
Re: [Full-Disclosure] IE is just as safe as FireFox



Vincent Archer wrote:


Other apps flatly refuse to work with anything but IE. None of these are strictly "web applications" anymore - they are applications that use a UI processor, which happens to be the HTML processor as well.



You see, this is precisely the problem.

HTML processors in web browsers should be designed to take in untrusted data and treat it, exclusively, in an untrusted fashion. The problem with latching "trust zones" onto this is that you provide a backdoor that allows any person who can exploit the complex internal trust relationships (or otherwise bypass it) to do whatever the HTML processor allows it to do, which in the case of IE is almost anything.

The web browser was never meant to be a trusted application engine. It was meant to display data, not interact with the software on your computer. If done carefully and responsibly, add-ons that allow for code launching are fine - as long as they can be removed at will and without difficulty and do NOTHING transparently.

What we have here is misuse of a technology. That's where the root of these problems exists. And any company that relies on the misuse of technology, frankly, needs to address its IT strategy immediately and think very clearly about what the ultimate end result of that is.

-Barry

p.s. There will always be buffer overflows and ways to exploit programs using input, but following my line of thinking above, it becomes MUCH easier to secure the browser so that those issues can be effectively mitigated.


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html