
RE: [Full-Disclosure] Microsoft and Security



On Mon, 28 Jun 2004, Nancy Kramer wrote:

> There are lots of sites written only for IE or clones of IE like
> Opera.  Some large sites are written only for late model IEs.  Many are
> from large companies.  Big business thinks MS is the state of the art and
> the only way to go for business.  You have a choice do it their way or
> don't get the benefits of their web site.  They play to the user who has
> AOL, uses only IE and Outlook with all the defaults on because if MS does
> it it must be right and they really have no interest in changing things or
> knowing about them.  People believe they are protected by big companies
> like MS.  They are fools but then like a friend of mine always says
> "business people are stupid".


Nancy, some of this has to do with lazy web designers[1].  I recall a time
not too far back whence sites were set up for users that used GUI versions of
browsers, and those that used text based browsers, a client could browse
the site from the best perspective of the SW they were using.  This even
became more prevalent for a short period when things like 'frames' and
such came into the html lingo.  And there were even some sites back then
that had a 'ie view' as well as a 'netscape view', some still offering a
third 'text only view'.  Course, this gets to be time consuming and
tedious for the person laying out all that markup code and crafting all
those cgi's and java/perl/php/activeX gunk, let alone trying to tailor
dynamic pages such that they know how to play with the client browser in
use.  IE plays well with the M$ fav good ole security issue in itself,
front page, which produces markup code with a slant towards IE specifics.

Of course, security companies, though advocating that active content not
be enabled in client browsers for the reasons we see over and over in the
security related lists have also long since given up the ghost.  A person
can fall asleep at the wheel trying to count on the fingers of one hand
the number of 'security specific' or 'security related sites' that do not
engage in active content themselves.  Thus most of the warnings and
recommendations to turn off the abilities of a browser to parse the more
potentially dangerous dynamic aspects of html, fall on deaf ears all the way
around, from end users on up.  The bigger flaw here I see is that which
hits when the industry itself pushes content in denial of the realities
they posture.


Thanks,

Ron DuFresne


[1] lazy is perhaps over strong here, and puts perhaps too much blame on
those tasked as content maintainers, who are actually often driven from a
corporate expense model, and often not making the core design decisions on
their own.  Only minor offences meant in the 'lazy' designation.  Of
course, then again how many sites still maintain content for text based
browsers these days in addition to all the glitzy dynamic content they put
up for exploit?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html