Microsoft Internet Explorer and Encryption
By Larry Smith
[ Editor's Note:
[
[ On 19 Mar 97 Craig Brougher reported that he'd received
[ notification, from MSN (Microsoft Network), of a security
[ bug in Microsoft's Internet Explorer. Although Robbie and I
[ tend to discourage discussion of unrelated computer trivia
[ and Internet rumors, this report seemed appropriate.
[
[ On 20 Mar 97 Larry Smith wrote in to explain in more detail
[ about the bug, confirming it was real. He also took the
[ opportunity to make some editorial comments about Microsoft,
[ Linux, encryption, and some other issues.
[
[ (Background Material)
[
[ I have been a student of Computer Science since the late 60's.
[ I started programming on IBM mainframes in Fortran and assembly
[ language, but soon found myself programming in Algol on a Burroughs
[ machine. I discovered a curious phenomenon. If IBM hadn't invented
[ it, many people discounted a technology. Burroughs had fielded
[ technology that IBM didn't have (or hadn't marketed yet), and
[ many people discounted it because it wasn't IBM. Much technology
[ was delayed to "the masses" until IBM decided to market it.
[ From my point of view, this delayed the evolution of Computer
[ Science, which I found frustrating. Clearly this is
[ an opinion, but many people hold this opinion, and its
[ relevant to what follows.
[
[ In the non-mainframe software market, Microsoft quickly became
[ the dominant player. Many people believe that Microsoft's
[ domination of the market has delayed the evolution of Computer
[ Software. Consider that many of the "features" just introduced
[ by Microsoft in Windows 95 were available on the Macintosh in 1987.
[ To me, it feels like the IBM/Burroughs (and other industry players)
[ struggle all over again.
[
[ As a consequence, I'm sympathetic to Larry's position about Microsoft.
[ I asked Robbie to run his article, and gave Robbie a verbal statement
[ to put at the end.
[
[ The apparent Microsoft "bashing" offended Pat Mullarky, who has a
[ "beta" testing agreement with Microsoft. (Beta testing is when you
[ help a vendor test a product by using before its released to the
[ general public). In the interest of allowing a "balance" of points-
[ of-view, Robbie and I decided to run Pat's article. The article,
[ however, had a personally critical tone towards Larry, which
[ Robbie and I overlooked. We owe both Larry, and the group
[ an apology for running the article. Larry, for not recognizing
[ that Pat's article would probably be offensive to him. To the rest
[ of the group because to "make it right", we're going to run a
[ couple of more articles on the subject which some of you may
[ not want to see.
[
[ The messages which follow are
[
[ 1) Larry's response to Pat's rebuttal message, which Larry found
[ offensive Although I received this message on the 24'th, I
[ have not run it until now. There's been several
[ "behind-the-scenes" messages between me and Larry and
[ between me and Pat prior to deciding to running these.
[
[ 2) Pat's response to my pointing out to him privately that Larry
[ had been personally offended by Pat's rebuttal and that I
[ was most likely going to print Larry's message (1) above.
[ Although Pat's message was addressed to the "rollreq" account
[ he's since sent me permission to run it.
[
[ Jody
Jody, I went to some trouble to ensure my post did not have a tone that implied any degree of Microsoft-bashing. I don't believe in that, and I don't do it. I use Microsoft products daily, and will continue to do so -- but it annoys me to the extreme when the members of the Church of Microsoft feel they must take such a post as an excuse to proselytize, and Mr. Mullarky's post was, in my opinion, entirely uncalled for. All I did was point out that alternatives existed -- and not only stopped short of _recommending_ them, I even went so far as to characterize them as somewhat paranoid! I am angry and aggrieved that Mullarky's post was sent to the list, I take it as a direct and unprovoked attack on my cred- ibility at my professional _job_ -- for testing software, and software security, is what I do for a _living_.
I believe the proper thing to do was to forward it to _me_ for comment _before_ posting it, and to allow me to dialog with Mr. Mullarky before he could go off half-cocked. The result would have been less inflammatory I am certain.
But I am afraid I cannot let it rest without addressing two important points: Mr. Mullarky said:
> I know the holes in the software. "Joe Average User" will *never*
> be hurt by them. And, even those tiny security holes have been fixed.
No one we know of _has_ been hurt by these bugs -- but the demo page showed very clearly _how_ a computer can be seriously damaged or disabled. That was _not_ a "tiny security hole". It was large enough to kill an entire system. Users _must_ download those patches and apply them _now_ if they want to continue to use Internet Explorer (IE) -- for if there were no web pages that would destroy your system before the holes were reported there surely are _now_. I have little doubt that the vandal mentalities of the network are already inventing ways of using these holes, knowing that many people _won't_ upgrade.
In less than a fortnight, _three_ security holes large enough to kill a system were discovered in Internet Explorer. It is possible those were the last such bugs in the program -- but it is also possible that they were not [*1]. _None_ of Netscape's reported bugs possessed such potential [*2]. I stand by my recommendation of Netscape as far less likely to have such bugs. I have spent enough years in software Quality Assurance to have some idea of what I am talking about. Un-critical fan-dom will not help other users on this list. Nor Microsoft, for that matter.
[*1] They were certainly not. Another bug has just been reported on Usenet that could potentially give web users unauthorized access to arbitrary files on your hard drive. Microsoft is planning a patch to the IE 3.02 release and will probably shortly have new patches for 3.00 and 3.01.
[*2] Netscape has had at least one security bug pegged against it in recent months which is shared with IE. This does not provide access to a hard drive, but it could theoretically allow a clever web pro- grammer to grab a VISA card number entered in a "secure" form to be retrieved from an insecure one. This is partly a bug, partly an issue with HTML, and partly carelessness. But it reminds us all that there is no one, entirely safe alternative, there are only acceptable and unacceptable _degrees_ of risk, and we all must determine how much risk we are willing to accept ourselves.
Mr. Mullarky also said:
> In my opinion: Linux is for computer professionals, only, as is the vast
> majority of Unix systems. Very few non-computer people can sit down to a
> Linux/Unix keyboard and simply edit and send a letter to their Mom
> without going through a very, very steep learning curve. Installing
> Linux/Unix on a computer can be very difficult even for professionals.
Denigrating competing products is also not a valid defense. And the above is completely unjustified, especially for readers of _this_ list, many of whom will not be able to "simply edit and send a letter to their Mom" no matter _what_ system they buy. Linux's installation and learning curve is no higher than Windows 95's, and only slightly higher than Mac's. Do not assume your _own_ familiarity with Microsoft products make them easy for all.
I will leave open my invitation to contact me with technical questions relating to Microsoft _or_ Linux and the programs that run on either of them. If I can't help, I can point people toward someone who can.
I would also suggest that henceforth Internet questions be redirected by the moderators to people they believe can help the questioner, and that advisories be sent by the moderators when needed, and kept to a minimum -- with a policy of not discussing them. Corrections can issued after off-line discussions.
regards,
Larry Smith |
(Message sent Mon 24 Mar 1997, 16:23:48 GMT, from time zone GMT-0500.) |
|
|
Mechanical
Music Digest™ Archives
