Slashdot Mirror


IE Developer Responds to Mozilla Accusations

sriram_2001 writes "Dave Massy, a Microsoft employee who works on the Internet Explorer team, has a response to the Mozilla Foundation's Mitchell Baker's comments. Specifically, he responds to the claim that IE is a part of the operating system. 'IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows.'"

21 of 782 comments

  1. MS needs to change windows fundamentally by filmmaker · · Score: 5, Insightful

    No one is ready to pay what really bug-free code would cost. We accept a few bugs. Please note that we even accept some airplane crashes (not to mention car accidents), but, naturally, different industries and software components pose different levels of "reasonable" bug count.

    And therein lies the heart of the MS development philosophy. Strictly speaking, that's true, but take something like Windows XP. It's the ultimate case of the kid who cleans his room, ostensibly, but when his mother checks the closet, an avalanche of dirty clothes and assorted toys and things explodes from the doorway. I think MS could learn a lot from Apple, as they always have, and should look into utilizing something like BSD to start over. Obviously, they can't come out and say "our products suck; it takes half a gig of ram just to appease the system tray icons in Windows XP...sorry about that." But some way, some time they will have to move away from Windows as it is today.

    1. Re:MS needs to change windows fundamentally by Dr.+Evil · · Score: 5, Insightful

      How much RAM does it take to get a system tray icon to appear in Gnome or KDE?

      Linux on the Desktop can nearly match Windows feature for feature now, but it can no longer claim low resource requirements while doing so.

      IMHO, Mozilla or even firefox is a heavier app than IE. Once running, they're faster (to a trained eye) but sometimes, when pulling out of swap, they will still slug along.

      No, the reason to go with Mozilla or Firefox is not performance. It, for me, is everything from reasonable error messages, to being able to control the junk which finds its way on to my machine, to standards compliance.

    2. Re:MS needs to change windows fundamentally by 21chrisp · · Score: 5, Insightful

      OSX takes up its fair share of RAM. More than XP or any other OS by my experience.

    3. Re:MS needs to change windows fundamentally by ettlz · · Score: 5, Insightful

      By 2015, Microsoft will be open source, and most likely, Linux will be its kernel.

      I think this is unlikely. The underlying NT is quite well-designed (originally by David Cutler of VMS, amongst others, as I believe), and a reasonably flexible system upon which to develop applications. Microsoft's not going to give it up any time soon. It's what's run on top that's wrong with Windows.

  2. Hmmm by That's+Unpossible! · · Score: 5, Insightful

    I can't figure it out. Is Dave playing dumb, or is he really dumb?

    The guy works for Microsoft, so maybe it is willful ignorance. How else can you explain someone who works on IE trying to claim it is not part of the OS? Oh, we're going to get down to nitpicking. Yes, yes, yes IE is not part of the kernel.

    However, Microsoft wasn't too interested in this argument when it was fighting for its life in court, arguing that IE was embedded and could not be removed from the OS.

    And now we see, they were right. IE may not be part of the kernel, but due to its use (and trust) by many core applications in Windows, it presents many more security challenges when compared to a standalone app like Firefox.

    --
    Ironically, the word ironically is often used incorrectly.

    1. Re:Hmmm by MightyMartian · · Score: 5, Insightful

      Microsoft simply changes the story to fit the audience. To a more technical audience, it denies that IE is part of the OS. To a court that could make its life miserable, it claims deep embedding. If this fellow doesn't like the accusation then perhaps he should go to his betters in Redmond and ask them what they mean by IE being part of the OS. I mean, we're only repeating what MS told a court, and MS wouldn't lie to a judge, would they?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

  3. i am reminded of the opening of the hhgg by silid · · Score: 5, Funny

    "But Mr Dent, the plans have been available in the local planning office for the
    last nine months."

    "Oh yes, well as soon as I heard I went straight round to see them,
    yesterday afternoon. You hadn't exactly gone out of your way to call attention
    to them had you? I mean like actually telling anybody or anything."

    "But the plans were on display ..."

    "On display? I eventually had to go down to the cellar to find them."

    "That's the display department."

    "With a torch."

    "Ah, well the lights had probably gone."

    "So had the stairs."

    "But look, you found the notice didn't you?"

    "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked
    filing cabinet stuck in a disused lavatory with a sign on the door saying
    Beware of the Leopard."

  4. Stop. What's that sound? by Anonymous Coward · · Score: 5, Funny

    IIIIIIIIIIEEEEEEEEEEE!!

    That's the sound lusers make as they get their so-called browsers hijacked and spywared to death.

  5. Re:what i want from Firefox... by LEgregius · · Score: 5, Informative

    You can do that from windows explorer, and you could before IE was "part of the os," so that's a windows core function, not an IE function. As for browsing pages from a server like that, click on the files in the browser once you navigate to them.

  6. Dr Seuss explains IE by TommyBear · · Score: 5, Funny

    If a packet hits a pocket on a socket on a port,
    And IE is interrupted as a very last resort,
    And the address of the memory makes your FireFox abort,
    Then the socket packet pocket has an error to report.

    If your cursor finds an IE link followed by a dash,
    And the VBScript code puts your windows in the trash,
    And your data is corrupted because IE and Firefox clash,
    Then your situation's hopeless and your system's gonna crash!

  7. Re:Not tied? by Arathrael · · Score: 5, Insightful

    They are operating system APIs used by IE, he says so - just none that are 'not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows', i.e. no secret undocumented APIs. So you can rest easy in the knowledge that if someone finds a bug letting them use a malformed website and IE to read files off your local hard drive, IE is only using a documented API to do it.

    And he also says that IE is indeed part of the operating system 'so that parts of the OS and other applications can rely on the functionality and APIs being present'. Which presumably would mean a bug in IE could affect those parts of the OS and other applications. Which seems to me to go right along with what I thought the Mozilla guy was saying.

    As responses go, it's not the best is it? :-)

  8. IE's Win Connections are the Problem by sjvn · · Score: 5, Informative

    IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present.

    Guys, uh guys, that's The Problem.

    http://www.eweek.com/article2/0,1759,1776387,00.asp

    To sum my thoughts in that story up, you have a gateway, IE, to the Internet that has deep, Inadequately Protected, connections to the core operating system.

    IE, in specific, and Windows, in general, cannot be secured.

    Microsoft's one seamless whole is really one giant security hole.

    Steven

  9. Re:But, I thought IE WAS part of the OS by danheskett · · Score: 5, Interesting

    It is part of the OS. That's the part of the post he made.

    IE is part of the OS primarily because it is an API that is relied on by other parts of the OS, and other 3rd party apps.

    It is rightly described as "middle-ware". Clearly, it's not a driver, or the kernel, or whatnot.

    But also clearly, it is not a single executable strapped on top.

    It's integrated, but using only methods and APIs that are available to anyone to use.

  10. Re:what i want from Firefox... by Anonymous Coward · · Score: 5, Insightful

    That should never be supported by a browser because that is not an internet standard and a big security risk. A browser should only work with valid URLs.

  11. From the blog.. by tmasky · · Score: 5, Insightful

    "As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."

    I would have loved to be at the party they must have had when ActiveX went through its security reviews.

    Seriously though, that post was a load of bollocks. But hey, I pity the guy.. in a way. He can't turn around and admit the architecture's a piece of shit.

  12. Re:Not tied? by TheRaven64 · · Score: 5, Insightful

    The term operating system is not a clear one. In academia, the terms operating system and kernel are used more or less interchangeably, the operating system (OS) is the part that has more privilege than user programs - either a monolithic kernel and device drivers, or a microkernel and privileged servers. In Microsoft's world, an OS is `a kernel, and all of the stuff we pile on top of it and call an OS' (note that this is similar to RMS's definition of an OS, e.g. Linux + GNU tools + X11 + desktop environment). The second is more accurately known as an operating environment (OE) - a kernel and a set of basic libraries and applications that developers can rely on being present. OS is typically used in place of OE, because an OS on its own is not really much use to anyone, and so they are rarely available separately.

    Internet Explorer is not part of the Windows OS (kernel). It does not have a privileged status, and makes use of no extra functionality that is not available to other applications. Internet Explorer is part of the Windows OE. Other applications depend on the libraries provided by it (most commonly the HTML layout engine). The most obvious example of this is the Windows help program, which most applications use. As such, it is not possible to remove Internet Explorer without replacing it with something functionally equivalent (i.e. exposing the same API), unless you expect things to break.

    Being part of the Windows OE does not inherently make Internet Explorer insecure, this is just FUD spread by idiots. It does, however, mean that flaws in Internet Explorer are more likely to be important (it is tied into other applications, providing multiple attack vectors for an exploit). Internet Explorer has a large number of flaws (a fair number in design, as well as implementation), and I would not wish to be in the position of having to defend it, but claiming that `it is tied to the OS and therefore bad' is just stupid and undermines any rational arguments that may be proposed at the same time.

    --
    I am TheRaven on Soylent News

  13. Re:Careless? by natrius · · Score: 5, Funny

    You might want to check your spelling when you're making a very public argument about how your software is not more prone to vulnerabilities than another.

    Who proofreads blog entries? That's like clicking the Preview button on Slashdot.

  14. Re:Automatic Cup Holder by Zaiff+Urgulbunger · · Score: 5, Insightful

    But you *can't* fix them! Those bits use proprietary MS code. What MS is saying is that anyone _could_ hook into their code, and therefore, arguments that IE is tightly integrated with the OS are rubbish.

    But the counter argument being made here is that, yes, Mozilla (for example) could integrate with these MS "features", but doing so would result in an insecure browser.... so probably not a good idea.

    I'd venture that MS can't _un-integrate_ them from IE because a bunch of other code (from MS office to Encarta) depends on this functionality.

    And I'd further venture that the "..get them fixed.." idea has occurred to MS but that this isn't easy to do due to poor design.

    And hasn't that been the argument all along?!

  15. Windows Updates by flood6 · · Score: 5, Insightful

    Dave Massy: "IE in turn relies on Operating System functionality to do its job. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows."

    Really Dave? Great, so I can use Firefox for Windows updates?

  16. HE IS A LIAR by Anonymous Coward · · Score: 5, Insightful

    He says, "To be clear there are no Operating System APIs that IE uses that are not documented on MSDN", because he knows we can't go and check the source to ensure he isn't lying, BUT HE IS LYING.

    http://www.desktoplinux.com/articles/AT7614463206.html

    Jeremy White (CEO of CodeWeavers) who actually got IE to work under Wine says so:

    Lehrbaum: Did the issues that needed to be addressed relate to undocumented Windows functions used by the app, or non-API functions and/or environmental considerations expected by the app?

    White: In the case of Quicken and QuickBooks, no. For Visio, you can see that the programmers at Visio had used some rather interesting pieces of the Windows API. These required new implementations or new understandings of the Windows API, and a reworking of Wine. For the undocumented API calls, the king is Internet Explorer!

  17. Insecure features by CDarklock · · Score: 5, Insightful

    Features are not insecure, users are insecure.

    There is an old saying: UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things.

    We used to complain that you couldn't do clever things on Windows. Now we're complaining that you can do stupid things on Windows.

    Meanwhile, Linux continues happily letting people do even stupider things, and whenever these people complain -- we respond that it's their own stupid fault for not being smarter.

    So why is it always the user's fault on Linux, but always Microsoft's fault on Windows? It seems to me that all the recent email worms need some dumbass to actually RUN THE PROGRAM. On Linux, we would say this user was stupid. But on Windows, this user was victimised by Microsoft's insecure operating system? I don't think so.

    Security is the reciprocal of convenience, and the developer is simply unqualified to determine what security I need and what convenience I don't.

    --
    Microsoft cheerleader, blue flag waving, you got a problem with that?