IE May Share Shell Hole Found In Mozilla
On the same day that Microsoft released seven new security bulletins for the Windows operating system, four new "extremely critical" vulnerabilities in the Internet Explorer Web browser were announced Tuesday by a Denmark-based computer security firm.
Source: eWeek
The vulnerabilities discovered by Secunia aren't based on errors in the code of IE, according to Jerry Brady, chief services officer at VeriSign's Managed Security Services (formerly Guardent). Instead, he said, they're caused by weaknesses in the design of IE and of Web browsers in general. "You have to wonder if it ever makes sense in any case to accept code from a server and run it without authentication," Brady said in an interview with eWEEK.com. "Web browsers have lots of things in their functionality now that are well beyond what their original purpose was. It's hard to imagine a Web browser ever being very secure."
Comments
That means site has to get a secure transfer cert from a recognized secure cert provider (which hopefully can verify that route in secure mode IS such) and then issue download cert. These days it is very hard to get such info from many sites that do not run stores, or are not set up like Digital River. Sites that do this, to be certed and maintain certs, also end up having to verify ID of content uploaders to their sites.
Basically, back then, there was a rule that end users were to virus scan everything executable they put on their boxes before it was installed. The potential hole was known, onus was put on client end sysops to do the checking. McAfee AV was also free, basically-- public betas were available all over. In 1990 McAfee knew less than 2,000 viruses total. The question becomes, with Bots floating the web, is this enough???? I'll stay out of IMHO as much as possible, merely will say without strengthened enforcement and monitoring there need to be security standards to sign all downloads-- but that takes enforcement and monitoring to work, plus IDs that are themselves secure.
Probably not gonna happen in any foolproof manner in the world as we know it. NICE for end user, probably overall more expensive for both server owners and end users, having each user have a secure cert to upload onto servers is only close approximation of this we will get in near future-- and those are sold for enough to pay for validity checks plus sold on a subscription basis, not given free if you want them from VeriSign or an established cert authority with known verification practices. Think about how you would feel if you had to prove who you really were and have a contract and legal consequence for everything you emailed or uploaded anywhere, that could be checked worldwide. Now add anything you let be downloaded from your box has to have your ID on it in a way a browser can verify. If we demand too much security, we get to pay for it monetarily.