT have authentication. Even after I posted links to the RFC's.
I'm not your typical Slashdot-fanatic, M$-hating, L1nux d00d. I love most of the latest MS products and think they're solid (as long as you're clued).
However, I literally laughed out loud when I read the following comment by the blogger:
As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack.
Which version of IE is this?! Nearly every released version of IE has had laughable (keep in mind, I'm not a Linux bigot) security flaws. I'm sorry, but you can't feed the sheep their own shit. They know, they KNOW.
He goes on to say:
The security of any browser is irrelevant to if it is part of the operating system.
That seems to be Microsoft's mantra. However, any security engineer or person with common sense would disagree.
If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the web.
Are you fucking joking? There is documented exploit after exploit demonstrating this. People aren't pulling it out of their asses. It's backed by fact, something you appear to be ignoring.
I'm a somewhat-loyal MS customer, but I've got to say I don't like reading tripe like this. What I do like reading is "we're going to fix IE's security model and this is how we're going to do it, what does the community think?".
Perhaps the IE team needs to review their security procedures, because they fuckin' suck hard.
Features are not insecure, users are insecure.
There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.
We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.
Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.
So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.
Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.
Microsoft cheerleader, blue flag waving, you got a problem with that?