Buried in the article... it's IE again...
I was kind of skeptical that JavaScript in blog feeds would be any more of a security issue than JavaScript in web pages, though I had this sneaking suspicion that I knew what was up. And, lo and behold: "Additionally, some reader software on Windows systems uses Internet Explorer to display feed content, but doesn't use basic security settings that isolate the content. Instead, the JavaScript is downloaded to the PC and has full access, which can fully expose a person's PC, Auger said."

By "IE" he means "the Microsoft HTML control". IE is just a shell around the HTML control, which is used by many system components including the desktop Windows Explorer. To allow components like Windows Update and control panel applets that use the HTML control to run, the control grants rights to a document it is rendering based on the security zone it's in.

I'm still flabbergasted that anyone thought this was a good idea. I'm doubly flabbergasted that - after it was so amply demonstrated to be a bad idea by the flood of email worms that took advantage of it - Microsoft not only didn't back it out and try a different approach but took the company to the brink of being broken up by the Department of Justice to keep it in. And now, ten years later, it's still in there.

Software authors: I don't care how attractive the idea is, don't use the HTML control unless you LIKE having your product headlining in ZDNet's latest security release.

Everyone else: Don't use IE. No matter how many layers of duct tape Microsoft wraps around it. Don't use any other application that uses the HTML control either. It's inherently insecure, and it cannot be fixed without breaking every application that currently uses it... because the design flaw is built into the API.
Posted by: Resuna   Posted on: 08/04/06
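One defensive measure a feed reader author can take against the problem the comment describes, added here as an example and not code from the original comment, from ZDNet, or from any feed reader product: strip active content (script elements, on* event handlers, javascript: URLs) out of feed item HTML before any renderer sees it, so that even an HTML control running in an over-privileged zone is handed nothing it could execute. The input strings are constructed for illustration.

```python
# Added example: strip active content from feed item HTML before any renderer
# sees it. Constructed input; not code from the original comment or any reader.
from html import escape
from html.parser import HTMLParser

# Elements removed together with their entire contents.
DROP_ELEMENTS = {"script", "object", "embed", "iframe", "applet",
                 "style", "meta", "link", "base", "form"}
# URL-carrying attributes that may smuggle a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element being dropped
    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names for us
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                continue
            if name in URL_ATTRS and value is not None:
                scheme = "".join(value.split()).lower()  # fold whitespace tricks
                if scheme.startswith(BLOCKED_SCHEMES):
                    continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None
                            else f" {n}" for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
    def handle_startendtag(self, tag, attrs):  # <br/>, <img .../>: no end tag
        if tag not in DROP_ELEMENTS:
            self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_feed_html(fragment: str) -> str:
    p = FeedSanitizer()
    p.feed(fragment); p.close()
    return "".join(p.out)
```

Run the feed item's description through sanitize_feed_html before passing it to the display component; it is a deny-list for the active-content vectors named above, not a full allow-list sanitizer, and a production reader would additionally rewrite remaining URLs to a safe base.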
