
Author Topic: More Kudos for IE....NOT!  (Read 4561 times)


Offline mikeymike

  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 3420
  • Country: 00
Re: More Kudos for IE....NOT!
« on: December 12, 2003, 12:55:47 PM »
Quote
Well, until a bug is found it's not a bug.

Pardon?
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #1 on: December 12, 2003, 02:31:21 PM »
Quote
No. Bad coding should always result in bad publicity. Microsoft seem never to test their stuff - with their budget bugs like this are absolutely inexcusable, and a prime example why their monopoly is detrimental if not debilitating to the computing scene.


I hardly go around defending MS all the time, but I disagree with you here.

This is a fairly obscure vulnerability, even though it appears simple.  But, as with many things, the "solution" appears simple once it has been found.  Many other vulns have been found in IE6 SP1 since it was released late last year.

Microsoft do have an awesome budget at their disposal, but I don't think it's QA that is the problem here, it's that functionality is regarded as a far higher priority than security, reliability and performance.  The last three factors do not directly earn MS money.  Functionality is something definite that can be heralded by their sales/marketing reps.  Security, reliability and performance aren't anywhere near so easily marketed.

If people honestly judge Windows, it should be admitted that Windows for example is a fairly awesome product, and in many respects far ahead of the competition for the audience it is primarily aimed at (average desktop users).  However, its main problem is that, a bit like with Netscape 4x, true innovation has plateaued.  What is needed is for it to break out of that mould, which to a certain extent in the case of Netscape 4x, Mozilla did, and Firebird/Thunderbird has done also to a greater extent.  However, "breaking out of the mould" for a business is risky, and while in long development, doesn't earn them any money.
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #2 on: December 12, 2003, 02:38:47 PM »
Quote
But even so, MS products are some of the most complicated software in the world. Especially with their OS. It'd be damn hard to manage a project that large.


Ok, it is more difficult to manage a larger project, however MS are in a mess of their own making.  For example, the only reason IE is integrated into the OS is to push out browser competition.  All the other little features it has brought all stem from that bad intention ("what can we offer our users to distract them from the fact that we screwed them?").  It was implemented badly, the idea is flawed, and so Windows has a largely increased number of attack vectors as a result.  The project was unnecessarily complicated.
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #3 on: December 12, 2003, 06:59:19 PM »
@ Lemonty

Doesn't crash IE here.  IE6 SP1 / Win2kSP4.
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #4 on: December 12, 2003, 07:00:50 PM »
Quote
When I say best software, I'm not talking about how buggy it is or insecure


Ok.  Here's an example.

Web browser X has all the features anyone might ever want in a web browser.

However, anyone with the simplest of exploits can get your credit card details, access to any files on your hard disk, and trash your machine.

Is it still the web browser in your opinion?
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #5 on: December 12, 2003, 07:11:22 PM »
Quote
Linux is a good example of this. Because of linux's fast adoption, more security flaws are being found.

I agree, in that this will hold true with any product as its usage increases.  However, if a vulnerability is found in one product by the security community, competing products are also usually tested to see if they also are vulnerable, and reports made accordingly.

With this in mind, there are, on average, 20 unfixed vulnerabilities in the most up-to-date, patched version of IE.  6, on average, are "critical" vulnerabilities.  Compare to competing web browsers, say Mozilla/derivatives and Opera, where there is on average one unfixed vulnerability at any time.

I said previously about MS prioritising functionality far over security, reliability and performance.  I'll add to that now.  What is far more dangerous about MS software is that by default, the state in which the product is shipped to the customer, is with everything wide open.  On other operating systems, for example - ssh on UNIX derivatives, you can't log in remotely as the 'root' (highest privileges) user by default.  It has to be configured to do that.

Quote
When linux is a huge monopoly

Unless some company chooses to adopt MS typical tactics (which should be illegal), no operating system will ever have a monopoly.  Why?  Because users will always have a choice.  The opposite is a monopoly situation, when users have little or no choice.
 

Offline mikeymike

Re: More Kudos for IE....NOT!
« Reply #6 on: December 12, 2003, 10:06:21 PM »
Quote
It seems like a lot of the little security problems found in Microsoft Products are found by these companies that test the software for security bugs. Why doesn't Microsoft have something like that in place before they release their products or at least hire these companies to help them out before they release their products

No amount of in-house testing, short of never releasing a piece of software such as a web browser, will ever provide as thorough testing as in the outside world.

The people who are employed at security companies, or just active members of the security community, are pretty damn clever people.  Many of them probably used to crack/hack into systems as well, and in some cases, particularly security-related, the phrase "to catch a thief" springs to mind :-)  

Also bear in mind that IE earns MS no direct revenue.  How much can a business justify spending on such a product?  Which is why MS announced they wouldn't be releasing any standalone new versions of IE, only as part of new operating system releases.

Also, if a company can get away with shovelling bug-filled crap and customers buy it, why should they bother improving their QA, unless their revenue stream is at risk.

Quote
The other thing is that without any decent competition Microsoft IMHO has gotten lazy. I think if they had to fight for 40 or 50 percent of the world's market share they would be a lean, mean coding machine.

Variety is the spice of life.  Competition certainly spices it up as well :-)