Zero-Day
December 16, 2008 2:33 AM

BBC: Users of the world's most common web browser (good old IE!) have been advised to switch to a rival until a serious security flaw has been fixed. Microsoft Security Advisory 961051.

Microsoft Corp. has tipped off its users of a “huge increase” in hacking attacks exploiting a critical unpatched vulnerability in some versions of its flagship web-browser Internet Explorer (IE), and notified that some of these attacks have originated from hacked porn websites.

In addition to IE7, other versions like IE 5 and IE 6 have also been found to be vulnerable to the flaw, which on proper exploitation could enable a hacker to seize complete control over victim’s computer, the company added.

The flaw essentially originates from the improper handlings of DHTML data bindings due to a memory corruption error. Though the hackers have been exploiting the vulnerability for more than a week, the company notified an upswing in attacks over the weekend.

Researchers Tareq Saade and Ziv Mador in one of their postings on Malware Protection Center blog said, “Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to websites containing exploits of this latest vulnerability”.

The researchers purported that the hackers have now changed their methodology of attacks, as instead of using malicious websites for attacks, they are now using compromised legitimate websites to trick the users.

Incidentally Trend Micro Inc has estimated that around 6,000 websites have been infected so far to exploit the vulnerability, with the count “quickly increasing in number”.
posted by chuckdarwin (113 comments total) 2 users marked this as a favorite
 
Maybe my office will listen to me now and switch to FF.
posted by ClanvidHorse at 2:37 AM on December 16, 2008


I must say, this is shocking.
posted by maxwelton at 2:40 AM on December 16, 2008 [3 favorites]


So that's what a fox laughing sounds like.
posted by mandal at 2:42 AM on December 16, 2008 [1 favorite]


ClanvidHorse, I'm actually typing up a new policy right now. I don't think they would have cared to implement it before.

It's too bad Chrome isn't more finished, because I quite like it.
posted by chuckdarwin at 2:48 AM on December 16, 2008


Maybe my office will listen to me now and switch to FF

I've been working on web apps for several major international banks and most of the people I deal with are still using IE6. I wonder if it's because the alternatives are mostly free, and, you know, free stuff can't be any good.
posted by le morte de bea arthur at 2:48 AM on December 16, 2008




Le morte, I think that must be it -- if you can't put it on a schedule of assets, pay for maintenance and deployment, all that, it doesn't really fit into the accounting and diligence habits of big institutions. Then it doesn't look like you're putting any money into IT, and you seem irresponsible. So we end up with software depreciating over time like any other asset, like it's a rusting tractor, even as it gets better.
posted by finnb at 2:58 AM on December 16, 2008 [1 favorite]


I quite like how Firefox 3 and Google will now warn me if a site may harm my computer. In the future, I expect them to warn me if a site will harm my brain ("This site contains poorly reasoned arguments, obnoxious design features, or meaningless propaganda. Proceed with caution.")
posted by twoleftfeet at 3:13 AM on December 16, 2008 [8 favorites]


Anybody else sick of these pile-on comments about Microsoft and IE?

Yes, IE/MS products have security issues.

Yes, all non-IE/MS products, including Firefox, have security issues.

Yes, IE/MS products are routinely the most targeted platforms for attack because they have the vast majority of users.

Yes, all non-IE/MS products, including Firefox, would be attacked just like MS products if they were the dominant products.

I'm not excusing MS for security issues and I certainly enjoy Firefox, but why is it these posts always devolve into fanboy drivel?

I just see the value of this entire post to be limited to the FYI that there is a vulnerability and to use best practices of using the lesser adopted browser if you have any personal concerns. I don't buy the argument that people won't adopt Firefox because it is "free". IE is free. People don't adopt Firefox because it isn't pre-loaded on their machine. There is also institutional concern about training people on Firefox (even slight differences cause panic among less experienced users) and the effort of pushing the browser onto everyone's computers.
posted by Muddler at 3:16 AM on December 16, 2008 [7 favorites]


It's funny. Only in the last year or two has IE gotten to a state where I would consider using it. I started using Netscape back in the day, before IE even existed. I got used to it and it kept adding functionality that I wanted (tabbed browsing years before IE did), so I never felt the need to switch.

For all I know, IE is the better browser with more customisation options, but after a decade of one, it's hard to switch to the other. The same applies for people who use IE, I'd imagine.
posted by slimepuppy at 3:20 AM on December 16, 2008


Anybody else sick of these pile-on comments about Microsoft and IE?

Nope, keep 'em coming.
posted by Blazecock Pileon at 3:20 AM on December 16, 2008 [20 favorites]


Yes, IE/MS products are routinely the most targeted platforms for attack because they have the vast majority of users.

Ballmer, is that you?

IE is shite, and no amount of "get off their backs" from you will change that.

Microsoft have a responsibility to make the world's most distributed web browser free of these security flaws- but what? because they are a massive corporation we gotta cut them some slack. Gimme a break.
posted by mattoxic at 3:26 AM on December 16, 2008 [4 favorites]


I'm using this as the leverage I need to finally get those last couple of clients away from IE6. Can we talk the dangers of this up instead of down please? (I have, for example, set fire to my computer and taken a photo of myself pointing sadly at it, with a "See?" expression on my face.)
posted by Jofus at 3:31 AM on December 16, 2008 [2 favorites]


Anybody else sick of these pile-on comments about Microsoft and IE?

Which pile-on comments, precisely?

The morons in my IT dept will continue to enforce an IE6-only policy, which annoys me solely because it's a shit program, and the user experience of FF is far more pleasant. Bugger security, it's not my money.

So where do you work?
posted by pompomtom at 3:31 AM on December 16, 2008


Also, isn't the problem with Firefox vs. IE adoption in LargeCorp Inc. an issue with group policy stuff in Windows? As in, IE is more easily installed on every PC vs. Firefox lacking such features?

Also, MS & IE suuuuuuuuuck.
posted by slater at 3:38 AM on December 16, 2008




In answer to which pile-on comments, ummm...all of them. The comments here are not useful. These posts aren't leading to any helpful information on the attack or the solution, nor are they providing knowledgeable insight. It's just another rant-fest. There are a gazillion IT rant boards out there, why we have to pollute Metafilter with this stuff as well is beyond me.

No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody. Mention this to the zealots and they accuse you of being a MS corporate shill. Asinine.
posted by Muddler at 3:49 AM on December 16, 2008


In what way is "Don't use IE if you can avoid it, it's crap" not a solution?
posted by Skorgu at 4:05 AM on December 16, 2008 [3 favorites]


No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody.

Maybe not, but IE is by far and away the least secure option. Has been for years, as this study from a few years ago demonstrates. Also:
MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole. Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe.

As many have argued (here's one), open source projects like Firefox have the intrinsic ability to resolve security issues faster than, say, Microsoft can.
posted by twoleftfeet at 4:10 AM on December 16, 2008 [4 favorites]


The comments here are not useful. These posts aren't leading to any helpful information on the attack or the solution, nor are they providing knowledgeable insight.

Oooh gosh, well I hope this one qualifies as a helpful link.
posted by mandal at 4:13 AM on December 16, 2008 [4 favorites]


Muddler, it's called schadenfreude. Microsoft has spent the last how many years telling us about their new security focus and how they've gone over every line of code and closed source is more secure than open source and blah blah blah. And now they're telling us about this bug that's been around for NINE YEARS.

We all know Firefox has security issues too. We all know that software written by anyone is going to have bugs. It's irrelevant -- it doesn't mean we can't derive some enjoyment from watching Microsoft squirm when their hypocrisy is brought to light.
posted by jburka at 4:13 AM on December 16, 2008 [3 favorites]


Amusingly, the attack probably relies more on the compromised websites that are probably running open source programs on top of LAMP stacks.
posted by srboisvert at 4:23 AM on December 16, 2008


MS in general and IE in particular are complete crap. That said, the biggest problem here isn't poor software, it's monoculture thinking. "Get all of our users on X and that will solve all our problems." That just leaves you (a corporation, an industry, a country or a world) vulnerable to a single exploit or failure.

If you have "standardized" on IE7 and IE7 turns out to have a major security flaw, your entire operation is stopped while IT runs around trying to fix it (that's after a patch is finally released).

Instead of "standardizing" on a version number of a particular product you should instead choose some real standards and then offer a wide range of products that implement those standards. Then when one of the products turns out to have a flaw only a small subset of your users are stopped. And IT doesn't even have to wait until a patch is released because they can just migrate those users to a different product.

(If the standard itself is discovered to have a flaw my solution is no better than the usual one, but this is a rarer occurrence. Also, multiplicity of standards can help here. E.g., allow me to use FTP and HTTP and if one of them has a problem I can use the other.)
posted by DU at 4:33 AM on December 16, 2008 [4 favorites]


I'm not excusing MS for security issues and I certainly enjoy Firefox, but why is it these posts always devolve into fanboy drivel?

Because everyone likes watching the giant fall.

Because even if you don't use IE and do web development, you're still bound by it.

Because any sort of good will Microsoft had with the web community has long gone out the, um, window and ain't coming back.

Because it's a shit browser.
posted by Brandon Blatcher at 4:33 AM on December 16, 2008 [1 favorite]


I am so tired of the programs that are absolute requirements for my work and my school only working on IE. 'Specially cuz I have a Mac.
posted by brevator at 4:48 AM on December 16, 2008


I just wrote a company policy requiring the use of Firefox unless a specific, work-related site requires IE. Fun stuff.
posted by chuckdarwin at 4:52 AM on December 16, 2008


I just wrote a company policy requiring the use of Firefox unless a specific, work-related site requires IE.

In which case you should still use Firefox, just with the IE Tab extension.
posted by twoleftfeet at 4:57 AM on December 16, 2008


No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody.

Security is never an all or nothing issue; it's a one is better than the other issue. Sure, you are going to find security problems with Firefox or Safari but IE has had a long sad history of major problems and IT security is the art of minimizing risk not throwing up your hands and saying, "oh dear, they all suck so we can't make any choices."
posted by octothorpe at 4:59 AM on December 16, 2008 [2 favorites]


Yes, all non-IE/MS products, including Firefox, would be attacked just like MS products if they were the dominant products.

*points out Apache as the canonical counterexample*

*walks away from the 100th rehash of this discussion*
posted by you at 5:18 AM on December 16, 2008


No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody. Mention this to the zealots and they accuse you of being a MS corporate shill. Asinine.

There are plenty of totally secure applications out there. It's a bit rich of you to start chiming in with fanboy alerts so early in the post.

When the average internet browsing schmo is forced to use IE because they don't know of an alternative- then picks up all sorts of BHOs that render their internet experience either useless or dangerous- then responsibility of repairing it should lie with the vendor.

IE6 (and for that matter 7) has been around for almost 10 years- no real upgrades or patches- it's insecure and is a poor environment to develop in. Sure, 8 years ago when the only alternative was Netscape 4.75- maybe IE was OK.
posted by mattoxic at 5:29 AM on December 16, 2008


One quibble: the wording of the FPP implies that Microsoft itself is advising customers to switch to an alternate browser, which isn't the case.
posted by swift at 5:37 AM on December 16, 2008


the wording of the FPP implies that Microsoft itself is advising customers to switch to an alternate browser

Microsoft is well known for encouraging its customers to use competing products.

I just wanted to see what that would look like in print.
posted by twoleftfeet at 5:51 AM on December 16, 2008 [4 favorites]


*throws shoes and runs*
posted by fcummins at 5:52 AM on December 16, 2008


> Yes, IE/MS products are routinely the most targeted platforms for attack because they have the vast majority of users.

Which puts Microsoft in the position of greatest responsibility to ship software that works right the first time, because they are putting the greatest number of users at risk.

Let's take one example: Email viruses. There used to be no such thing; email clients couldn't treat incoming email as executable files, so it wasn't possible. It was such a laughably bad idea to those in the know that the Good News virus was concocted by somebody as a prank to scare the newbies.

And then Microsoft shipped an email client that could execute arbitrary files. And it proved to be exactly as laughably bad an idea as every freshman CS major understood it to be. And for about a decade now users of Microsoft's mail clients have had to run increasingly complex antiviral software, be taught to do this thing and not that thing, to accept mail from these people and not those people. Corporations have had to spend tens of thousands of dollars on proprietary black box hardware, mail filters and gateways, and dedicate IT staff entirely to the purpose of preventing email viruses.

And, at no time, has Microsoft ever said, "WHOA, THAT WAS A BAD IDEA!" and simply eliminated the feature in Outlook that executes arbitrary attachments, the feature that is only exploited by bad people because nonmalicious users have been indoctrinated for a decade to never, ever, ever, send or open email attachments.

There's no such thing as perfectly secure software. Software can be designed and implemented to make itself more or less vulnerable to attacks, and Microsoft, vendor of eighty or ninety mumble percent of the world's desktop operating systems, has the greatest responsibility to get it right the first time, and they repeatedly do the opposite. When the folks designing my operating system think that it's a really good idea to cook up parallel-universe web page object models, design email software that will run anything anybody mails me, and all kinds of other flat-out-stupid ideas, I'll consider it on par with Windows.
posted by ardgedee at 6:07 AM on December 16, 2008 [10 favorites]


This is both sad and great news. I've passed the link along to a bunch of people and even if a fraction of them switch (to anything else) I'll be a bit happier.
posted by furtive at 6:07 AM on December 16, 2008


In the next Mac ad, Hodgman will reveal his superfluous fourth nipple.

#3 has its uses, thankyouverymuch.
posted by robocop is bleeding at 6:07 AM on December 16, 2008


> In which case you should still use Firefox, just with the IE Tab extension.

Remember that using IETab means running Internet Explorer all the same, and you are not immune from its vulnerabilities.
posted by ardgedee at 6:09 AM on December 16, 2008


No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody.

Theo de Raadt does.

Mention this to the zealots and they accuse you of being a MS corporate shill.

You're not an MS corporate shill, are you?

Asinine.

Exactly.
posted by cytherea at 6:11 AM on December 16, 2008 [3 favorites]


I think the South Park guys have said all there is to say about MS marketing.

"Get Bill Gates in here..."
posted by A dead Quaker at 6:34 AM on December 16, 2008


Microsoft is well known for encouraging its customers to use competing products.

Indeed. And not with mere words, either.
posted by rokusan at 6:43 AM on December 16, 2008 [3 favorites]


There are plenty of totally secure applications out there.

Name one.

Theo de Raadt does.

False.
posted by event at 6:47 AM on December 16, 2008


Did you actually look at those security fixes?
posted by cytherea at 6:53 AM on December 16, 2008


As many have argued (here's one), open source projects like Firefox have the intrinsic ability to resolve security issues faster than, say, Microsoft can.

I have agreed with this before, and there seems to be at least anecdotal evidence to back it up.

But--Microsoft's got a ton of cash, and nobody's holding a gun to their heads forcing them to not fix bugs. I understand that it's hard to change culture, but it's by no means impossible especially if there's someone high enough up that cares enough.

The immediate fallout of this is probably that they'll release a statement that defends their statement as not actually encouraging people to switch browsers.
posted by RikiTikiTavi at 6:54 AM on December 16, 2008


I don't want to get into a pissing match about app security but DJB's $500 has never been claimed.
posted by Skorgu at 6:58 AM on December 16, 2008 [2 favorites]


Fight Club:
JACK I'm a recall coordinator. My job is to apply the formula. It's a story problem.
TECHNICIAN #1 Here's where the infant went through the windshield. Three points.
JACK A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up.
TECHNICIAN #2 The teenager's braces around the backseat ashtray would make a good "anti-smoking" ad.
JACK The car crushes and burns with everyone trapped inside. Now: do we initiate a recall?
TECHNICIAN #1 The father must've been huge. See how the fat burnt into the driver's seat with the polyester shirt? Very "modern art".
JACK Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

CUT TO: INT. AIRPLANE CABIN - MOVING DOWN RUNWAY - NIGHT Jack is speaking to the BUSINESSWOMAN next to him.

JACK If X is less than the cost of a recall, we don't do one.
BUSINESSWOMAN Are there a lot of these kinds of accident?
JACK You wouldn't believe.
BUSINESSWOMAN Which car company do you work for?
JACK A major one.
posted by twoleftfeet at 6:59 AM on December 16, 2008


I don't envy Microsoft. Of course it's great for them that they control the most common web browser platform on the Internet. But it's a huge responsibility, every time a security problem like this turns up they have to rush a fix out in hours, not days. It's not easy. I think Microsoft is pretty responsible about handling security problems: they notify, they have a fantastic auto-update service, they fix bugs quickly. But sometimes it takes a few days to make a patch.

The underlying problem is the way we all write software is broken. One of the linked articles says the bug "originates from the improper handlings of DHTML data bindings due to a memory corruption error". I'm guessing "memory corruption" means some sort of buffer overrun. It's 2008, we should not ever ever ever have bugs like that in our software anymore. But MSIE is old software, and I imagine Microsoft has decided not to spend the 10s of millions of dollars to rewrite the whole thing in managed code. C++ FTL.

The AP article says "The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market." I just bought a two-factor authentication token for my World of Warcraft account to protect against this kind of attack. Now my game account is more secure than my bank account. OTOH, game accounts are attacked a lot more often because there's no penalty for hacking them.
posted by Nelson at 7:08 AM on December 16, 2008


No, it's the way Microsoft writes software that's broken. Microsoft, where it isn't the overwhelmingly dominant player in the space, =still= is targeted and exploited with a grim regularity that other companies just don't worry about. Their software design is usually broken coming out of the gate, and internal politics and a "we'll fix it later" attitude prevents any remedy.

IIS and MS SQL come immediately to mind. Anyone else remember Slammer? An absolute catastrophe that the MySQL project or Oracle would never have allowed to take place, despite developing products that are just as dominant as Microsoft's. Slammer isn't an isolated incident that could happen to anyone - it's typical of the sort of apocalyptic horrors that MS users will face sooner rather than later, as this latest catastrophe illustrates.
posted by Slap*Happy at 7:22 AM on December 16, 2008 [1 favorite]


Ah, I didn't read the security advisory. It's quite detailed on the technical problem:
The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space.
What a stupid bug. It's only possible because so much software (including every major web browser) is still written in assembly language. Yeah, it's assembly with types and objects and a bunch of other C++ crap. But end of the day you're still manipulating pointers directly into memory. And sometimes that goes wrong and you get a stupid bug like this.

There is no reason to write application software in an inherently unsafe language like C++. Modern languages with managed memory are faster, easier to code in, and make bugs like this impossible. Java, .NET, 30 year old lisp, whatever. Why are we still living in the dark ages?
posted by Nelson at 7:23 AM on December 16, 2008 [1 favorite]
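
The release-without-updating-the-length pattern quoted from the advisory above, modelled in C as an added example (not code from the advisory, from Microsoft, or from anyone in this thread). The names `BindingArray`, `Record`, `release_flawed` and `release_fixed` are hypothetical, and a static pool stands in for the heap so the stale read is observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Internet Explorer code. A static pool stands in for
   the heap so a read through a stale pointer is well-defined and observable. */
#define POOL_SIZE 8

typedef struct {
    bool in_use;   /* false once the object has been released */
    int  value;    /* payload a consumer of the array reads */
} Record;

typedef struct {
    Record *items[POOL_SIZE];  /* object pointers held by the array */
    size_t  length;            /* how many entries consumers will walk */
} BindingArray;

typedef struct {
    size_t length;    /* array length after the release */
    size_t dangling;  /* entries within length that point at released objects */
    int    sum;       /* what a consumer reads after the slot is reused */
} Outcome;

static Record pool[POOL_SIZE];

static void pool_reset(void) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        pool[i].in_use = false;
        pool[i].value = 0;
    }
}

/* First-fit allocation: a released slot is handed out again immediately. */
static Record *record_alloc(int value) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].value = value;
            return &pool[i];
        }
    }
    return NULL;
}

static void record_free(Record *r) {
    r->in_use = false;
}

bool array_push(BindingArray *a, int value) {
    if (a->length >= POOL_SIZE) return false;
    Record *r = record_alloc(value);
    if (r == NULL) return false;
    a->items[a->length++] = r;
    return true;
}

/* Flawed: releases the object but leaves the slot and the length untouched. */
bool release_flawed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return false;
    record_free(a->items[idx]);
    return true;
}

/* Corrected: releases the object, closes the gap and updates the length. */
bool release_fixed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return false;
    record_free(a->items[idx]);
    for (size_t i = idx + 1; i < a->length; i++) a->items[i - 1] = a->items[i];
    a->items[--a->length] = NULL;
    return true;
}

size_t count_dangling(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++) {
        if (a->items[i] == NULL || !a->items[i]->in_use) n++;
    }
    return n;
}

Outcome run_scenario(bool use_fixed) {
    BindingArray a = { { NULL }, 0 };
    Outcome o = { 0, 0, 0 };
    pool_reset();
    array_push(&a, 10);
    array_push(&a, 20);
    array_push(&a, 30);
    if (use_fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    o.length = a.length;
    o.dangling = count_dangling(&a);
    record_alloc(999);  /* unrelated object lands in the slot just released */
    for (size_t i = 0; i < a.length; i++) o.sum += a.items[i]->value;
    return o;
}

int main(void) {
    Outcome bad = run_scenario(false), good = run_scenario(true);
    printf("flawed: length=%zu dangling=%zu sum=%d\n", bad.length, bad.dangling, bad.sum);
    printf("fixed:  length=%zu dangling=%zu sum=%d\n", good.length, good.dangling, good.sum);
    return 0;
}
```

In the flawed run the array still reports three entries, and the middle one now reads data belonging to an unrelated object; in the corrected run the consumer only ever sees the two live entries.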


Why are we still living in the dark ages?

$

They don't want to start over and write something modern. Fixing stuff that's basically free (IE) and making it run properly isn't profitable... which is the kind of thinking (on MS's part) that put google where it is today. If they could figure out how to get everyone to pay $100 for a browser, they'd probably rewrite it from scratch. As it is, they just leave it alone and plug the holes.
posted by chuckdarwin at 7:32 AM on December 16, 2008


Even if it isn't any more secure, there are things Firefox can do that IE will never do.
posted by twoleftfeet at 7:38 AM on December 16, 2008 [7 favorites]


odinsdream: Java isn't interpreted.
posted by Nelson at 7:42 AM on December 16, 2008


Because modern managed languages aren't faster than assembly/c++ and probably never will be? And users like fast browsers?
posted by no_moniker at 7:44 AM on December 16, 2008 [2 favorites]


I couldn't care less about ha ha ha Microsoft, but they, like everyone else do need to keep on top of these things, obviously. It's odd that there is hardly any bile directed at those who write these exploits in the sense of "Oh you got robbed? LOL! You should have used a better lock, OMFG you're an idiot!" sense (I realize that the analogy is weak for a number of reasons). Of course it seems that initiatives to police crime on the net are focused primarily not on sabotage but on evil downloaders and pirates.

The other large issue is the time, money, and stress developers have to go through to make web standards function in IE. The insistence that IE be used by large corporations is an unfortunate fact of life and I don't believe they'll budge for either reason. If only they'd license Gecko or WebKit and be done with it.
posted by juiceCake at 7:46 AM on December 16, 2008


There's a nice description of the actual exploit code here: Internet Explorer 7 Attack in the Wild if anyone is interested in how the heap overflow is created.
posted by trueluk at 7:46 AM on December 16, 2008 [1 favorite]


I would happily never, ever use IE - I use Opera, which is fast and lovely, it's what I'm used to and I really like the experience of using it. But sadly, there are pages that just don't seem to work on Opera. Recently, it's been Google books. They worked on Opera a few months ago, now they don't, and I have to use IE (don't have FF installed - no reason, just low on harddrive space and I have Opera).

Is it that Opera is not keeping up with pages? Or that the pages are not standard enough for Opera?
posted by jb at 7:50 AM on December 16, 2008 [1 favorite]


It's only possible because so much software (including every major web browser) is still written in assembly language.

Um. No?
posted by rokusan at 7:50 AM on December 16, 2008


pompomtom : The morons in my IT dept will continue to enforce an IE6-only policy, which annoys me solely because it's a shit program, and the user experience of FF is far more pleasant.

This drives me crazy. I fully understand that the IT department where I work has to deal with hundreds of non-technical people, and as a result of that, that they have a tough job to do, but when I point out to them that several of the diagnostic programs that have been developed by our corporate network operations center all say "Best Viewed with Mozilla Firefox" and ask them why we can't use it, and they respond with a glazed look "corporate doesn't want us using it, they think IE is better."

I really want to smack them. Clearly it's not the case, so I'm left wondering if it's laziness, incompetence, or some sort of weird office politics that make no sense to me.

I have seriously considered transferring into that department's management structure just to start the long process of making it make sense. I haven't yet because I don't think I need that kind of anger in my life.
posted by quin at 7:51 AM on December 16, 2008


There is no reason to write application software in an inherently unsafe language like C++. Modern languages with managed memory are faster, easier to code in, and make bugs like this impossible. Java, .NET, 30 year old lisp, whatever. Why are we still living in the dark ages?

Hoo boy. I don't even know where to begin.

Knock knock
Who's there?
(12-second pause)
Java

It's only possible because so much software (including every major web browser) is still written in assembly language.

Ah. Now I'm beginning to see. Um, would you guys remind me not to spoil the ending of this one by mentioning what that bytecode finally gets executed as?

I am a Java developer. I am not your Java developer. If I were your Java developer, I would not code your browser in Java, because I have stared into that abyss (Google 'IceSoft' and then ponder that they're dropping product support after giving up completely), and I have seen what stares back.
posted by Mayor West at 8:12 AM on December 16, 2008 [4 favorites]


Don't know why Opera doesn't get more love in these threads. For the vast majority of average users, it's a better choice than FF. Faster, sturdier, sleeker, lighter, tighter, easier...
FF's only real advantage is its more esoteric extensions (the main/basic ones are built in to Opera), which most users don't care about. Especially suitable for offices, and less computer-obsessed individuals.

There was a time a number of years ago that occasionally some sites didn't play well with Opera. But I use the web a shit load, and I've only had this problem maybe once or twice in the past 6 months or so. I expect FF probably has similar levels of very infrequent random problems.
posted by MetaMonkey at 8:13 AM on December 16, 2008 [2 favorites]


Modern languages with managed memory are faster, easier to code in, and make bugs like this impossible. Java, .NET, 30 year old lisp, whatever.

You've named three interpreted languages, which are slower than compiled languages like C/C++. Look at benchmark data here. One of the reasons that an interpreted language will have trouble overtaking compiled language performance is that the virtual machine has to be written in a compiled language. You can pick apart your VM implementation and go through it bit-by-bit and wring every extra ounce of performance out of it, but to do that you'll end up doing the exact kind of pointer-juggling that you're decrying.

And lisp is 50 years old.
posted by tylermoody at 8:14 AM on December 16, 2008 [2 favorites]


Metafilter: These posts always devolve into fanboy drivel
posted by lukemeister at 8:27 AM on December 16, 2008


CS protip: Learn about the halting problem, then come back and talk about "totally secure."

Security's a real tenuous thing. Something is called "secure," if, basically, a lot of smart people haven't figured out a practical way to break it yet.

For example, the cryptography currently used for you to buy things online goes away if some smart fellows figure out better mathematical techniques for certain problems, or once some other guys build a large-scale quantum computer.
posted by TheOnlyCoolTim at 8:30 AM on December 16, 2008 [1 favorite]


Modern languages with managed memory are faster, easier to code in, and make bugs like this impossible. Java

lol

Wait, I mean

response = responseFactory(responseLOL,getCurrentDateTime.convert(Julian))
htmlResponse = response.convert(formatHTML)
outputChannel = channelFactory(browserWeb)
outputChannel.init()
outputChannel.output(htmlResponse)

posted by DU at 8:35 AM on December 16, 2008 [8 favorites]


Provocative cat is provocative :-P

OK, OK, I'm well aware of the difficult history of trying to write application software in Java. I've used various incarnations of Java browsers and they do certainly suck, mostly because of problems in the GUI layer. The Eclipse IDE is a more positive example. And .NET applications work quite nicely on Windows systems. (And no, Java and .NET are no longer interpreted after the first execution of the code path. And yes, dynamic compilation in a JIT compiler can produce code that's faster than static compilation from a C compiler, particularly when you consider modern CPUs with complex caching and branch prediction. Most of the slowness in the larger environments comes from the layers of libraries wrapping kernel APIs, not the mechanics of executing the code.)

Mostly it appalls me that we still have stupid memory management bugs. If you don't like a full managed runtime like .NET or Java, how about just using a simple bounds checking runtime on top of C? Why don't we even do that? Yeah, it adds a little overhead. Wait a month and the new model of CPU will be fast enough to compensate. I mean, it's still considered controversial to ban strcpy() because some C nerd will tell you the overhead of strncpy() isn't necessary if you "know" the string won't ever overflow. That's just bullshit coding.
posted by Nelson at 8:45 AM on December 16, 2008 [1 favorite]
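
An added example (not part of the comment above, and not code from any browser or runtime): a small sketch of the bounds-checked-buffer idea for C, next to the way strncpy() alone can still leave a string unterminated. The names struct span, span_put, span_copy_str and strncpy_leaves_unterminated are hypothetical, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A "fat pointer": the buffer travels with its capacity, so every
 * access can be checked against it. (Hypothetical type for this example.) */
struct span {
    char  *data;
    size_t cap;
};

/* Checked store: refuses any index outside [0, cap).
 * Returns 0 on success, -1 if the write was rejected. */
int span_put(struct span s, size_t idx, char value)
{
    if (s.data == NULL || idx >= s.cap)
        return -1;
    s.data[idx] = value;
    return 0;
}

/* Checked string copy: never writes past cap, always NUL-terminates,
 * and reports truncation instead of silently overflowing.
 * Returns 0 if src fit, -1 if it was truncated or an argument was invalid. */
int span_copy_str(struct span dst, const char *src)
{
    size_t n;

    if (dst.data == NULL || dst.cap == 0 || src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dst.cap) {
        memcpy(dst.data, src, dst.cap - 1);
        dst.data[dst.cap - 1] = '\0';
        return -1;
    }
    memcpy(dst.data, src, n + 1);   /* includes the terminator */
    return 0;
}

/* The strncpy() pitfall: when src is at least n bytes long, strncpy()
 * stops after n bytes and writes no terminator at all.
 * Returns 1 if the destination ended up without a NUL byte. */
int strncpy_leaves_unterminated(void)
{
    char dst[8];

    memset(dst, 'X', sizeof dst);
    strncpy(dst, "0123456789", sizeof dst);   /* constructed over-long input */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

int main(void)
{
    char buf[8];
    struct span s = { buf, sizeof buf };

    printf("in-range store:      %d\n", span_put(s, 7, 'a'));
    printf("out-of-range store:  %d\n", span_put(s, 8, 'a'));
    printf("copy that fits:      %d\n", span_copy_str(s, "short"));
    printf("copy too long:       %d (kept \"%s\")\n",
           span_copy_str(s, "0123456789"), buf);
    printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated());
    return 0;
}
```

The cost of the check is one comparison per access; the caller still has to look at the return value, which is the part a managed runtime enforces for you.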


MS should direct people to the Windows version of Safari. That will have people coming back and begging for IE.
posted by Artw at 8:50 AM on December 16, 2008


I really want to smack them. Clearly it's not the case, so I'm left wondering if it's laziness, incompetence, or some sort of weird office politics that make no sense to me.

The answer to your question starts with something they learned during their MBAs, and it starts with "Nobody ever got fired for..."
posted by rokusan at 9:05 AM on December 16, 2008


Shitty programmers program shitty programs shittily. News at 11.

Your Java flame war is completely irrelevant, just like the nth-1 time it was fought. The fact that there is not a performant web browser written in pure Java means nothing.

I can point to a number of applications written in Java that are not web browsers that perform AMAZINGLY well (IntelliJ, Netbeans, Eclipse spring to mind, which do a hell of a lot more than browse the web), but that's not really the point either.

Writing secure software has to do with myriad factors apart from and on top of the choice of language. Can it be written in a readable manner so it is easy to peer review? Can it be written in a way that encourages refactoring when a security hole is determined to result from a design flaw? Does the company writing it encourage these policies? Will the application respond accurately to static security analysis?

Java is great. It can be fast and secure. So can C++. So can language X. What does it cost to get there? Got a number? Great! Now what does it cost to get there from here? You're probably talking about legacy code instead of a full re-write.

So at the end of the day, is your staff up to all of this, or are they shitty programmers programming shitty programs shittily?
posted by butterstick at 9:13 AM on December 16, 2008 [1 favorite]


Managed code does not have to mean Java or C#. It doesn't even have to be a dynamically typed language or one that runs on a virtual machine. OCaml and Haskell. Both compile down to native code. Both run competitively fast while managing memory and are strongly typed to remove errors related to mismatched types (and null).

Just because Java and C# aren't as fast as C++ doesn't mean that managed code is a lost cause in the speed department.
posted by Axle at 9:31 AM on December 16, 2008


Metafilter: I'm left wondering if it's laziness, incompetence, or some sort of weird office politics that make no sense to me.
posted by jquinby at 9:33 AM on December 16, 2008


>> Java, .NET, 30 year old lisp, whatever.

You've named three interpreted languages


Wrong. Programming languages are not interpreted or compiled, their implementations are. And the dominant implementations of all 3 languages above are compiled -- either to a VM or to machine code. (Compiled to VM != interpreted.)

And lisp is 50 years old.

Sure. And it's had compiled implementations since the mid-1960s.
posted by oncogenesis at 9:43 AM on December 16, 2008


According to those benchmarks, the latest Java is (on average) between 1.2 and 3 times slower than C++. Personally, I would be happy to have my browser's CPU usage go from 10% to 20% if it ran in a verified sandbox. You can bash Java the language all you want (and I frequently do), but I haven't heard of an exploitable JVM bug in quite a few years; I expect now that HotSpot is open source, the risk will continue to decline.
posted by teraflop at 9:46 AM on December 16, 2008


No company can make totally secure software. Apple doesn't do it, Mozilla doesn't do it - nobody.

Theo de Raadt does.


No, he doesn't.

You're not an MS corporate shill, are you?

Rich coming from a fanboi.

Their software design is usually broken coming out of the gate, and internal politics and a "we'll fix it later" attitude prevents any remedy.

The real driver for their broken software design is people keep buying their stuff because customers (apparently) want cool features more than good, robust, secure software. If people were prepared to lose some features and shiny gee-gaws for more secure platforms, Microsoft would either (a) change their strategy or (b) slowly go out of business.

Mostly they're rewarded for it though.

IIS and MS SQL come immediately to mind. Anyone else remember Slammer? An absolute catastrophe that the MySQL project or Oracle would never have allowed to take place,

Are you aware how many serious security defects Oracle have had over the years, most of which they refuse to address until the full disclosure community gets ahold of them? How out-of-date their Linux distro is on security patches? Obviously not, or you wouldn't say anything so stupid.

And holding the MySQL devs up as masters of good development is just... I think that may be the single stupidest IT-related comment I've ever seen on MeFi.

IntelliJ, Netbeans, Eclipse spring to mind, which do a hell of a lot more than browse the web

Actually, they do a lot less. I'd far rather try and craft an IDE than a web browser, because only one of those tools is, by definition, trying to accept data from literally anyone, anywhere, with no or minimal validation, and make sense of it without blowing up.
posted by rodgerd at 9:58 AM on December 16, 2008 [3 favorites]


Don't know why Opera doesn't get more love in these threads.

1) Opera used to have two versions: a free version which embedded a banner ad on top of the tool bar and a paid ad-free version. I think this turned a lot of people off, who thought that web browsers should be free. Only after FF was released, IIRC, did they drop the banner ad for their free version.

2) Opera has a reputation as being hard to use. Part of that is because they have so much built in functionality, and that it acts slightly different from other browsers at times, but the UI is more cluttered than FF.

3) Marketing: FF and the Mozilla foundation did a great job marketing and getting the word out about Firefox, and created this perception that FF was the first real alternative to IE for people.
posted by gyc at 9:59 AM on December 16, 2008


with no or minimal validation,

That should have read, "with no or minimal validation of the reliability of the data source."
posted by rodgerd at 10:14 AM on December 16, 2008


Don't know why Opera doesn't get more love in these threads.

I was giving Opera the love. I still am, as I type this in Opera right now.

But I might be forced to leave it soon (which I don't want to do) because of the increasing problems it's having in rendering some sites and services. It's not just from a few years ago, but from now - I can't get Google Books to work in the last few weeks. (if anyone knows a solution, please memail me).

I would go to FF, but because that takes installing, my default has been to use IE which (of course) came with my OS, which I use because certain programs I need for my work only work under that OS, and my computer came stocked with this OS and only this OS is supported by the manufacturer...

Basically, MS still has a pervasive monopoly - and the Justice department just caved on them. This is the real reason for the MS hate. They aren't just a company out to make a good product that people like and thus to succeed - they are out to use any means necessary to push out the competition, and those means have rarely involved "offering a better product".
posted by jb at 10:34 AM on December 16, 2008


So why is my IT department allowing us to use IE (7) today? Aren't they putting us at risk? (serious question)
posted by desjardins at 10:46 AM on December 16, 2008


Regarding software quality: it is possible to produce absolutely, provably, error-free software. It is just very difficult to do so, to the point that it's more of an academic exercise than normal development practice.

Projects like OpenBSD (or for that matter any number of flight-control and military software systems) are very high-quality and have a very low defect rate relative to typical desktop apps, because they dedicate a lot of effort to QA and peer-reviews and basically triple-checking everything. (The volume of paperwork and documentation generated by some quality-assurance methodologies for software would blow a lot of people's minds, I think.) But they're not perfect. Even OpenBSD has occasionally had security vulnerabilities, and that's just one type of problem.

However, it's not true to say that this necessarily has to be the case. Because software programs -- all software programs -- are really nothing but complex mathematical formulas, it's possible to formally define and prove how they will operate when executed on a finite state machine. This becomes ridiculously difficult with almost any non-trivial program written in most current programming languages, but there are languages and development methodologies designed for the task that make it easier.

I doubt that general-purpose PCs and web browsers will ever be written to pass formal verification and be provably secure/bug-free, but it's not totally out of the realm of possibility for things like embedded control systems to be. But in general, software has "bugs" and other types of programmer error because we -- consciously or not -- have done a cost/benefit analysis and decided that such flaws are acceptable.

It is always legitimate to criticize a piece of software for having defects, but those criticisms should be made with the cost/benefit analysis that has produced the defective software in the first place, in mind.
posted by Kadin2048 at 10:53 AM on December 16, 2008 [3 favorites]


it is possible to produce absolutely, provably, error-free software. It is just very difficult to do so, to the point that it's more of an academic exercise than normal development practice.

That proven-secure software would have to run on a proven-secure operating system which would have to run on proven-secure hardware. Even if we stipulate the first two, I am skeptical of the third. Is there any formal-methods research for dealing with, e.g., side-channel attacks on hardware?
posted by event at 11:12 AM on December 16, 2008


> So why is my IT department allowing us to use IE (7) today? Aren't they putting us at risk? (serious question)

As long as they're confident that the intranet servers they manage are not compromised, no. Permitting their users to browse websites outside of the corporate infrastructure is a different matter which some IT teams prefer to summarize as, "...so do you have permission to view that on company time?"

But realistically, mandating IE 5/6/7 for the company intranet and Firefox/Opera/Safari/Chrome/Whatnot for all other web browsing is not such a bad idea, technologically. It's only the humans who have to remember which browser to launch for which sites who are inconvenienced.
posted by ardgedee at 11:19 AM on December 16, 2008


We have at least 1 former IE developer here on Metafilter, who worked on ie 6 and 7.
I assume he avoids these threads, but who knows what he could tell us, were it not for the NDA.
posted by nomisxid at 11:37 AM on December 16, 2008


...and the pitchfork wielding mob.
posted by Artw at 11:38 AM on December 16, 2008 [1 favorite]


Is it that Opera is not keeping up with pages? Or that the pages are not standard enough for Opera?

I have problems with imbedded video on pages with Opera a lot. One update fixes it, then the next update breaks it again. I'm currently waiting for a Fixes It update.

Other than that I do prefer it to FF.
posted by Cyrano at 11:52 AM on December 16, 2008


...and the pitchfork wielding mob.

...and the deep personal shame.
posted by Blazecock Pileon at 11:54 AM on December 16, 2008


In the next Mac ad, Hodgman will reveal his superfluous fourth nipple.

Once you've seen his third nipple though, any further nipple revelation kind of loses its shock value.
posted by Blazecock Pileon at 11:56 AM on December 16, 2008


So why is my IT department allowing us to use IE (7) today? Aren't they putting us at risk? (serious question)

Our ftp site and Oracle based databases only run on IE so we kind of have to use it.

So does Netflix, weirdly enough.
posted by fshgrl at 12:00 PM on December 16, 2008


...and the pitchfork wielding mob.
that too.

...and the deep personal shame.
not likely. He did good work, and none of the vulnerabilities of the past several years could be tied to code he wrote, nor decisions he made. I know there were decisions made by higher-ups that he didn't agree with; he's not there anymore. Many of the vulnerabilities we see highlighted these days, have roots far deeper than ie6.
posted by nomisxid at 12:06 PM on December 16, 2008


Corporate IT departments are, often, not manned by very technologically savvy people. They're definitely risk-averse, to the point of being moribund. They also tend to read the email of any attractive women on staff, but that may just be the guys I know.

In large corporations, I imagine some of the resistance to change is having internal corporate browsing tools that depend on some sort of half-assed custom ActiveX component to work...am I right on that?
posted by maxwelton at 12:21 PM on December 16, 2008 [1 favorite]


none of the vulnerabilities of the past several years could be tied to code he wrote

In that case, he probably doesn't have much to say about this, and so an NDA probably doesn't enter into this.
posted by Blazecock Pileon at 12:35 PM on December 16, 2008


I'd hazard a guess that he knows more about the actual architecture and development practices than any of us. I certainly heard him complain about them enough =p
posted by nomisxid at 12:54 PM on December 16, 2008


What are you talking about? The browser is mishandling data, the web host is not doing anything incorrect in delivering the data. It doesn't count as a compromise if it doesn't actually affect the web host, as is the case with these specific xml files.

If the JavaScript file wasn't intentionally placed on the web host by the owner of said web host, then it was probably placed there by an attacker, through SQL injection or XSS. So, yes, that web host would be compromised in any meaningful sense of the word.
posted by me & my monkey at 1:15 PM on December 16, 2008


Oh man, I showed up late to the platform bigotry browser flamewar that will never end. Damn.

I've been reading this exact same thread since about 1996 - the only thing that has changed is the version of IE, and the name(s) of the other browser(s).

Let's continue with an endless discussion of Operating Systems. Which flavor of Linux should we use? Vista or XP? Which kitty cat of OS X?

If you put 20 monkeys in a room, each with a typewriter, after a month you will have 20 dead monkeys...
posted by Chuffy at 3:37 PM on December 16, 2008


Corporate IT departments are, often, not manned by very technologically savvy people. They're definitely risk-averse, to the point of being moribund. They also tend to read the email of any attractive women on staff, but that may just be the guys I know.

In large corporations, I imagine some of the resistance to change is having internal corporate browsing tools that depend on some sort of half-assed custom ActiveX component to work...am I right on that?
posted by maxwelton


Corporate IT Departments are often undermanned by technically savvy people who have to try to keep up with the ever-changing technology and security risks, while supporting mindless automatons that still open up emails with the subject, "hi." The resistance to change is usually tied to having to support hundreds of people who don't know dick about computers, with a small budget and an aversion to having to learn anything remotely technical like how to use a UNC path versus having a login script map drives for them.

IE may be a shit browser, but it is possible to install, patch and configure because it is part of Windows and AD. If you're savvy enough to know the differences between the browsers, you're probably going to write about how your tech support people suck...and how much more you know than them, yadda yadda. But the fact is, you're not supporting the retarded masses from themselves day in and day out. I have spent years listening to developers and engineers bitch endlessly about this and that, but who don't know shit about supporting a lot of people - and who are very quick to complain when they fuck up their own system and the people who they bitch about all day don't rush in to help them fix it.

Resistance to change comes from the overwhelmingly constant nature of technological change...there's a sort of bell curve to support: on one end you have the few savvy users who like to beta test everything and who have zealous opinions about everything - and on the other you have people who need immediate assistance fixing their email by having you come to their desk to push the power button on their system.
posted by Chuffy at 3:57 PM on December 16, 2008 [2 favorites]


> If you put 20 monkeys in a room, each with a typewriter, after a month you will have 20 dead monkeys...

...19 dead monkeys and one fierce, paranoid monkey who's discovered a thirst for blood and warm flesh.
posted by ardgedee at 4:14 PM on December 16, 2008 [4 favorites]


The real irony is that a lot of these sites hosting the malware are compromised linux-based sites. How about we address the core problem here: webmasters are not hardening their machines and we keep giving them a free pass. The hackers use known techniques (sql injection) and unpatched vulnerabilities to get into these servers. Of course the client should be as secure as possible, but the server end of things should be held up to a more rigorous standard.

I don't have this exploit on hand, but I wouldn't be surprised if it didn't work when running as a limited user. IE7 runs under user credentials not system credentials. Oh well, don't play on your computer as local admin 24/7. The unix kids know not to run as root.
posted by damn dirty ape at 4:15 PM on December 16, 2008


They're definitely risk-averse, to the point of being moribund. They also tend to read the email of any attractive women on staff, but that may just be the guys I know.

White guys drive like this. Black guys drive like that. AMIRITE?!
posted by damn dirty ape at 4:18 PM on December 16, 2008


So why is my IT department allowing us to use IE (7) today? Aren't they putting us at risk? (serious question)

You can filter out the offending .js, at least for known attacks.
posted by damn dirty ape at 4:21 PM on December 16, 2008


Just to close out this pointless rantfest, I note that one day after this exploit hit the news (and seemingly one week after first reports by MS they were investigating a potential issue) MS is releasing a patch. Crisis averted.

We can now join the rest of the world as they worry about slightly more pressing issues - such as the collapse of the world economy.
posted by Muddler at 4:21 PM on December 16, 2008


The browser is mishandling data, the web host is not doing anything incorrect in delivering the data.

Err, the web server has been hacked and is serving malware. Your local pornographer doesn't want to control your PC, he just wants to sell you videos of naked girls for money. You bet the web host is "incorrect"; it's been hacked.
posted by damn dirty ape at 4:26 PM on December 16, 2008


It's baffling that nearly all of the news stories I've read on this finish with something like "users are advised to use another browser until a patch is available" (my itals). WTF? That's like "beaten wives are advised to leave the house until he falls asleep".

You don't go back after this, you switch.

And a BBC story earlier didn't even name any other browsers. Nice going, chuckleheads.
posted by bonaldi at 7:01 PM on December 16, 2008 [1 favorite]


Part of me feels sorry for Microsoft employees, which is a first:

Employee: Hey I think we need to have a meeting to review security, I don't think we spent enough time on it ...
Boss: Hey so when we go look at porn, can the browser not let our wives know?
Employee: Well, yeah we introduced what is known as privacy mode for those who don't understand the clear cache function ...
Boss: So I can look at like any kind of porn? I like rape porn.
Employee: Um.
Boss: Okay let's see if we can focus more resources on this porn thing, I think our clients will like it.
Client in email: Boss is great, we want this feature, <3 boss.
Employee: Like um, so if I focus on porn, if a security problem happens, your decision to focus on getting rid of porn histories is your decision?
Boss: Of course!!! But if we get in trouble like, well, you know well you will get fired, I'll get a raise, if that is what you mean.
Employee: Fuck.
posted by geoff. at 8:48 PM on December 16, 2008


"Crisis averted delayed for another month."
posted by bardic at 9:16 PM on December 16, 2008


Huh. Well, I guess I'll be doing my own tech support from this point.
posted by maxwelton at 10:37 PM on December 16, 2008


And a BBC story earlier didn't even name any other browsers.

The BBC doesn't do advertising. They'd never be telling you to worry about browser X and try browser Y or Z instead.

And the reason we pay the licence fee is because most of us prefer it that way.
posted by PeterMcDermott at 2:02 AM on December 17, 2008 [1 favorite]


All of which I see you know already. Have another egg, grandma.
posted by PeterMcDermott at 2:04 AM on December 17, 2008


A virtual machine isn't an interpreter, hey? Link?

Many if not most modern interpreters use finite state machines to interpret. This is fairly close to a virtual machine, and only about two steps closer to human readability. Just because the ultimate language you interpret happens to look something like a real machine language doesn't mean it's not being interpreted.

Also:
/* one.c - 100% secure and (I think) bug-free */
int main(void) {
  return 1;
}
posted by jock@law at 2:49 AM on December 17, 2008


They're definitely risk-averse, to the point of being moribund.

Combine that with being work-averse, and you have a winning combination. I'm so happy to be told, "We can't do that - it's too much work!" Hence their refusal to try anything new, and their commitment to various forms of security theatre.
posted by sneebler at 5:50 AM on December 17, 2008


Yeah, it adds a little overhead. Wait a month and the new model of CPU will be fast enough to compensate.

CPU's haven't been doubling in speed since, what, 2001? 2002? The jig is up.

Disclosure -- I actually spend quite a bit of time helping Microsoft secure their code, but I spend a lot of time helping lots of companies secure their code (I was behind the recent DNS brouhaha) so hopefully that'll help.

Slammer and the horde of bugs against IIS5 are actually pretty instructive, because look what's happened since: SQL Server's the most secure database out there by practically any metric, and IIS6/7 haven't had remote vulnerabilities in ages. Microsoft's done some enormous investments to try to deal with security issues, and there are notable successes in this effort.

Browsers are a tricky thing to secure, because they're just several orders of magnitude more anonymous surface for an attacker to manipulate than anything that's on a server. Bugs are found in all of the browsers, it's just the IE ones that get exploited most due to return on investment.
posted by effugas at 11:55 AM on December 17, 2008 [1 favorite]


jock@law--

Interpreted vs. Compiled vs. Dynamically Compiled is a fundamentally fuzzy concept. CPU's dynamically recompile x86 to a microcode language. VMWare dynamically recompiles x86 to safex86, a somewhat safer variant. Hardware accelerated VMware sends instructions directly to the CPU, which handles the safe isolation. Java can be interpreted, but can also be just-in-time compiled. Microcontrollers directly execute instructions as provided -- interpreting them.

The boundaries are fuzzy.
posted by effugas at 12:20 PM on December 17, 2008


effugas: i propose a bright-line rule. if the core logic of the distributed binary is not in the native code of the target platform, it's interpreted. if the entire distributed binary is in the native code of the target platform, it's compiled. if some mix, then shoot the programmer who made it. ;-)

there will be oddities, like interpreted things that get compiled (JIT) and compiled things that get interpreted (lots of emulation-type whatevermajigs). the usual java ecosystem is odd in that it has been both an interpreted program that gets compiled (JIT for reused classes) and a compiled program that gets interpreted (legacy JavaVM for emulating the java processor which, afaik, never actually successfully got implemented in metal).

im not disputing that java is compiled. im disputing the statement that it's not interpreted. since the boundaries are fuzzy, i think a thing can be both.
posted by jock@law at 1:41 PM on December 17, 2008


Dudes, it's all the same in the end: you're just making electrons and no electrons (sort of like no tea) shuffle around inside pieces of doped silicon.
posted by TheOnlyCoolTim at 2:20 PM on December 17, 2008


jock@law--

Suppose you distributed C, and a compiler-bootstrapper (say, using tinycc). Interpreted, or compiled?

I think what you're trying to get at is -- is it a core element of the distributed application, to repeatedly compile a language into native hardware instructions over and over, or not? That, I think, cuts to the heart of the difference, for whatever that difference is.
posted by effugas at 12:58 AM on December 18, 2008


Once you've seen his third nipple though, any further nipple revelation kind of loses its shock value.

No, there's a sort of dip in shock value around Hodgman nipples #5 and #6, and then a steep linear regime up through about nipple #30. After that you see a slight logarithmic increase in shock value with each subsequent nipple.
posted by sebastienbailard at 12:28 AM on December 19, 2008


jb: Google Books works fine for me with 9.61, but apparently lots of sites are having trouble with 10.
posted by goo at 6:06 AM on December 19, 2008

