Fog Creek Software
Discussion Board




Yup the problem is not patching

... or waiting for your vendor to make a fix.

IE "unsafe at any speed"

http://www.computerworld.com.au/index.php?id=117316298&eid=-255

obvious
Wednesday, June 09, 2004

From the article

"an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched."

Mike
Wednesday, June 09, 2004

What is the point of this MS bashing???  Yes MS software has bugs / vulnerabilities. But that can be said of all software.

Yawn
Wednesday, June 09, 2004

"What is the point of this MS bashing???  Yes MS software has bugs / vulnerabilities. But that can be said of all software."

Maybe it's something related to MS having 50B in the bank and not using said money to fix the vulnerabilities of its software?

Dewd
Wednesday, June 09, 2004

So basically you want to tell them what to spend their money on?

Why do successful people / companies get shit on all the time?

Who is running the business?
Wednesday, June 09, 2004

What are people's impression of the Win XP SP2 upgrade?  Supposedly it's all security-focused, as that's the new buzzword around MS these days.  Or is it just a marketing ploy? :)

Joe
Wednesday, June 09, 2004

>Why do successful people / companies get shit on all the time?

Because being successful and making money does not mean you're acting in the moral interest of your customers (or public, which in Microsoft's case is basically one and the same).

Microsoft has a history of making money, but showing poor moral character (security is an afterthought, screwing small companies over, stiff-arming distributors, etc).

Chris Kessel
Wednesday, June 09, 2004

For the record, the legal mandate of a corporation is that it generate money for the shareholders. This is even at the expense of the law, the rights of other people and companies, and so forth.

(See: http://www.thecorporation.com/ ... actually, see the movie and read the book.)

So yes, that's what MS does, not because it has the best interest of users in mind, but because it has the best interest of shareholders in mind. Since security problems are affecting their bottom line, they're addressing them at a rate that will provide them with the maximum return on investment.

Tim Sullivan
Wednesday, June 09, 2004

All you wankers convinced the latest Computerworld is further proof that the rest of the world is stupid -

please just go and install your favorite Linux distro which, as we all know, are perfect and confer immediate wealth and life altering happiness on the fortunate user.

And then piss off.

Happy Windows Developer
Wednesday, June 09, 2004

Perhaps so many people are tired of fat kids with a trust fund pissing on the internet commons.

I think that about sums it up.

hoser
Wednesday, June 09, 2004

Tim Sullivan:

Yep.  Yet more evidence, legal != moral :)

I use Windows all the time.  Some stuff drives me nuts and I preferred all-Unix environments for real work.  But Windows is the norm, however MS got there, so that's what I use.

Really, as long as I get the work done I want to do, I don't much care anymore.

Chris Kessel
Wednesday, June 09, 2004

Happy,

A simple search on Google-news:
http://news.google.com/news?q=internet+explorer

Cheers

Dewd
Wednesday, June 09, 2004

Who let the linux fags out of the pens?

one meeeellion dollars!
Wednesday, June 09, 2004

> Perhaps so many people are tired of fat kids with a trust fund pissing on the internet commons.

That's right. Heroes like Larry Lessig, happy to give away all your work while he collects his Harvard salary.

Happy Windows Developer
Wednesday, June 09, 2004

Meanwhile, Mozilla 1.7 RC3 and Firefox 0.9 RC have been released: http://www.mozilla.org/

Cheers

Dewd
Wednesday, June 09, 2004

I guess the current Linux crew grazing over here from Slashdot has never heard of a "rootkit".

Mitch & Murray (from downtown)
Wednesday, June 09, 2004

If you have an unpatched IE, anyone with a webserver can do anything they want to your machine, if they can just get you to visit their site.  That is getting easier; I just followed a link off of some blog and got my browser hijacked.  Someone had changed the content on the site after the link got popular.  I do a terrible job of protecting my home machine and paid the consequences.  The things it did to my machine were astounding: registry entries that change themselves back, it blocked popular spyware killers from running, and a hijacked home page that I couldn't fix for anything.  Thank goodness for XP's built-in restore points feature.  It has gotten nasty enough out there that the web browser and email reader have to be rock solid secure.  Unfortunately, Microsoft's products were designed to be feature rich, and those features required an object model that made them more prone to serious attacks.  A web page has no business mucking in my registry!

Keith Wright
Wednesday, June 09, 2004

Please explain how Lessig "gives away your work".

Mitch and/or Murray (schizo today? who are we?): Windows appears to be a rootkit with a user-friendly installer.

hoser
Wednesday, June 09, 2004

Just a couple of points:

So Microsoft has $50-some BILLION in the bank.  That's cool.  However, you need to understand that all that money belongs to the SHAREHOLDERS.  Having a large cash reserve does not imply that all developers get blank checks.  If you think otherwise, you should spend a little more time reading up on how corporations work.

Furthermore, let's suppose that they were able to use all $50B to solve IE's security problems.  How would they use it?  The way I see it, they could do three things:

(1) Pay their existing developers more money.  This might motivate the developer more to solve the problems, but it wouldn't magically fix IE overnight.  There's only so much a team could do.

(2) Throw more developers at the problem.  This sounds like an attractive solution at first, but it opens up a whole host of other problems.  As the size of a software team increases, so does the probability of bugs.  Also, there's the overhead of training these new developers on the codebase.  It also increases the management overhead something fierce.

If you don't believe me, read The Mythical Man-Month.  You can't have a baby in 1 month by putting 9 women on the job.

(3) Throw out IE and re-write from scratch.  This is a bad idea for a number of reasons, not the least of which is time.  It would take years to get a suitable IE replacement out the door.  Especially if you want to maintain backwards compatibility with existing software.

Remember, any changes made to the IE codebase have dramatic repercussions.  The MSHTML engine is probably one of the most heavily reused components in the Win32 world.  Any changes that are made have to be regression tested.  This isn't to say that the holes can't be fixed, it just means that developers have to be careful as they're changing things.  This means lots of testing.

Joel has written more than enough articles on the "rewrite from scratch" policy.  Go search his blog if you want to read them.

It certainly sucks that there are security holes in IE, and I agree that they should be fixed.  However, having $50B in the bank doesn't allow them to magically fix every problem overnight.  I'm sure they wish it did.

Myron A. Semack
Wednesday, June 09, 2004

"What is the point of this MS bashing?"

The point is to remind people that they have a choice. If you choose to use Windows, you have to take additional precautions to deal with the fact that Microsoft products are the target of a lot of unsavory characters. Or you can choose another operating system that has other disadvantages (like small market share).

Tom H
Wednesday, June 09, 2004

I guess the current Linux crew grazing over here from Slashdot has never heard of a "rootkit".  Oh, gosh.  It can happen to Unix too.  I guess that means all operating systems are equally deficient.  Just because you believe that MS is no worse does not make it so.  80% of the spam on the internet being served off compromised Microsoft machines is enough for me.


">Why do successful people / companies get shit on all the time?"

Funny how there are so many MS fanboys here.  Almost like bizarro Slashdot.  Microsoft is only successful when measured monetarily.  By many other yardsticks they fall short.

Zone
Wednesday, June 09, 2004

The thing that amazes me is there are stooges who are still willing to defend the security flaws in Microsoft software.

I wonder if they're on the payroll...  ;-)

Anon
Wednesday, June 09, 2004

As I type this my RH9 colo'd box is down.  Have a flaky nic driver I do believe.  If it ain't one damn thing...

Zone
Thursday, June 10, 2004

> The thing that amazes me is there are stooges who are still willing to defend the security flaws in Microsoft software. I wonder if they're on the payroll...  ;-)

Absolutely amazing. How could they be such SHILLS when everyone knows Linux is superior and MANY EYES means there are never ever any bugs in open source.

On the payroll, for sure
Thursday, June 10, 2004

I'm not convinced that Myron's Option 3 is so totally bad, as long as it was handled correctly.

How about if Microsoft actually did re-write IE, but with security built in at every level, rather than patched on the side with sticky tape and gum, like we have now ?

If it was demonstrably secure then business clients would be willing to pay for it. I would be happy to pay, say, $100 per seat for IE/Outlook/etc that was not vulnerable to these exploits.

If anyone has the resources to do this, it is Microsoft. They've got the cash, and the payback would be there too (especially from business clients).

On the other hand, perhaps it is just impossible to create this level of security in complex applications.

If this is the case, then these problems will remain endemic and slating MS, or anyone else, is just a waste of entropy.

Steve Jones (UK)
Thursday, June 10, 2004

There are alternatives on Windows.  I'm writing this with Mozilla Firefox.  Web pages don't look any different; I can see just as much of the Internet as I could with IE.  The really funny thing is that Microsoft's own web site works -better- with Firefox than it does with IE.

Clay Dowling
Thursday, June 10, 2004

As Clay mentions, there are alternatives to IE, but I am not convinced that they're in widespread use in the business world. MS have won the battle of the corporate desktop with IE.

Steve Jones (UK)
Thursday, June 10, 2004

"If it was demonstrably secure then business clients would be willing to pay for it. I would be happy to pay, say, $100 per seat for IE/Outlook/etc that was not vulnerable to these exploits."

Or maybe, if software manufacturers faced lawsuits for shit products like car makers do, they'd fix it on their own.

Mike
Thursday, June 10, 2004

"If it was demonstrably secure then business clients would be willing to pay for it. I would be happy to pay, say, $100 per seat for IE/Outlook/etc that was not vulnerable to these exploits."

LOL!

Just me (Sir to you)
Thursday, June 10, 2004

I don't doubt that Microsoft COULD re-write IE from scratch to help eliminate the bugs.  My question is whether or not it could be done in a timely fashion.  People want IE fixed yesterday.  Even with a big team of developers going all out, I guess it would take at least a year.  People are bitching about IE development being stagnant now.

You also have to consider, how many new bugs will they accidentally create re-writing IE?

Here would be my approach:  Parallel path.

Dedicate part of the team to fixing the known vulnerabilities in the current IE.  Get as much of it rolled out by WinXP SP3 and Win2K SP6.

Dedicate the other part of the team to getting MSHTML moved into .NET and cleaned up.  Talk about adding new features.  Incorporate all the fixes from the other team.  This can be rolled out in Longhorn.

Now, big caveat.  I have no experience managing a large team working on a single project.  I also don't know the MS culture.  I don't know how feasible this actually is.

Myron A. Semack
Thursday, June 10, 2004

Too bad everyone isn't an honest, upright person - security would never be an issue...

Anonymous
Thursday, June 10, 2004

Yeah, and stop surfin' those porn and warez sites!

Seriously... if you want Microsoft to update their IE browser, give them a reason to... start using Mozilla.

I did for a while, but a lot of pages I visit didn't look the same and it was annoying enough to switch back.

Is it really so hard to keep the Windows "Automatic Updates" running?  They are getting a lot better about not requiring a reboot.

GuyIncognito
Thursday, June 10, 2004
