Larry Osterman's WebLog

Confessions of an Old Fogey

IE Code quality commentary...


  • Comments 47

I just saw this post by Michal Zalewski on BugTraq.  From the post:

It appears that the overall quality of code, and more importantly, the
amount of QA, on various browsers touted as "secure", is not up to par
with MSIE; the type of a test I performed requires no human interaction
and involves nearly no effort. Only MSIE appears to be able to
consistently handle [*] malformed input well, suggesting this is the
only program that underwent rudimentary security QA testing with a
similar fuzz utility.

I'm wondering when Michal's post will show up on Slashdot.

Edit: Corrected Michal's name - Sorry about that.


  • In a recent blog entry in Larry Osterman's WebLog he explains various browsers other than MSIE have trouble with malformed HTML markup. He claims they have a security problem while MSIE is essentially bulletproof. He cites Michael Zalewski with an...
  • Welcome to the Slashdotting pal!

    The page didn't crash my browser, FireFox 1.0 PR running on Windows 2000 SP4
  • To Mike Dimmick:

    "Currently XPCOM binary extensions have no security model at all."

    It's because they don't need any security model. XPCOM is not ActiveX. You install XPCOM components into your system like any other dynamic libraries - you have to know beforehand if you trust them or not. This is no different from installing any IE addons to your hard drive.

    "Mozilla/Firefox smoke testing still appears to be post-checkin, though, not pre-checkin as I believe has become common practice at MS. It's not automated, which suggests the software wasn't designed-for-test."

    Smoke testing is generally post checkin (for some big changes the developers make test releases that are tested before the checkin is made). However, there are automated tests happening after checkin - page load tests, new window test, startup test, footprint, ... Also, every day thousands of volunteers download the nightly builds and use them and report bugs.

    "If you choose Microsoft software ... have performed the security reviews they say they have and that they're skilled to do so."

    It's in the company's best interest to claim so, but since it's closed source we have no way to know what they have done and how good their people and processes are. With open source, we at least can find out this information. Several types of reviews, including security reviews by security professionals, have been done on Mozilla source code.
  • I hope those who tried this and didn't get a crash immediately closed and restarted the browser. It might corrupt memory and not crash until much later, possibly causing additional data corruption along the way. (The same could be true with IE, but I assume the original tester knows what he's doing.)

    What this really makes me wonder about is something like... :(
  • Is there some misunderstanding? The tool used, which it seems like everyone is pointing to, is a brute force test. This means that it produces random HTML code; 99.99% of the time the browser will cope, but when it refreshes the code for the 1 millionth permutation, the browser may or may not crash. Using the script that he was using, it took him 2 hours to find those 2 "security" problems (browser crashes), and that's with the code running on the local machine and auto-refresh on. So... it probably won't crash the time that you use it, unless you're really unlucky. Oh, and to find bugs to crash Firefox, all you have to do is search; believe me, you can find plenty. Shame we can't see Micro$oft's bug tracker, sure to be large I would imagine...
  • Larry - Why do you advocate Microsoft and closed source software? You know what people like you are? Insane. Why would people write OSS in the first place if existing solutions weren't sufficient? Of course the Firefox team knows what they're doing. Have you ever visited even? If you believe that MS software is better, hey, go ahead. May your system be riddled with spyware/malware and many a virus. But preaching crap should not be tolerated. Does Microsoft pay you for this? Throughout their existence they've lied and cheated their way to the top. They're not on top because they make good software. A lot of companies are not on top because of quality software. This isn't hard to see. Many people know this. You'd have to be blind not to see how big of a problem Microsoft is. This is capitalism. You're advocating shit, pal. People like you are partly the reason computer technology is behind at least 10 years.
  • ... caused 3 IE windows to close, among the 7 that were open at the time. If processes were properly isolated from each other then only 2 IE windows should have closed, not 3. The reason for generously allowing 2 was that I had opened ... by right-clicking a link and selecting "open in new window", which sort-of implies that IE's bugs will kill both windows together.

    Of course I told the crash reporter to send a report to Microsoft, but I kind of doubt that the report includes the above facts.

    As usual I can't use the mouse to copy and paste from a dialog box, such as the dialog box displaying IE's version number.
  • I don't know if Heikki will come back here or not, but anyway: XPCOM is a binary interface, XPInstall is an installer solution, you can script XPCOM and XPInstall in Mozilla and FireFox using XPConnect. The net result is that - just like ActiveX - a site author can cause an unmanaged binary component to be downloaded by the browser, installed, then scripted by the page.

    Firefox 1.0 PR does now have an information bar similar to IE 6.0/XP SP2's, when a site tries to install a component. Unlike IE's, the user can only opt to allow sites to install components, rather than allow this single installation. If the user chooses to allow, and tries again, you get a dialog with 'Install Now' and 'Cancel' options. There's a timeout to stop you just pressing Enter, but the default is still 'Install Now' - unlike IE's, which is 'Don't Install'.

    Once the component is installed, if the component's interface is marked [scriptable], it can be scripted. There's no equivalent of 'Safe for Initialization', or the IObjectSafety interface, where the object can participate in safety decisions. The only option is to either enable or disable JavaScript. I saw mention that only scripts from the same site as the page will be able to script objects in the page, but that's not much hardship for a determined spyware-injector.

    It's another case where Microsoft's actual security *model* is stronger, but has been let down - in the past - by a weak *implementation*.
  • Negativeions:

    Larry: Maybe you need an "About Me" link on the left.
  • Rendering bad HTML is probably the only thing IE is good at (it sure can't render correct HTML properly)

    IE with tabs : (pre-empting any firefox zealots screaming about IE having no tabs. Also features adblocking, google bar support.

    MyIE 2 is about twice as buggy and random-crash-prone as regular IE. And it eats up a ridiculous amount of memory when you have lots of tabs open.
    crashed my IE+XP/SP2 ;-9
  • Let me be perfectly clear. I never said that IE was perfect. The IE team doesn't say that IE's perfect (

    But I AM saying that we tested against fuzzed input, and that testing against fuzzed input is necessary.

    People need to get away from the idea that just because the input is syntactically incorrect it can be ignored.
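To make the point in that last reply concrete (test against fuzzed input, and treat malformed input as something the parser must survive rather than something it may assume away), here is a small mutation fuzzer for HTML parsers. It is an added example, not code from this post, from Zalewski's tool, or from any browser team. The seed document, the mutation operators, and the deliberately trusting `naive_parse` target are constructed for the example; `html.parser` is Python's standard-library parser. Any exception thrown by the target counts as a finding, and the campaign is deterministic for a given `rng_seed` so a finding can be reproduced.

```python
"""Mutation-based fuzzer for HTML parsers (constructed example, not from the original post)."""
import html.parser
import random
import re

# Constructed seed; a real campaign would start from a corpus of real pages.
SEED_HTML = ('<html><body><div id="a" class="b"><p>Hello <b>world</b></p>'
             '<img src="x.png" width="10"></div></body></html>')
MAX_CASE_LEN = 16384          # keep cases bounded so one mutation cannot blow up the run

TAG_RE = re.compile(r"<[^<>]*>")
ATTR_VALUE_RE = re.compile(r'="[^"]*"')


def duplicate_tag(rng, doc):
    """Repeat one tag several times (child-count and list handling)."""
    tags = TAG_RE.findall(doc)
    if not tags:
        return doc
    tag = rng.choice(tags)
    return doc.replace(tag, tag * rng.randint(2, 8), 1)


def drop_closing_tags(rng, doc):
    """Remove every end tag so nothing in the tree is ever closed."""
    return re.sub(r"</[^>]*>", "", doc)


def inflate_attribute(rng, doc):
    """Replace one attribute value with a long run of one character (fixed-size buffers)."""
    hits = list(ATTR_VALUE_RE.finditer(doc))
    if not hits:
        return doc
    hit = rng.choice(hits)
    filler = rng.choice("Ax%/<") * rng.randint(128, 1024)
    return doc[:hit.start()] + '="' + filler + '"' + doc[hit.end():]


def deep_nesting(rng, doc):
    """Insert tens of unclosed table levels at a random point (recursion depth)."""
    depth = rng.randint(10, 60)
    pos = rng.randrange(len(doc) + 1)
    return doc[:pos] + "<table><tr><td>" * depth + doc[pos:]


def flip_chars(rng, doc):
    """Overwrite a few characters with ones that matter to an HTML tokenizer."""
    if not doc:
        return doc
    chars = list(doc)
    for _ in range(rng.randint(1, 8)):
        chars[rng.randrange(len(chars))] = rng.choice("<>\"'=/\x00\xff&;!")
    return "".join(chars)


def extreme_numbers(rng, doc):
    """Replace every number with a boundary value (sign and width handling)."""
    return re.sub(r"\d+", lambda m: rng.choice(["-1", "0", "4294967295", "99999999999999999999"]), doc)


def truncate(rng, doc):
    """Cut the document off, usually in the middle of a tag."""
    if len(doc) < 2:
        return doc
    return doc[:rng.randrange(1, len(doc))]


MUTATORS = [duplicate_tag, drop_closing_tags, inflate_attribute,
            deep_nesting, flip_chars, extreme_numbers, truncate]


def mutate(rng, doc, rounds=3):
    for _ in range(rounds):
        doc = rng.choice(MUTATORS)(rng, doc)[:MAX_CASE_LEN]
    return doc


def generate_cases(seed_doc, count, rng_seed=0):
    """Deterministic for a given rng_seed, so any finding can be regenerated."""
    rng = random.Random(rng_seed)
    return [mutate(rng, seed_doc) for _ in range(count)]


def run_campaign(target, cases):
    """Feed every case to target; any exception is recorded as a finding."""
    report = {"ok": 0, "crashes": []}
    for case in cases:
        try:
            target(case)
        except Exception as exc:          # the fuzzer wants to see every failure, not just known ones
            report["crashes"].append((case, repr(exc)))
        else:
            report["ok"] += 1
    return report


class _CountingParser(html.parser.HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.starts = 0

    def handle_starttag(self, tag, attrs):
        self.starts += 1


def parse_with_stdlib(doc):
    """Target 1: Python's tolerant stdlib parser. Returns the number of start tags seen."""
    p = _CountingParser()
    p.feed(doc)
    p.close()
    return p.starts


def naive_parse(doc):
    """Target 2 (constructed): a toy parser that assumes every '<' has a matching '>'."""
    tags, i = [], 0
    while i < len(doc):
        if doc[i] == "<":
            end = doc.index(">", i)       # ValueError on an unterminated tag
            tags.append(doc[i + 1:end])
            i = end + 1
        else:
            i += 1
    return tags


if __name__ == "__main__":
    cases = generate_cases(SEED_HTML, 500, rng_seed=1)
    for name, target in (("html.parser", parse_with_stdlib), ("naive_parse", naive_parse)):
        r = run_campaign(target, cases)
        print(f"{name}: {r['ok']} ok, {len(r['crashes'])} crashes")
        for case, exc in r["crashes"][:3]:
            print("   ", exc, "<-", case[:60].encode("unicode_escape").decode())
```

The naive target falls over within a few hundred cases simply because `truncate` and `flip_chars` routinely produce an unterminated tag, which is exactly the class of input a parser written against "valid HTML" never sees in its own tests. Against a real browser the harness would launch the engine on each case and watch for a crash or a sanitizer report instead of catching a Python exception, but the generation and replay side is the same.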