IE Code quality commentary...

I just saw this post by Michal Zalewski on BugTraq.  From the post:

It appears that the overall quality of code, and more importantly, the
amount of QA, on various browsers touted as "secure", is not up to par
with MSIE; the type of a test I performed requires no human interaction
and involves nearly no effort. Only MSIE appears to be able to
consistently handle [*] malformed input well, suggesting this is the
only program that underwent rudimentary security QA testing with a
similar fuzz utility.

I'm wondering when Michal's post will show up on slashdot.

Edit: Corrected Michal's name - Sorry about that.

Comments

  • Anonymous
    October 18, 2004
    "I'm wondering when Michael's post will show up on slashdot."

    It's now submitted, let's see what happens.
  • Anonymous
    October 18, 2004
    Of the reported 3, 1 didn't crash on anyone, 1 was already fixed in Dev builds and I fixed the 3rd one myself - a simple NULL pointer deref. Within hours everything suddenly feels safe, without having to hopelessly depend on the vendor to fix the problems. Isn't this magical compared to what would have happened with a closed source product?
  • Anonymous
    October 18, 2004
    I don't know if all bug fixes made with Mozilla have been error free. I do know that on other OS projects, it has taken several revisions to create a security fix that didn't itself introduce new bugs.

    In this case, the fix may have been simple and clean and easy. In other cases, it's not at all as clear.
  • Anonymous
    October 18, 2004
    To summarize - Software is hard to get right, humans code software as of now and thusly there is every chance that it is not perfect - But you are better off when you have the source with you. You can fix it by some means if nothing else works out. You don't have to be at anyone's mercy.

    And most importantly if everything is open and out there, you get elegant fixes instead of mere workarounds and you have the ability and capacity to correct the design if need be, without having to worry too much about how many other closed things it might break. (Linux USB API is a good example of this - they changed it thrice and they fixed all the drivers dependent on it - no ugly workarounds and bloat.)
  • Anonymous
    October 18, 2004
    didn't crash firefox for me,
    Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
  • Anonymous
    October 18, 2004
    I really don't know what is wrong here. Tested on firefox PR1.0 XP SP1 fully patched and there is no crashing evidenced, even after several refreshes.

    However, I know that even a 'hardened' IE is nowhere near as safe as firefox in regards to viruses and spyware. I guess you're not cleaning PCs for a living?
  • Anonymous
    October 18, 2004
    Based on the specific URLs he has provided it appears that FireFox PR1 crashes on Mozilla-Die1 and 2 but is ok on all others.

    I agree that the provided tool should be run against Mozilla and firefox for a considerable time to determine any other code errors.

    As for the issue of rendering bad HTML I am against it, however old sites should not be shunned. I think that if a browser encounters a doctype in the HTML header then it should be enforced, and an error presented about bad html, with an option to do a best effort.

    If all browsers did this then all web developers would produce valid code.
  • Anonymous
    October 18, 2004
    "I really don't know what is wrong here. Tested on firefox PR1.0 XP SP1 fully patched and there is no crashing evidenced, even after several refreshes."

    Same here. It would be nice to know what versions he was running... I didn't see anything about that in the article... but I could have missed it.


  • Anonymous
    October 18, 2004
    DoesntMatter: Works just fine for me in IE6 on SP2, no crash here.
  • Anonymous
    October 18, 2004
    OK it doesn't crash in Explorer XPSP2 ... please, when will I have it for my Windows98, 2000, ME, ...?
    I find it funny that MS is saying that they have improved many things in Explorer XPSP2 when most Windows users can not use it (just because they are not using WinXP).
    Sorry, that's not an answer.
    Oh, if you would like to know, I have XPSP1 fully patched ... and that web page crashes the browser.
  • Anonymous
    October 18, 2004
    IE with tabs : http://www.myie2.com/html_en/home.htm (pre-empting any firefox zealots screaming about IE having no tabs). Also features adblocking, google bar support.

    Incidentally, I wonder if firefox PR 1.0 still has the proxy bug that means you get an authorisation dialog for every resource.

    I'm not anti-firefox, I use it myself, it's just people moaning about IE when it was a leader for years gets a tad laborious.
  • Anonymous
    October 18, 2004
    Strange, the first example crashes my IE with XPSP2. My IE version string is 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
  • Anonymous
    October 19, 2004
    Something great to mention: none of the tests seems to crash Konqueror :)
  • Anonymous
    October 19, 2004
    sounds like many of those bugs have already been fixed on various platforms/updated versions of FF. and for those that haven't, i'm sure they will be fixed quickly enough. i hope Zalewski continues to find bugs so that the quality of the code will continue to be improved by open-source developers worldwide.

    really, who needs IE anymore except MS to try to trick/force users into being locked into their proprietary stuff.
  • Anonymous
    October 19, 2004
    I totally confused Michael Zalewski with Mark Zibowski
  • Anonymous
    October 19, 2004
    In a recent blog entry in Larry Osterman's WebLog he explains various browsers other than MSIE have trouble with malformed HTML markup. He claims they have a security problem while MSIE is essentially bulletproof. He cites Michael Zalewski with an...
  • Anonymous
    October 19, 2004
    Welcome to the Slashdotting pal!

    The page didn't crash my browser, FireFox 1.0 PR running on Windows 2000 SP4
  • Anonymous
    October 19, 2004
    I hope those who tried this and didn't get a crash immediately closed and restarted the browser. It might corrupt memory and not crash until much later, possibly causing additional data corruption along the way. (The same could be true with IE, but I assume the original tester knows what he's doing.)

    What this really makes me wonder about is something like... http://khtml-win32.sourceforge.net/ :(
  • Anonymous
    October 20, 2004
    Negativeions:
    uhhhhhhhhhhhhhhhhhhhhhh?

    Larry: Maybe you need an "About Me" link on the left.
  • Anonymous
    October 21, 2004
    http://it.slashdot.org/it/04/10/20/1344208.shtml?tid=172&tid=113&tid=154&tid=114&tid=218
  • Anonymous
    October 22, 2004
    Let me be perfectly clear. I never said that IE was perfect. The IE team doesn't say that IE's perfect (http://blogs.msdn.com/ie/archive/2004/10/21/246010.aspx).

    But I AM saying that we tested against fuzzed input, and that testing against fuzzed input is necessary.

    People need to get away from the idea that just because the input is syntactically incorrect it can be ignored.
  • Anonymous
    October 23, 2004
    SiEd blog » Testing
  • Anonymous
    November 01, 2004
    Updates: http://www.newsforge.com/article.pl?sid=04/11/01/1558216 http://www.securityfocus.com/archive/1/379207/2004-10-20/2004-10-26/0