MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » January 2006

Re: Browser vulnerability was: Design Change Requests




On Wed, 2006-01-11 at 15:12 -0500, rob@xxxxxxxxx wrote:
> I don't think Joe was saying that FF is any better, or worse, than MSIE.
> He was saying that the "FF is secure and IE is not" concept is flawed. And 
> I can't see how anyone could legitimately disagree.
I can, and I do.  While it's not possible to say that FF is immune to
*any* attacks, it's much more immune to attack than IE.  Many attacks
that breeze through an IE install don't have any traction at all in FF.

On top of that the FF community actively and quite quickly squashes
flaws that are found.  Microsoft responses to flaws have been slower in
coming.

But, this is peripheral to the main issue.  I should be able to use any
standards compliant browser to access content on the internet.  IE is
*not* standards compliant.  On top of that, there is no IE on Linux,
BSD, Solaris, and so on, nor is it any longer supported on Mac.  I don't
know what browser you use on iSeries, but I'm pretty sure it's not IE.



>   Anyone who trusts that 
> their browser will not let in these flaws simply because it is not MSIE is 
> opening up their PC to attack.
Security, as you know, is many-layered.  I rely on firewalls, virus
scanners, and the like, as well as my client software.

>   To believe otherwise can only be a 
> political attempt to push an anti-MS bias.
Nonsense.  Just because IE is junk doesn't mean I have an anti-MS bias.
Junk is junk no matter who writes it.

> 
> And I will continue to believe so, just as I believe that Joe's perception 
> that none of IBM's "integrity" ptf's are out there for security purposes 
> is flawed because of his strict bias that i5/os has no security leaks that 
> have ever needed to be fixed because it is not susceptible to "buffer 
> overruns".
I've actually attempted to build code that I can break in such a manner.
I think there are probably programmers that create code that allows for
SQL injection attack, but I haven't been able to make a 'buffer
overflow' work.

I don't think every programmer writes code to check all input.  I can
and have accidentally crashed programs by sending them bad data.

Regards,
Rich






