General discussion

  • Creator
    Topic
  • #2291123

    Dear IE, I’m leaving you for good

    Locked

    by typemismatch ·

    article root

All Comments

  • Author
    Replies
    • #3292935

      you’re kidding right?

      by typemismatch ·

      In reply to Dear IE, I’m leaving you for good

      I hate to point this out but it doesn’t matter how good firefox is, 99% or higher of users have no damn idea what it is you’re talking about and will use whatever browser their operating system comes with. That being said, IE is here for good, forever….you get viruses from time to time but if you’ve got good virus software who cares. Even if firefox could do my work for me while I lie on the beach, I wouldn’t use it …. why? well, most smart people know, when building a website that your visitors will be using IE so you build your site to support IE …. imagine no VBScript or ActiveX or other such things … but yet again, if firefox did ALL those things, most people don’t know what it is …. you can’t ignore that little fact.

      If I was MS I’d be laughing my ass off at these reactions.

      -ie

      • #3292717

        Agreed – easier than writing ‘Stupid’ on your forehead

        by david hamilton ·

        In reply to you’re kidding right?

        Yes, there are a large number of users who have no idea what a browser is (I’ve often had the response Word 97 to the question “Which operating system you are using?”!). Of course those same users are the reason that I’m being spammed to death at the moment – they’ve no idea about security, got viruses and their address book stolen and sold to spammers. Their ignorance is a problem, not a justification.

        But the real point is that I’ve been watching the usage stats of various types of websites, and, only a week after it’s release, Firefox 1.0 is already a 10% usage on certain types of websites – notably ‘Software’ and ‘Weblogs’. In other words it is particularly ‘net savvy’ individuals who are using Firefox – the movers and shakers in the industry.

        If you write a site that is IE-only, you would be:

        a) Publicly advertising your ignorance of the internet and it’s standards, and how to properly write a website.

        b) Highlighting your ignorance to many of the movers and shakers in the internet community – the important people!

        In fact – you’re right: Keep your site as IE-only – that way we can easily identify you (and your clients, if you have any) as ignorant of the internet and disregard anything you say.

        It’s a lot easier than having ‘Stupid’ tatooed on your forehead, after all.

        /david

        • #3291087

          are you insane?

          by typemismatch ·

          In reply to Agreed – easier than writing ‘Stupid’ on your forehead

          Who cares what the movers and shakers think? Really, I couldn’t care less. You must be right up there if you think the important people decide what browser we use …. geez.

          If I was selling products online or some form of online service do you really think I’d be trying to target the movers and shakers …. are we making movies here? I only care about the average and the average says IE and since everyone has it, unless you’re a die hard linux user, then IE it will always be.

        • #3292599

          No – just not marketing to sheep

          by david hamilton ·

          In reply to are you insane?

          Hey Buddy – guess why the movers and shakers are the so called? Because they’re the decision makers and influencers. They’re the ones that marketing are always so keen to advertise to, remember? The vast majority of the rest are sheep who just follow. In experiments, Milgram found that 63% of people would actually hurt other human beings for no other reason that they had been given a command to…

          Who cares what the majority think – they don’t actually think at all since they’re too busy following!!!

          The whole point about writing standards-based websites is that you target everyone – not just those who are too ignorant to know what a browser is.

          /david

        • #3292457

          Code reuse

          by thedew ·

          In reply to are you insane?

          You know, I think the fact that Outlook, IE, Windows Explorer, and others’ reliance on the same HTML rendering component is a good example of code reuse, something that I continually try to acheive in my line of work.

        • #3291429

          You couldn’t be more right

          by madestroitsolutions ·

          In reply to Code reuse

          I must say FireFox has lots of interesting features that I like (I am an IE user), but you know how much time I spend making the websites I design look the same in other browsers?
          I somewhat favor Open Source and definitely don’t like monopolies, but the fact of the matter is that it would be much easier to design web sites and program software if all the components were tightly integrated like you mentioned.

      • #3291155

        I usually don’t like MS bashing because…

        by dgarvich ·

        In reply to you’re kidding right?

        Usually, people who are out to bash Microsoft and Microsoft products are doing just that… bashing. Often there is no real alternative to what the products offer in terms of functionality so I’ll deal with the bugs.

        However, the browser market is different. I was there when Netscape introduced tables, I’ve been there through every major browser, browser war, virus, vulnerability and feature. Lynx was my first browser and I still use it on occasion.

        Now, I use Firefox exclusively for development AND browsing. There are very few sites which get rendered oddly and the additional add-ons in the form of extensions makes Firefox a much better platform for development.

        Do I represent 90% of the market? No, but I do represent the more informed 10%. Funny thing is… it’s the informed 10% who have always dictated which browser was the de-facto standard, much like fashion designers dictated what will be “in vogue” next season.

        The public is becoming more and more savvy as the internet and its pitfalls become more and more mainstream, there’s no reason a browser as weak as IE should be the de-facto standard forever, particularly when Microsoft has said they would offer no further development on it.

        My traffic reports show a significant increase in Firefox usage in the past few weeks… One can only hope…

        • #3291084

          Reply To: Dear IE, I’m leaving you for good

          by typemismatch ·

          In reply to I usually don’t like MS bashing because…

          The only de-facto standard browser is the one you get with your OS and I hate to point out it is and probably will be for a very long time IE.

          I think the increased problem with viruses shows that the public is _not_ becoming more savvy with the internet, more exposed but not any more educated.

          I don’t hate firefox and I do use it at work as well as IE but it isn’t the greatest and to be honest I would like to know why we need another browser anyway? and that is a serious question, is the industry trying to make a new browser just because people are pissed with MS? ….

          anyway …. life goes on

      • #3291427

        Reply To: Dear IE, I’m leaving you for good

        by dlwaters ·

        In reply to you’re kidding right?

        typemismatch,

        >well, most smart people know, when building a website that your visitors will be using IE so you build your site to support IE

        I am a web application’s programmer, so of course first and foremost I will make sure my web sites function in IE. It would be suicide not to, but I will also work to support Netscape, and Opera & Firefox, and Text Browsers because I am not the one who determines who wants to shop at my sites. I find it hugely arrogant of sites that say to me when I arrive at their doorstop, “If you don’t use IE, don’t bother shopping here.” How offensive can you get? What an enormous turn-off it is for me to have to load IE just to visit your site. Can you imagine walking up to a grocery store and being asked to provide your Microsoft Loyalty Badge before being able to walk in??

        I am not a mover, nor a shaker, just someone who likes tabbed browsing. I discovered tabbed browsing using Opera, but could not stand Opera’s overall interface. Firefox provided me with a much clearner interface that I happen to love. I do not claim that Firefox is a perfect solution. I have my beefs and find that it’s startup configuration is a bit too spare and that users who don’t enjoy searching for and finding extensions might not like Firefox. A coworker of mine and even my fiancee (who is very much a techy) both do not like Firefox, which is their choice based on their needs.

        But, the bottom line is, as a web applications programmer it is my duty to supply cross-browser compatibity in my sites so I don’t alienate potential customers. I won’t go out of my way to support every ancient browser out there, but I will cover the major players, and in spite of your feelings Firefox is a major player now.

        Dean L. Waters

        • #3291422

          True, but the question is…

          by madestroitsolutions ·

          In reply to Reply To: Dear IE, I’m leaving you for good

          Wouldn’t you like to have a single platform so you do not have to be waisting your time modifying your HTML and CSS to make it look the same in other browsers?

          I am with you, FireFox has nice features that IE does not have and will never have (unfortunately due to halt development), so under that idea, it is definitely better. Imagine if we could have an integration of all the features of FireFox with a Microsoft rendering engine… after all, it doesn’t cost a cent to dream…

        • #3291314

          IE Makes us..

          by lsw ·

          In reply to True, but the question is…

          If IE would finally support standards and quit doing their own thing…. we would not have to hack our sites to look good in IE & other browsers…..

          Safari, Opera and Firefox all show ms sites closely to the same….. Only IE forces me to add CSS hacks to show what I want.

        • #3311172

          Standards are often Arbitrary

          by dlwaters ·

          In reply to True, but the question is…

          Of course I would like to be able to program to a single set of standards. That would be lovely, but I find even Firefox has some pecularities to how it interprets some CSS.

          But, in reality, I am a coder and I have never been able to program much of anything that behaved exactly how it has been specified. It angers me that Explorer ignores certain standards, but I hate to say it, but I find *some* of the CSS standards to be oddly chosen. For instance, I would like it if there were a toggle to have containers *contain* floats, or at least the bottom edge of floats so that they don’t leak out of their container when they fill up.

          But this is just picky. At the heart of it a “Standard” doesn’t mean “Correct.” A standard is often quite arbitrary and both Microsoft & Netscape have violated standards at times in hopes that Their Standard would become The Standard.

          I am deeply suspicious of Microsoft’s choice to not release a new browser version. I quite honestly think they are lying through their teeth about this “operating system integration” necessity. Horse poo! They could have easily devoted a small portion of their research budget to an interim update with new features. It is my not-so-humble opinion that they were hoping other browsers would just go away. Well they haven’t! Maybe it’s the revolutionary in me that likes the Idea of Firefox as much as the implementation. I always like it when the underdog does a better job than the Corporate Imperialist.

          But that is also why I am quick to point out Firefox’s limitations as well as it’s strengths. I find that honest dialog is better than Preaching.

          Dean L. Waters

        • #3311164

          Agreed, MS must be up to something….

          by madestroitsolutions ·

          In reply to Standards are often Arbitrary

          Given the ever increasing popularity of Internet around the world, I find it hard to believe that Microsoft is not putting any money into it. I wonder what their strategy towards this is…. They must be planning something… WaterFox?

        • #3310920

          Conspiracy Theories 101

          by david hamilton ·

          In reply to Agreed, MS must be up to something….

          My 5 cents is that Microsoft are working on a number of proprietary solutions to add extra rich content to the Internet Experience.

          However to experience them you will have to be using both IE on Longhorn, and accessing a servers running MS server software. They’ll use proprietary protocols owned by Microsoft.

          That will crush Linux, Apple, Mozilla, Opera, Apache etc. at a stroke.

          Of course, it’ll totally remove consumer choice as well, but most consumers have shown themselves not to want that anyway. 🙁

          /david

        • #3310859

          True

          by madestroitsolutions ·

          In reply to Conspiracy Theories 101

          I agree. That is what Microsoft always does, and sadly enough, you are right, consumers stick to Microsoft. (although I am a Microsoft user and love IE and other products, I still don’t agree on Monopolies)

      • #3305029

        heh, the IT world does not belong to MSFT

        by gimbal ·

        In reply to you’re kidding right?

        Pardon if this sounds like it’s off from “left
        field” or what, but, really, if I was Microsoft,
        I’d be cringing.

        They may be cringing, already.

        Obliquely put:

        Signs of desperation appear, where the Microsoft
        name approaches Linux.

        Signs of misunderstanding may appear, likewise,
        in a “business” sector that is not really
        getting what the heck is going on.

    • #3291163

      Firefox has bugs too!!

      by nathwdavis ·

      In reply to Dear IE, I’m leaving you for good

      I have Firefox installed and used it quite a bit for a month or so, but I got tired of the frequent crashes, the bugs, and the mis-display of web pages that are XHTML compliant.

      Also, it has its own security vulnerabilities as well, they are just not advertised like IE’s are because hardly anybody is using or even knows what Firefox or Mozilla is.

      Let’s be realistic!!

      • #3291097

        What Security Vulnerabilities?

        by david hamilton ·

        In reply to Firefox has bugs too!!

        OK, I’ve looked on the Mozilla vulnerabilities page – there are no unfixed issues:
        http://www.mozilla.org/projects/security/known-vulnerabilities.html

        I’ve also listed all open bugzilla issues on Firefox 1.0 and can find nothing against ‘security’ or ‘vulnerability’ that corresponds to anything resembling a security bug.

        Can you please provide evidence of your statement, otherwise I’ll have to assume it is untrue. And that would mean that your statements about crashes, bugs and mis-display would appear to be untrue too…

        I await your evidence.
        /david

        • #3291036

          RE: What Security Vulnerabilities?

          by nathwdavis ·

          In reply to What Security Vulnerabilities?

          You are correct: there are no unfixed vulns for the current release.

          The current release is about 2 weeks old. That isn’t much time to find new vulns.

          Also, I like 99% of people don’t check for the latest version of my browser every few weeks. So, I have version 0.9.3 – which has about 8 vulnerabilities. It’s a good thing I’m not using FF much.

          Fortunately IE vulns get fixed by Windows Update, so my current IE is vulnerabiliy-less.

        • #3292589

          Several unfixed vulnerabilities in IE

          by david hamilton ·

          In reply to RE: What Security Vulnerabilities?

          How wrong can you be? There are several unfixed vulnerabilities in IE, the latest of which is:

          http://news.zdnet.com/2100-1009_22-5457105.html

          But in particular, if you’re not using XP SP2 (and a lot of the world isn’t) there is this particular unfixed nasty out there:

          http://news.zdnet.com/2100-1009_22-5439370.html

          And that’s only the one’s that they’re admiting to – they have a habit of starting arguments with security companies that dare tell the public about problems.

          And if you want proof, look at the Microsoft’s knowledge-base numbers against the JPEG security patch released in September 2004…

          http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

          At the time the press praised Microsft for its prompt fixing of the problem – but if you look at their sequentially allocated KB numbers at different story emerges – the first number against the flaw is 830348.

          Now if you look back through their history of other patches you find the following fix for KB831527 (after the first JPEG issue report) in November 2003:

          http://www.microsoft.com/security/bulletins/200311_office.mspx

          Thus my conclusion is that it took at least 10 months from Microsoft being aware of the JPEG buffer overrun to releasing a fix. Now I realise it was a big patch, but almost a year?!!!!

          Be afraid – be very afraid – if you’re still using Internet Explorer!

          /david

        • #3291420

          Never seen it crash?

          by madestroitsolutions ·

          In reply to What Security Vulnerabilities?

          Guess what, me neither…
          So now you are going to tell me you have never seen a software work fine in some computers and crash in others?
          I can post the same question backwards to you:
          Have you thoroughly studied FireFox’s code? Are you 100% sure there are no security flaws? If not, I will have to assume your statement is untrue. There is no perfect software in the world, and if you were a true programmer, you would know that.

        • #3310926

          Your point?

          by david hamilton ·

          In reply to Never seen it crash?

          Agreed there is no such thing as perfect software. But that does not mean that all products are equal.

          My point was that he was making some points he couldn’t substantiate, so that makes me distrust the rest.

          /david

      • #3291310

        Not support XHTML?

        by lsw ·

        In reply to Firefox has bugs too!!

        Excuse me… but if you open a TRUE XHTML web page that actually uses the XHTML mime type and sends it ot the Server you will see Firefox return true XHTML Pages.

        If you visit the same site with IE… IE will try to download the page because it DOES NOT KNOW what to do with True XHTML. IE only accepts XHTML served as HTML. Just try this document at Juicy Studios to see how both browsers treat it, it is true XHTML.http://juicystudio.com/mimetest/xhtmldoc.asp

    • #3291512

      One night stand

      by bcampbellone ·

      In reply to Dear IE, I’m leaving you for good

      Dear Firefox, Your good but not good enough to leave IE
      November 22, 2004

      By Robert Campbell
      Web Developer

      Dear Firefox:

      It’s over. Our relationship was just a flash in the pan, the honeymoon is over, the thrill is gone. I’m staying with IE.

      I know this isn’t a good time–you’ve just been released, the confetti is flying, and so isn’t the truth.
      You ask me what about virus’s, you know IE always is to blame. Well I do hope you can do better that that, I haven’t had any virus’s in the last 4 years, of course I do take all of the precautions and keep my system in tip top shape, I mean you’ve got have some sense of personal responsibility….
      Funny, you’d think all the geeks and developers would do the same, but they dont, they turn around and blame the browser, I guess that’s what they mean when they say "programmers are lazy." (Apparently, so aren’t tech editors.

      And Firefox, how is it that in all the time it took you to grow up, that you never mention the fact of how much you have learned from IE? Just like IE learned from Netscape.
      Afterall, no software is created in a vacum, we all learn from the trials and tribulations of everyone else’s software, especially from the biggest and most popular. You might want to try working with IE and Windows developers and see if you can really come up with something. Barring that, you might want to see shrink and deal with those self-esteem issues..

      That said, I just can’t continue with this relationship any longer. All you ever say is that fix things, but the problem is that they already are fixed.

      There’s nothing secret about IE’s marriage to Windows. I’m a business user and a Windows user, I want synergy to exist between the OS and the browser. I’m sorry you have a problem with that, but don’t you understand…it’s not MY PROBLEM…

      You ask,”what about HTML e-mail in Outlook? Every time there’s a new letter in the Inbox, you rush over to help Windows render it. And what about HTML within Word? …And don’t get me started with those late nights you’ve spent rendering thumbnail images in Windows Explorer. You’re all over Windows and, what, you just expect me to turn a blind eye?”

      Firfox, open source, God forbid you turn a blind eye! Give me a break, Windows users USE Windows for the very things that you whine about! What part of “I like Windows” don’t you understand? And you know what? I want more! Windows XP sp2 is great, built in firewall, popup blockers and configurable. Now I don’t have to install, all those utilities that screw up my system. Dear Bill, keep it coming.

      Firefox, I wish you’d make up your mind, a few years ago everyone was complaining about feature bloat, now you’re complaining cause we don’t just add features for features sake. Can’t we reserve waffling for just politics? Oh and by the way, I don’t need tabbed windows, and also, your welcome for showing you all of the things that can go wrong in the real world. Must have really helped your programmers to have a live working program to borrow from…

      God, more repititous, redundant whining…. “Last Christmas, I gave you a free RSS reader, Pluck, and you seemed to like it…” Don’t you read Cnet’s software comments… fifty-seven percent of Cnet’s users gave it a thumbs down. Maybe next time you will ask me if I want something or find out if I really need something before before complaining.

      Ya see Firefox, “what I want is a browser that’s strong and secure, one that handles the latest content and won’t crash…” And you know what, I got that in IE. I take care of it, it takes care of me. And it is much to soon to say the same thing about Firefox. You can dust off your conspiracy theories, flap your jaws and fill the world with exaggerations and hype, but in the end you just don’t have enough muscle to make a dent in my territory, but it will be amusing to watch.

      Better luck next time.

      Bob Campbell

      • #3291416

        You got skills

        by madestroitsolutions ·

        In reply to One night stand

        Very kewl letter, lol

      • #3314983

        It’s all right – we know you never two-timed IE

        by david hamilton ·

        In reply to One night stand

        I know you’d like people to believe that you had some kind of affair with Firefox, but the truth is that IE wears the trousers in your marriage, and, however bad it gets, you’re never going to leave IE. You’re so smitten that you’re blind to any failings, and scared even to criticise bad habits.

        You may never have see any of IE’s betrayals, but it remains that many other people have. And if bad things come onto people’s computers from web sites, it makes sense that the browser they use is responsible. It is not surprising that people feel let down by IE.

        And if you fail to see the wrinkles and lines of old age creeping into IE’s face, maybe its your love that’s blinding you, or maybe that your eyesight is beginning to fail too.

        That IE helps its friend Outlook with bits of work, well, I’m sure that’s charming, but when IE forgets to lock the front door in the rush (and allows a JavaScript exploit, or an IFRAME buffer overflow) and allows unsavory people into the house, that’s not so good.

        I’m suprised, though, that even you haven’t noticed that you’re living with a schizophrenic!!! Open a website and ask IE who it is (Help/About Internet Explorer) – answer “Internet Explorer”. Now open the ‘Folders’ Explorer Bar, and select a folder on your hard disk. Ask again who IE is (Help/About Windows) and the answer is ‘Windows’.

        And IE hides things about the house that you don’t know about – it’s good that you mentioned Thumbnails. Ever wondered where those thumbnails are hidden? No? Well you should, because viruses are starting to hide in the same places, where apparently even virus scanners can’t find them!

        I know that it is difficult seeing someone you love grow old – especially when there is a fresh face like Firefox around. Realising that with every day more and more sites start using CSS2 and CSS3 features that IE can’t display must really hurt.

        But yours is a true love, and I know that you will always love IE, no matter how old and shabby it gets; no matter that it no longer know who it is; no matter how many uninvited guests it allows in.

        And I think that’s great.

        /david

    • #3291465

      Latest Virus Link

      by fbuchan ·

      In reply to Dear IE, I’m leaving you for good

      The My Doom variant described in that link does not affect anyone running SP2. That isn’t a defence of IE, just an observation. And, its infection rate is low, so if you want to use a risk as a springboard for such an article, why not choose one that is less pedestrian?

      And, while Fire Fox is very good work, to suggest that it doesn’t suffer vulnerabilities is simply disingenuous. Suggest instead it currently isn’t a large target and has no known vulnerabilities and that may stand as a fact, but even the developers who built it will admit that it is a matter of time before someone with intenta nd time exposes its users to risk.

      Until people stop clicking without thinking, there is no such thing as a truly secure browser experience. Switching from IE makes sense for some, but for most all the switching in the world won’t do much good until they think about their use in context of security.

      • #3291294

        Reply To: Dear IE, I’m leaving you for good

        by tommy higbee ·

        In reply to Latest Virus Link

        Considering that IE uses ActiveX, which is inherently insecure and badly designed from a security standpoint, anyone who claims that IE and Firefox are equally secure is provably wrong.

        I have no problem with people urging a more realistic view of security. Yes Firefox is new, and still a small target compared to IE. Firefox is not magic, it will be vulnerable. But just because it will never be perfect doesn’t mean it’s no better than IE. Just like Java is more secure by design than ActiveX, so Firefox has a security advantage over IE, 90% of which is from the lack of ActiveX controls.

        There is, by the way, an (unsupported) ActiveX plugin control available for Firefox, if you just have to get the two on an equal footing….

        • #3305148

          Yes, but.. who uses ActiveX controls anymore?…

          by madestroitsolutions ·

          In reply to Reply To: Dear IE, I’m leaving you for good

          I agree with what you are saying but who uses Activex controls anymore…. after all, like you said, they are badly designed and have always been a headache to use. You may argue that you still have some ActiveX components out there (like antivirus scanners) but then again, you have the choice of whether or not you want to install them. In my mind, that makes them no different than extensions for FireFox. They follow the same concept, allowing the browser to do things that it did not do by design. Sooner or later, someone out there will begin exploiting vulnerabilities in Firefox.
          FireFox can be better (and probably is) than IE, but if you look at it from that point of view, you have lots of software out there that does better things that Microsoft products do, but most people (and companies for this matter) favor Microsoft products because of architecture integration issues.

        • #3305014

          CERT Report on ActiveX

          by bcampbellone ·

          In reply to Reply To: Dear IE, I’m leaving you for good

          The CERT? Coordination Center has a white paper which dispels many of the myths that you are perpetuating. In the paper it talks about the security issue, the design and the power of ActiveX. And it does so in an informative, objective way.
          The thing I find most interesting is that it was written in 2000 and yet the same myths are still
          repeated by otherwise intelligent technical editors and geeks. After all is said and done, it is more about MS bashing then improving the technology.
          Bob

        • #3310912

          ROFL

          by david hamilton ·

          In reply to CERT Report on ActiveX

          A most amusing read!

          My executive summary of that paper is: “Only ever use ActiveX controls created by your own company on your own Intranet; disable everything else.”

          And I really enjoyed the 9 (NINE!) page appendix of vulnerabilities.

          😀

          /david

        • #3310881

          Knock your self out.

          by bcampbellone ·

          In reply to ROFL

          Hey, no problem knock your self out, it can be extremely difficult to get past our preconceptions and bias. That’s why the paper was written in the first place.
          As the paper notes,”ActiveX is a powerful and, therefore, potentially dangerous technology. Most of the risks can be managed if you are aware of the problems. The concerns discussed in this section should be borne in mind when deciding when and how to use ActiveX in your environment.”

          It seem the problem here is not really ActiveX, but a lack of ActiveX knowledge and poor implementation by developers…

        • #3310870

          Hello – planet earth calling…

          by david hamilton ·

          In reply to Knock your self out.

          We’re discussing the use of this technology on the Internet – right?

          OK, in that case:

          1) The only way to be safe is to know where the control comes from or disable it (e.g. don’t use it on the internet).
          2) Anything else is a risk and, sooner or later, given the size of the Internet, it WILL be exploited.

          No, the problem IS ActiveX, and more specifically its lack of sandbox facility, compounded by the power of scripting its capabilities. From the report (read and weep):

          “Execution Concerns ? running controls

          1. ActiveX controls have more capabilities than tools that run strictly in a sandbox. Because ActiveX controls are native code that run directly on a physical machine, they are capable of accessing services and resources that are not available to code that runs in a restricted environment.

          2. Nearly all ActiveX control security mechanisms are based on Internet Explorer. Unfortunately, ActiveX controls do not rely only on Internet Explorer; they can be installed and executed completely outside of IE. Third-party applications that use ActiveX technology may not provide the security mechanisms available in Internet Explorer.

          3. Many of the security mechanisms provided by Internet Explorer are coarse. Some of the security mechanisms are all-or-nothing propositions, forcing a user to choose between functionality and security. For instance, there is currently no way
          to run a single ?unsafe for scripting? control without enabling all ?unsafe for scripting? controls.

          4. When an ActiveX control is executed, it usually executes with the privileges of the current user. There is no mechanism for externally restricting the privileges of a control. (i.e., ?sandboxing?).

          5. Because ActiveX controls can be invoked remotely (through a web page or email message), each control presents a channel into a network that can potentially be used by an attacker.

          6. ActiveX controls do not have an effective abstraction. Because each ActiveX control has arbitrary latitude in deciding when it can be run and what it can do, it is impossible for users to intuitively determine the behavior of an given control.

          7. ActiveX controls are difficult to manage and audit, particularly for non-expert users. The tools to manage ActiveX controls are lacking in several important areas. (For more details, see the section for system and network administrators in Part 2.)

          Scripting Concerns

          1. ActiveX controls that are scriptable are responsible for implementing their own security. Because ActiveX controls do not run in a restricted environment (a sandbox), each scriptable control is required to implement its own security policy?in effect, its own sandbox. Implementing a single sandbox is difficult, as
          evidenced by recent problems in certain Java classes from Netscape
          (http://www.cert.org/advisories/CA-2000-15.html). Though it is not true that each control has to implement a general-purpose sandbox, each control does have to ensure that it behaves well in response to any input, in any order. Because each
          control presents a channel into your network (as described above), there is a large number of potential failure points.

          2. Scripts can use controls in ways unanticipated by the original control author. This often leads to unexpected behavior that can be exploited to violate security policy.

          3. Scripts can invoke controls ?translucently.? A user may not realize that a script is using controls, and it may be impossible to determine beforehand which controls are being used (in an HTML document). As a result, the user might not be able to make informed decisions on whether to open such documents.

          4. ActiveX is a means for scripts on a web page to escape the Internet Explorer ‘sandbox.’ This is arguably a script engine issue, but it does illustrate one way in which a control could be used to subvert security.

          5. Scripting engines other than those in Internet Explorer might not provide the security mechanisms that IE does with respect to ActiveX. As third-party applications incorporate ActiveX technology, they will be responsible for
          invoking ActiveX security.

          6. Cross-site scripting is still poorly understood. Users of many web sites are vulnerable to a variety of cross-site scripting attacks. (See
          http://www.cert.org/advisories/CA-2000-02.html). Because ActiveX controls are not isolated in any way, trust decisions made in the context of a cross-site scripting attack can lead to the invocation of vulnerable native code.”

        • #3310862

          Reply To: Dear IE, I’m leaving you for good

          by bcampbellone ·

          In reply to Hello – planet earth calling…

          It always amazes me how narrow peoples focus is when it comes Microsoft. Here you have the top internet security site on the web attempting to educate users, developers and management on a particular technology and what happens? More spin then a polictical campaign.

          Like I said, you only *see* what you want to see. Go back and read the whole document and you might see that the power and reuse of ActiveX controls comes from the fact that they DO NOT run in a sandbox, that’s the way they were designed.
          “ActiveX controls have more capabilities than tools that run strictly in a sandbox.
          Because ActiveX controls are native code that run directly on a physical machine,
          they are capable of accessing services and resources that are not available to code
          that runs in a restricted environment.”

          Microsoft has tons of material on how to use, secure and delvelop ActiveX controls. The trouble is that people don’t read. And if you don’t read, you will weep.”

          My planet is Earth, you may blindly go where no man has gone, but in technology, that will kill you.

        • #3310851

          Re: It always amazes me…

          by david hamilton ·

          In reply to Hello – planet earth calling…

          Reply to message above.

          The point that you’re completely missing (probably deliberately) is that the power that you talk about, while it is fantastic on a controlled environment like an Intranet, is DOWNRIGHT DANGEROUS in an uncontrolled environment like the Internet.

          “Microsoft has tons of material on how to use, secure and delvelop ActiveX controls.”

          I’m not talking about badly developed controls; I’m talking about deliberately malicious controls!!

          The Internet is a huge place, and (unfortunately) contains a fair number of pretty sick individuals. If a technology on the Internet can be misused, IT WILL BE.

          Unfortunately, that power that ActiveX has makes fundamentally open to misuse. You cannot dismiss that as spin – it’s the reality of the situation.

          Nelson, I think it is time for you to hold the telescope to your good eye, and look again.

          /david

        • #3310848

          That is the idea of ActiveX controls

          by madestroitsolutions ·

          In reply to Hello – planet earth calling…

          Where you see problems, I see features.
          That is precisely the idea behind ActiveX controls. They give you the flexibility and the functionality that you otherwise would not have in a stateless and limited environment as the web is (Not that ActiveX controls cannot be used in regular programs).
          And Of course the developer is responsible for security. If ActiveX allows you to have a component running on the client side with user priviledges, it is up to you to make sure that no one exploits your control.
          Talking about “Scripts can use controls in ways unanticipated by the original control author.”, hmm, that sounds to me like most vulnerabilities out there. If I send a super long and carefully crafted string to your web server, I will get it to do something you did not program it to do, like access violations, right?

        • #3310845

          Re:Re: It always amazes me…

          by madestroitsolutions ·

          In reply to Hello – planet earth calling…

          If that is the case David, then we should stop making cars and motorcycles because they are dangerous. Maybe you should give a call to Marlboro and ask them to stop making cigarrettes, and while you are at it, call the patents office and ask them to destroy any patents and technology related to making guns, because someone might make a “deliberately malicious” gun and kill someone else…. 🙂

        • #3310837

          KeeBored – Your Error…

          by david hamilton ·

          In reply to Hello – planet earth calling…

          The error in your analology is one of scale. While dangers with cars and bikes do exist, the danger is constant. I.e. a problem with one car is not likely to infect other cars and bring the road system to a standstill.

          Flaws on the internet can increase by orders of magnitude due to the level of automation, and so a totally different set of danger criteria have to be applied.

          I’d give your short essay on Internet Security a grade of “D-. Hasn’t really got the hang of the subject yet”.

          Regards
          /david

        • #3293713

          Well, a few things…

          by madestroitsolutions ·

          In reply to Hello – planet earth calling…

          1) Evidently, you do not live in a big city, or at least not in one where a simple car crash can bring 1/4 of the city to a traffic halt.

          2) In terms of Internet Security, there are only two alternatives: either it is secure, or not.

          Finally, being a programmer with over 7 years of experience and having worked in some pretty big companies and projects, I can assure you I know what I am talking about.

          Cya!

    • #3305025

      Konqueror is enough for me

      by gimbal ·

      In reply to Dear IE, I’m leaving you for good

      ….given, “What’s available?” — across all PC
      operating systems.

      (Konqueror is also the basis — somehow — of
      Apple’s nice Safari browser.)

      —-

      I’ve been through with Windows and IE, on my
      home station, for some many years.

      (I can deal with the Microsoft systems, at work
      — they are as they are; people get what they
      get; people use what they’ve been taught on —
      but, there is nothing so seriously useful to me
      as my own self-admin’d Linux station — that
      being, really, not a
      Microsoft-remote-by-way-of-kludgy-design admin’d
      station)

      KDE’s Konqueror is my favorite browser, in the
      Linux XFree86 world — it looks nice, it runs as
      well as any “full featured” browser

      (and the whole stinking lot of browsers seem to
      be bloated on some sort of insanity in the
      low-level code, or something, but, “we make
      due”)

      …and it’s customizable, stylish, comfortable,
      and quite more useful than Microsofts’ IE —
      though it’s made on some similar design
      principles, at least about the fact: Konqueror
      can be used as a web-browser, or as a regular
      file manager.

      Now, most of y’all might not know what SSH is,
      for one, but, in short: It’s useful for
      publishing to a web site (without the
      procesor-expenditures, attendant with DAV on the
      server, and the certificate fun, attendant with
      HTTPS). Konqueror, for one, handles scp: URIs —
      so, I can use Konq. to publish straight to a web
      site, as if I was copying a file to a local
      filesystem directory

      ….and I didn’t have to download, install, and
      keep track of any hacked-in
      patch/driver/CAB/whatever sort of thing, for
      that very useful “feature” of Konqueror to be in
      place. Konqueror ships with it.

      • #3311166

        Some simple facts

        by madestroitsolutions ·

        In reply to Konqueror is enough for me

        1) This is a tech post. Of course we know what SSH is.
        2) Evidently you have never worked for a company with more than 20 employees.
        3) If IE had come out after Konqueror, it would have had many bells and weasels too. Other browsers have what they have because they improve based on their predecessors.
        4) Internet explorer can also be used as a file manager.
        5) “To publish straight to a web site, as if I was copying a file to a local filesystem directory” sounds a lot to me like FTP. Again, IE has it builtin.
        6) They should mention the user technology & Knowledge level required to understand posts like this.

        No offense, all cheers mate.

Viewing 4 reply threads