Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

IE Code quality commentary...

IE Code quality commentary...

  • Comments 47

I just saw this post by Michal Zalewski on BugTraq.  From the post:

It appears that the overall quality of code, and more importantly, the
amount of QA, on various browsers touted as "secure", is not up to par
with MSIE; the type of a test I performed requires no human interaction
and involves nearly no effort. Only MSIE appears to be able to
consistently handle [*] malformed input well, suggesting this is the
only program that underwent rudimentary security QA testing with a
similar fuzz utility.

I'm wondering when Michael's post will show up on slashdot.

Edit: Corrected Michal's name - Sorry about that.

 

  • Based on the specific URL's he has provided it appears that FireFox PR1 crashes on Mozilla-Die1 and 2 but it ok on all others.

    I agree that the provided tool should be run agains Mozilla and firefox for a considerable time to determin anyother code errors.

    As for the issue of rendering bad HTML I am against it, however old sites should not be shunned. I think that if a browser incounters a doctype in the HTML header then it should be enforced. and an error presented about bad html, with an option to do a best effort.

    If all browsers did this then all webdevelopers would produce valid code.
  • The live 'lite' script didn't kill my Firefox 1.0PR, but the natty Javascript console popped up to warn me of the illegal character. I do like Firefox's debugging tools.

    I'd say Firefox, in the build up to their first full release have been doing exactly the kind of tests Larry claims they don't do *

    * not based on any knowledge of any kind whatsoever, this is me speculating.
  • Fun for Larry (just hover mouse over the link in IE - how did MS testing miss that one out? sorry if you already read slashdot :) -
    http://www.diplo.nildram.co.uk/crashie.html
  • [quote]I really dont know what is wrong here. Tested on firefox PR1.0 XP SP1 fully patched and there is is no crashing evidenced, even after several refreshes.[/quote]

    Same here. It would be nice to know what versions he was running... I didn't see anything about that in the article... but I could have missed it.


  • DoesntMatter: Works just fine for me in IE6 on SP2, no crash here.
  • I find this one also (also shown in Slashdot) really funny:
    http://www.neilturner.me.uk/2004/May/04/the_input_type_crash_bug.html

    I think it doesn't break Explorer now but it lasted quite a long time. My AVirus detects that web page as a Trojan when seen in Explorer. I find it strange that an AVirus does the work that the explorer should be doing.

    This errors are just HTML errors, no javascript involved. Are those workers paid for NOT doing what they should do?

    > you have to believe that Microsoft have
    > tested the software to the best of their
    > ability

    The thing is that I don't believe that any more (and many people agree with that). Users were doing beta testing for them. Now they are starting to get better but ... sorry, too late.
  • OK it doesn't crash in Explorer XPSP2 ... please, when will I have it for my Windows98, 2000, ME, ...?
    I find it funny that MS is saying that they have improved many things in Explorer XPSP2 when most Windows users can not use it (just because they are not using WinXP).
    Sorry, that's not an answer.
    Oh, if you would like to know, I have XPSP1 fully patched ... and that web page crashes the browser.
  • IE with tabs : http://www.myie2.com/html_en/home.htm (pre-empting any firefox zealots screaming about IE having no tabs. Also features adblocking, google bar support.

    Incidently, I wonder if firefox PR 1.0 still has the proxy bug that means you get an authorisation dialog for every resource.

    I'm not anti-firefox, I use it myself, it's just people moaning about IE when it was a leader for years gets a tad laborious.
  • Strange, the first example crashes my IE with XPSP2. My IE version string is 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
  • incidently http://www.diplo.nildram.co.uk/crashie.html doesn't crash with myie2/maxathon
  • Something great to mention: none of the tests seams to crash Konqueror :)
  • sounds like many of those bugs have already been fixed on various platforms/updated versions of FF. and for those that haven't, i'm sure they will be fixed quickly enough. i hope Zalewski continues to find bugs so that the quality of the code will continue to be improved by open-source developers worldwide.

    really, who needs IE anymore except MS to try to trick/force users into being locked into their proprietary stuff.

  • The Mozilla code-base has never impressed me in the first place.

    I ran a Cyber Cafe for a year on GNU/Linux server w/ X Terminals and Mozilla was by far the most unreliable application--freezing entire user sessions.

    Firefox is a huge improvement and now seems reasonable. IE on Windows XP and Win2K3 Server also crashes a lot for me--do not know why.

    BUT--once Konqueror is properly configured (cause it never is, out of the box), it's highly reliable. In the past, it still had rendering issues but nothing significant any longer. Even when it did crash, it didn't freeze up a user session like Mozilla or, sometimes IE. Konqueror, after all, isn't a browser--it uses the khtml kpart to render (and the most recent versions of khtml also enables wysiwyg editing capabilities).

    But Safari on Macintosh uses khtml and is pretty well configured from the start.

    To be honest, I've been long impressed with khtml's ability to render malformed html. And it's light and quick, too. It uses full C++ and thus largely avoids the tendency of C to have buffer overflow errors, and numerous other kinds of errors.

    Matthew
  • I used to work with you at msft on Exchange I was in QA for backup/restore. I then worked on MS Agent and I recall we spend time testing our API's for buffer overload and rnd crap being sent to them. Recently I started a project to extend IE by adding lots of features like tab browsing, memoing, blogging, etc... and was planning on giving it away for free. The thing that killed that project was how buggy and some cases incomplete the IE API calls are in how they work togather. In the end I think all the functionality I wanted to add could be added but IE would be very unstable and thus no one would use my extensions. Its great IE is more stable than the other browsers, my own experience agrees with that, but I use it 50/50 with Firefox and I still get IE hanging often but not as often as Firefox. For me its a mixture of features vs. stability. I think msft really missed the boat on not making IE a killer app when they had the market and redifining what a browser is. I guess it didn't bring in direct revenue and was thus expendable.

    Torr Randell
  • I totally confused Michael Zalewski with Mark Zibowski
Page 2 of 4 (47 items) 1234