<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx</link><description>Part 1 of Security Issues That Aren't gave rise to a lot of interesting comments. Hearing back from you is really helpful in terms of understanding what issues folks are dealing with and where we need to focus our attention. To those of you who suggested</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title> IEBlog Security Issues That Aren t Part 2 | Cast Iron Cookware</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#9729079</link><pubDate>Fri, 12 Jun 2009 05:50:55 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9729079</guid><dc:creator> IEBlog Security Issues That Aren t Part 2 | Cast Iron Cookware</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://castironbakeware.info/story.php?title=ieblog-security-issues-that-aren-t-part-2"&gt;http://castironbakeware.info/story.php?title=ieblog-security-issues-that-aren-t-part-2&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>Firefox Myths | Foxfire Facts</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#6776331</link><pubDate>Sat, 15 Dec 2007 13:33:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:6776331</guid><dc:creator>Firefox Myths | Foxfire Facts</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://mozillafirefox3.net/firefox-myths/"&gt;http://mozillafirefox3.net/firefox-myths/&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370740</link><pubDate>Fri, 11 Feb 2005 01:10:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370740</guid><dc:creator>Dave P</dc:creator><description>Bruce: &lt;br&gt;&lt;br&gt;-&amp;gt;&amp;quot;When the article says we're only securing XP &lt;br&gt;-&amp;gt;customers, it's simply wrong. I don't see it as&lt;br&gt;-&amp;gt;semantics but if you want to, feel free.&amp;quot;&lt;br&gt;&lt;br&gt;Now I know you guys get a lot of flak from a few cooks out there, but most reasonable people know full well that you continue to support security fixes on other platforms besides XP. That's not the point I am taking with your stance.&lt;br&gt;&lt;br&gt;You do from time to time however deviate from this inclusive policy, at which point it becomes rather hypocritical to suggest that you do not. To deny that, and by focusing on it while ignoring the other very relevant points we're raising is playing semantics.&lt;br&gt;&lt;br&gt;-&amp;gt;We don't have any real audience in mind for &lt;br&gt;-&amp;gt;this blog&lt;br&gt;&lt;br&gt;That much is evident. As I would say to those that I work for though, and with no disrespect to your team, you would do well to find one. This blog would be much more effective if it was more targeted to specific users. That user group may not be the one I'm a part of, but no matter, the blog would still be better off for it. Perhaps a few different blogs? Perhaps more meaningful categories?&lt;br&gt;&lt;br&gt;At any rate, I've done too much commenting on this blog as is for the time being, I'll shut up now. 
:-)&lt;br&gt;&lt;br&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370735</link><pubDate>Fri, 11 Feb 2005 01:07:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370735</guid><dc:creator>Dave Massy</dc:creator><description>Quite correct Bruce. I certainly never meant to imply that &amp;quot;rewriting a website to be standard compliant was an unnecessary expense&amp;quot;. What I meant to say is that for a company to have to change its web solution so that it continues to work in a new version of the browser is an unacceptable expense for most companies. They need to crack open the code, work out what to change, specify the change, review the change and test the change. In my experience companies do not appreciate being forced to do that even when we tell them that the browser is better than the previous version :-)&lt;br&gt;Thanks&lt;br&gt;-Dave&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370701</link><pubDate>Thu, 10 Feb 2005 23:55:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370701</guid><dc:creator>Bruce Morgan [MSFT]</dc:creator><description>When the article says we're only securing XP customers, it's simply wrong. I don't see it as semantics but if you want to, feel free.  &lt;br&gt;&lt;br&gt;Point is, if you go to Secunia with IE5.01 and try out some of their exploit tests, they won't work once you install our patches.  That's why it's called a security update.
&lt;br&gt;&lt;br&gt;We don't have any real audience in mind for this blog, although I assume that each of us, when we write a post, has some sort of expected audience in mind for that particular post.  John's posts are more toward IT corporate types, Dave's posts are more toward webdevs, some of our posts are of general interest to anybody driving by, and so on.  &lt;br&gt;&lt;br&gt;I don't think Dave really claimed rewriting a website to be standard compliant was an unnecessary expense.  Frankly, reading is comment I don't know what he was trying to say (sorry, Dave) but it didn't sound like that to me.&lt;br&gt;&lt;br&gt;BTW, we do talk to lots of customers daily.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=370701" width="1" height="1"&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370568</link><pubDate>Thu, 10 Feb 2005 19:02:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370568</guid><dc:creator>Dave P</dc:creator><description>I don't believe what I'm reading here. &lt;br&gt;&lt;br&gt;Bruce seriously now, stop playing semantics and listen to what we're saying, damnit. We're not idiots: &lt;a target="_new" href="http://blogs.msdn.com/ie/archive/2004/12/01/273377.aspx"&gt;http://blogs.msdn.com/ie/archive/2004/12/01/273377.aspx&lt;/a&gt;&lt;br&gt;&lt;br&gt;I posted the article as a counter to Dave's claim that for certain organizations redesigning their websites to be standards compliant is an unneeded expense. The article points to the blatent hypocrisy that obviously, for Microsoft this overarching concern for their customer's bottom line dosen't extend to features such as pop-up blocking (which, IMO if it isn't a security issue - run ad aware every damn day and you may be more inclined to agree that it is - is most definately a user experience issue).  
I don't really have an opinion on IE security fixes, but for you to propose a completely opposite stance than the one you practice is ludicrous.&lt;br&gt;&lt;br&gt;Clearly, Microsoft doesn't consider aspects that include more money for them as &amp;quot;unneeded expenses&amp;quot; regardless of their utility. I think the point that expenses companies would direct to individual contractors and/or third parties are &amp;quot;unneeded&amp;quot; is quite derogatory. Let the customers decide what they will or won't spend their money on. You're supposed to be supporting us as well. Keep in mind that we are the ones talking to your customers daily, not you.&lt;br&gt;&lt;br&gt;-&amp;gt;Dave, the audience of this blog may not &lt;br&gt;-&amp;gt;always be people like you. If you don't like&lt;br&gt;-&amp;gt;what we blog about, well, change the channel&lt;br&gt;-&amp;gt;to something you find more to your liking.&lt;br&gt;&lt;br&gt;I was waiting for a response like this. Clearly, you may be correct that this blog is &amp;quot;not for people like me&amp;quot;. So what kind of people is it for? Who is your audience? You haven't responded to this, so I can only assume that this is the resource for &amp;quot;people like me&amp;quot;.&lt;br&gt;&lt;br&gt;It's possible that you have a silent majority of visitors interested in non-existent security issues, why you like windows and your favourite DHTML sites. Until they speak up however, I would have to go with what I know. Keep in mind that several people are agreeing with me in this thread, and I'm not seeing any other comments.&lt;br&gt;&lt;br&gt;I can find somewhere else to get my IE information, it doesn't really solve anything, though.&lt;br&gt;&lt;br&gt;I suppose saying I don't subscribe to the Redmond groupthink is an understatement, but you'd think voices like mine would be if not welcomed; tolerated, keeping in mind that we will help you to make your product better.
&lt;br&gt; &lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370528</link><pubDate>Thu, 10 Feb 2005 17:52:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370528</guid><dc:creator>Bruce Morgan [MSFT]</dc:creator><description>That's bunk. Look at &lt;a target="_new" href="http://www.microsoft.com/technet/security/bulletin/MS05-014.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/MS05-014.mspx&lt;/a&gt;, the latest security cumulative update for IE.&lt;br&gt;&lt;br&gt;The update applies to:&lt;br&gt;&lt;br&gt;Internet Explorer 5.01 Service Pack 3 (SP3) on Windows 2000 Service Pack 3&lt;br&gt;&lt;br&gt;Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4&lt;br&gt;&lt;br&gt;Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition&lt;br&gt;&lt;br&gt;Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1&lt;br&gt;Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition&lt;br&gt;&lt;br&gt;I left some off, but clearly you're just plain wrong that we only secure XPSP2.&lt;br&gt;&lt;br&gt;Further, there are different types of security issues. Implementing a popup blocker doesn't address the same security issue as fixing a buffer overflow, and that isn't the same type of issue as implementing data execution protection.&lt;br&gt;&lt;br&gt;IE in XPSP2 has quite a bit more of the latter types of fixes, but all supported IE configurations (IE 5.01 onward) get buffer overflow fixes, fixes to the block drag-and-drop vulnerabilities, cross domain scripting fixes, etc.
&lt;br&gt;&lt;br&gt;Yes, the most secure and feature rich IE is the one in XPSP2, so that's what I recommend people use. &lt;br&gt;&lt;br&gt;But if you're using IE 5.01 on Win2K, you still get security updates. &lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=370528" width="1" height="1"&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370522</link><pubDate>Thu, 10 Feb 2005 17:35:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370522</guid><dc:creator>Fiery Kitsune</dc:creator><description>Bruce, the article is valid...&lt;br&gt;&lt;br&gt;The IE Team has done little to secure people who can't run XP or SP2 on their machines.&lt;br&gt;&lt;br&gt;I don't know if it is was you or Dave M who said that people will need to upgrade to SP2 to be secure...&lt;br&gt;&lt;br&gt;Would you guys make a popup blocker for older versions of IE if you weren't as busy?&lt;br&gt;&lt;br&gt;If Bill Gates and Steve Balmer had the courage to say that releasing Windows ME was a mistake, then you guys should be able to admit mistakes were made in the development of IE's &amp;quot;security&amp;quot; for SP2 only.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=370522" width="1" height="1"&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370479</link><pubDate>Thu, 10 Feb 2005 16:08:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370479</guid><dc:creator>Bruce Morgan [MSFT]</dc:creator><description>Dave, the audience of this blog may not always be people like you. If you don't like what we blog about, well, change the channel to something you find more to your liking.
&lt;br&gt;&lt;br&gt;The article you just posted is incorrect in many respects.  I don't quite get why you posted it.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=370479" width="1" height="1"&gt;</description></item><item><title>re: Security Issues That Aren’t – Part 2</title><link>http://blogs.msdn.com/b/ie/archive/2005/02/08/369119.aspx#370304</link><pubDate>Thu, 10 Feb 2005 06:53:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:370304</guid><dc:creator>Dave P</dc:creator><description>Dave M, A few points:&lt;br&gt;&lt;br&gt;-&amp;gt;Some of this is best addressed in new posts and -&amp;gt;documentation on MSDN.&lt;br&gt;&lt;br&gt;Well, I could go read about most of this stuff on usenet as well; point being that I'd like to discuss it &amp;quot;real time&amp;quot; with the folks who know the application inside out. I'm also not really familiar with any one that make it a regular habit to read product documentation for fun (probably because they don't get out that much) - it's bad enough maintaining my own!&lt;br&gt;&lt;br&gt;Use the blog, that's what it's there for :-)&lt;br&gt;&lt;br&gt;-&amp;gt;It's easy to say that web developers should -&amp;gt;just fix their sites to accomodate a change.&lt;br&gt;&lt;br&gt;I didn't say that, and by implementing DOCTYPE conditions as you just said I would suppose they wouldn't have to. &lt;br&gt;&lt;br&gt;-&amp;gt;However to a company that has a solution that -&amp;gt;was developed some time ago and on which no -&amp;gt;future updates are planned this is often an -&amp;gt;unreasonable expense.&lt;br&gt;&lt;br&gt;It's a shame that such considerations aren't taken into account with say, oh I don't know security maybe? (&lt;a target="_new" href="http://news.com.com/Microsoft+to+secure+IE+for+XP+only/2100-1032_3-5378366.html"&gt;http://news.com.com/Microsoft+to+secure+IE+for+XP+only/2100-1032_3-5378366.html&lt;/a&gt;) for a refresher.
&lt;br&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>