Comment Feed for David finally took down Goliath (Coffeehouse on Channel 9)

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

magicalclick — Thu, 09 Jul 2009 00:51:12 GMT

Sounds great. What does that exactly do? Does that mean when I unlock the ActiveX control on IE8, the virus still can't attack my machine while using my Admin account?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

W3bbo — Thu, 09 Jul 2009 00:41:52 GMT

The <button /> element is incompatible with the HtmlButton control class and you cannot respond to server-side events for it.

So you can use it, but you can't take full advantage of WebForms with it.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

CreamFilling512 — Wed, 08 Jul 2009 22:24:23 GMT

The whole IE process with ActiveX controls is running with Vista's super-low privilege mode and doesn't have write access even to the user profile.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

AndyC — Wed, 08 Jul 2009 22:22:14 GMT

All binary extensions are susceptible to such problems and they really aren't going to go away. You can put more barriers in the way, but you can't really get total mitigation without crippling the whole purpose of extensions in the first place. Ultimately browser plugins need to be developed with security as their #1 priority. And sadly few are.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

magicalclick — Wed, 08 Jul 2009 21:49:32 GMT

While that Vista and Win7 is protected someone, that doesn't change the fact that ActiveX open to other attacks. To cover all the possibilities are hard. I think it is more important to move to a new design wtih security in mind. ActiveX is simply a dirty man's trick to make something happen, but just like C++, too much freedom comes with a price, and in our current computer era, this is not somehting we should cheat as old days.

As for backward compatibility, I am sure you can reenable the old style dirty ActiveX.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

SlackmasterK — Wed, 08 Jul 2009 21:30:31 GMT

W3bbo said:
you can't use it in ASP.NET without some hackery.

How so? I've run and used ASP.NET with IE6, even including AJAX, with no problems. Care to clarify?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

W3bbo — Wed, 08 Jul 2009 12:49:15 GMT

text-decoration:; works fine on <button /> but I don't know about <input type="button/submit" />. But that's a very minor thing, why would you want underlined or strike-through on text on a button anyway?

Little tidbit: <button type="submit" /> isn't correctly implemented in IE6 so you can't use it in ASP.NET without some hackery. Also PocketIE doesn't support it at all, despite being finalised over 10 years ago.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

fknight — Wed, 08 Jul 2009 04:19:44 GMT

Short of pushing out an update disabling ActiveX under IE and XP, which would make loads of business software and numerous websites all of a sudden non-functional, what else should they do (other than patch whatever needs to be patched, of course)?

Seeing as the latest vulnerability is mitigated completely in Windows Vista and Windows 7 due to it's improved security, I would say they've done what they needed to do as far as ActiveX without breaking existing applications that depend on it.

If a seven year old operating system and web browser is as much a security problem as it's perceived to be and there's evidence that Vista and Windows 7 solve those, I'm pretty confident as to what the logical answer is.

Re: Re: Re: Re: Re: David finally took down Goliath

punkouter — Wed, 08 Jul 2009 01:00:09 GMT

I somewhat agree with your opinion that Microsoft needs to make a move and be more active. But implementing the standard partially is also not a good solution. IE had been non standard in the past and have bad reputations, even now after IE is fully standard. You definitely do not want make those people to come back and start pointing fingers at IE anymore.

What I think Microsoft needs to do is to have some kind of a fork from ie for community review. Whatever they call this product, this will completely for review only and will never see an official release. The product may only consist of the trident engine without any bells and whistles on it. That way Microsoft can get community reviews while contributing to the standardization process. Microsoft can even put a proof of concept on new suggestions there and noone will probably complains about it.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

SlackmasterK — Wed, 08 Jul 2009 00:12:41 GMT

I've found FF is good for using ABC's crappy video player. For some reason they don't recognize the IE8 user agent.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

Minh — Wed, 08 Jul 2009 00:01:56 GMT

PS. I removed the Skype add-in for FF 3.5 and life is good w/ FF 3.5 + Netbook again. Nothing near FF 3.5 on OSX but I'm happy.

PSS. wrt NSAPI... the security note says that the ActiveX control has no business being instantiated by the browser... so if you look at the potential target for NSAPI exploits, it'd be shoddy components interfacing w/ NSAPI. Whereas, exploits targeting ActiveX controls can aim for EVERY ActiveX control written... even if they never were meant for the web.

At least that's my limited knowledge of NSAPI...

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

magicalclick — Tue, 07 Jul 2009 23:10:26 GMT

I didn't think about NSAPI. This is not about comparing who is worse, but to think about a safer way to the same stuff as ActiveX. Something like ReadOnly ActiveX, and then, you have special user granted WriteToMyDocumentOnly ActiveX, and then, the finally Admin granted nasty ActiveX. I think it is better to kill ActiveX and think of something with security in mind.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

AndyC — Tue, 07 Jul 2009 23:04:35 GMT

I'm no web expert, I merely hear the swears from across the office. A quick perusal of Twitter feeds apparently reveals that "setting text-decoration on buttons doesn't work" was the latest. Whatever that means?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

LeoDavidson — Tue, 07 Jul 2009 22:00:33 GMT

Fair enough. Might be a bug triggered by pages I don't view or something.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

W3bbo — Tue, 07 Jul 2009 21:30:48 GMT

In my experience cases where Firefox's rendering has differed from WebKit is when it's within the specification, like the default typeface and line-height settings which can be easily overridden in the stylesheet.

Do you have any examples where Firefox has gone against the spec?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

kettch — Tue, 07 Jul 2009 21:02:40 GMT

I have no extensions, because I don't use the browser. You aren't pinning the blame for crappy software on the user this time. :P

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

LeoDavidson — Tue, 07 Jul 2009 11:33:53 GMT

If you've getting a lot of FF crashes, try removing your extensions. If you still get them then you might need to clear our your Firefox profile (probably due to some junk in it created by an extension).

Extensions are a huge blessing, and the main reason I use Firefox, but they can also cause things to go catastrophically wrong due to being so intertwined with the browser's code.

Firefox 2 and 3 have been very stable for me, FWIW, and when people have a lot of crashes it usually seems to be due to extensions gone wrong. (Of course, it can also be because different people visit different sites and some sites trigger bugs.)

It's like Windows Explorer: If it crashes then 99% of the time it's because of a bad shell extension (and there are a lot of them!). Problem is that Explorer.exe still gets the blame and looks bad.

Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

LeoDavidson — Tue, 07 Jul 2009 11:28:07 GMT

WTF does how much I'm paid have to do with anything?

Everyone has better things to do than fight with poorly designed technology (HTML + CSS).

I could be paid $1,000,000 per second I still wouldn't want to waste time fighting with bad tech when I could be getting on with something else. Web design isn't my job or my hobby; it's just a chore I go through to get things on the web. Even if it was my job, and I was paid by the hour rather than by the site, I'd much rather get on with another site instead of have each one take longer over fiddly details which, if CSS wasn't so awful, should be trivial. There's satisfaction in finishing and delivering things and it's more interesting to get something done and move to the next thing than it is to spend forever on boring, tedious work.

I suppose if I was super rich I could pay someone else to do that, but I don't see how that validates your argument.

HTML + CSS suck; end of story. Things don't stop sucking if you're paid a lot for the time they make you waste or if you can pay someone else to hide them from you.

Time is worth more than money.

(And FYI, my last salary was enough that, after resigning for other reasons, I've been able to spend most of the last two years working on pet projects which pay me zero.)

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

AndyC — Tue, 07 Jul 2009 08:11:47 GMT

"At this point I don't care if the browser renders everything with pixel perfect precision. I just want it to work! This is why I've relegated FF to being the (red headed) stepchild who gets drug out once in a while for a beating and stuffed back in the closet."

It's a fair point. It would almost be forgivable if the HTML rendering was perfect, at least it would make for a good reference renderer. It's not though, it has its own share of unique HTML rendering bugs too.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

CreamFilling512 — Tue, 07 Jul 2009 07:06:11 GMT

How is it anymore open to attacks than NSAPI?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

kettch — Tue, 07 Jul 2009 05:46:18 GMT

If Flash, PDF, Silverlight, QuickTime, Mesh, and Windows Media, were ported over to a new plugin architecture then I would probably be 95%+ covered.

The remaining cases are all either miscellaneous Microsoft plugins or specialized stuff like WebEx, which I've only used once.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

magicalclick — Tue, 07 Jul 2009 05:26:17 GMT

The thing is when are we going to kill ActiveX? The whole system seems to have too much freedom for attacks. Why not making something much more protected, like read only or something.

Re: David finally took down Goliath

magicalclick — Tue, 07 Jul 2009 05:24:20 GMT

Perhaps ZF is not a suitable development envirnment for IE platform? But, if you want to go Chorm exclusively, go ahead. Like I always said, if you don't like USA, move to somewhere else. If you don't like the product, don't buy it. Your lack of support may one day be enough to convince MS's policies. If less and less website support IE, I am sure MS will starts to get worried.

I am sure everyone has their own crappy story about other platforms. We are the developers, shits happens, and we debug. That's not going to happen. Just like those HTML5 standards, assume you get 40% FF3 and 25% FF2 markets, you still need to code HTML4 for that 25% of FF2. Develope backward compatible software is always difficult. And * just happens. If you are so frustrated by web developement, try a software development, at least now you only have to fix your own mess or your teamates' mess.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

blowdart — Tue, 07 Jul 2009 05:13:17 GMT

That's not an IE vulnerability, but an vulnerability with a particular ActiveX control.

Of course ActiveX is IE only... but still it's not a problem with the IE code.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: David finally took down Goliath

PaoloM — Tue, 07 Jul 2009 04:24:52 GMT

You sound lazy. The framework features are documented in a table of contents that I so nicely linked in my last post. You need to RTFM or STFU. I mean that in the nicest way.

I can see you getting very quickly on the path of your predecessors...

Be corteous, polite and respectful. Don't assume you know more than anyone else (because you don't) and don't insult other niners.